Cryptocurrency is a constant source of media attention. It’s new-ish, digital, and an insanely lucrative endeavor to get into. This perfect storm of positives is the main reason why many people are making a ton of money from mining and selling off their cryptocurrencies. But even with all the positives that investors can receive from their cryptocurrency efforts, hackers still pose a considerable threat to their sizable profits.
Since transactions are mainly carried out via cryptocurrency exchange providers that maintain completely digital databases, there is always the threat that security does not hold up against the threat of a data breach. Recently, there have been several large, high transaction volume cryptocurrency exchange providers that have been hit by data breaches that have lost hundreds of millions of dollars in cryptocurrency practically overnight. Let’s look deep into the top 5 cryptocurrency exchange provider security breaches, why they happened, and what the exchange providers could have done to deter the breaches.
Cryptocurrency Overview
Before we dive into our top 5 list of cryptocurrency exchange provider security breaches, we need to give you a quick overview on cryptocurrency and what services cryptocurrency exchange providers perform for investors.
Firstly, cryptocurrencies are a form of digital currency that function as a type of exchange for other types of global currency. The major form of cryptocurrency that most people are aware of due to its meteoric rise to fame due to a 2000% increase in exchange rate in 2017 alone is Bitcoin (BTC). As of early August 2018, Bitcoin one of the largest cryptocurrency platforms still accounted for 47.6% of all cryptocurrency market transactions. After being valued at nearly $20,000 per Bitcoin in December 2017, Bitcoin has since been hovering around $6,000 to $8,000 per Bitcoin since Spring 2018. Speculations surrounding the imposing global regulations of the cryptocurrency market, the percentage of Bitcoins left in existence (there are currently less than 4 million Bitcoins left to mine), and Bitcoins massive market share decrease in January 2018 were the main culprits behind this cryptocurrency’s fall from fame. Bitcoin transactions have since rebounded, but is still trying to remain relevant in the sea of new cryptocurrency competitors.
Some of the main reasons for the surge in Bitcoin’s value in 2017 was due to the general public’s consensus on the lack of growth in the global economy and the decentralized nature of the process of mining and selling Bitcoins in general. In Bitcoin’s decentralized network, every participant has a specific role that allows for the ecosystem to function in harmony.
The beauty of the decentralized cryptocurrency structure is that the network is theoretically immune to government interference or manipulation since there is no entity that is solely responsible for the currency. Another cryptocurrency feature that led to the increase in value was that it was near impossible to counterfeit. With paper currency, there is still a human element that must inspect the currency, but since cryptocurrencies are digital, they do not have that issue.
Lastly, the cryptography that is used to secure and verify transactions is done via blockchain which is well regarded as the future of digital currency exchange. Blockchain ensures that every cryptocurrency transaction is public ledger; meaning that transactions and account details are available for everyone to see at all times. This might see like an invasion of privacy to some, but for others it is a valuable blockchain safety measure that ensures that digital records are always trackable and verified.
All transaction blocks in a blockchain are verified by the peer-to-peer network and cannot be retroactively edited at any time. This is to ensure that any hacker that steals cryptocurrency that is associated with a block in a blockchain could be traced via a link and reprimanded shortly after. This sounds all fine and dandy, but can only work if the blockchain and all necessary security features within the network of the cryptocurrency exchange provider are developed appropriately. Let’s take a look at the cryptocurrency exchange providers that bit off more than they could chew and suffered massive losses due to insufficient security planning and implementation.
Top 5 Cryptocurrency Exchange Provider Breaches
More than 130 cryptocurrency exchange providers functioning globally, operating under virtually non-existent cybersecurity standard regulations. In other words, it’s practically the wild west of digital currency at the moment. Investors stand to make a ton of money, but also stand to lose everything due to the negligence cybersecurity standards of the cryptocurrency exchange provider that they did business with.
With nearly 1 million Bitcoins being stolen directly from cryptocurrency exchanges historically that works out to more than $15 billion in losses. Cryptocurrency exchanges recorded roughly $266 million of these losses from security breaches and heists in 2017 alone; a figure which was tripled just in the first half of 2018. The truly scary part of these figures is the fact that these losses are not regulated, thus are uninsurable. That means once they’re gone, you have no chance of getting them back. In the past 5 years, the following cryptocurrency exchange providers were hit with massive breaches that left their exchange in shambles:
| Year | Exchange | Breach Value (Cryptocurrency) | Breach Value ($) |
| 2014 | MtGox | 850,000 BTC | $700 Million |
| 2018 | Coincheck | 523 Million NEM | $534.8 Million |
| 2013 | Silk Road | 171,955 BTC | $270 Million |
| 2018 | Bitgrail | 17 Million NANO | $195 Million |
| 2016 | Bitfinex | 120,000 BTC | $72 Million |
#1 – MtGox (2014)
MtGox was developed by programmer Jed McCaleb in 2006 first as an online Magic: The Gathering card-trading online community. After 4 years of running the site to moderate success, McCaleb transitioned the site to become focused on Bitcoin trading. In 2011, he sold a majority stake in the company to Mark Karpelès for an undisclosed amount. From that point, the site grew exponentially and began to consume more and more of the Bitcoin exchange market. Along the way, there were many setbacks including a sizable hack in 2011 and problems with blockchain functionality in 2013. These were later addressed by site administrators, but there were still issues with keeping up with the Bitcoin network demand.
At its height, MtGox traded 150,000 bitcoins per day and accounted for 70% of global Bitcoin transactions. Site trading was suspended for an entire day in April 2013 to cool the Bitcoin market down. This trading suspension caused the price of Bitcoin to drop more than 40% overnight. Shortly thereafter, MtGox suspended withdrawals in late 2013 then again in early 2014 which prompted discussion about a possible security breach. These assumptions were confirmed when a joint statement regarding the MtGox hack was released on February 24th, 2014. By the end of the month, the price of Bitcoin would fall more than 30%. The investigation regarding the source of the hack was never confirmed until recently when a team of software engineers located most of the 850,000 stolen Bitcoins on the BTC-E cryptocurrency which is owned by software engineer, Alexander Vinnik. Vinnik was arrested in 2017 for allegedly laundering billions of dollars in Bitcoin through his exchange and is awaiting extradition to either France or his native country of Russia.
Sources say that the hack was made possible due to the lack of oversight and follow through from MtGox’s CEO, Mark Karpelès after he became aware of a security breach in 2011. After learning of the breach in mid-2011, Karpelès took measures to transfer more than 400,000 Bitcoins from cold storage to the affected Bitcoin wallets. Unfortunately, Karpelès didn’t realize that the deposit addresses were compromised which meant that the hacker could slowly siphon the Bitcoins off of the exchange and into designated wallets at their leisure. This happened for nearly 2 years without MtGox realizing anything was wrong. In the end, more than $700 million in cryptocurrency was stolen and Mark Karpelès was charged with embezzlement and data manipulation stemming from operating a so-called ‘Willy Bot’ on the exchange that placed a certain number of Bitcoins in his own personal cold storage.
#2 – Coincheck (2018)
Coincheck is a Tokyo-based cryptocurrency exchange provider that trades Bitcoin, NEM, and other cryptocurrencies. Coincheck was founded in 2014 and grew to accommodate more than $160 million in monthly transactions by 2016. In January 2018, Coincheck’s entire allotment of 523 million NEM (valued at $534.8 million) were stolen and transferred to 20 different accounts. After learning of this breach, Coincheck froze all deposits and withdrawals to assess the cause of the losses. The investigation found that all NEM coins were stored in a single hot wallet (online) and lifted via several unauthorized transactions which was possible through the theft of several private keys.
Since the security breach, Coincheck has been hit with numerous lawsuits costing them millions of dollars due to their negligence in not storing a portion of the NEM coins in an offline “cold storage” wallet to deter the threat of such a widespread breach. Coincheck also lacked critical multi-signature security processes that call for customers to sign off multiple times before funds can be transferred between accounts. A few months following the breach, Coincheck began to refund affected customers of their losses and allow them to withdrawal and sell off certain cryptocurrencies from their exchange. More than 7 months later, trading on the Coincheck exchange is still suspended.
#3 – Silk Road (2013)
Silk Road was an online black market community that was primarily used for the sale of illegal drugs on the dark web. Silk road also was a place that the FBI says users could trade firearms, hire assassins and employ hackers. This marketplace was one of the first to accept cryptocurrency and many people stored their Bitcoins there. It wasn’t until a hacker breached Silk Road CEO Ross Ulbricht’s computer and demanded $500,000 to prevent the release of sensitive information regarding Silk Road to the FBI. In response, the FBI claims that Ulbricht allegedly hired a hitman for $150,000 in Bitcoin to have the hacker killed.
Not long afterwards, $2.7 million in Bitcoin was stolen from site users and staff members. At first, Silk Road administrators thought the hack was due to transaction malleability which is essentially the mutation of the signature by an unauthorized source. The hacker responsible for the hack also took advantage of the vulnerability in the site’s “Refresh Deposits” function which allowed them to credit their account with infinite amounts of Bitcoins as long as they kept spamming the hash link. The site administrator, Defcon, claims that a vendor was behind the hack which took place as the site was undergoing infrastructure changes ahead of the site’s relaunch. Not long after this, the FBI managed to locate Ross Ulbricht and confiscate all the Bitcoins that were deposited on the website. This led to the site’s closure, Ulbricht’s life prison sentence, and $270 million dollars’ worth of Bitcoin being confiscated by the FBI.
#4 – BitGrail (2018)
BitGrail is a somewhat obscure Italian cryptocurrency exchange that deals with trading of NANO (rebranded from RaiBlocks in January 2018). NANO’s structure is based on a block lattice architecture that does not incur any fees per transactions. The block lattice architecture of NANO enticed investors, but not enough for some to make the dive due to the low rate of adoption by cryptocurrency exchanges. BitGrail began trading RaiBlocks (before it was called NANO) up until they suffered a massive security breach in February 2018 that lead to the theft of 17 million NANO (worth $195 million) from the exchange.
Immediately following the hack, BitGrail’s Founder, Francesco Firano, pointed the finger at NANO for their lack of security surrounding NANO’s timestamp technology as well as the unreliability of the cryptocurrency’s block explorer. NANO released a statement on Medium regarding the breach and how Firano had been misleading their team regarding BitGrail’s solvency for years. The subsequent investigation found that BitGrail had failed to secure its coin storage, thus leading to the security breach. This could have been remedied by patching software vulnerabilities the moment they were realized instead of just staying the course as BitGrail did.
#5 – Bitfinex (2016)
Bitfinex is a cryptocurrency exchange provider that was founded in 2012 and was combined with BitGo to create multi-signature wallets that was advertised as giving investors an increased amount of control and security over their transactions. Bitfinex structured their customer accounts in a way that divided 2 of the 3 customer keys (1 online and 1 offline key) via BitGo that accompanied the 3rd key which was held by the customer. This structure was theorized to help meet liquidity demands to ensure that the correct amount of hot and cold storage wallets maintained the correct amount of cryptocurrency always to meet market demand.
Unfortunately, Bitfinex was breached in August 2017 where 120,000 bitcoin tokens were stolen (worth $72 million). Many have speculated that the reason behind the breach was due to the ineffective implementation of BitGo’s structure for key storage and recall. Others believe that Bitfinex’s multi-signature technology was not as robust as it should have been, thus leading to the manipulation of the private keys during the authentication sequence.
Closing Thoughts
These cryptocurrency exchange security breaches have rocked the marketplace and continue to make the process of trading cryptocurrencies an extremely risky enterprise to undertake. They have triggered massive investment reductions and calls for cryptocurrency exchange security standard (CCSS) implementations around the world. Strict policies are being enacted in Japan and South Korea now as these countries both experienced large security breaches this year.
Once regulatory policies are enacted, we may see global policies enacted if adoption of cryptocurrency is to continue. Until that point, it is best to assess the security prowess of any cryptocurrency exchange and get your ducks in a row to ensure your investments are not at risk of being stolen via a security breach.
For more information on how to achieve CCSS compliance for your business or if you have any questions regarding our other cybersecurity solutions, please call RSI Security today.
