Bitcoin's volatility has reached a multi-month low, which suggests a degree of stability in the currency. Crypto exchanges, in turn, have "stabilized" in the bad sense of the word, losing millions of dollars to cyberattacks. Memories are still fresh of the September hack of Zaif, one of the largest exchanges in Japan: minus $60 mln for the exchange, and one more addition to the $867 mln already stolen in the first three quarters of 2018 according to the CipherTrace report. Let's figure out why crypto exchanges are so prone to hacking and how the swindlers manage to withdraw such significant sums of money.
When hacking a crypto exchange, fraudsters pursue one of two main goals: either to steal crypto assets for their own use, or to deliberately crash the price of the stolen coin and move the market. The target of the attack can be a blockchain protocol, a crypto exchange or a personal wallet. Finding a vulnerability in the protocol is the most challenging task, but there have been precedents.
Perhaps the most striking example of breaking a protocol through imperfect code is the Ethereum DAO case. The first decentralized autonomous organization (DAO) was built on the Ethereum blockchain using smart contracts. The idea was to allow anyone interested to invest in the company and vote for the projects they wanted to finance. The smart contract code was responsible for the safety, automatic management and control of the DAO. If a user wanted to leave the organization, they had to sell their DAO tokens and exchange them for Ethereum. This exchange mechanism was called “Split Return” and consisted of two stages: the token holder received the corresponding amount of ETH, and only then did the system take the tokens and record the transaction on the blockchain to update the holder's DAO token balance. An unknown hacker realized that he could cheat the system by repeatedly re-entering the first stage before the second one ever ran, which allowed him to withdraw ETH in the amount of $50 mln.
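The following Python model is an added illustration of the ordering defect described above; it is not the DAO's actual Solidity code, and the contract class, the holder id and all figures in it are constructed assumptions. It runs the two-stage “Split Return” in both orders: paying out before the token balance is updated (the defective order, which a recipient's callback can re-enter) and updating the balance before any external call is made (the fix).

```python
"""Toy model of the DAO 'Split Return' ordering defect and its fix.

Constructed example, not the DAO's real Solidity: the contract, the holder
id and the figures below are assumptions for illustration only.
"""


class SplitReturn:
    """Models the two-stage exchange: pay out ETH, then take the DAO tokens.

    pay_before_debit=True reproduces the defective order (ETH sent while the
    holder's token balance is still intact); False applies the fix of
    settling the balance before any external call is made.
    """

    def __init__(self, eth_reserve, token_balances, pay_before_debit):
        self.eth_reserve = eth_reserve
        self.tokens = dict(token_balances)       # holder id -> DAO tokens held
        self.pay_before_debit = pay_before_debit

    def split_return(self, holder_id, recipient, rate=1.0):
        amount = self.tokens.get(holder_id, 0) * rate
        if amount <= 0 or amount > self.eth_reserve:
            return 0.0                           # nothing owed, or reserve exhausted
        if not self.pay_before_debit:
            self.tokens[holder_id] = 0           # fixed order: settle the balance first
        self.eth_reserve -= amount
        # Stage 1: the recipient's own code runs during the payout and may
        # call split_return again before stage 2 below has executed.
        recipient.receive(self, holder_id, amount)
        if self.pay_before_debit:
            self.tokens[holder_id] = 0           # stage 2: tokens taken only now
        return amount


class ReenteringHolder:
    """Constructed stand-in for a holder whose payout handler calls back in."""

    def __init__(self, max_depth):
        self.max_depth = max_depth
        self.depth = 0
        self.received = 0.0

    def receive(self, contract, holder_id, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            contract.split_return(holder_id, self)   # re-enter stage 1


def run_split_return(pay_before_debit, tokens=100.0, reserve=1000.0, depth=4):
    """Return (ETH received by the holder, ETH left in the reserve)."""
    contract = SplitReturn(reserve, {"holder-1": tokens}, pay_before_debit)
    holder = ReenteringHolder(depth)
    contract.split_return("holder-1", holder)
    return holder.received, contract.eth_reserve


if __name__ == "__main__":
    print("defective order:", run_split_return(True))   # (500.0, 500.0): five payouts for one balance
    print("fixed order:    ", run_split_return(False))  # (100.0, 900.0): exactly what was owed
```

With the defective order, every re-entrant call still sees the full token balance, so the holder is paid as many times as it can call back in before the reserve runs out; with the balance settled first, the second call finds nothing owed and returns zero. The general rule illustrated is to update internal state before handing control to outside code.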
From a fraudster's point of view individual wallets are less interesting: they hold much smaller sums, and a mass withdrawal of funds is unlikely because such sources are geographically dispersed. Crypto exchanges, on the contrary, have highly centralized storage systems full of considerable crypto reserves, which makes them an ideal target.
Let's not fool ourselves: a crypto exchange operates as a centralized web application that executes transactions and stores its own crypto assets, as well as its customers', on one or more cold wallets and hot (online) wallets built into its infrastructure. Cold storage is much more secure, as the keys to the coins are kept on external media disconnected from the network: USB devices and hard drives. Hot wallets, meanwhile, face the same security problems as any other website.
The biggest robbery in the history of the crypto industry, $532 mln, occurred this year on the Japanese exchange Coincheck precisely because of the vulnerability of hot wallets. Behind the hack was plain phishing, not any shortcoming of the NEM protocol, which uses multi-signature technology. According to Nikkei Asian Review, in early January the attackers sent emails in English to several Coincheck employees, allegedly on behalf of their colleagues. Once the recipients clicked on the sender's address, malware infected their computers and allowed third parties to control them. Shortly after, the exchange's systems began connecting to external servers in Europe and the United States without proper instructions. Suspicious emails continued until nearly midnight on the 25th of January. By compromising the employees' email, the fraudsters gained access to the private key needed to transfer NEM tokens to the accounts they wanted. Mass withdrawal of coins began on the 26th of January.
Coincheck held an unreasonably large portion of its clients' assets in hot wallets that were constantly connected to the Internet. Unauthorized access could have been prevented if the coins had been kept in cold wallets, but the exchange could not afford to provide this kind of custodial service “due to technical reasons and understaffing”. This was reported after the incident by the former Coincheck President Koichiro WADA, who specified: “We were aware we didn’t have enough people working on internal checks, management and system risk. We strived to expand using headhunters and agencies, but ended up in this situation.”
Joep GOMMERS, CEO of the Dutch company Eclectic IQ, which provides cyber threat management and analysis services, told us that a security system must first of all provide multi-level protection of the operating system and the application-layer protocol, and must verify transactions and the identity of their parties. Mr. GOMMERS compares crypto currency exchanges with consolidated platforms such as Amazon and Uber, where “if such huge platforms have problems, you lose everything at once and this is why there are so many heists happening. Large banks, on the other hand, are not central and have different types of security systems. You cannot just steal all the money from a bank, but you can from crypto exchanges”.
Indeed, there have been cases where a single cyberattack caused a crypto exchange such serious financial losses that it had to leave the market. In April it became known that Coincheck had been acquired by Monex Inc., a leading Japanese online brokerage, for only $33.5 mln.
Going further back, we should recall another unfortunate Japanese exchange, Mt. Gox. The second-largest heist of crypto assets, 850,000 BTC ($450 mln at the time), took place in 2014 and resulted in the exchange's bankruptcy. In December 2017 the South Korean crypto exchange Youbit also filed for bankruptcy after losing 17% of its crypto reserves to a hacking attack.
To avoid such significant losses, crypto institutions should follow the example of banks, which spread their funds across different types of assets and store them not only in the safes of head offices but also in branches, ATMs and vaults. Taking the example of Citigroup, one of the largest banks in America, which was also attacked by hackers in 2011, we see that besides cash reserves the bank holds funds on deposit with the Federal Reserve Bank and with correspondent banks, plus items in transit to those banks. At the same time, these types of assets make up only 1.3% of total reserves. The deposits Citigroup holds with other banks account for about 9%.
Bank assets also vary in kind: not only deposits but also loans, brokerage receivables, government securities, income from investment and trading activities, and so on.
In addition, the traditional financial sector has organizations such as the FATF and the Wolfsberg Group, which develop anti-money-laundering principles. Among the many AML rules described in the Wolfsberg Guidance on Mobile and Internet Payment Services (MIPS), we have identified those most relevant to cybersecurity:
Monitoring transactions by setting limits on the number of transactions and their frequency, as well as restrictions on the use of MIPS in high-risk activities.
Collecting and verifying information about the source of funding, such as a transfer from an existing financial institution account or receipt of funds from a known, trusted source such as a government agency (subject to country risk assessment).
Monitoring the payment channel load for reloadable MIPS that are funded only from a specified source (e.g. a government entity or a listed corporation), which makes it possible to detect a channel overload caused by unauthorized use and to eliminate the risks associated with these sources.
Implementing the above standards helps banks detect suspicious transactions at an early stage and prevent possible money laundering. The Estonian crypto exchange Poloniex could have avoided the loss of 12.3% of its BTC if it had applied these AML principles in its operation. In 2014, a hacker targeting the exchange's assets realized that if multiple withdrawal orders were placed at practically the same instant, they would be processed at more or less the same time. Each order was checked against ledger records that were current at the moment of placement, so the requests were automatically approved and executed, even though together they drove the wallet balance negative.
If the exchange had set a limit on the maximum withdrawal volume per coin, restrictions on the number of such operations per day and per week, and a minimum account balance, it could have prevented such a situation. This incident leads to the conclusion that the operating mechanisms of crypto institutions differ little from those of traditional financial organizations. They therefore have the opportunity to take previously developed tools and implement them in their own activities, learning from the mistakes of their traditional predecessors rather than repeating them.
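The Python model below is an added example covering both the Poloniex race just described and the controls suggested above; it is not Poloniex's code, and the account name, the limits and the request timestamps are constructed assumptions. The defective flow validates a burst of near-simultaneous withdrawals against one ledger snapshot and then applies them all; the hardened flow handles them one at a time, each check seeing the balance left by the previous one, and additionally enforces a per-withdrawal cap, a daily count and a minimum balance.

```python
"""Toy withdrawal processor: snapshot validation versus serialized checks.

Constructed example, not Poloniex's code: the account, limits and request
timestamps below are assumptions chosen to illustrate the race described
above and the controls suggested in the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    account: str
    amount: float
    placed_at: datetime


@dataclass(frozen=True)
class Limits:
    max_per_withdrawal: float   # largest single withdrawal allowed
    max_per_day: int            # approved withdrawals per rolling 24 h
    min_balance: float          # floor the balance may not drop below


def process_snapshot(balance, requests):
    """Defective flow: every near-simultaneous request is validated against
    the same ledger snapshot, then all approved ones are applied."""
    approved = [r for r in requests if r.amount <= balance]
    for r in approved:
        balance -= r.amount          # can overdraw: the checks never saw each other
    return balance, approved


def process_serialized(balance, requests, limits):
    """Hardened flow: requests handled one at a time, each check reading the
    balance as updated by the previous one, plus the limits from the text."""
    approved, rejected, history = [], [], []
    for r in sorted(requests, key=lambda w: w.placed_at):
        recent = [t for t in history if r.placed_at - t < timedelta(days=1)]
        if r.amount > limits.max_per_withdrawal:
            rejected.append((r, "exceeds per-withdrawal limit"))
        elif len(recent) >= limits.max_per_day:
            rejected.append((r, "daily withdrawal count reached"))
        elif balance - r.amount < limits.min_balance:
            rejected.append((r, "would breach minimum balance"))
        else:
            balance -= r.amount
            approved.append(r)
            history.append(r.placed_at)
    return balance, approved, rejected


# Constructed burst: five 40 BTC withdrawals a few milliseconds apart
# against a 100 BTC balance (the timestamp is an arbitrary placeholder).
T0 = datetime(2014, 1, 1, 12, 0, 0)
BURST = [Withdrawal("acct-1", 40.0, T0 + timedelta(milliseconds=5 * i))
         for i in range(5)]
LIMITS = Limits(max_per_withdrawal=50.0, max_per_day=2, min_balance=10.0)


def demo_snapshot():
    return process_snapshot(100.0, BURST)


def demo_serialized():
    return process_serialized(100.0, BURST, LIMITS)


if __name__ == "__main__":
    bal, ok = demo_snapshot()
    print(f"snapshot: {len(ok)} approved, balance {bal}")          # 5 approved, balance -100.0
    bal, ok, bad = demo_serialized()
    print(f"serialized: {len(ok)} approved, {len(bad)} rejected, balance {bal}")  # 2, 3, 20.0
    for r, why in bad:
        print("  rejected", r.amount, why)
```

Serializing the check and the debit is what closes the race: even with no limits at all, the third request in the burst is refused because the balance it reads has already been reduced by the first two. The limits add defence in depth, so that a burst is stopped by the daily count or the balance floor before the reserve is exhausted.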