Biggest Cryptocurrency Security Breaches of 2018
[Update: after years of R&D on the world’s first moving target defense data protection platform with federal agencies and Fortune 100 R&D labs, we are productizing & commercializing CryptoMove’s moving target data protection platform as Tholos Key Vault, a product for managing keys and secrets. You can check out our private beta here.]
In the past year, activity regarding blockchain and cryptocurrency is higher than ever before. By some projections, the cryptocurrency industry is set to amount to $1 trillion in 2018. Other cryptocurrencies, like Ethereum and the too-many-to-count ICO tokens, are starting to join the industry, bringing Bitcoin down from 80% to 50% in its market holdings in 2017.
As TechCrunch writer Fitz Tepper notes, The fact that these gains have come from currencies other than Bitcoin are a good sign that this is less of a bubble and more of a resurgence of interest in crypto.
Fred Wilson calls this the “installation phase.”
Such rapid growth, however, is not without pitfalls. In 2018, cryptocurrency exchanges have lost over $760 million in the first two quarters of the year, compared to $266 million lost throughout the entire year of 2017. If cryptocurrency is such a rising industry in today’s age, then why are we hearing of a new security breach almost every month?
“Cryptocurrency theft has surged three times in the first half of 2018 over the whole of last year, according to a report by CipherTrace.”
What follows is a brief overview of hacks in 2018:
Coincheck: In January 2018, the Japanese cryptocurrency company reported over $500 million stollen in NEM coins. This breach is the biggest reported digital currency theft in the world. The funds were stored in a “hot wallet” rather than a “cold wallet,” meaning that they were connected to the internet instead of being stored offline.
Coinsecure: In April of 2018, the Indian cryptocurrency company reported $3 million stollen. This is the “biggest reported theft in India’s virtual currency market.” An outside source was stealing bitcoins while the CSO of Coinsecure was transferring coins to customers.
Bitthumb: In June 2018, the South Korean cryptocurrency company reported $31 million worth of cryptocurrencies including Bitcoin, Bitcoin cash, ether, XRP, kyber network tokens… (etc.). They were able to save approx. $14 million in funds by recovering Cryptographic wallets and collaborating with the Cryptographic Fund and the Worldwide Cryptographic Exchange.
Bancor: In July 2018, the Israeli cryptocurrency company reported $13.5 million worth of tokens stolen. To explain this breach, the company stated that a cryptocurrency wallet on its network had been “compromised and used to withdraw funds from a smart contract.” Bancor was able to freeze some of the tokens that were stolen.
A wallet was used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of 24, 984 ETH ($12.5M). The same wallet also stole $1M in NPXS and 3,200,000 in BNT.
Following the trend of most new technologies, blockchain and crypto companies focus more on their product and performance and risk falling behind on security measures.
“Bitcoin and other cryptocurrencies have risen dramatically in popularity and value over the past few years,” said John Sedunov, an assistant professor of finance at Villanova University. “This fast run-up may have caught some exchanges off-guard, and they may not have had the capital on hand, time, or even the technical ability to ramp up security features fast enough to ward off potential attackers.”
Because cryptocurrency is meant to be exchanged between people, it can be easier for someone to steal it. It is presumed more difficult for an adversary to steal stored data, because it will be more protected (Fung).
- Wallets: Using Coincheck’s hack as an example, funds stored in hot wallets are connected to the internet and therefore are easier to attack. Storing cryptocurrency offline in cold wallets may help avoid such hacks.
As many smart security practitioners turn their attention to this space, expect the pace of security innovation to quicken. CryptoMove, for instance, is active in this space as a solution for key and infrastructure secret storage, as well as secure off-chain storage.
Blockchain and cryptocurrency companies are paying more attention to increasing security as the space matures. One way to track this is by looking at the pace of CSO/CISO hiring. BitGo, for instance, recently hired CryptoMove advisor Tom Pageler — an expert with CSO and executive security experience at Neustar, DocuSign, JPMorgan, and Visa — as a step towards increasing security. Look to see Binance, Coinbase, and others continue beefing up their security teams. As with any new technology wave, attention to security will naturally lag the adoption curve. With crypto, however, maintaining trust is vital to keep that firehose growth going.
