Top 10 Most Disastrous Cryptocurrency Breaches in 2018
The compilation of the Top 10 notorious cryptocurrency exchange breaches and cryptocurrency thefts occurred in 2018 (so far).
The value of Bitcoin, the first and best-known cryptocurrency, surged from around $900 to just under $20,000 during the year 2017. Other cryptocurrencies also increased in value. Where money is, criminals follow.
A separate blog post will be published on Initial Coin Offering (ICO) security incidents, that accumulated over $400M losses already at the very beginning of 2018 according to Ernst & Young.
The greatest concentration of cryptocurrency is found in the cryptocurrency exchanges, where customers can trade cryptocurrency for conventional fiat money or other digital currencies. This has made them a prime target for cyber criminals. Here we list ten of the most notable cryptocurrency and cryptocurrency exchange heists of 2018.
10. Bee Token
When: January-February 2018.
What was lost: Over $1 million worth of the Ethereum cryptocurrency.
How: An old-fashioned phishing scam.
Bee Token is a shared housing startup which has made the blockchain integral to its business model. Operating somewhat like Airbnb to offer short-term accommodation, Bee Token uses the Ethereum cryptocurrency. Starting at the end of January, the Bee Token team held an ICO – an Initial Coin Offering – to help fund their venture; but the event was exploited as part of a phishing scam.
Targeting email addresses on Bee Token’s mailing list, the scam emailed false but official-looking requests for Ethereum, directing users to various wallet addresses. Bee Token quickly became aware of the issue and released prompt security alerts, but as is often the case with phishing scams, not everyone was successfully protected. BleepingComputer was able to identify a limited number of the scam wallets, which were found to hold over $1 million worth of Ethereum, and it is likely that the scam netted even more.
When: May 2018.
What was lost: $1.5 million worth of Ethereum and a sizable chunk of the team’s own token supply.
How: Compromised passwords allowing direct theft.
On May 22nd, the official Medium account for the Taylor crypto-trading assistant app released a blog post disclosing “a highly advanced and coordinated attack”. An unidentified attacker had managed to bypass the team’s security measures and steal their entire stock of Ethereum – just under 2,600 ETH, worth roughly $1.5 million.
A later update released by Taylor revealed that the cause of the attack was the attacker gaining access to one of their devices and compromising the team’s password management software. While this theft did not cause the development of the Taylor app to shut down, it did severely disrupt development. The team suspended, and later reissued their TAY cryptocurrency token, delaying its planned distribution.
8. Verge (Twice)
When: April and May 2018.
What was lost: $14,000 in XVG, then $1.7 million in XVG a month later.
How: Blockchain vulnerabilities allowing accelerated mining.
2018 was a very unfortunate year for open-source cryptocurrency Verge. In March, the official Twitter account was hijacked in an attempted – yet evidently thwarted – phishing campaign. Although this attack saw next to no success, Verge suffered two more attacks over the next two months.
In early April, a Bitcoin forum user noticed an ongoing attack on Verge’s blockchain. Overcoming the anti-mining security controls, an attacker was able to obtain 250,000 XVG, valued at approximately $14,000 at the time. Verge implemented extra security in response to this, but evidently not enough to stop another attack the very next month. The May attack eclipsed the previous one, using what appeared to the same or similar techniques. This time, 35 million XVG was stolen in just a few hours, the equivalent of around $1.7 million.
When: April 2018.
What was lost: 438 BTC – Valued at over $3 million at the time.
How: Suspected insider theft.
High-profile cryptocurrency exchanges are always attractive targets for hackers, and India’s Coinsecure is no exception. In April, the firm disclosed the loss of just over 348 bitcoins, lost during a BTG extraction. Coinsecure soon made plans to reimburse affected users in Indian Rupees.
Suspicion immediately fell on Coinsecure’s own Chief Security Officer, who had been performing the BTG extraction when the funds were lost. The CSO maintained that the tokens were lost due to an external attack. Founder and CEO Mohit Kalra retained suspicions, saying of the CSO “we feel that he is making a false story to divert our attention and he might have a role to play in this entire incident”. By September, the New Delhi Police were ready to file charges, and the result of the investigation is likely to influence cryptocurrency regulations in India.
When: July 2018.
What was lost: $23.5 million in multiple cryptocurrencies, though $10 million of that was recovered.
How: A compromised high-privilege wallet.
An exchange platform dealing in multiple cryptocurrencies, Bancor released a Twitter statement on July 9th announcing a large-scale theft. A wallet with smart contract privileges had been compromised, and used to withdraw Ethereum, Pundi X and Bancor’s own cryptocurrency to a total value of approximately $23.5 million. Bancor was able to freeze and then recover the $10 million worth of its own currency, but could not do the same for Ethereum or Pundi X.
The incident harmed Bancor’s image as a decentralized exchange, since the ability to freeze any type of cryptocurrency or extract funds to the detriment of other users are primarily associated with centralized systems. The Bancor network was taken offline to prevent further damage, but was back online by July 12th.
When: June 2018.
What was lost: $31.6 million of multiple cryptocurrencies, with $14 million recovered later.
How: A straightforward ‘hack’ of unknown origin.
The largest South Korean-based cryptocurrency exchange, and 6th largest worldwide, Bithumb reported a large-scale theft in the latter half of June this year. The losses amounted to roughly $31.6 million (35 billion won) in value, though the firm was able to recover about $14 million later. Bithumb released a breakdown of the stolen funds, which comprised 11 different cryptocurrencies. The highest value losses were in Ethereum, Ripple and Bitcoin.
Bithumb responded by transferring funds to a more secure cold wallet, promising to reimburse affected customers. Exchange services were temporarily shut down, and customers urged not to make any new deposits. How exactly the theft was carried out is either unknown or remains undisclosed. Bithumb had made database changes as part of a security update the prior week, but whether this had any connection to the theft is not known.
When: June 2018.
What was lost: 30% of Coinrail’s crypto assets, worth approximately $40 million.
How: A ‘cyber intrusion’, specifics unknown.
Though smaller than Bithumb, Coinrail suffered a larger theft of cryptocurrency earlier in June, just weeks prior to the Bithumb incident. An estimated total value of $40 million in various cryptocurrencies was stolen, including Pundi X, Aston X, Dent and Tron among others. Coinrail said it would move the 70% of its assets that remained uncompromised into cold storage while investigating the incident.
Coinrail was able to freeze two thirds of the compromised assets, but others were permanently lost. The Pundi X stolen in this attack was a notable example. The official Pundi X Medium account released a statement that the funds had already been offloaded on IDEX (another exchange offering real-time trading) before anyone could react.
When: September 2018.
What was lost: $60 million worth of user and company cryptocurrency, and ownership of Zaif itself.
How: Attackers gaining access through an employee’s compromised PC.
On September 19th, Japanese crypto exchange Zaif reported a hack that had begun on the 14th. By the time the attack could be shut down, the exchange had lost roughly $60 million (6.7 billion yen) worth of Bitcoin, Bitcoin Cash and Monacoin from their hot wallet. The Financial Services Agency (FSA), Japan’s financial watchdog, reacted harshly, issuing three business improvement orders to Zaif. They also criticized both the response to the incident and the lack of disclosure of the breach’s cause. Evidently, Zaif’s initial explanation amounted to “An employee’s PC was hacked”.
As a result of the hack, in order to reimburse its users, Zaif’s then-owners, Tech Bureau Corp. accepted a takeover by Fisco. While Fisco Cryptocurrency Exchange Inc. completed the takeover on November 22nd, that exchange and Zaif are still operating as separate services.
When: February 2018.
What was lost: $150-195 million in Nano tokens.
How: A possible flaw in either Nano’s protocol or BitGrail’s exchange software.
The hack of BitGrail early in 2018 is perhaps the most convoluted entry on our list. On February 8th, the Italian-based exchange announced that it had lost 17 million tokens of Nano, valued at $195 million. Other reports put this figure at 15 million Nano, or $150 million. The firm immediately requested that Nano alter its ledger to cover the losses, which was firmly refused.
This sparked a series of accusations thrown between the Nano team and BitGrail, with Nano’s response on their official Medium account saying, “We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time.”
Each party continued to maintain that the other was ultimately at fault for the theft. Nano placed the blame on Bitgrail’s software, while BitGrail founder Francesco Firano claimed that the fault was in Nano’s own protocol. There does not currently seem to be a final legal ruling, though Italian authorities have seized control of BitGrail’s Bitcoin assets. A separate court case cleared Nano of wrongdoing in regard to prompting a customer to purchase the cryptocurrency shortly before the breach.
When: January 2018
What was lost: $532 million in NEM tokens.
How: Storing customer funds in a ‘hot’ (externally connected) wallet, exploited by attackers.
2018’s earliest cryptocurrency hack is also its biggest, eclipsing any other entry on this list. January’s Coincheck hack is, to date, the largest ever theft of Bitcoin (or any cryptocurrency) in terms of value, with Coincheck losing 523 million NEM coins. This was valued at around 58 billion yen, or $532 million. The Coincheck hack broke the previous record of Mt. Gox, which had $460 million in Bitcoin stolen in 2014.
The exact method of the hack was not disclosed, but Coincheck claims it was perpetrated by external actors exploiting a security oversight. The extracted funds were stored in hot wallets, which are connected to external networks and more vulnerable to theft. Virtually all activity on the exchange was shut down in the wake of the theft, and it did not become active again until March. The company began compensating affected customers at the same time, with their operations under much heavier scrutiny from Japan’s FSA.
Since the heady cryptocurrency days at the beginning of 2018, cryptocurrency values have fallen. Bitcoin, for example, is down from just under $20,000 to the current (at the time of writing) value of approximately $4,000. The market is volatile. Cryptocurrency critics say it is because cryptocurrency is not a real currency, merely a medium for investment, and that all cryptocurrencies are fundamentally worth nothing. They see the cryptocurrency phenomenon coming to an end.
Adherents, however, still claim it is valid as both a currency and an investment – and the increase in value will return.
If the value continues to decline, there will come a point where criminals will look elsewhere. If it stays where it is, and even more so if it rises, cybercriminals will continue to attack cryptocurrency and especially cryptocurrency exchanges.
It is at this point worth mentioning that several major attacks have been linked to the Lazarus hacking group – which is generally considered to be tied to the North Korean government. The thefts are thought to be a way of bolstering the North Korean economy, which is suffering severely from international sanctions.
In short, cryptocurrency exchanges are not merely attacked by standard cyber criminals, but by nation-state actors as well.