Adam Adler "The Hackers Who Want to Steal Your Cryptocurrency"
Adam Adler (Miami, Florida): 2020 will be remembered as the year institutions, everyday investors, and business giants began to take cryptocurrency seriously. Responding to author Ben Mezrich’s tweet saying he will never refuse to be paid in Bitcoin again, Elon Musk teased “me neither.” As their prices soared, cryptocurrencies were welcomed by global regulators, led by the OCC’s letter of intent published back in July, authorizing U.S. banks to start offering custody of digital assets.
The rise of crypto over the last year was accompanied by cyber-attacks and hacking incidents on digital assets that netted $1.8 billion over the first 10 months of 2020. As crypto becomes institutionalized, going from a niche investment to a mainstream asset held by tens of millions of consumers in the U.S. alone, banks are expected to take the plunge into the digital asset space. With big banks joining the party, hackers will become more incentivized to attack than ever before.
Indeed, 2021 may very well be the year hackers shift their sights from crypto exchanges to commercial banks that begin handling crypto. One thing is certain: hackers will try to exploit the “learning curve” that banks will inevitably go through as they enter a new domain that requires very different security protocols and technology than those currently employed in banks’ IT infrastructure.
No two hacks are identical. But by closely examining the major crypto hacks that took place over the past year, we can draw three key lessons that offer valuable insights, helping banks better protect themselves in the crypto space.
1. Hot wallets are hackable
Altsbit is a small Italian crypto exchange. KuCoin is one of the largest exchanges in Southeast Asia. Harvest Finance is a niche smart contract DeFi protocol provider, and Exmo is a UK-registered exchange serving customers mainly in Russia and Ukraine. What do these four have in common? They were all hacked in 2020, with hackers stealing private keys from their Hot Wallets. Each of these exchanges quickly admitted the hack and clarified that it was limited to just their hot wallets. In fact, they went out of their way to stress that their Cold Storage devices remained intact. This is the perfect segue to the next takeaway from 2020 hacks:
2. Cold wallets are indeed hack-proof; the problem is that storage solutions that claim to be cold aren’t really cold
Arguably one of the hacks that got the most media coverage this year was the hack of Ledger Nano, a widely popular cold storage device. In July, Ledger admitted it had been hacked, compromising the personal information and private records of thousands of its users. In December, the hacker dropped these customer lists on RaidForums (a hub for buying, selling, and sharing hacked info), exposing the sensitive information of crypto owners. These ranged from newbies who got half a Bitcoin for their Bar Mitzvah to high-net-worth individuals with millions in digital assets.
Cold wallets also claim to enable signing transactions and managing crypto assets without being connected to the internet, keeping users’ private keys outside the reach of hackers. In reality, this claim is only partially true, at best. Here’s why: In order to make a cryptocurrency transaction, each user must obtain a string of auto-generated data created by the blockchain. This random string is absolutely mandatory in validating the signed transaction -- without this signature, the miner will simply disregard the transaction and avoid inserting it into the blockchain.
No matter how safe users keep their Cold Wallets, the moment they want to buy, sell or move around Bitcoin, Ethereum, or any other digital currency, they need to connect the cold wallet to the internet. Once connected, cold wallets become vulnerable to attacks. Skilled hackers know how to creatively find attack vectors on virtually any machine connected to the internet. Sure, it might take time and effort, but the general rule of thumb is that it takes an average investment of $1M to hack a single PC. Once hackers set their sights on a PC with a cold wallet plugged into it, they will find a way to hack it. Since any transaction to the blockchain is irreversible, hackers can use your private key to create a transaction and drain your account of all its digital assets minutes after they take over your local environment.
3. Unclear key management protocols are an accident waiting to happen
Something strange happened to global crypto exchange OKEx this fall: Its founder went missing, taking with him exclusive access to users’ private keys. OKEx announced a withdrawal freeze on all of its assets, which ended up lasting over five weeks. While there was no direct out-of-pocket loss, the reputational damage to OKEx was severe, undermining the fundamental trust between the exchange and its customers. The key takeaway from the OKEx incident is that any institution handling crypto can’t afford to run an architectural flow with a single point of failure. This is exactly where effective governance, control, and compliance are required in safeguarding digital assets from both hackers and inside jobs. Simply put: no single person should have access to all private keys, no matter how high their pay grade is.
In summary, 2021 has great potential for going into the books as the year in which crypto enters the official mainstream, with banks becoming major players in this market. But the premise for this rosy prediction is that bankers learn from the painful lessons that the 2020 hacks taught us. Otherwise, they will find themselves as the targets of cyber-attacks that will bear catastrophic consequences, indirect financial loss, reputational damage, and loss of goodwill.
The threat of hacking attacks of this type was predicted by Kaspersky Lab as early as November of last year, and they did not take long to become reality. For the time being, this is one of the most widespread types of attacks aimed at stealing users’ information or money, with the overall estimated share of attacks on individual accounts and wallets being about 20 percent of the total number of malware attacks. And there’s more. On July 12, Cointelegraph published Kaspersky Lab’s report, which stated that criminals were able to steal more than $9 million in Ethereum (ETH) through social engineering schemes over the past year.
Briefly about the problem
The already mentioned Bleeping Computer portal, which works on improving computer literacy, writes about the importance of following at least some basic rules in order to ensure a sufficient level of protection:
“Most technical support problems lie not with the computer, but with the fact that the user does not know the ‘basic concepts’ that underlie all issues of computing. These concepts include hardware, files, and folders, operating systems, internet, and applications.”
The same point of view is shared by many cryptocurrency experts. One of them, Ouriel Ohayon — an investor and entrepreneur — places the emphasis on the personal responsibility of users in a dedicated Hackernoon blog:
"Yes, you are in control of your own assets, but the price to pay is that you are in charge of your own security. And since most people are not security experts, they are very much often exposed — without knowing. I am always amazed to see around me how many people, even tech-savvy ones, don’t take basic security measures."
According to Lex Sokolin — the fintech strategy director at Autonomous Research — every year, thousands of people become victims of cloned sites and ordinary phishing, voluntarily sending fraudsters $200 million in cryptocurrency, which is never returned.
What does that tell us? Hackers who attack crypto wallets exploit the main vulnerability in the system: human inattention and arrogance. Let's see how they do it, and how one can protect their funds.
250 million potential victims
A study conducted by the American company Foley & Lardner showed that 71 percent of large cryptocurrency traders and investors consider theft of cryptocurrency the strongest risk that negatively affects the market. 31 percent of respondents rate the hackers’ activity threat to the global cryptocurrency industry as very high.
- Attacks on the blockchains, cryptocurrency exchanges, and ICOs;
- Distribution of software for hidden mining;
- Attacks directed at users’ wallets.
Surprisingly, the article "Smart hacking tricks" published by Hackernoon didn’t appear to gain wide popularity, and warnings that seem obvious to an ordinary cryptocurrency user must be repeated again and again, as the number of cryptocurrency holders is expected to reach 200 million by 2024, according to RT.
According to research conducted by ING Bank NV and Ipsos — which did not consider East Asia in the study — about nine percent of Europeans and eight percent of U.S. residents own cryptocurrencies, with 25 percent of the population planning to buy digital assets in the near future. Thus, almost a quarter of a billion potential victims could soon fall into the field of hacking activity.
The DigitalBank Crypto Vault: The World's Most Secure Crypto Storage Solution
Impenetrable Crypto Banking System: private keys never stored, anywhere, at any given time. The Private Key (PK) is safely generated by you, known only to you, and can be accessed only by you.
The Device generating the Private Key (PK) does not store the generated PK at any time. The PK is generated by you, on the spot, with a passphrase, when needed, for just a few milliseconds, just to sign the transaction, and then disappears permanently from the device.