Why holding crypto on exchanges is a bad idea

This April, cryptocurrency exchange Hotbit got hacked. Consequently, the platform has shut down, stating that it needs to perform a “comprehensive inspection”. Everyone who had stored their digital assets on Hotbit could not access the funds or even close their trading positions. In the blink of an eye, thousands of people became potential victims of yet another crypto exchange hack. There have been many such incidents in the past, with losses exceeding billions of dollars if calculated at the current Bitcoin exchange rate.

What happened to Hotbit?

Since hackers managed to gain access to customers’ personal data, the exchange warned that email addresses, phone numbers and registration information could be made public, while passwords and 2FA combinations could also be at risk of getting leaked. The platform pledges to reimburse potential losses on open leveraged trading positions and promises to close all open trades as maintenance goes on.

Some time after the announcement, a number of transactions were made from Hotbit wallets. The exchange stated these were transfers to their new cold wallet and users’ crypto “remains safe”. For example, below are two transactions from Hotbit’s wallet to 0x2AcDb44596E2b6FFBBF62614C9aaD9CD04980248 of 30 and 760 ETH. The transfer of funds caused bewilderment and concern among users; many of them began to speculate that there was, in fact, no hacking, and the exchange is just robbing the customers.

However, Hotbit’s Twitter account is still posting platform maintenance updates. Here’s the latest post from their official Twitter account:

Hotbit users have a reason to be worried — in the last few weeks alone two major Turkish crypto exchanges have been at the center of a major fraud scandal. We would like to take a closer look at the Vebitcoin and Thodex platforms.

What’s going on with crypto exchanges in Turkey?

Local news agency Anadolu Agency reported that the Financial Crimes Investigation Council (MASAK) began investigating Thodex CEO, Faruk Fatih Ozer, on Wednesday; on top of that, authorities froze the exchange’s bank accounts on Thursday. The agency reports that the Istanbul prosecutor’s office also asked the victims to reach the authorities and testify. A little later, police searched the exchange’s headquarters in Istanbul. Ozer left Turkey and flew to the Albanian capital, Tirana, on Wednesday. Below is a photo of him obtained by law enforcement from airport officials.

However, an announcement appeared on the homepage of Thodex, in which Ozer tried to dispel all related suspicions. Allegedly, the exchange’s technical department is investigating “abnormal fluctuations in accounts identified a week earlier, affecting about 30,000 users”. He said the platform remains closed as the investigation into the “incident” continues. Ozer adds that he went abroad as part of late negotiations with new foreign investors, rather than fleeing with the assets (he is now suspected of stealing more than $2 billion). He also said that the exchange expected to open withdrawals in the coming days. That hasn’t happened yet.

On his Twitter page, Ozer posted the following message, which was later deleted:

“If I had any intention of raising money and fleeing, I would have illegally withdrawn millions of dollars from our bank accounts. But the money is still there.”

Interestingly, a decision of the Turkish government preceded this delicate Thodex situation. Recall that on April 16, Turkey’s central bank announced a ban on cryptocurrency usage in domestic payments. The bank stated that the decision was made because the digital assets could “cause unrecoverable losses” among the population.

Almost simultaneously, another Turkish cryptocurrency exchange, Vebitcoin, ceased its operations. On Friday, April 23, the following message appeared on its homepage:

“Due to recent events in the cryptocurrency industry, our transaction activity has significantly exceeded our expectations. We would like to state with regret that this situation has forced us to make extremely difficult decisions. We have decided to cease our operations in order to meet all the requirements [of regulators].”

Financial regulator MASAK has blocked Vebitcoin’s bank accounts and launched an investigation. To date, four people have been detained as part of the investigation, with another 62 suspects arrested in the Thodex case. Faruk Fatih Ozer, the CEO of Thodex, is still wanted.

Sad lessons from Mt. Gox

In 2014, there was an event that immediately received widespread publicity even outside the crypto industry: Mt. Gox was hacked and the attackers managed to steal 744,000 BTC; after some time, the trading platform ceased its operation for good. The losses at the time reached $460 million.

Although the high-profile events began to unfold only in February 2014, it later became clear that Mt. Gox had not been doing well since June 2011. At that time, the company fell victim to its first hacking attack, in which hackers gained access to the computer of Mt. Gox’s auditor and artificially dropped bitcoin’s price to 1 cent in order to then buy about 2,000 BTC.

Mt. Gox has since beefed up its security, but that was not enough to protect the exchange. An investigation after the 2014 incident revealed that the private key for the Mt. Gox wallet was unencrypted and stolen back in 2011. However, it is unclear whether it was obtained through hacking or with the help of an insider. Criminals utilized this private key to withdraw bitcoins from customer accounts over the next few years.

In fact, Mt. Gox lost its solvency two years before it shut down for good. While its potential debts to customers grew due to stolen funds, bitcoins continued trading on the platform as if nothing had happened — in 2013 it became the industry’s leading player and one of the most recognizable cryptocurrency-related brands.

Why didn’t anyone know about what was happening? Many former Mt. Gox employees later cited mismanagement and disorganization within the company. An anonymous developer reported that the company didn’t even use version control, a standard tool that keeps colleagues from accidentally overwriting each other’s work when they edit the same file. Another problem was that the only person who could approve changes to the platform’s source code was Mark Karpeles himself. This meant that even important security updates and bug fixes could take weeks to get approved.

In addition to the technical problems, the first challenges to Mt. Gox’s existence as a legitimate firm began to emerge in 2013. That May, a former Coinlab business partner sued Mt. Gox, claiming a breach of their contract. On top of that, Mt. Gox was under investigation by the U.S. Department of the Interior for allegations that the exchange was operating without a license in the United States. At the end of the day, the U.S. government seized more than $5 million from the company.

The litigation over the missing funds from Mt. Gox continues to this day. One of the latest developments is the approval of a new civil rehabilitation plan for the bankrupt company, announced in February this year by the exchange’s trustee Nobuaki Kobayashi. However, many Mt. Gox creditors and traders are still seeking the compensation they were promised, with court cases dragging on for years.

WEX and the Russian crypto exchange hack

BTC-e’s daily trading volumes grew from $600,000 to $66 million between 2013 and 2017. However, on July 25, 2017, BTC-e stopped all operations and announced “unscheduled maintenance”. The exchange has never come back online since.

At about the same time, a 38-year-old Russian citizen, Alexander Vinnik, was arrested in Greece and accused of laundering $4 billion through the BTC-e platform. The U.S. authorities and the FBI seized the operations of BTC-e, confiscated the domain, and fined the company $110 million. Vinnik was identified as one of the owners and administrators of the trading platform. A few months later, the organizers tried to relaunch BTC-e, but it was only by September that a “new version” of BTC-e appeared. The exchange was rebranded to WEX and moved to the wex.nz domain.

The name was not the only thing that changed: new owners came in as well. The new management (Vinnik’s former partner Alexander Bilyuchenko and one of BTC-e’s major clients, Dmitry Vasilyev) took over the digital assets, user database and all relevant information. WEX pledged to repay the previously lost funds in fiat and cryptocurrencies, though only 62 percent of the funds were returned, out of the reserve fund that the FBI never seized. The remaining 38 percent was to be repaid by issuing an internal WEX token, which the exchange would then gradually buy back from users.

However, in 2018 history repeated itself: WEX froze funds, and sometime later, reports emerged that more than $450 million had “escaped” from the cryptocurrency platform. This was the final chapter in the history of BTC-e, although many clients have not yet seen (and are unlikely to see) their compensation.

Conclusion

To avoid becoming another victim of a new hacker attack or fraudulent scheme, avoid keeping a significant part of your savings on an exchange. Deposit only those funds that you are willing to lose. We strongly recommend using a cold wallet, completely isolated from the Internet, to store cryptocurrencies long-term. And remember, from the moment coins are transferred to the exchange, they are actually at the company’s disposal and you have no fundamental control over the funds.
