Hacking the Exchange: In G-D We Trust

According to cryptocurrency research firm Chainalysis, losses of bitcoin, including stealing individuals' holdings through scams, malicious computer software known as ransomware and hacks, increased at least 30 times to US$95m ($129.5m) in 2016 from about US$3m in 2013.

Ramy Caspi

There's a lot of excitement about Bitcoin right now, with the value of the cryptocurrency having soared above $20,000 last year -- although it's not even half that currently. Many people have begun to wonder if they should be purchasing Bitcoins and getting involved in cryptocurrencies. Exchange markets like Binance managed to create an active community of over 6 million traders worldwide, dominating the scene in a matter of months. However, it is important to keep in mind that participating in the Bitcoin economy comes with big risks. Over the years, the cryptocurrency has been plagued by hacks, scams, and abusive practices. Users who don't take appropriate precautions can lose everything.

During the bitcoin frenzy at the end of December, Coinbase, one of the premier exchanges, halted trading briefly due to crushing volume as prices plunged. Many of Coinbase's competitors also have suffered growing pains as digital money grows ever more popular, overwhelming systems and encouraging formation of new exchanges that have yet to stand the test of time.

And then there are hacks. A cryptocurrency exchange in Japan, called Coincheck, is under government scrutiny after hackers stole $530 million from its users in January. According to cryptocurrency research firm Chainalysis, losses of bitcoin, including stealing individuals' holdings through scams, malicious computer software known as ransomware and hacks, increased at least 30 times to US$95m ($129.5m) in 2016 from at least US$3m in 2013.

Dr. Bora Ozkan, assistant professor of finance at Temple University's Fox School of Business and an expert in capital markets, said in an article published by CNBC that blockchain, the technology at the heart of bitcoin and similar currencies, is quite secure due to its decentralisation, but that an individual exchange's systems for storing customer records and funds may be less safe because centralisation on a few servers makes them easy hacking targets.

"If cryptocurrency exchanges can figure out an efficient and swift way to operate decentralised exchanges — let's say, like blockchain — they can operate more securely," Ozkan said.

While such systems are in the works, experts say investors should do their own due diligence for now.

"Investors should evaluate exchanges and the companies that run them as they would any other institution that they would trust to secure their money, such as banks," said Richard Hendrix, cryptocurrency analyst at Real Ventures, a Montreal-based venture capital firm involved in this market.

So, what is a Cryptocurrency exchange? A Cryptocurrency exchange is a business that allows customers to trade digital currencies for other assets, such as conventional fiat money, or different digital currencies. They can be market makers that typically take the bid/ask spreads as transaction commissions for their services or simply charge fees as a matching platform.

What is Blockchain? Blockchain is a distributed ledger system that maintains a continuously growing record of transactions, or blocks, where each block is linked to a previous block and cannot be altered or reversed once it is added to the chain, and which does not require a central administrator to guarantee the veracity of any transaction. It is essentially a technological solution to the issue of trust in a record or transaction. Blockchain is the underlying technology behind bitcoin, which is a digital token that allows one party to pay another anywhere in the world for goods and services, in some ways like cash. Just like a dollar bill, a bitcoin, once used, permanently passes to another person and cannot be reused or unilaterally withdrawn. With a dollar bill, this is because the bill physically passes to another party; with a bitcoin, this is because the transaction is etched in the public ledger and cannot be undone. Blockchain technology eliminates situations akin to receiving a blank check where there is no value in the underlying account or paying a seller for land that he does not own. Furthermore, because the transaction itself is secure, the cost of the transaction can be significantly lower when compared to traditional payment methods such as credit card payments, international remittances, or any situation where there is a third party guarantor.

What is a Cold or a Hot Wallet? The simplest way to describe the difference between a cold wallet and a hot one is this: hot wallets are connected to the internet while cold wallets are not. Most people who hold digital assets have both cold and hot wallets because they are designed for different purposes. Hot wallets are like checking accounts while cold wallets are similar to savings accounts. People who have digital assets keep a small amount of money in their hot wallets for purchasing stuff. They keep the vast majority of their digital coins in their cold wallet. And, since hot wallets are online, they can be accessed if servers are breached by hackers. As such, the majority of large-scale cryptocurrency exchanges in the industry only store a small portion of funds in hot wallets and the rest in cold wallets, securely kept offline and out of reach from hackers.

Ways to Hack?

You didn’t expect me to tell you how to hack an exchange. I am not a hacker, or a software specialist, but I took a look at the security report for Peatio, which was conducted by Sakurity, and they broke it down into the following stages:

  1. Hijacking the account.
  2. Bypassing 2 Factor Authentication
  3. Attacking the Admin

To understand the above three steps, please download the final report.

But the most obvious cause of a hack is poor security.

Poor Security

While a blockchain can be secure, the exchanges that list and trade the cryptocurrencies do not use the same technology, says Simon Choi, a director at anti-virus software company Hauri Inc.

South Korean exchanges reportedly have poor reviews for cyber security, and officials have said that the exchanges are not taking adequate precautions and as a result will face fines.

"If security on the exchanges is not secure, their currencies can be stolen," Choi said. "If the exchanges are to play their intermediary role, they should be as safe as banks and strengthen their security."

Below we have presented a short history of the cryptocurrency world's most significant scams and hacks.

Should You Feel Safe With Your Cryptocurrency?

Thieves and hackers have really made a killing off the growth of cryptocurrency. While some of these thefts have happened on storage wallets, studies indicate that 78 percent of them have happened on exchanges, with the largest theft being $534 million on the Coincheck exchange.

“Many expect more cyber attacks in the crypto space in the foreseeable future”, said Henri Arslanian, a fintech specialist at PwC.

“The pressure on crypto exchanges to continuously improve their security features may come from their retail and institutional clients who will expect the same level of security that they do from their traditional banks and brokers.”

Whether you have a bitcoin wallet or trade on major exchanges, it’s recommended that you take the necessary steps to protect your coins.

Notable Cryptocurrency Exchange Hacks

  • Bitfloor Exchange | September 2012 - Amount: $250,000 (24,000 BTC)

In September 2012 Bitfloor, a Bitcoin exchange, suffered an attack when hackers stole 24,000 bitcoin. Unfortunately Bitfloor didn't have any reserves, which left the exchange insolvent, and it eventually ceased to operate in April 2013.

  • Silk Road Exchange | October 2013 - Amount: $270,000,000 (171,955 BTC)

Although not a cryptocurrency exchange, but instead a marketplace that accepted cryptocurrency, Silk Road was nonetheless a place where people stored their money. When the FBI managed to track down the exchange's owner, they confiscated all of the BTC that was deposited on the website's account.

  • Picostocks Exchange | November 2013 - Amount: $3,500,000 (6000 BTC)

The Picostocks exchange was compromised when a cold wallet was hacked.

  • Inputs.io | November 2013 - Amount: $2,400,000 (4100 BTC)

A cold wallet was compromised in November 2013 which resulted in the theft of 4100 bitcoins.

  • MtGox Exchange | March 2014 - Amount: $473,000,000 (744,408 BTC)

It is no surprise that by far the biggest hack in the history of cryptocurrencies happened to Bitcoin in the days of its infancy. The world's most popular exchange, MtGox was first hacked in June 2011 causing the service to go offline for several days. A hacker was able to access the Mt. Gox auditor machine and use the stolen credentials to transfer thousands of Bitcoins. He used the exchange's software to sell Bitcoin for a nominal amount and a number of accounts containing approximately $8,750,000 were affected. Mt. Gox tried to prove ownership of the coins and moved 424,242 bitcoins from cold storage to a Mt. Gox address; this was executed in Block 132749. In October 2011, a number of transactions appeared in the block chain at Block 150951 that sent a total of 2,609 BTC to invalid addresses. These Bitcoin were lost, however, as no private key could be assigned to them. A second hack took place in February 2014 and caused the company to declare bankruptcy. After a period of complaints by users, Mt. Gox halted all withdrawals and closed its service after discovering a latent hack that had been ongoing for years. The hack had gone undetected by the Mt. Gox security team and as a result, the company lost 744,408 of its customers' Bitcoin, and approximately 100,000 of its own. This amounted to 7% of all Bitcoin in circulation and was worth around $473 million at the time.

  • Cryptsy Exchange | July 2014 - Amount: $9,500,000 (13,000 BTC and 300,000 LTC)

The attacker – famous for developing Lucky7Coin – inserted Trojan malware into Cryptsy’s code so that he could access precious information and transfer cyber currencies – mainly bitcoin and litecoin – out of the exchange’s wallet.

  • Mintpal Exchange | December 2014 - Amount: $3,200,000 (3,894 BTC)

At one time the cryptocurrency exchange Mintpal was one of the top trading platforms. In the fall of 2014 customers were told Mintpal was going to have new ownership. The exchange was sold to a Moopay executive “Alex Green” who many believe was a shady scammer. Most likely the vulnerability already existed at the time of sale and the new owner just failed to detect and patch it. However, many suggest that it was simply an inside job and Alex Green "hacked" himself.

  • Bitstamp Exchange | January 2015 - Amount: $5,100,000 (19,000 BTC)

Hackers sent a malicious file to the exchange's employees and unfortunately one of the system administrators opened the file, which gave the hackers access to the exchange's BTC wallet, and 19,000 BTC were stolen. The exchange survived the attack, however, and remains a leading Bitcoin exchange today. A year later, another hack occurred on Bitstamp, when a hot wallet was compromised. During this hack, a further 18866 BTC were stolen.

  • Kipcoin | February 2015 - Amount: $1,700,000 (3000 BTC)

A cold wallet was compromised in February 2015, which resulted in the theft of 3700 bitcoins.

  • Bter Exchange | February 2015 - Amount: $1,750,000 (7,000 BTC)

Bter had been hacked before for a smaller amount of money in NXT equivalent. They didn't learn their lesson (as a number of other hacked exchanges don't) and got hacked again in 2015. The real question is, why do they still have customers after being hacked repeatedly?

  • Bitfinex Exchange | August 2016 - Amount: $72,000,000 (119,756 BTC)

Bitfinex, the exchange best known for the creation of Tether and for sharing executives with the largest active ICO project, advertised itself as having multisignature wallets for each customer. Somehow this multisignature technology didn't help them prevent losing 119,756 of their customers' bitcoins. Bitfinex was transparent about the whole ordeal, and reassured the (understandably angry) customers that they were working to establish some sort of compensation. Instead of repaying their customers from their reserves or going out of business, Bitfinex issued BFX tokens to the hacked customers and promised to buy back these tokens at a later date.

  • Bithumb Exchange Info Leak | April 2017 - Fine: $55,000

A Bithumb contract worker’s personal computer that stored customers’ data files was hacked, resulting in the leak of personal and trading information of more than 30,000 users. The South Korean crypto-exchange was fined 58.5 million won ($55,000) by the local regulator for the breach.

  • Youbit Exchange | December 2017 -

Youbit said it would file for bankruptcy hours after losing 17 percent of its assets in a cyberattack. The South Korean exchange had suffered what it called an “accident” in April and its owner encouraged clients to keep their tokens in a safer form. South Korean investigators are looking into North Korea’s possible involvement in the hack.

  • Coincheck Exchange | January 2018 - Amount: $534,800,000 (523,000,000 NEM)

While the Coincheck exchange managed to use cold wallets for its Bitcoin trading operations, it neglected security measures on the up-and-coming Asian crypto, NEM. All of the NEM deposits on the exchange were stored in one wallet. Whether it was a hack or an inside job - I guess we will never know. And it doesn't matter to those who have lost their money.

  • BitGrail Exchange | February 2018 - Amount: $195,000,000 (17,000,000 NANO)

Nano is an interesting new 0-fee cryptocurrency that's based on a block lattice architecture as opposed to using a traditional blockchain. As with everything new and shiny, people were eager to get their hands on it. Unfortunately though, no reputable exchange would list the cryptocurrency until it reached some adoption levels. As such, a number of new exchanges emerged that allowed trading of NANO (at that time called RaiBlocks), and users were essentially forced to use insecure exchanges. BitGrail failed to secure its coin storage and an astronomical amount of money was stolen from it. Remember, using a centralised exchange is always a risk. Using a new and unproven centralised exchange is an even greater risk!

Other Notable Crypto Hacks

  • Bitcoin Hack | August 2010 - Amount (184 Billion BTC)

Bitcoin investors are well aware that the cap on Bitcoin supply is 21 million. In 2010, an attacker spotted a bug in Bitcoin’s software and exploited it. This attacker was able to create a single block (#74638) that would create a transaction of 184 billion BTC, more than was ever supposed to exist. It was instantly clear that someone had taken advantage of the software bug, which would later be on the list of Common Vulnerabilities and Exposures. The attacker tried to make massive profits (or massive tomfoolery) out of BTC’s blockchain. Members of the community sounded an alarm about the error. They forced the creation of a hard fork.

  • Gatecoin Hack | May 2016 - Amount $2,000,000

Hong Kong-based Gatecoin had roughly $2 million in Bitcoin and Ether stolen following a cyberattack.

  • The DAO | June 2016 - Amount: $70,000,000 (3,000,000 Ether)

In 2016 the Decentralised Autonomous Organisation (The DAO) was created to operate like a venture capital fund for decentralised cryptocurrency projects. The DAO was built as a smart contract on the Ethereum blockchain and ran a crowdfunding campaign that attracted approximately $150M worth of Ether. This made it the most successful token sale up until that point. On June 18th 2016, funds were noticed to be leaving the DAO and around 3.6 million ether worth approximately $70 million were drained by a hacker in just a few hours. The hacker took advantage of a flaw that allowed the DAO smart contract to return Ether multiple times before it updated its internal balance. The hack led to a hard fork of the Ethereum protocol that resulted in both reimbursements and the creation of Ethereum Classic (ETC).

  • Steemit.com | July 2016 - Amount: $85,000 (260 Steem)

Roughly a month after the DAO disaster, social media blockchain Steem was attacked and 260 Steemit accounts were hit. Users had $85,000 of Steem and Steem Dollars drained from their accounts, which were hosted on Steemit.com.

  • CoinDash | July 2017 - Amount: $6,600,000

CoinDash got off to a disastrous start in 2017 when a hacker manipulated the address posted on CoinDash’s website telling initial coin offering investors where to exchange Ether for CoinDash tokens. The hackers made off with $6,600,000 in stolen Ether.

  • Parity Hack | July 2017 - Amount: $31,000,000 (153,037 ETH)

The Parity hacker found a vulnerability in the Parity Multisig Wallet that allowed access to funds from the ICOs of Edgeless, Casino, Swarm City and aeternity blockchain. Ironically, “white hat” hackers took it upon themselves to safely drain the accounts of the remaining Parity wallet users and protect their funds, but the malicious hackers still made off with $31 million in Ether.

  • Veritaseum Hack | July 2017 - Amount: $8,000,000

Two months after its ICO, hackers gained access to a Veritaseum wallet and snatched $8 million in coins. Veritaseum is a cryptocurrency designed to build software for decentralised capital market trading.

  • Enigma Hack | August 2017 - Amount: $500,000 ( ETH)

Prior to Enigma’s ICO, hackers used credentials of CEO Guy Zyskind to infiltrate the cryptocurrency’s website, Slack group and email list and send messages to subscribers asking for funding. The hackers collected roughly $500,000 in Ether.

  • Tether Hack | November 2017 - Amount: $30,900,000

On November 19, 2017, an external attacker gained access to a Tether Treasury Wallet, and siphoned off $30.9 million in tokens. This attacker used a Bitcoin address for the transaction, so the theft was basically irreversible.

  • Nicehash | December 2017 - Amount: $63,000,000 (4,736.42 BTC)

NiceHash, a crypto-mining marketplace based in Slovenia, said on its Facebook page that its payment system was compromised and as much as $63 million worth of Bitcoin was stolen. The firm added extra security measures and sought the community’s help to analyze the breach.
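
The ordering flaw described in the DAO entry above (paying out before the internal balance is updated), modelled in Python as an added example; it is not the DAO's contract code and not from the original article. All class and function names are hypothetical, and the deposits are constructed sample values.

```python
# Constructed model of the ordering flaw in the DAO entry; not the DAO's code.
class Vault:
    """Toy ledger: `balances` is the internal book, `pool` is the ether held."""
    def __init__(self, safe_order):
        self.safe_order = safe_order
        self.balances = {}
        self.pool = 0

    def deposit(self, who, amount):
        self.balances[who.name] = self.balances.get(who.name, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        owed = self.balances.get(who.name, 0)
        if owed == 0 or self.pool < owed:
            return
        if self.safe_order:
            # Checks-effects-interactions: update the book, then pay out.
            self.balances[who.name] = 0
            self.pool -= owed
            who.receive(self, owed)
        else:
            # Flawed order: recipient code runs before the book is updated.
            self.pool -= owed
            who.receive(self, owed)
            self.balances[who.name] = 0

class Depositor:
    """Ordinary account: accepts the payment and does nothing else."""
    def __init__(self, name):
        self.name = name
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount

class ReenteringDepositor(Depositor):
    """Hypothetical recipient whose receive hook calls withdraw() again."""
    def __init__(self, name, max_reentries):
        super().__init__(name)
        self.left = max_reentries  # bounded so the model terminates

    def receive(self, vault, amount):
        self.received += amount
        if self.left > 0:
            self.left -= 1
            vault.withdraw(self)

def run(safe_order):
    vault = Vault(safe_order)
    honest = Depositor("honest")
    caller = ReenteringDepositor("caller", max_reentries=3)
    vault.deposit(honest, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    # Solvency invariant to monitor: pool must equal the sum of book balances.
    return caller.received, vault.pool, sum(vault.balances.values())
```

`run(False)` leaves the pool short of what the book says is owed to the other depositor, while `run(True)` pays the 10 deposited and keeps pool and book equal; that equality is the invariant an auditor or monitor would check.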

Notable Private User Incidents

  • Allinvain Hack | June 2011 - Amount $500,000 (25,000 BTC)

In early 2011, Bitcoin was a tight-knit community of hobbyists, and mining bitcoins was much easier then. One user had amassed a fortune of 25,000 bitcoins. On the 13th of June, Allinvain discovered that all of his bitcoin had been stolen from his hard drive and transferred to an account controlled by the hackers.

  • MyBitcoins Hack | August 2011 - Amount

Bitcoin wallet services offer to store bitcoins on users' behalf; one wallet service that was popular was called MyBitcoin. However, in August 2011, the company disappeared, claiming the site was hacked. This and similar experiences have made the Bitcoin community suspicious of online wallet services. With no real regulation, there's no way for users to verify that a wallet service is reliable.

  • Linode/Bitcoinica Hack | March 2012 - Amount $200,000 (46,703 BTC)

Hackers exploited a vulnerability in the shared online web host Linode to steal at least 46,703 bitcoins, worth approximately $200,000 at the time, from several Linode users. That included more than 43,000 bitcoins stolen from Bitcoinica, an early Bitcoin exchange. Bitcoinica suffered a second hack in May 2012 that cost the company another 18,000 bitcoins. It was then taken offline for a security audit. Bitcoinica didn't survive these incidents. In August 2012, the site was sued by several users seeking the return of $460,000 in deposits.