Cryptocurrency Exchange Hacks: how to secure user funds from theft
With growing popularity and mass adoption of crypto assets, the amount of funds flowing to centralized exchanges have been increasing as well. Unlike fiat money, transactions with digital currencies are basically irreversible, as known cases with digital currency hack attacks showed. The return of stolen funds is rather controversial, and at the same time it becomes a notable event.
In order to protect user’s funds from stealing, custodians have started to offer sophisticated solutions, hardware and software, advanced technologies, for safe storage of cryptocurrencies.
In this article we will emphasise the importance of custody, specify the risks associated with storing cryptocurrencies, as well as cover leading technologies and measures utilized by custodians to protect users’ funds.
The importance of digital assets custody
Crypto custody is a solution which allows secure digital assets. Digital asset custodians do not store any of the assets since all data and transactions are recorded on the blockchain. Instead, they protect users’ private keys for a crypto wallet, which grants access to the funds stored in it.
Crypto custodians are crucial for the extensive adoption of digital assets. According to Blockdata, the global assets under custody have grown significantly from Jan 2019 to Jan 2022 (approximately 600%).
Graph 1. Assets Under Custody vs. Total Market Cap 
Below are the key statistics that support the need for secure storage of digital currency:
- As stated by BlockData, starting from 2012, 47 cryptocurrency exchanges experienced large-scale attacks, whereas almost half of them referred to 2019. Depending on the source, the cumulated amount of stolen funds achieved approximately $2.66-$2.95 billion.
- Top 3 largest hack attacks in history took place on Mt. Gox, CoinCheck and Kucoin exchange platform resulted in the loss of more than $1bln.
- One of the first digital currency hack attacks occurred with the Japanese exchange Mt. Gox in 2014, which seized around 70% of global bitcoin traffic at that time. The number of bitcoins stolen from users’ wallets reached 850,000 BTC or $460 million.
- Another largest digital currency theft occurred in January 2018 on the leading Japanese cryptocurrency platform CoinCheck, where hackers accessed users’ private keys. As a result, 523 million NEM coins worth $534 million were stolen.
- The third largest hack attack on crypto exchanges attributed to KuCoin, which announced an unauthorized withdrawal of funds from token hot wallets in September 2020. According to CoinMarketCap estimates, around $280 million was stolen.
- The latest victims of cryptocurrency exchange attacks were Liquid (August 2021), AscendEX and Bitmart (December 2021), Crypto.com (January 2022). According to HedgewithCrypto, the total amount of stolen funds was over $400 million.
- As Blockdata states, in 2021, the funding raised by digital asset custody providers has surpassed the mark of ~$4.5 billion, which takes approximately 20% of the funds invested in the blockchain industry in 2021.
Graph 2. Funding Raised by Digital Asset Custody Providers 
The number of assets under custody, cyber-criminal cases with digital assets and funding raised by digital asset custodians emphasise the importance of secure custody solutions.
How to reduce the likelihood of a successful attack or fraudulent transaction?
There are three main risks related to digital assets, these are private key management, nearly irreversible transactions and product and networking risk. These risks mean that custodians of digital assets and technology providers must constantly ensure security and comply with necessary procedures, while companies’ products must be constantly monitored, tested and improved. Moreover, with the increase in the number of supported blockchains, these risks have intensified. While these 3 risks are true of the asset category as a whole, custodians and this article will focus on private key management keeping in mind that this management is crucial as stolen assets are nearly impossible to recover.
Many custodians have been using advanced methods and technologies to reduce the likelihood of a successful attack or fraudulent transaction.
Among the main technologies for user’s fund protection, The Block Research stated:
1) Hardware security modules (HSMs);
2) Multi-party computation (MPC);
3) Multi-signature technology (multisig)
Below you will find the characteristics of these technologies utilized by custodians to secure and manage access to digital assets.
1) Hardware security modules (HSM) are hardware devices applied to perform encryption, decryption, authentication, protection and cold storage of digital keys and other cryptographic functions. They have been tested and used in a diverse number of industries for nearly 20 years.
The main advantages of a HSM are:
- Security: HSMs provide a security against external threats since authentication takes place inside the module;
- Key retention: HSM stores keys on the device itself;
- Tamper tracking: Many HSMs are built to be tamper-evident, leaving a trail
However, HSMs are not a perfect security solution: HSMs are harder to update than software solutions; it involves slower transactions than some other solutions; the module implementations can be quite costly due to the need for purchasing, shipping, installation, maintenance, upgrading, configuration and scaling.
2) The main concept of multi-party computation (MPC), a cryptographic protocol, is that multiple parties can perform joint computations using their combined data without revealing each other’s inputs.
Custodian and technology providers usually implement MPC in secure private key generation. The private keys are used to digitally sign and authorize transactions for digital assets under custody. Below are the steps needed for transactions to be signed using MPC.
- MPC technology distributes private key shards across multiple cooperating servers and/or mobile devices;
- each device store and use a private key shard;
- when each party approves a transaction, their key part is used to generate a part of a signature;
- when enough partial signatures are collected, a single signature is generated and the transaction is approved;
- key shards never leave the parties’ devices, and at no time the private key ever having existed as a whole;
- lost devices (key shares) are easily replaced without changing the private key.
Growing number of institutional custodians, such as Coinbase and Gemini, have invested in MPC technology, highlighting its significant role in hardening security of the custodian service. MPC has also been growing in popularity with custody tech providers like Fireblocks and Curv.
3) Multisignature or “multisig” wallets share a similar idea with MPC, these two technologies require multiple parties to sign a digital asset transaction and access the funds stored on a multi-signature address. However, the difference between the processes is that multisig wallets are secured by several diverse on-chain signatures generated by different private keys, while MPC relies on a single signature created off-chain.
Graph 3. Difference between Multisig and MPC technologies 
In the institutional custodian space multisig serves not only as a strictly technical and security solution, but also as a policy and asset management feature. The main benefits of multisig technology are:
- Dividing up responsibility for possession of digital assets among multiple individuals;
- Eliminating a single-point of failure in cases where a buyer’s wallet is hacked;
- M-of-N backup where loss of a single key doesn’t lead to loss of the funds on a wallet. For instance, if one key is lost in a “2-of-3” wallet, the other two keys can be used to retrieve a transaction’s funds.
Other highly effective security measures include:
4) Two-factor authentication (2FA);
5) Know your customer (KYC) policy;
4) Two-factor authentication is a security system that requires two distinct forms of identification to access an account. 2FA is a combination of two of the following:
- Something you know (your password, PIN or an answer for a secret question)
- Something you have (such as a text with a code sent to your smartphone or other device, or a smartphone authenticator app)
- Something you are (biometrics using your fingerprint, face, or retina)
5) Know Your Customer is a set of standards used to verify customers, identify their risk profile, monitor their transactions and receive client’s acceptance with the company’s policy. KYC allows to limit or prevent cases of fraud, tax evasion and money laundering in financial markets.
6) Whitelisting is a security feature in wallets against any illegitimate activity. When this option is turned on, it allows crypto withdrawals only to authorized (whitelisted) wallets.
It is important to understand that not all of these measures are necessarily technological innovations (for example, KYC or access control). However, such measures as regulation (KYC) allow to consider the human and regulatory elements and ensure the reliability of stored funds.
Custody of digital currencies is a fairly mature area on the crypto market. However, it’s a matter of fact that custodial solutions will continue to evolve due to the expansion of brokerage services, lending and derivatives market as well as emerging of sophisticated fraud schemes. At the same time, without the custody, these services might not even exist.
The ability to protect the ownership of our digital assets will continue to be one of the most crucial topics in the crypto industry. Reliable custody must be inherently correlated with digital security, policy enforcement, and meeting customer needs with the right tools and services.
Crypto Industry Regulatory Risks. 2022 Rating by Country
Scalable Solutions and Coinfirm Partner to Ensure Secure Trading Globally
- “Crypto Custody: The Gateway to institutional adoption”. BlockData, January 2022
- “The 2022 Crypto Crime Report”. Chainalysis, February 2022
- Groves, K. “Cryptocurrency Exchange Hacks (Updated 2022 List)”. HedgewithCrypto. Access Date: February 24, 2022
- Kartsev, A. “Largest Crypto Hacks in History: Have Exchanges Learned Anything From Their Mistakes?” CoinMarketCap. Access Date: February 24, 2022
- Reyers, K. “Institutional Custody for Digital Assets”. The Block Research, September 12, 2021
- Spector, B. “What is Multi-Party Computation (MPC)?” Qredo, July 02, 2021
- Harper, C. “Multisignature Wallets Can Keep Your Coins Safer (If You Use Them Right)”. CoinDesk, September 14, 2021
- “Cryptocurrency Transactions: Multi-Signature Arrangements Explained”. Freeman Law. Access Date: February 24, 2022
- Wiener, F. “Secure Multiparty Computation (MPC) for Digital Asset Custody Wallets”. Sepior, February 09, 2021
- Jaerv, G. “MPC or HSM: Who Would Win?”. First Digital, August 7, 2020
- Kenton, W. “Two-Factor Authentication (2FA)”. Investopedia, Access Date: March 08, 2022
- Chen, J. “Know Your Client (KYC)”. Investopedia, Access Date: March 08, 2022