Major Cryptoexchange Hacks

3Commas Blog
Apr 16, 2020

According to TheBlock (a prominent research, analysis, and news source in the crypto industry), 42 cryptocurrency exchanges have been compromised since 2012, and this does not include platforms with low trading volume. The total amount of stolen funds exceeded $1.35 billion. Obviously, exchanges are not the only ones who suffer from the losses. Users end up being victims of the hacks as well. Exchange hacks tend to be followed by a severe drop in the value of the stolen assets as the thieves sell off and launder the stolen funds.

In this article, we will analyze the most significant exchange hacks. We will find out how users reduced their losses in the past and follow their example to minimize our losses.

Mt. Gox

Date of hack: June 2011, February 2014

Asset stolen: BTC

Amount: $450 million

Market response: BTC fell 30%

Mt. Gox was the largest cryptocurrency exchange up until 2013. The first hack occurred in June 2011. Hackers managed to steal around 500,000 BTC through the previous exchange owner’s audit account. Jed McCaleb kept access to his account after the sale of Mt. Gox to Mark Karpelès. Jed needed audit access to monitor his interests, as he was entitled to a portion of the Mt. Gox profit for six months after the sale. Unfortunately for Mt. Gox, this was not the last hack of the exchange.

Mt. Gox was finally closed in February 2014 after a loss of 850,000 BTC from user wallets. Attackers used a loophole in one of the protocols that allowed them to change transaction identifiers and thus repeatedly sell the same asset. As the investigation later found, hacking did take place. However, only 2,000 BTC was stolen, which equated to a small part of the total losses. In March 2014, 200,000 BTC were discovered in a separate fund managed by a client trustee, a Japanese lawyer named Nobuaki Kobayashi. The location of the rest of the assets could not be established, and 650,000 BTC went missing. In the summer of 2018, a process called “Civil Rehabilitation” was launched, in which a trust fund was required to sell 35,841 BTC and 34,008 BCH to pay the affected customers.
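Why a changeable transaction identifier matters for withdrawal bookkeeping, as an added example that is not from the original article: in this toy model (not Bitcoin's real serialization; every name and value is constructed), a ledger keyed on the transaction id loses track of a payment whose signature bytes were re-encoded, while a ledger keyed on inputs and outputs still matches it.

```python
import hashlib

def dsha(data):
    """Double SHA-256, hex-encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def serialize(tx, with_sigs=True):
    """Toy serialization for illustration, not Bitcoin's wire format."""
    parts = []
    for prev_id, index, sig in tx["inputs"]:
        sig_hex = sig.hex() if with_sigs else ""
        parts.append(f"in:{prev_id}:{index}:{sig_hex}")
    for address, amount in tx["outputs"]:
        parts.append(f"out:{address}:{amount}")
    return "|".join(parts).encode()

def txid(tx):
    """Identifier over the whole transaction, signature bytes included."""
    return dsha(serialize(tx))

def normalized_id(tx):
    """Identifier over what the payment does: inputs spent, outputs paid."""
    return dsha(serialize(tx, with_sigs=False))

def unconfirmed(pending, chain, key):
    """Withdrawal ids whose transaction is not found on chain under `key`."""
    seen = {key(tx) for tx in chain}
    return [wid for wid, tx in pending.items() if key(tx) not in seen]

# Constructed data. Model assumption: the signature bytes feed the txid but
# are not themselves signed, so a re-encoded signature still validates.
ORIGINAL = {"inputs": [("prev-tx-aa", 0, bytes.fromhex("3044aabb"))],
            "outputs": [("customer-address", 5_000_000)]}
MUTATED = {"inputs": [("prev-tx-aa", 0, bytes.fromhex("304500aabb"))],
           "outputs": [("customer-address", 5_000_000)]}
PENDING = {"w-1001": ORIGINAL}   # what the exchange broadcast
CHAIN = [MUTATED]                # what was actually confirmed

if __name__ == "__main__":
    print("by txid:", unconfirmed(PENDING, CHAIN, txid))
    print("by normalized id:", unconfirmed(PENDING, CHAIN, normalized_id))
```

Keyed on the txid, withdrawal w-1001 looks unpaid even though the customer's address received the funds; keyed on the normalized id, it reconciles and is not sent a second time.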

Bitfinex

Date of hack: August 2016

Asset stolen: BTC

Amount: $65 million

Market response: BTC fell 18%

The second-largest hack occurred in August 2016. The amount of stolen funds equaled 120,000 BTC or $72 million at the time of the hacking. This time, hackers managed to take advantage of a security vulnerability. In the case of Bitfinex, three keys were required to confirm a transaction: two were stored at the exchange itself, and the third was kept with a third party called BitGo, whose specialty was blockchain platform security. BitGo was meant to verify all outgoing Bitfinex transactions. This way, Bitfinex could reduce the amount of funds kept in cold storage, simplifying the process of handling requests. Hackers were able to trick the BitGo algorithms into writing off the funds. It is still unclear how they managed to do so, as BitGo officially announced that their servers were not attacked.

As compensation to the affected users, Bitfinex issued tokens that were converted into dollars according to a payout schedule. All the funds were returned to the investors, and Bitfinex continues operating and is one of the best-known exchanges today.

Bithumb

Date of hack: July 2017, June 2018, March 2019

Assets stolen: BTC, ETH, XRP, and others

Amount: $65 million

In the summer of 2017, the South Korean exchange Bithumb stated that attackers had gained access to the identities of the trading platform's users. Data of 31 thousand customers was compromised and ended up in the hands of hackers. To make matters worse, the hack only came to light in the summer of 2017, 6 months after the attack had occurred in February. In addition to data, $7 million worth of ETH had been stolen as well. The South Korean National Intelligence Agency blamed North Korean hackers for the incident, but the story did not develop further.

Six months later, on June 20, 2018, the exchange was attacked once again. This time, users of the trading platform lost about $32 million in XRP.

The latest hack took place at the end of March 2019. A message appeared on the Bithumb website stating that on March 29 at 22:15, “the monitoring system detected abnormal activity,” after which the deposit and withdrawal functions were disabled and all assets were moved to cold wallets. The exchange management did not disclose the amount of stolen funds; however, according to insider information, hackers managed to steal 3 million EOS (approximately $13.4 million at the time of hacking) and 20 million XRP (about $6 million).

Bithumb was able to utilize its reserves and reimburse half of the stolen funds but was forced to disable deposits and withdrawals of funds for several months.

Subsequently, the exchange announced that its system was undergoing radical changes to prevent further attacks, including a strict separation of customer assets.

Binance

Date of hack: May 2019

Assets stolen: BTC

Amount: $40 million

Market response: BTC fell 1%, yet grew 20% over the next week.

Binance prides itself on being the largest and one of the most reliable crypto exchanges in the world. However, in May 2019, the exchange was hacked. More than 7,000 BTC was stolen from its accounts. Considering the exchange rate at the time of the attack, the value of the stolen funds equaled approximately $40 million.

Attackers had been carrying out a series of phishing attacks for two months, replacing Binance domains with fake ones using Punycode, a method of converting domain names into a sequence of ASCII characters. In this way, they collected the account data of a large number of users.
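A defensive check for the Punycode trick described above, as an added example that is not part of the original article: it decodes each `xn--` label of a hostname back to Unicode and flags names that fold to a protected brand. The watch list, the small lookalike map and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: names this checker protects (hypothetical watch list).
PROTECTED = {"binance"}

# Constructed, deliberately small map of lookalike characters to ASCII.
# A production checker would load the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",  # Cyrillic
    "\u0441": "c", "\u0455": "s", "\u0131": "i",  # Cyrillic c, s; dotless i
}

def to_alabel(text):
    """Encode one Unicode label the way it appears in DNS (xn-- form)."""
    return "xn--" + text.encode("punycode").decode("ascii")

def decode_label(label):
    """Return the Unicode form of one DNS label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(text):
    """Fold a label to plain ASCII where a lookalike mapping is known."""
    folded = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if not unicodedata.combining(ch):  # drop accents and dots
            folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded)

def check_domain(domain):
    """Return 'ok', 'idn', 'lookalike' or 'invalid' for a hostname."""
    verdict = "ok"
    for label in domain.rstrip(".").split("."):
        try:
            uni = decode_label(label)
        except UnicodeError:
            return "invalid"
        if uni.isascii():
            continue
        verdict = "idn"  # non-ASCII label: worth showing in decoded form
        if skeleton(uni) in PROTECTED:
            return "lookalike"
    return verdict

# Constructed sample hostnames, not taken from the incident.
SAMPLES = ["www.binance.com", to_alabel("bin\u1ea1nce") + ".com",
           to_alabel("b\u00fccher") + ".example"]
if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", check_domain(host))
```

The same function works on link targets extracted from e-mail or on proxy logs; an `idn` verdict is not malicious by itself, it only marks a name that should be displayed in decoded form before anyone trusts it.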

The hackers did not touch the funds on the compromised accounts but created API keys, which were used on March 7 to purchase VIA/BTC.

Binance announced that the #SAFU fund would be used to cover losses fully, and initiated an audit of the existing security system.

This hack set off a wave of conspiracy theories; the most notable were that Binance needed to launder a large amount of money or aimed to manipulate the crypto markets. There is also an opinion that they tried to transfer money to save the Bitfinex crypto exchange, as they hold large reserves of Tether (USDT), with which Bitfinex has strong ties.

Lessons learned

Hackers are becoming more inventive. In 2013 they simply stole BTC from exchanges and transferred them to their own addresses using a mixer. Now they prefer to create API keys and trade with them, covering their tracks by laundering funds into another, less-traceable asset on the same exchange and then withdrawing the funds. Entire hacker groups specializing in cryptocurrency theft have emerged. This may lead us to a few conclusions:

  1. The funds kept on the exchange do not belong to you. You should not store all your coins on one exchange because if it gets hacked, you can lose everything. It is reasonable to distribute assets between several exchanges, or to send funds to an exchange only to perform the necessary operation and withdraw them back to your wallet when you are done.
  2. Reputation. Large exchanges often have an insurance fund, which can be used to compensate the customers for losses in case of hacking.
  3. Use two-factor authentication and a unique username/password pair for each account. Pay close attention to which site you visit, occasionally check your mail for suspicious emails, and never click on emailed links to exchange log-in pages; go directly to the exchange website by typing the name into your browser address bar.
