In 2019 alone, there were 12 cryptocurrency hacks with $292 million and 500,000 pieces of customer data stolen
Bitcoin was first introduced to the world in 2009 when Satoshi Nakamoto, Bitcoin’s pseudonymous creator, mined the first block. Fast forward to 2020, and cryptocurrencies and blockchains are popular only within a specific, tech-savvy niche market, and have failed to become mainstream.
12 years is a long time in technology. To compare, the iPhone was introduced in 2007 and has since revolutionized cellular technology. Cryptocurrencies, on the other hand, have not even reached halfway in a little under the same time frame.
While there are several reasons behind cryptocurrency’s trailing popularity, like the lack of crypto literacy, or the unregulated market, one of the main factors keeping adoption at bay is the risk associated with digital tokens – which comes not only from their volatility, but the threat of theft.
While Bitcoin wallets have become more sophisticated to deal with hackers, hackers have also become more savvy and unrelenting in their attacks.
Below is a list of cryptocurrency hacks and heists that left a mark on the ecosystem.
1. Allinvain – The First Hack
Back in 2011, the crypto market was still in its nascent stage and Bitcoin was popular only among a handful of enthusiasts. On June 13, 2011, ‘allinvain,’ a member of the world’s first Bitcoin mining pool called Slush Pool, posted a message on BitcoinTalk forum marking the first massive crypto heist in history.
According to the forum post, the attackers gained control of the user’s local Windows computer, after hacking into the user’s Slush Pool account, and stole 25,000 BTC.
The thief sent the stolen coins to Mt. Gox, a Tokyo-based cryptocurrency exchange that went bankrupt in 2014 due to another long-undetected cryptocurrency theft, to liquidate his loot, although the transactions could not be tracked for long since the only block explorer available at the time kept crashing, according to Bitcoin.com.
Even at that time, the 25,000 Bitcoins were worth a small fortune of $480,000, while today, their value stands at an astonishing $279 million (approximately).
2. Mt. Gox – The Largest Bitcoin Heist
Founded in 2010 by U.S. programmer Jed McCaleb, Mt. Gox controlled nearly 70% of all Bitcoin transactions at its peak in 2013 and 2014 before going bankrupt. The exchange suffered its first attack in March 2011, when 80,000 Bitcoins were stolen while the then 8-month-old exchange was undergoing an ownership change.
According to a recent report by Bitcoin.com, Australian computer scientist Craig Wright, who has publicly claimed to be Satoshi Nakamoto previously but failed to convince the crypto community, claims to own the address containing the 80,000 Bitcoins stolen from Mt. Gox in the first attack.
McCaleb sold the exchange to French Bitcoin enthusiast Mark Karpeles, and was entitled to a share of revenue and retained administrator controls to audit earnings.
This paved the way for the second attack on June 19, 2011 when McCaleb’s admin account was hacked and used to artificially drop the price of Bitcoin from $17 to a cent, which led to about 2000 bitcoins being bought and transferred out of the exchange before the attack was noticed and resolved.
The most significant attack, however, was the one that took place across years, between 2011 and 2014, which resulted in the loss of 744,408 customer-owned and 100,000 Mt. Gox-owned bitcoins, along with $27 million cash from Mt. Gox, making it the largest crypto heist in history.
According to Blockonomi, the June attack could have led to the theft of the Mt. Gox private key when the hackers may have gained access to the exchange’s unencrypted wallet.dat file. With the help of the file, the hackers were able to gradually siphon off Bitcoins without being detected, since Mt. Gox’s systems interpreted it as deposits being moved to safer addresses.
A month after declaring bankruptcy, the exchange announced that it had found 200,000 Bitcoins in old-format digital wallets that had been used by the exchange under McCaleb’s tenure. Karpeles is embroiled in an active lawsuit even today, as Mt. Gox customers are still awaiting compensation.
The stolen coins were worth nearly half a million dollars when the theft came to light in February of 2014, while the value of the nearly 650,000 missing coins is more than $7.5 billion today.
The eponymous name Mt. Gox stood for ‘Magic: The Gathering Online eXchange,’ named after the popular online card game.
In the aftermath of the fiasco, the incident inspired a new word, ‘goxxed,’ which is now commonly used in the crypto community and is loosely defined as, ‘Waking up and realizing your financial speculation just went south…and you should have known better,’ according to the Urban Dictionary.
3. Bitfinex Hack
On August 2, 2016, Hong Kong-based cryptocurrency exchange Bitfinex reported a security breach in which 119,756 Bitcoins, worth $72 million at the time, were stolen. At present rates, the value of the digital heist is well over $1.3 billion.
Prior to the attack, Bitfinex and digital assets wallet Bitgo created a multi-signature wallet system, whereby Bitfinex held two of the keys (including one offline) and Bitgo used the third to co-sign transactions.
Therefore, Bitgo had to have signed off on the transactions for the Bitcoins to be moved, although it later reported that no signs of breach were discovered on its server during its internal investigations. Affected customers were irate about the lack of countermeasures for transactions of such size.
To soften the blow, Bitfinex spread the losses across all customer accounts, which resulted in a generalized loss of about 36%. In addition, Bitfinex provided 1 BFX token for each dollar lost to the affected customers, which could be redeemed at the exchange or traded for shares in the parent company iFinex.
In 2018, Bitfinex reported that the U.S. government had managed to recover 27.66 Bitcoins, while the major chunk of the haul is still missing. The wallet to which the stolen coins were transferred by the hackers lay dormant for over two years until 172.54 Bitcoins were moved to an unknown address in June last year.
Over the last 14 months, however, hackers have only moved 1-2% of their total haul, indicating that the culprits may be having difficulty due to the new anti-money laundering regulations.
Within a few weeks after the first movement of the stolen coins, two brothers, Eli and Assaf Gigi, were arrested and found to have been at least partly responsible for the Bitfinex hack.
In its latest effort to recover the stolen coins, on August 4, 2020, Bitfinex announced a reward of up to $400 million (almost 30% of the current value of the loot) for the return of the stolen coins.
4. Coincheck Hack
On January 26, 2018, during the peak of the ICO frenzy, Japanese crypto exchange Coincheck became the target of an attack that resulted in the theft of customer deposits containing the relatively lesser-known cryptocurrency NEM, worth about $530 million in total at the time.
The exchange first restricted deposits and withdrawals of NEM, and later held a press conference that confirmed that the hackers had drained 500 million NEM tokens. This made the Coincheck attack the largest crypto heist in history, surpassing the Mt. Gox hack in 2011.
Later, the exchange revealed the flaws in its security system: it had stored all NEM tokens in a single hot wallet and had not used the NEM multi-signature contract recommended by developers. Most exchanges use a hybrid of hot and cold wallets, with the majority of assets stored in cold wallets for security.
Soon after the press conference, the exchange promised to reimburse its 260,000 users affected by the hack, while NEM developers tagged the stolen coins so that other exchanges did not accept them. Months later, Coincheck gave up its pursuit of the attackers and the recovery of stolen coins for unspecified reasons.
According to a TNW report, the hackers allegedly sent malicious files including Mokes and Netwire malware to Coincheck employees and gained remote access to infected systems. Coincheck employees unintentionally installed the viruses onto their systems, which provided remote access to hackers who manipulated the company’s security keys to carry out the theft.
The malware found on employee systems was linked to Russian hacker groups, although the North Korean hacker group Lazarus was thought to be responsible for the attack initially.
5. NiceHash Hack
NiceHash lets people use their extra GPU power to mine cryptocurrencies such as Bitcoin. On December 6, 2017, hackers with IP addresses outside Europe accessed the Slovenia-based startup’s computers and obtained a NiceHash engineer’s credentials. After doing so, they compromised the payment system and emptied the NiceHash Bitcoin wallet.
According to a report by Coindesk, the attackers stole 4,736.42 bitcoins worth about $62 million at the time, and about $54.87 million at current prices.
In October 2019, the former co-founder and CTO of NiceHash was arrested in Germany over U.S. charges that he was part of a hacking organization responsible for millions of dollars of theft.
6. The Dao Hack
Decentralized Autonomous Organization (DAO) refers to entities that operate through smart contracts on a blockchain network, removing the need for a governing authority.
The Decentralized Autonomous Organization, known as The Dao, was built to function as a venture capital firm for the crypto and decentralized technology space, and ran on the Ethereum network. During its ICO, The Dao managed to collect 12.7 million Ether, worth almost US$5 billion at current rates, making it the biggest crowdfund in history.
The unexpected success, however, could have contributed to the attack that occurred within weeks of The Dao’s launch. It had stored all the Ether at a single address, since the designers had not anticipated the success of its crowdfunding campaign.
On June 17, 2016, an attacker started exploiting a bug in The Dao’s code which allowed the culprit to “ask” the smart contract to give the Ether back multiple times before the smart contract updated its balance. By the next day, the thief was able to transfer 3.6 million Ether, worth about $70 million at the time, into a clone DAO with the same structure as The Dao.
To understand the bug in The Dao’s code, imagine you have $100 in your bank account and you visit an ATM to withdraw the amount. When you put in your card and enter your PIN and the amount you wish to withdraw, the ATM checks your account balance before it spits out the cash.
Once the cash is released, the ATM updates your account balance, so that if you tried to withdraw $100 again, the machine would refuse since the updated balance in your account would be zero. When you are done with all the transactions and take your card back, your session ends.
However, if the ATM did not update the new balance until the end of your session, it would be possible for you to withdraw $100 multiple times in a single session until the machine ran out of money or you decided to stop.
The same flaw existed in The Dao’s code: the smart contract updated the balance only after the Ether was sent out, since the coders did not anticipate the possibility of recursive calls.
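The ordering flaw described above, modelled in Python as an added example; it is not The Dao's own contract code, and the vault classes, account names and amounts are constructed for illustration. The first vault pays out before updating the balance, and the second applies the usual fix of updating the balance before sending.

```python
# Added illustration: a Python model of the "pay out, then update balance" flaw.
# Class, method and account names are hypothetical; this is not The Dao's code.

class VulnerableVault:
    """Sends funds first and updates the caller's balance afterwards."""
    def __init__(self):
        self.balances = {}
        self.reserve = 0            # total funds actually held

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserve < amount:
            return                  # nothing owed, or the vault is empty
        self.reserve -= amount      # funds leave the vault...
        receive(amount)             # ...and the recipient's code runs
        self.balances[who] = 0      # balance is updated too late


class FixedVault(VulnerableVault):
    """Checks-effects-interactions: update the balance, then send."""
    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserve < amount:
            return
        self.balances[who] = 0      # effect first
        self.reserve -= amount
        receive(amount)             # a nested call now sees a zero balance


def run_session(vault_cls, max_depth=10):
    """Constructed scenario: 'alice' deposits 900, 'caller' deposits 100 and
    calls withdraw() again from inside its receive callback.
    Returns (total paid to caller, funds left in the vault)."""
    vault = vault_cls()
    vault.deposit("alice", 900)
    vault.deposit("caller", 100)
    received = []

    def receive(amount):
        received.append(amount)
        if len(received) < max_depth:
            vault.withdraw("caller", receive)   # recursive call

    vault.withdraw("caller", receive)
    return sum(received), vault.reserve
```

With the vulnerable ordering, the 100-unit account is paid ten times and the vault is emptied, including the other depositor's funds; with the fixed ordering the nested call finds a zero balance and returns immediately.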
It is believed that the attacker stopped of their own accord when a fork was proposed, which could freeze the stolen assets through a small alteration in Ethereum’s code or invalidate the hacker’s transactions.
Things got interesting when the hacker posted an open letter to The Dao and the Ethereum community threatening legal action against any efforts to invalidate their work, although many pointed out that the letter could be fake since the cryptographic signature in the message was not valid.
In theory, smart contracts are their own arbiters, with the terms embedded in the code, and nothing outside the code can change the rules of the transaction.
A heated public debate ensued where people argued that a fork violated the basic tenets of blockchain technology, in which transactions, once validated, cannot be reversed.
If people can simply reverse transactions they didn’t mean to make, then the whole premise of decentralization and autonomy falls into pieces. Critics of The Dao’s handling of the incident argued that if the code is flawed, it is a risk that creators should own up to, instead of changing the code of the underlying blockchain to suit their needs.
Since the stolen assets were parked in a DAO that was similar to The Dao, the hacker had no access to the funds for 28 days—the standard holding period before launch—and Ethereum was hard forked so that the stolen coins were returned to the original owner accounts. However, none of this could prevent The Dao’s eventual downfall in late 2016 when it was delisted from major exchanges like Poloniex and Kraken.
Hacks and digital heists constantly grab media headlines and sometimes are just as easily forgotten given the frequency of the attacks. Owing to the relatively small size of the cryptocurrency market, which is projected to reach $1.40 billion by 2024, every small hack impacts volatile cryptocurrency prices and shakes the confidence of the crypto community.
As more and more entities work toward making cryptocurrency trading secure, perpetrators are constantly on the lookout for loopholes to manipulate the system and carry out digital heists, although cashing them in is often a problem.
Until hacks and digital heists are brought down to manageable levels, people will continue to be wary of trading in the cryptocurrency market and blockchain cannot deliver on its promise of being a secure and trustless platform.