The recent hack of crypto exchange, Cryptopia has brought into focus one of the main challenges in bitcoin and cryptocurrencies world: crypto exchange hacking. In the case of Cryptopia, the exchange announced on Twitter on January 15th that it had registered significant losses following the security breach and authorities had been alerted.
It was estimated that the New Zealand based exchange had experienced losses of up to NZ$3 million. Thieves of the stolen tokens were trying to transfer the funds to other exchanges but some were detected. Binance CEO announced on Twitter that hackers had tried to send the funds to Binance but it was detected and were able to freeze some of the funds from cryptopia hackers. This was one of the first reported exchange hacks in 2019, continuing the trend of security breaches on crypto exchanges. Recently, other exchanges such as Poloniex and Debrit have also announced halting of trading for a short while in order to fix some vulnerabilities.
Over the last 10 years, there has been more than a dozen hacks on crypto exchanges leading to loss of millions. Most of these hacks have happened on centralized exchanges. centralized exchanges have more vulnerabilities than decentralized exchanges. however, people still prefer them because of convenience they offer.
‘If you do not own your private keys, you do not own the coins’ so the saying goes.
One of the reasons centralized exchanges are prone to hacking is because they store the users private keys. If and when hackers get access to private keys, they can easily transfer the funds. That is why one of the main security features that has been highly publicized in the crypto community is not have a lot of funds in a crypto exchange.
Here are some of the major crypto exchange hacks:
Not many are aware of this but Bitcoin could have died an early death in August 2010 when an unknown hacker detected a loophole in code that allowed him/her/they to create 184.467 billion bitcoins out of thin air. The hack that came to be known as Value overflow incident .
Luckily the problem was detected early by the bitcointalk community and Satoshi was able to create a new chain. This was basically a hard fork, Satoshi created a new chain to counter the fraudulent one. Miners were urged not to mine the bad one and within a few hours the good chain became the dominant chain. Future printing of unlimited bitcoins was also rectified and it has not happened again ever since and the updated bitcoin version 0.3.1 created is the one we use to this day. Such a hack would be almost impossible today due to growth of bitcoin network and a hacker would require an incredible amount of computing power and resources to execute. A hacker would require to reverse all transactions since 2009. All the hacks i describe below are not of bitcoin itself but the exchanges.
This is the earliest and one of the most famous bitcoin exchange hacks that took place. Mt. Gox was a Japanese based crypto exchange that was hacked not once but twice. Started in 2010, it had its first hack in June 2011 leading to a loss of 2609 bitcoins but it was able to survive. Later in 2014, it was hacked again losing 850,000 bitcoins valued at $450 million at the time enough to sink it as it declared bankruptcy. During the period 2013 and 2014 leading upto the collapse, it was the largest exchange handling over 70% of all bitcoin transactions at the time. Investors lost their money.
Hackers were able to detect vulnerabilities as a result of unencrypted private keys that were stored online. 24,000 bitcoins were stolen but it was able to refund the money to investors.
Due to a vulnerability in the code that handles withdrawals, Hackers were able to exploit it and get away with 12.3% of BTC at the exchange at the time which was about 97 BTC. In an announcement on bitcointalk, it was explained that Poloniex had not properly audited its withdrawal processes that enables hackers to place several withdrawal requests at the same instant. The system was setup to process request simultaneously instead of sequentially which would have allowed queuing of every request.
However, the users were able to get refunds and the exchange continued operating.
This crypto exchange was hacked in January 2015 leading to a loss of 19,000 bitcoins worth $5 million at the time. This led to suspension of services from the crypto exchange as users were advised to stop trading on the exchange. Investors were not refunded but the exchange continues to operate today amid assurances that it had tightened its security features.
Bitfinex has had several hacks that led to loss of funds. In 2015, 1500 bitcoins were stolen. Later, 120,000 BTC worth $72 million was stolen by hackers from this crypto exchange in August 2016. Based in Hong Kong, hackers were able to gain control of the multi-signature system through a bug that enabled approval and withdrawal of coins from hot wallet. Various measures were instituted by the founders such as distribution of the losses among users and compensation of the losses through its native token BFX and it was able to maneuver the hack and continues to operate to this day.
The DAO: 2016
Decentralized Autonomous Organization (DAO) was created by Ethereum that worked as an organization without a central command. The DAO was like a venture capital firm that allowed users to invest and then vote which projects to fund. In June 2016 a hacker detected a loophole that allowed creation of ‘Child DAO’ that enabled creation of unlimited withdrawal requests to the same DAO tokens leading to a loss of $50 million. The end result was a soft fork that led to creation of Ethereum Classic.
This Slovenian-based mining marketplace lost about $70 million in bitcoins. However, the matter was handled well with the announcement that old balances being restored in early 2018.
The Japanese based crypto exchange lost 523 million NEM in January 2018.
Hacking attacks caused losses of $170 million NANO (XRB) from Bitgrail on Feb 13 2018. A bug was responsible for the attack and discussions started in the community as to who was responsible for the bug. Failure to resolve resulted to police involvement leading to confiscation of all the Bitgril cryptocurrency in order to refund the affected users. transactions on the exchange were halted on May 2018.
$41 million in 11 cryptocurrencies was lost after the attack on the crypto exchange on June 2018. Trading resumed a month later in July with compensation plans being announced for all those who lost funds.
This exchange has experienced 2 hacks. The first was in 2017 that involved access to personal data of 30,0000 users. The second attack was in June leading to loss of $30 million. At the time of the hack, the amount constituted about 10% of all the exchange trade volume. The exchange has since said that it had upgraded its security features.
Bancor decentralized exchange was hacked on July 2018 leading to a loss of $23 million mostly in its own Bancor token as well as Ehereum. Up until then decentralized exchanges were seen as better alternative to centralized exchanges. Its stolen tokens were immediately frozen and this action resulted to criticism from the crypto community. Firstly its because Bancor is decentralized and if it could freeze tokens at will, there were concerns about its censorship policy and whether it was decentralized enough.
from the above analysis, the main reasons for breaches are:
- storage of data in an unencrypted way
- having large sums of money in an online hot wallet (exchange) instead of cold storage (offline).
- lack of constant audit of an exchange features.
Decentralized exchanges have been fronted as the future of digital assets exchange because they are able to mitigate some of security flaws of centralized exchanges. The peer-to-peer nature of such exchanges makes it hard to hack. Furthermore, on decentralized exchanges such as IDEX, CCN explains that users have non custodial wallets such as Trezor that they use to trade crypto thereby ensuring users have complete control over their assets at all times. However, the adoption is still low and centralized exchanges have better user features.
READ MORE: Overview of Decentralized exchanges.
All in all, Reuters estimates that about 980,000 bitcoins have been stolen from exchanges since 2011. In today’s value, that’s about $3 billion and about $19 billion at bitcoin’s peak price level . It is inevitable that more security features will continue to be sought in future.