Cryptocurrency Security Failures by the Numbers

Sarah Miller (she/they)
Coinmonks
6 min read · Sep 10, 2023


Trust in cryptocurrency is low. Breaches aplenty and scandals like the one involving FTX founder Sam Bankman-Fried have resulted in many users selling off their assets. Yet over half of Americans have owned or currently own cryptocurrency. Honestly, I am a cryptocurrency skeptic. I am one of those people who doesn’t trust it. Let’s look at the numbers.

An approximate timeline of the breaches referenced in the statistics. At the time of their incidents, Blockchain.com was operating as Blockchain.info.

Using a variety of sources across the web (special shout-out to Cointelegraph), I was able to pull together a (by no means comprehensive) list of 74 cryptocurrency breaches between 2012 and 2022. While there hasn’t necessarily been a consistent uptick in major breaches over time, we can see that as recently as last year there were several major breaches. This isn’t a problem that has gone away or will go away any time soon.

In total, valued at the time each breach happened, they represent $7,858,426,775 in stolen cryptocurrency. That’s right, almost $8 billion, and it’s just the tip of the iceberg when it comes to all of the cryptocurrency threats and scams.

Digging a little deeper, at least 16 of these breaches, or about 22%, were an inside job. (And that’s not including the debatable case of FTX.) It was somewhat shocking to me that 1 in 5 of these massive heists were carried out by insiders. In terms of assets stolen, however, insiders accounted for $819,157,466, or only 10.4%.

Other breaches could be attributed to hacking or to fraud, meaning scenarios where the cryptocurrency exchange’s own founders made off with users’ assets. Only two breaches in the dataset, BitGrail and Africrypt, were attributed to fraud, but they accounted for 48.3% of the stolen assets.

Fraud outpaces hacks and insider threats in terms of cryptocurrency breach impacts.

Summary of the assets stolen across 74 cryptocurrency breaches. The totals for fraud represent two incidents, BitGrail (2018) and Africrypt (2021).

It’s important to recognize that in most of these attacks, there was a human component. Whether it was fraud, an insider, or an employee falling victim to social engineering, there’s a human behind the keyboard. Despite how advanced we think that the blockchain is, it’s not impenetrable, nor are the organizations that host these exchanges.

Information security and regulations

For full transparency, this post took me months to figure out. I even turned to ChatGPT to help me do research around regulations, which I was somewhat loath to do. After looking at the statistics regarding cybersecurity failures at cryptocurrency exchanges, I couldn’t help but question what was actually being invested into cybersecurity at these firms. As is often the case, I predict that very little is, unless a mandate requires it.

Thirty-nine (39) states, Puerto Rico, and Washington, DC introduced cryptocurrency legislation this year. Eight of those initiatives, half of them in Mississippi, have already failed. None of them appear to involve cybersecurity. Currently, the regulations and bodies that cryptocurrency exchanges have to comply with that actually reach into cybersecurity are somewhat limited. Some examples include:

  • Office of Foreign Assets Control (OFAC) regulations. These are the same regulations that come up when organizations are deciding to make a ransomware payment, with the question at hand being: Is this money going to a sanctioned entity? But it’s not necessarily a cybersecurity standard.
  • The Bank Secrecy Act (BSA), which requires exchanges to have Anti-Money Laundering (AML) programs. Again, this is looking more at what customers or users are doing rather than employees.
  • The Securities and Exchange Commission (SEC), which does have oft-discussed rules related to incident reporting. On that end, we can expect these cryptocurrency exchanges to at least have some sort of incident response in place. However, as we all know, incident response is not the same as having proactive cybersecurity measures in place.
  • Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Finally, a requirement for an information security program! With security awareness! And an insider threat program to boot!

But if organizations have to comply with GLBA, then why are there so many failures?

  • Historically, cryptocurrency was a bit of the Wild West. It wasn’t clear who had to comply with what, so that explains some of the earlier failings.
  • Not all of the exchanges are based in the U.S., with many in South Korea and Singapore. For those international exchanges, compliance with U.S. regulations is determined, in part, by whether or not users are based out of the U.S.
  • Exchanges that were fraudulent in nature never intended to be compliant to begin with, leaving users without their assets (and potentially without recourse).

My estimate is that those cryptocurrency exchanges that do have to comply with U.S. regulations might be underfunding their information security initiatives in favor of growing the business. Their compliance initiatives might be framed around a “check-the-box” mentality. I say that because it’s not a unique approach, nor is it limited to one industry. All security practitioners at some point will have to, or already have had to, deal with limited budgets and the like. Really, these cryptocurrency breaches should be a wake-up call to the rest of us to move beyond what’s required in cybersecurity and move towards what’s right for customers.

Let me know if statistics around cryptocurrency or other security-related topics are of interest! I’m happy to put together additional metrics or research some additional topics.


Cyber Security and Compliance Analyst based out of Pittsburgh, PA. CISSP, CIPT, CIPP/US.