Cryptocurrency Security Failures by the Numbers
Trust in cryptocurrency is low. Breaches aplenty and scandals like the one involving FTX founder Sam Bankman-Fried have resulted in many users selling off their assets. Yet over half of Americans have owned or currently own cryptocurrency. Honestly, I am a cryptocurrency skeptic. I am one of those people that doesn’t trust it. Let’s look at the numbers.
An approximate timeline of the breaches referenced in the statistics. At the time of their incidents, Blockchain.com was operating as Blockchain.info.
Using a variety of sources across the web (special shout-out to Cointelegraph), I was able to pull together a (by no means comprehensive) list of 74 cryptocurrency breaches between 2012 and 2022. While there hasn’t necessarily been a consistent uptick in major breaches over time, we can see that as recently as last year, there were several major breaches. This isn’t a problem that’s gone away or will go away any time soon.
In total, valuing each breach at the time it happened, they represent $7,858,426,775 in stolen cryptocurrency. That’s right, almost $8 billion, and it’s just the tip of the iceberg when it comes to all of the cryptocurrency threats and scams.
Digging a little deeper, at least 16 of these breaches, or about 22%, were an inside job. (And that’s not including the debatable case of FTX.) It was somewhat shocking to me that 1 in 5 of these massive heists were insiders. In terms of assets stolen, insiders accounted for $819,157,466, or only 10.4%.
Other breaches could be attributed to hacking or to fraud, the latter being scenarios where the cryptocurrency exchange’s founders themselves made off with users’ assets. Only two breaches in the dataset were attributed to fraud, BitGrail and Africrypt, but they accounted for 48.3% of the stolen assets.
Summary of the assets stolen across 74 cryptocurrency breaches. The totals for fraud represent two incidents, BitGrail (2018) and Africrypt (2021).
It’s important to recognize that in most of these attacks, there was a human component. Whether it was fraud, an insider, or an employee falling victim to social engineering, there’s a human behind the keyboard. Despite how advanced we think the blockchain is, it’s not impenetrable, nor are the organizations that host these exchanges.
Information security and regulations
For full transparency, this post took me months to figure out. I even turned to ChatGPT to help me do research around regulations, which I was somewhat loath to do. After looking at the statistics regarding cybersecurity failures at cryptocurrency exchanges, I couldn’t help but question what was actually being invested into cybersecurity at these firms. As is often the case, I predict that very little would be invested unless a mandate requires it.
Thirty-nine (39) states, Puerto Rico, and Washington, DC introduced cryptocurrency legislation this year. Eight of those initiatives, half of them in Mississippi, have already failed. None of them appear to involve cybersecurity. Currently, the regulations and bodies that cryptocurrency exchanges have to comply with that actually reach into cybersecurity are somewhat limited. Some examples include:
- Office of Foreign Assets Control (OFAC) regulations. These are the same regulations that come up when organizations are deciding to make a ransomware payment, with the question at hand being: Is this money going to a sanctioned entity? But it’s not necessarily a cybersecurity standard.
- The Bank Secrecy Act (BSA), which requires them to have Anti-Money Laundering (AML) programs. Again, this is looking more at what customers or users are doing rather than employees.
- The Securities and Exchange Commission (SEC), which does have oft-discussed rules related to incident reporting. On that end, we can expect these cryptocurrency exchanges to at least have some sort of incident response in place. However, as we all know, incident response is not the same as having proactive cybersecurity measures in place.
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Finally, a requirement for an information security program! With security awareness! And an insider threat program to boot!
But if organizations have to comply with GLBA, then why are there so many failures?
- Historically, cryptocurrency was a bit of the Wild West. It wasn’t clear who had to comply with what, so that explains some of the earlier failings.
- Not all of the exchanges are based in the U.S., with many in South Korea and Singapore. For those international exchanges, compliance with U.S. regulations is determined, in part, by whether or not their users are based in the U.S.
- Exchanges that were fraudulent in nature never intended to be compliant to begin with, leaving users without their assets (and potentially without recourse).
My estimate is that those cryptocurrency exchanges that do have to comply with U.S. regulations might be underfunding their information security initiatives in favor of growing the business. Their compliance initiatives might be framed around a “check-the-box” mentality. I say that because it’s not a unique approach, nor is it limited to one industry. All security practitioners have had, or at some point will have, to deal with limited budgets. Really, these cryptocurrency breaches should be a wake-up call to the rest of us to move beyond what’s required in cybersecurity and move towards what’s right for customers.
Let me know if statistics around cryptocurrency or other security-related topics are of interest! I’m happy to put together additional metrics or research some additional topics.
References
- Crypto Thieves Made Off With $4.3B in 2022: Top Hacks of the Year
- Africrypt Hack — One of the Biggest Crypto Hacks in History
- BitGrail Hack — One of the Largest Crypto Hacks in History
- Poly Network Hack — The Largest (Confirmed) Crypto Hack in History
- Report on Crypto Exchange Hacks
- Bitpoint Reveals Amounts Stolen, Pledging to Reimburse Users in Crypto
- Blockchain Aids Investigators as Ex-Mintpal CEO Arrested in the UK
- Chinese Exchange Gets ‘Goxed’ for 1,000 bitcoins (UPDATE: Company Responds)
- From Coincheck to Bithumb: 2018’s Largest Security Breaches So Far
- Most Significant Hacks of 2019 — New Record of Twelve in One Year
- The 10 largest crypto hacks and exploits in 2022 saw $2.1B stolen
- The biggest security breaches of 2021
- $1.3 Million in Bitcoin Stolen in Major Online Robbery
- Cyberattack Leads to $1 Million Bitcoin Heist
- Hacker exploits Harmony blockchain bridge, loots $100M in crypto
- Crypto Breach Losses at an All Time High in 2021 With Over $4billion Lost
- Africrypt brothers deny involvement in Bitcoin ‘heist’
- Cryptocurrency start-up suffers ‘security breach,’ theft of $13.5 million worth of digital tokens
- Hackers steal over $40 million worth of bitcoin from one of the world’s largest cryptocurrency exchanges
- Hackers have stolen $1.4 billion this year using crypto bridges. Here’s why it’s happening.
- Veritaseum Founder Claims $8 Million in ICO Tokens Stolen
- ICO Scammers Steal $500k in Phony Enigma Project Pre-Sale Launch
- Tether Claims $30 Million in US Dollar Token Stolen
- Hacks, Scams, and Attacks: Blockchain’s 2017 Disasters
- Bitcoin, Blockchain and Breaches
- More Than $600 Million Stolen in Ethereum And Other Cryptocurrencies — Marking One of Crypto’s Biggest Hacks Ever
- Second Biggest Crypto Hack Ever: $600 Million in Ether Stolen from NFT Gaming Blockchain
- The Largest Cryptocurrency Hacks So Far
- Binance Blockchain Hit by $570 Million Hack, Exposing Crypto Vulnerabilities
- Bitcoin: $64m in cryptocurrency stolen in ‘sophisticated’ hack, exchange says
- Hackers stole $400 million from cryptocurrency exchange Coincheck
- Crypto.com admits over $30 million stolen by hackers
- NiceHash Marketplace Hacked, Loses $64 Million in Bitcoins
- 2018’s most high-profile cryptocurrency catastrophes and cyberattacks
- $400,000 stolen in Lumens BlackWallet theft
- Another hack rocks cryptocurrency trading: Bancor loses $13.5 million
- Bitcoin exchange NiceHash hacked, $68 million stolen
- South Korean cryptocurrency exchange hack sees $40m in altcoin stolen
- South Korean crypto exchange Bithumb hacked
- The risky business of bitcoin: High-profile cryptocurrency catastrophes