Cryptocurrency exchanges lost nearly $170 million in 2019 and they’re still vulnerable
There are few images as gripping as that of Kolin Burges holding up the placard reading “Mt. Gox, Where Is Our Money,” in the midst of the collapse of the largest Bitcoin exchange in the world. This image of the beanie-headed Londoner on the streets of Tokyo defined the state of cryptocurrency exchanges for much of the past decade.
While some argue that the situation of exchange hacks and security breaches have improved, the cases of Gerald Cotten’s mysterious death and Lei Guorong’s disappearance points to the contrary. While QuadrigaCX and IDAX pose Hollywood-esque scripts, the larger issue surrounding them is a recurring problem within the cryptocurrency industry.
Over and Over again
It wasn’t just the small-fry exchanges that saw its funds siphoned away, even the big-fish were caught unaware. From DragonEx to Binance, over 10 exchanges were hacked in 2019 alone, with the total coins lost amounting to $170 million, according to Bobby Ong, co-founder of the crypto analytics website CoinGecko.
While exchanges are stepping up their game in terms of providing security measures, each hack is a testament to the hacker keeping up. The reward, especially in the liquid world of cryptocurrencies is too high. Some hacks originate from the core of the exchange, building a ‘fraud,’ from day one, while others are simply a victim of a cyber-criminal. Some perpetrators have been caught, while others have surgically distributed their funds to avoid detection. Regardless, hacks are rampant, and exchanges are insufficient in securing themselves.
The year began with the biggest Canadian exchange, QuadrigaCX, mourning the death of its founder Gerald Cotten, who, as it turned out, died with sole-knowledge of the exchange’s private keys. The long and arduous court rulings that followed saw Ernst & Young, the court-appointed bankruptcy trustee divulge some interesting details. Cotten, using competitor exchanges sent customer’s funds to his personal accounts, rather than the exchange’s hot and cold wallets. The mastermind Cotten, together with his wife, used the funds to acquire several “real and personal property” either personally, or via third-party corporations, including a “personal sailing vessel,” a “personal aircraft, “several luxury vehicles,” and gold and silver coins with a total value of $12 million. Right out of Hollywood.
From Canada, all the way to New Zealand. Cryptopia saw over $15 million in ETH stolen in not one but two hacks in January, with the exchange referring to the episode as a “security incident.” Few months later Grant Thornton was appointed as the liquidator. The most recent report, dated December 11, stated that $5.02 million has been recovered from third-party trust accounts while fixed assets worth $202,534 have been sold, in addition to 344BTC valuing $4.42 million from “company wallet outside of known client funds.”
Coinmama, a cryptocurrency brokerage company saw a breach of security in mid-February with the target being information not crypto. Around 450,000 email addresses and passwords were leaked, with the hack involving 24 websites, according to an official statement. While no assets were leaked, some say the loss of information is worse, as BitMEX’s email goof-up attests to as well.
DragonEX, a Singapore based Bitcoin exchange was hacked on March 24 with the total loss amounting to $7 million. While no promise was made to reimburse users for the loss, the exchange did offer USDT and their native-token in compensation.
The second hack of March, saw the biggest fiat-to-crypto exchange and the biggest South Korean exchange outright, Bithumb fall victim to a $20 million hack of EOS and XRP, with a large swath of CT suspecting that it was an ‘inside job.’
Read the announcement from Bithumb, looks like an inside job.
— CZ Binance (@cz_binance) 30 March 2019
Another one for the dramatic-exchange hack of the year was CoinBene. In late-March, the Bitcoin exchange stated that funds had been on the move owing to “maintenance,” but reports from customers and traders suggested that over $100 million in several coins had been stolen by hackers. The exchange later issued a statement:
Somebody doubt CoinBene was attacked by hacker recently because our maintenance.
We CoinBene are so sorry that made everyone worried for this problem.
Truth is 👇 pic.twitter.com/2P8Ulwjj6C
— CoinBene Global (@CoinBene) 27 March 2019
While April was rather quiet owing to Bitcoin’s massive surge, May saw, without a doubt, the biggest hack of the year, not in terms of amount stolen, but in terms of victim-status. Binance, the biggest and most reputed exchange suffered a $40 million BTC hack, in what resulted in a heated-debate around re-organisation of the Bitcoin blockchain as much as it did about security. The exchange close-off deposit and withdrawal services for a week, while CZ responded that “Funds are SAFU.”
While June was entrenched in what came to be known as the Libra-induced Bitcoin high, a notable ‘exit scam,’ slipped under the radar. Bitsane, an Irish exchange with $7 million in daily volume mysteriously went offline in May, with users complaining of prior withdrawal difficulties. There is no exact estimate of the amount hacked, as users suggest exchange-holdings between $5,000 – $150,000.
Another exchange hacked in June was Bitrue. The Singapore based exchange saw over 9 million XRP and 2.5 million Cardano stolen from 90 users. Bitrue further stated that Huobi Global, Bittrex and the crypto-swap service ChangeNow assisted Bitrue in “freezing the affected funds.”
Bitpoint, a Japanese exchange was the victim of a $28 million hack affecting 50,000 users. The stolen coins were divided as 1,225 BTC, 11,169 ETH, 5,108 LTC, and 1,985 BCH, with the exchange’s parent company promising customer reimbursement.
Zaif, yet another Japanese exchange suffered a whopping $60 million hack on September 17. Over 6.5 billion JPY were stolen in Bitcoin, Bitcoin Cash and Mona Coin from the exchange’s hot wallets. Zaif further stated that of the $60 million stolen, around 32 percent or $19 million belonged to the exchange, while the rest were user’s funds.
To round off the year, Upbit, another member of the Big-4 South Korean exchanges saw a breach to its hot-wallet resulting in over $50 million in ETH stolen. The exchange followed up by suspending its withdrawal and deposits for two-weeks following the incident, with several reports suggesting that the stolen funds were on the move.
Straight out of the Quadriga playbook, another cryptocurrency exchange CEO decided to play catch-me-if-you-can. Lei Guorong, the CEO of little-known cryptocurrency exchange IDAX reportedly went missing in late-November as the exchange halted deposits and withdrawals. The company’s cold wallets which holds “almost all cryptocurrency balances,” according to the exchange, was also taken hostage by Guorong.
Band-aids for Broken-Limbs
While security breaches are a consistent problem within the cryptocurrency world, other key factors this year have resulted in an increase in breaches. In 2019, unlike the previous year, the price of major cryptocurrencies have been surging, with an added incentive, hackers are more likely to ply their trade. The market, for the most part, was not primed on a hodling nature, instead focusing on rapid trading, which works to the hackers’ advantage, by allowing swift breakdown and distribution of funds.
The case of hot-wallets versus cold-storage was also called into question during these breaches. Several exchanges keep their funds in a primary hot-wallet used for immediate reserves for crypto-to-crypto and fiat-to-crypto trading, while cold-wallets act as back up. A ‘simple practice,’ to ensure the safety of funds is to keep primary reserves in cold-wallets while only “day-to-day trading” should be done through hot-wallets, according to Taylor Monahan, CEO of MyCrypto, a side-tool to interact with the Ethereum blockchain.
Centralized and custodial services that store coins are also a flaw in the matrix. While unknowing breaches within the space are bad, they are third-party-driven, hence little can be done before-the-fact. However, cases of owner disappearance with funds simply should not be commonplace in the market. Looking at the brightside, Monahan was appreciative of exchange’s retrieving funds in a number incidents; she told AMBCrypto,
“The good news is that in more and more cases, when an exchange is hacked, the exchange is able to cover the losses and users aren’t affected.”
Some exchanges have been quite proactive in their aid-measurements, others simply lie in wait for an attack. CZ, following Binance’s $40 million hack, vowed to beef-up security and KYC measures to prevent a repeat. He stated that the exchange is working with “a dozen or so industry-leading security expert teams,” to prevent such incidents and to catch the perpetrators.
Zhao also added that other exchanges helped Binance to track the stolen Bitcoin. ‘Exchange coordination,’ was seen in a number of cases, and according to Ong, it is crucial, especially immediately following a hack,
“One thing that exchanges can improve on is to ensure greater coordination amongst exchanges to freeze stolen cryptocurrencies whenever hackers moves them to an exchange to launcher them. That way, stolen coins can be recovered.”
Preventive measures ensuring hackers are caught before infiltration are pertinent. OKEx’s head of operations, Andy Cheung told AMBCrypto that two main measures employed by his exchange are bug-bounty programs and the use of white-hat-hackers. These measure of ‘ethical hacking’ to reveal vulnerabilities are regularly employed by exchanges the world over to improve security, and exchanges reward these ‘trial hackers,’ handsomely.
Another important development that can go a long way in building the security-infrastructure required for exchanges is the use of multiparty-computation [MPC] based wallet technology, according to Michael Shaulov the CEO of Fireblocks. In this cryptographic system, different computers can engage in computation of their piece of data from a larger set, resulting in a specified result. Interacting nodes will hence, be unaware of the data-sets of others.
Cryptocurrency exchange Liquid, in August, shed light on its use of MPC to ensure wallet-security. Cold-wallet storage dependence dropped to a “90 percent threshold,” while enhancing withdrawals. Almost 90 percent of Bitcoin and XRP withdrawals and 75 percent of ETH withdrawals were processed in under 10 minutes. The exchange stated,
“MPC-based security allows Liquid to adopt a secure, scalable, distributed model of trust with no singular point of compromise, resolving the dilemma hot versus cold wallets and self-versus-managed custody.”
Since the root of several hacks is internal, “social engineering tactics,” must be given importance, Shaulov told AMBCrypto. This ties into an increase in an exchange’s operational-security, which can be used to deter manipulation of employees by creating effective controls. The prevention of “employee collusion,” within an exchange infrastructure is also pertinent in the cause of exchange security, he added.
While regulators will step-in at some point to either, forcefully or not, engage in the compliance processes, it is important for exchanges to take their own external measures to improve security. Effective partnerships in the realm of AML/KYC and risk-compliance is as important to “assess and monitor infrastructure while providing real-time security” concluded Shaulov.
Exchanges need to learn, sooner rather than later, you can’t put a band-aid on broken limbs.