Hacker’s Loophole: Vulnerabilities That Cause Bitcoin Exchanges to Lose Millions
According to a May study by The Block, 42 large cryptocurrency exchanges have been compromised since 2012, not taking smaller platforms into account. The total amount of stolen funds exceeded $1.35 billion, with about 59% of these funds (795.5 million) being stolen in 2018.
According to Carbon Black, a cyber threat protection company, cryptocurrency exchanges account for 27% of all attacks related to cryptocurrency. In most cases, the hackers exploit vulnerabilities of crypto-exchange hot wallets, less often users fall victim to exit scams from the platform owners. ForkLog looked into the main crypto exchange bugs which were used by hackers the most in 2018–2019.
How hackers attack exchanges
While an attacker requires specific conditions when launching an attack on a mobile device or personal computer, e.g. the ability to intercept traffic or to physically access the device, this is not necessarily the case for attacks via web applications. Hence such attacks tend to be larger in scale.
Positive Technologies analysts examined the most popular approaches used to hack cryptocurrency exchange web terminals, which allow hackers to breach hot wallets of crypto trading platforms.
Most trading platforms are vulnerable to Cross-Site Scripting attacks. Using certain vulnerabilities, cybercriminals inject malicious code on the platform’s web page redirecting traders to third-party web pages and/or infecting user devices with malware. This malicious software includes stealer viruses that steal wallet passwords or replace the sender address in the clipboard.
Web terminals sometimes lack HTTP headers that increase protection from certain types of hacker attacks. For instance, the ContentSecurity-Policy header protects against attacks related to the injection of malicious content, including XSS. X-Frame-Options protects from Clickjacking attacks. Strict-Transport-Security enforces a secure connection through HyperText Transfer Protocol Secure (HTTPS).
Studies conducted by Coverity, a company specializing in software quality and security testing solutions, showed that for every 1000 lines of code there are 0.52 errors in open source products and 0.72 errors in proprietary ones (the quality standard being less than 1 error per 1000 lines of code). Potentially these errors can adversely affect the overall security of the platform.
Even if the exchange developers make no errors in the code there is still the risk of a vulnerability in third-party software. For example vulnerabilities in the operating system, payment gateways or messengers can be used for phishing or installation of malicious software on the exchange employees’ devices.
Smart contract vulnerabilities
Hackers may find a vulnerability in the wallet’s smart contract code which allows them to take control of the victim’s funds. This can be either a targeted attack on a particular wallet or a large scale attack if many wallets share the same vulnerability.
Phishing and social engineering
Exploiting human weaknesses remains the most popular way of hacking accounts. Attackers disguised as exchange representatives may gain access to the employees’ devices (sometimes it takes months to complete this task) and take possession of private keys. Hacking a private account is made much easier thanks to Google Play.
If the attackers know that a specific person is trading on a platform or works as its administrator, his SMS traffic can be intercepted and used for authentication or to initiate the account restoration procedure.
- Wiretapping using special equipment, infecting the victim’s phone with malware or hacking the provider’s server.
- Cloning a SIM card.
- False base station – expensive equipment that intercepts and decrypts SMS.
- Hacking user’s Personal Account on the exchange site. By doing this you can redirect all messages to the attacker’s device or email address.
- SS7 attack. Hacking special telecommunication protocols used to configure telephone exchanges (PLMN, PSTN);
- Phishing exchange’s call center. Attackers collect users’ personal data and their phone numbers and then call the call center operator to recover the SIM card.
Intercepted SMS can be used not only to access the exchange account but also to restore access to email. To do this the culprit attempts to log in to the mail service and after a failure resets the password using SMS.
How exchanges fight back
Most cryptocurrency exchanges use at least one, more often several, anti-hacker systems. The simplest and most common is two-factor authentication: for each transaction you need to enter a one-time password, which is sent to the client’s phone or email.
That being said, two-factor authentication is not the most reliable defense. A more advanced version of two-factor authentication is special applications like Authy and Authenticator. They block access to the system and request an additional code if the username and password are compromised.
The second most popular method of protection is multi-signature: when several keys to the Bitcoin wallet are held by different owners and access to funds can be obtained only by securing all digital signatures. Still, this system may fail, too. Experts note that multi-signature works only when all the “signatories” are independent of each other.
One of the most reliable ways to protect against hacker attacks is the distribution of funds between hot and cold wallets. In addition to physical protection (video cameras, armed security, retinal scanner, etc.) a cold wallet can be additionally protected by a multi-signature. The larger the share in the cold storage the safer. Ideally, cryptocurrency should only go online at the time of the transaction.
Another security measure is the so-called bitcoin valves which are the bitcoin addresses where coins are locked with a two-stage security mechanism with two different keys. To unlock the funds you need a regular digital key but full access to your money is gained only after a 24 hours period. During that time, any transaction can be canceled by entering the second key. There is one more level of protection: even if a hacker takes possession of both keys, the exchange can burn the funds stored in the wallet.
It is becoming a bon ton among crypto exchange operators to conduct hack tests and regular audits by independent experts. The latter is performed by the so-called white hat hackers. Their job is to crack security systems to find potential vulnerabilities that could be exploited by cybercriminals.
In any case, a comprehensive approach is important when it comes to the security of cryptocurrency exchanges: the security of native code in conjunction with the security of the development environment and third-party libraries that are used to create the product. The human factor which often contributes to hacker attacks cannot be ruled out.
Exchanges robbed by hackers in 2018–2019 (listed in chronological order):
On 26 January 2018 the Japanese cryptocurrency exchange Coincheck admitted the theft of $533 million in NEM cryptocurrency. About 260 thousand users fell victim to hacking.
At a press conference, NEM representatives said that hacking happened due to the fact that Coincheck neglected to use a smart contract with multi-signature function.
According to Coincheck security settings vary for different coins on the exchange. Hackers managed to steal the private key from a hot wallet where NEM coins were stored and withdrew them using several unauthorized transactions.
Nikkei Asian Review reported that a few weeks before the attack several Coincheck employees received infected emails which allowed hackers to hack into the employees’ emails and steal the private key.
As discovered by researchers from BIG Blockchain Intelligence Group Inc. some of the stolen funds were first moved by criminals to a cryptocurrency exchange in Canada and then transferred back to Japan.
Coincheck determined 11 addresses on which stolen coins were located. Each of these addresses was tagged as follows: “coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker”. Thanks to this automated flagging system crypto exchanges can identify the addresses of hackers and prevent them from converting NEM to other cryptocurrencies or fiat.
Coincheck management compensated $400 million to the victims of this heist and changed the rules for listing coins on the platform.
Based on the audit conducted by the Japanese Financial Services Agency (FSA) in December 2018 the exchange was successfully licensed. The regulator concluded that after the exchange was acquired by the online broker Monex it was able to improve security and safety measures.
On February 8, 2018, in the aftermath of a slew of unauthorized transactions from the Italian BitGrail exchange, $170 million worth of Nano cryptocurrency was withdrawn by unknown hackers. The remaining coins were not affected.
Soon after the hacking, the owner of BitGrail Francesco Firano filed for bankruptcy. He claimed that the theft of funds occurred due to Nano’s timestamp technology and the unreliability of the block explorer.
In turn, Nano developers denied any errors within the cryptocurrency protocol. They also implied that the funds might have been stolen much earlier than this became known and said that Firano offered them to conduct a hard fork of cryptocurrency supposedly in order to cover the losses.
“We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time,” noted Nano’s team.
In January 2019 BitGrail and Francesco Firano were declared bankrupt in court and ordered to reimburse the customers the maximum possible amount of the $170 million they lost while confiscating a significant part of Firano’s own assets.
The next attack, although unsuccessful, was nevertheless indicative. On March 7, 2018, Binance exchange reported a potential hack that forced automated trading systems to sell altcoins and buy Viacoin (VIA) instead.
The hackers launched a series of phishing attacks that lasted several months. Masking fake domains as the original Binance domain (homograph attack) using Punycode (a method of converting domain names into a sequence of ASCII characters) they collected the account data of most users.
Hackers did not withdraw the money from compromised accounts but instead created API keys which were then used to purchase VIA/BTC.
The hackers planned to collect money on 31 accounts and use them to promptly withdraw funds as fiat but were forestalled by the exchange. Binance risk management system noticed an anomaly within two minutes and immediately blocked all transactions.
Later Binance announced a reward of $250 thousand for helping to identify the hackers.
Coinrail, a small Korean exchange, fell victim to hackers on June 10, 2018. About 30% of the exchange’s altcoin portfolio was stolen from the company’s servers, including ICO tokens of the Pundi X (NPXS), NPER (NPER) and Aston (ATX) projects. The damage amounted to about $37 million.
Immediately after the official announcement of the incident the site was temporarily shut down and the remaining 70% of the funds were transferred to cold wallets. The Coinrail developers also managed to block almost two-thirds of the stolen funds.
Representatives of the Pundi X project reported that after the hack the exchange warned them of an Ethereum address which was allegedly linked to the hackers. The address was flagged as Fake_Phishing1432.
According to Etherscan someone tried to send 26 million NPXS from this address to the IDEX decentralized exchange. This happened immediately after the exchange received 2.6 billion of the same tokens from another address which was also flagged as suspicious — Fake_Phishing1431.
Pundi X and Coinrail noted that IDEX froze assets that were sent from Fake_Phishing1432. However NPXS tokens have not been burned. In addition transactions related to Fake_Phishing1431 indicate that several hours before the hack it received other digital currencies from a single address — ETH, ATX, DENT, NPSX, Jibrel Network, Tron, Kyber Network, and Storm.
According to Etherscan while stolen NPXS tokens were sent to IDEA, the other stolen coins were sent to the EtherDelta decentralized crypto exchange.
Curiously back in February Korean banks recorded outgoing activity on Coinrail related to potential money laundering.
“In February several banks trading on Coinrail discovered suspicious money laundering transactions. Some of those banks stopped working with the exchange in April.” the local publication Chosun wrote.
In a month’s time, Coinrail restored its operations and updated its security system.
The hot wallet of the South Korean exchange Bithumb was hacked on the night of June 19, 2018. Hackers stole about $30 million partially in the Ripple cryptocurrency.
Just prior to the hacker attack Bithumb transferred a large amount in Ethereum to a cold wallet citing suspicious activity on the servers. On June 16 Bithumb launched an extraordinary server scan “to maximize security settings.”
Many cryptocurrency users were skeptical of this kind of coincidence, indicating that shortly before the hack the exchange was to pay taxes approximately equivalent to the amount of stolen funds.
— WhalePanda (@WhalePanda) June 20, 2018
AlienVault cybersecurity experts detected HWP documents disguised as CV documents during the investigation of the incident. Experts suggested that they were created by members of the North Korean APT group Lazarus and its subsidiary BlueNoroff.
HWP documents are created using Hangul Word Processor, a popular text editor in Korea. These files contain malicious code that downloads a target malware from a third-party server — a 32-bit or 64-bit version of the Manuscrypt backdoor, through which the crypto-exchange is hacked.
Bithumb was able to reimburse users half of the stolen funds ($14 million) from its own reserves but for several months was forced to block the deposit and withdrawal of funds.
Later the exchange announced that its wallet system would undergo a “complete overhaul” in order to prevent further attacks and also announced a strict separation of assets belonging to customers and the exchange itself.
On September 18, 2018, hackers got unauthorized access to the Zaif exchange’s hot wallet. The damages amounted to $60 million in Bitcoin, Bitcoin Cash and MonaCoin. Two thirds of the stolen coins belonged to users of the platform.
Unusual activity on the site began as early September 14th. The exchange made a public statement only four days later when server malfunctions were discovered.
Bitfury Crystal Blockchain Analytics engineers who investigated the hack were able to identify the transaction and the address belonging to the hacker.
Suspicious transaction with an identifier c3b9a4a0831a65523c81e6a04f6ddf5a7a89f344d990e8a13e5278efe57f4280 had 131 input addresses all of them belonging to Zaif. The hacker sent the stolen bitcoins to the address 1FmwHh6pgkf4meCMoqo8fHH3GNRF571f9w and subsequently distributed the funds among 5109 addresses. However a significant part of the funds (30% of the total amount) was transferred to two Bitcoin wallets:
- 3MyE8PRRitpLxy54chtf9pdpjf5NZgTfbZ — 1007,6 BTC
- 3EGDAa9rRNhxnhRzpyRmawYtcYg1jP8qb7 — 754,5 BTC
Another 1,451.7 BTC were transferred in small transactions to 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s which belonged to Binance.
The remaining amount (about 46%) was distributed in small parts between a score of different addresses. Among them, a mixing service ChipMixer.com, a gambling site CoinGaming.io, exchanges Huobi, Bitstamp, BTCBox.com, and Livecoin.
In November cybersecurity experts from Japan Digital Design tracked down the hacker. They studied the movement of Monacoin coins from the moment of hacking, analyzed the payment channel using static blockchain analysis and identified the hacker’s IP address.
“By deploying the virtual currency node on a large scale after the outflow of the virtual currency, we verified whether we can obtain clues such as source IP address etc. We also got useful data to grasp the accuracy of the information and the cost of tracking,” experts reported.
On October 28, 2018, due to an undisclosed bug, all funds in the amount of 913 BTC ($6 million) were withdrawn from the accounts of a small Canadian exchange MapleChange.
Later representatives of the exchange said that their hot wallet contained no more than 8 BTC and 100 LTC and that vulnerability was the result of updating the site’s framework.
Curiously enough a few hours after the hacking the exchange’s social media accounts were taken down. Representatives of MapleChange explained this being a temporary measure necessary in order to come up with a way out of this situation.
The company also announced that it would not be able to refund stolen Bitcoins and Litecoins but promised to transfer the remaining assets in cryptocurrencies Conceal (CCX) and Lumeneo (LMO), which accounted for most of MapleChange’s trading volume, to the developers.
Due to the fact that the chat for user complaints on the Discord server was inaccessible and also because there was very little time between the announcement of the “bug” and the complete disappearance of the company’s social media presence, experts were quick to accuse the platform of an exit scam. The lack of any technical details about what happened also spoke in favor of this version.
Customers of the site, comprising the Maplechang’ed activist group, found out that most of the data related to the platform, particularly information about the domain registry, was false. They also claimed that the CEO of the exchange, Glad Poenaru, was in collusion with the mining pool ETZmine.com and a cryptocurrency project called Weycoin (WAE) but their participation in this incident has not yet been proven.
AMLT service specialists managed to find several addresses related to the exchange. Analysis of their transfer history showed that funds were scattered across several popular exchanges, including Bittrex and Binance.
Currently, the exchange is not functioning. Its domain has been transferred to another owner.
In early November 2018 hackers attempted to hack the Gate.io Bitcoin exchange by compromising the web analytics service StatCounter.
The script checks for the string myaccount/ withdraw/BTC in the URL and then adds a new code element to the web page — https: //www.statconuter.сom/c.php. The link is designed to exploit user’s carelessness and leads to a domain belonging to attackers. Previously this false domain has already been suspended in 2010 due to malicious activity.
Despite the fact that the malware affected the activity of at least 700 thousand services the hackers’ main goal was Gate.io exchange since only it used the unified resource identifier https://www.gate.io/myaccount/withdraw/BTC to transfer Bitcoins from its own accounts to third-party addresses.
“Malicious script automatically replaces user’s Bitcoin address with the address of the attacker. Due to the fact that the hackers’ server generates a new address every time user downloads the StatConuter script it is difficult to determine how many Bitcoins could be stolen.” said ESET representatives.
The StatCounter service was quickly removed from Gate.io. Exchange’s management announced that “all the user assets are safe.”
In January 2019 Gate.io users once again became hacker victims. This time due to a “51% attack” on the Ethereum Classic blockchain they lost $220,000.
Gate.io has identified three addresses allegedly controlled by the attacker:
According to representatives of the exchange, initially they were able to successfully block the attacker’s transactions sending them to manual review. Yet, during the attack, all transactions looked valid and were successfully confirmed on the blockchain which led to the loss of about 40 thousand ETC.
The exchange fully reimbursed the damages.
New Zealand Cryptopia exchange was another victim of double-spend issue. In November 2018, the platform lost $571,000 due to a 51% attack on the AurumCoin (AU) network.
Founders of AurumCoin maintained that they were not responsible for what happened since their token was an open code project and transferred the blame to the exchange employees.
The hacker is estimated to have sent about 16,000 AUs to an account owned by the exchange and traded them for another cryptocurrency. After the transaction attacker used the overwhelming computing power at his disposal and canceled the transaction.
Cryptopia’s problems were far from over. On January 14, 2019, Cryptopia suspended operations informing users of “significant losses” due to a security flaw.
Elementus experts found that on the morning of January 13 several major transactions were made from the main Cryptopia wallets: 19.391 ETH (about $2.5 million) and 48,029,306 CENNZ ($1.17 million). Next hackers began to withdraw funds from more than 76,000 secondary wallets, operations on which were carried out until January 17.
About $880,000 were withdrawn to various crypto exchanges, like Binance, Huobi, and HitBTC. Another $15 million was stored on two addresses allegedly controlled by attackers.
On January 29 an attacker withdrew another $175,000 from about 17,000 Cryptopia wallets. Stolen funds were transferred to his ETH address, marked with the tag “Cryptopia_Hack1”.
Total losses of Cryptopia amounted to $16 million. The exchange itself stated that “in the worst-case scenario it lost no more than 10% of all its funds.”
Analysts also pointed out that the fact that several tens of thousands of addresses were hacked went unnoticed for a long time and suggested that Cryptopia employees lost control of Ethereum wallet private keys. This could be explained by the fact that Cryptopia did not have backup copies of private keys: the hacker gained access to the server where the keys were stored and then deleted them.
The site management announced its intention to return funds to the affected users and even sent tokens to the users’ accounts, which traced the amount of payments due to them.
In May 2019 trading on the platform was stopped and its liquidation process was officially announced. It is expected that the liquidators will be collecting available assets to reimburse the affected users.
On March 29, 2019, Bithumb employees recorded unusual withdrawals of funds from the hot wallets of the trading platform. The damage amounted to about $20 million in EOS and XRP. Stolen assets belonged to the exchange itself. User accounts were not affected.
Insiders allegedly participated in the theft of funds. They stole a private key to Bithumb hot wallet on the EOS blockchain and also hacked the exchange’s XRP wallet.
And this is the second time Bithumb saw a MAJOR hack, last time it’s hacked with a loss over $30m.. lol and after the first hack it was STILL able to get the fiat license from Korea and WTF??
— Dovey 以德服人 Wan 🗝 🦖 (@DoveyWan) March 30, 2019
Stolen funds were transferred through the anonymous ChangeNow exchanger to other crypto exchanges, namely EXMO, Huobi, Changelly, KuCoin, HitBTC, and Binance.
3. EOS won’t be able to freeze this time, or it’s now too late
4. Hacker has been disposing the stolen EOS via ChangeNow, a non-custodial crypto swap platform dose not require KYC/account
5. Bithumb is the only top Korean ex operator without a commercial banking partnership pic.twitter.com/SM9Wes0BI6
— Dovey 以德服人 Wan 🗝 🦖 (@DoveyWan) March 30, 2019
EXMO staff managed to block the transfer of about $3 million.
Binance CEO Changpeng Zhao published a withdrawal scheme used by fraudsters:
Received this diagram in a group: pic.twitter.com/PqcyaCDRKB
— CZ Binance (@cz_binance) March 30, 2019
Hackers apparently tried to withdraw an additional large sum of XRP but this was prevented. Using XRP Ledger Explorer several wallets were discovered containing 90 thousand XRP each from which the output to an external wallet (rLaHMvsPnPbiNQSjAgY8Tf8953jxQo4vnu) was carried out.
— XRP Scan (@xrpscan) March 30, 2019
More than 200 transactions were carried out to withdraw 90 thousand XRP each, however, some of them were addressed to another Bithumb account which probably meant that the exchange managed to reclaim some of the funds.
Experts noted that this attack was made possible due to a number of Bithumb vulnerabilities: the absence of a mandatory KYC check, the lack of guarantee agreements with banks and the tardiness of the security system itself.
On March 24, 2019, a Singapore-based Bitcoin Exchange DragonEx fell victim to a hacker attack. As a result, both user funds and the assets of the exchange itself were stolen.
Uppsala Security Operations Team (USOT) found out that the hacker distributed the stolen cryptocurrency between his wallets on Huobi, Gate.io, Bittrex and Binance exchanges. Some of these funds were blocked by those platforms’ employees.
Despite the fact that the total amount of stolen funds was never officially announced, USOT experts estimated that the hacker had stolen 2738.12 ETH. According to DragonEx the balance of hacker’s Ethereum and Bitcoin wallets was at 1522 ETH (about $202,730) and 135 BTC (about $528,855) respectively.
On May 7, 2019, hackers stole 7,000 BTC ($40.5 million) from Binance’s hot wallet. Representatives of the platform reported a “serious security breach.”
Using phishing and viruses hackers stole a lot of user API keys and two-factor authentication codes (2FA) from various accounts, including those with large balances. The attackers acted through several independent accounts so the transaction passed all security checks and was completed.
Immediately after the hack Binance team was somewhat bewildered. The exchange’s security system was the first to react rendering withdrawal of funds from the platform impossible.
Criminals distributed the stolen bitcoins between 44 wallets, 21 of which were their own SegWit addresses. Those received 99.97% of the stolen funds. The next day funds on hackers’ wallets came into motion.
The Block analysts concluded that stolen cryptocurrency was distributed between 7 addresses, most of which are in Bech32 format:
- bc1q2rdpyt8ed9pm56u9t0zjf94zrdu6gufa47pf62 (1060.6 BTC)
- bc1qx3628eh9tdnm0uzculu8k6r2ywfkc5zns2hp0k (1060.6 BTC)
- bc1qnf2ja3ffqzc3hskanjse6p8zag52fm6jgmmg9u (1060.6 BTC)
- bc1qw7g5uxxl750t0h2fh9xajwuxp4qt634yh3vg5q (1060.6 BTC)
- 16SMGihY94H8UjRcxwsLnDtxRt7cRLkvoC (1060.6 BTC)
- 1MNwMURYw1LkPnnpda2DQkkUsXXeKL9pmR (1,060.6 BTC)
- bc1q3a5hd36jrqeseqa27nm40srkgxy8lk0v0tpjtp (707.1 BTC)
Binance management has promised to update security system. The changes were to affect the API, two-factor authentication, the process of confirming the withdrawal of funds, risk management, analysis of user behavior and the KYC procedure.
Given the rising popularity of digital currency, hacking crypto-exchanges will for a long time be a source of profit for hackers. Even being aware of basic methods of hacking the exchange’s team cannot foresee whether their platform will be hacked and how exactly this will happen because each bug exploitation is a unique case.
“Even though budgets allocated to security are growing every year and the main vector of attacks is known to everyone, unfortunately criminals do not rest either and also invest more resources in conducting attacks on exchanges. Therefore no one can give a 100% guarantee that the exchange you use will not be hacked.
It is also worth noting that hacking of accounts often occurs not by the fault of the exchange but because of the negligent attitude of users to the security of their own funds,” says Nikolai Naumov, ForkLog CTO.
To better protect your money from criminals consider following these simple recommendations:
- Never store cryptocurrency on exchanges for a long time.
- Use the maximum number of levels of protection on the exchange: two-factor authentication, multi-signature and so on.
- Do not store wallets access files on a home computer connected to the Internet. Record them on external media and store in a safe place.
- If possible try not to use online wallets. Employ cold storage.
- Check the addresses of visited sites whether it is a cryptocurrency exchange, exchange service or whatnot to avoid becoming a victim of a phishing attack.
Crime in the crypto world is much less common than in traditional financial institutions. An ordinary investor just needs to be a little careful, pay attention to the feedback on the forums and adhere to the rules of the exchange platform.
Subscribe to our Newsletter<
- U.S. Treasury Promised New Cryptocurrency Regulation: What May Come Along?
- Dmitry Bondar: If There Is Time to Be Afraid of CBDCs, It Is Better to Spend It on Preparation
- Lending Tops Crypto-Industry by ROI: What Can Go Wrong?
- Visa Acquires Payment Startups: What Could It Mean for Crypto?
- Samson Mow: Bitcoin Is a Way to Prevent an Orwellian Future
- Digix Co-founder Shaun Djie: Having DigixDAO Continue to Exist Would Be Good But It’s No Longer Possible
- Crypto-Exchange Founder: More Institutional Players Will Come to the Industry But Not Overnight
- Crypto-Anarchist Smuggler: A Lot of the Cryptocurrency Politics Is Not About Privacy, but About Economics