Crypto Exchange Hack: Decentralized Heists

In July 2019, Japanese crypto exchange Bitpoint, a subsidiary of Remixpoint, announced that it had suspended all operations after being hit by a hacking attack. The exchange operator lost 3.5 billion yen, which is the equivalent of $32 million. The stolen crypto funds involved Ripple, Ethereum, and other coins.

As we all know, this is not the first and probably not the last incident of this kind. In the following lines, I’d like to focus on the biggest crypto heists in history and see where Japan and other countries stand on this matter.

Bitpoint (Crypto Exchange) Hack May Spur Tighter Japanese Regulations

Bitpoint’s clients lost 2.5 billion yen ($22.7 million) on Friday, while the rest of the stolen funds belonged to the company itself. Interestingly, last year the Japanese Financial Services Agency (FSA) issued an operation improvement order to Bitpoint because the regulator wasn’t happy with internal controls at the exchange operator. The order was lifted at the end of last month, and the hack came only two weeks later.

The situation can encourage the FSA in its fight against illegal crypto activities. The chances are that the regulator will increase supervision over local crypto exchanges.

Following the incident, parent company Remixpoint saw its stock price tumble by almost 19% on the Tokyo Stock Exchange.

As per Bitpoint, the coins were stolen from a hot wallet that stored five cryptocurrencies, including Bitcoin, Ripple, and Bitcoin Cash. The cold wallets stayed untouched.

As a result, the exchange firm halted all operations, including the following services:

  • The Web Trading Webpage
  • Trading on the MT4 Platform
  • API and Smart API Service
  • Bitpoint Wallet Application
  • Crypto Custody Service
  • Bitpoint LITE Application

Thus, none of the services can be accessed, and new account openings are not accepted for now. The company will announce when it restarts operations.

Incident Confirms Japan’s Position As Most Affected Country by Crypto Exchange Hacks

Japan is one of the leading adopters of cryptocurrencies and blockchain technology. However, it is also the country that hosted the largest crypto heists in the short history of the industry.

In May 2019, fintech research firm MEDICI reported that 62 hacks had been made on cryptocurrency exchanges, wallets, and marketplaces worldwide from 2011 to 2019. The total amount of the losses was $2.71 billion. Japan alone accounts for $920 million of the losses, which represents a third of all stolen crypto funds.

From January to April of 2019, eight crypto heists were recorded, which deprived clients of $729 million worth of cryptocurrency. MEDICI estimated that the number of hacking attacks would increase to 16, while the volume of losses would reach $1 billion by the end of this year.

The research firm created a map of the most affected countries, with Japan leading this unfortunate ranking.

Geographical Distribution of Crypto Exchange Hacks by Value 2011-2019
Source: Medici Research – 39 Cryptocurrency Hacks: $1.93 Billion in Loss Over 5 Years

As you can see, other countries that have suffered from crypto hacks are Singapore, South Korea, the UK, Italy, Canada, China, Poland, New Zealand, the US, South Africa, India, and Russia, among others.

In the last eight years, Singapore was hit by five crypto heists, with the total amount of fraudulent transactions reaching $507.31 million. The UK, Canada, and South Korea lost $337 million, $265 million, and $181 million, respectively.

2019 has already set a new record for the biggest crypto hack-related losses registered within a year.

Volume and Value of Total Crypto Exchange Hacks 2011-2019
Source: Medici Research – 39 Cryptocurrency Hacks: $1.93 Billion in Loss Over 5 Years

The number of thefts is increasing as cryptocurrencies become more popular and valuable. It’s worth mentioning that incidents like Bitpoint’s don’t point to vulnerabilities in the distributed ledger technology (DLT) but rather in the storage methods and services used.

5 Largest Crypto Exchange Hacks

The weakest point of the cryptocurrency ecosystem is represented by crypto exchanges, which in general do a great job at speeding up adoption and providing liquidity. However, given that most of the crypto exchanges operate online, they’re prone to hacking attacks. Here are the five biggest crypto heists so far:

Coincheck (Japan)

About $530 million; in January 2018, Japanese crypto exchange operator Coincheck announced that hackers had stolen over 500 million NEM coins, which were worth about $530 million at the time. This is still the largest crypto exchange heist ever.

NEM Foundation blamed the exchange firm for its “relaxed security measures.” Nevertheless, other cryptocurrencies besides NEM were not touched. In the end, it is not NEM’s fault at all. The exchange admitted that they stored all of the NEM funds in a single hot wallet without using multisig contract security.

Initially, investigators suspected a group of attackers with North Korean roots. However, according to a report from local media portal Asahi Shimbun, the personal computers of Coincheck employees had been infected by a virus linked with a hacking group with Russian connections.

The day after the hack was announced, Coincheck pledged to refund all 260,000 affected users – a decision that was unanimously welcomed by the crypto community. Elsewhere, NEM developers tagged all the stolen coins to make them easy to identify so that other crypto exchanges wouldn’t accept them. The coins have never been recovered though, as NEM suddenly decided to stop the search.

Coincheck created a precedent that gave the FSA more reasons to tighten crypto regulation. Interestingly, the exchange was not shut down but continues its operations to this day after being acquired by Monex. 

Mt. Gox (Japan)

About $450 million; in February 2014, the Tokyo-based exchange was supervising about 70% of all Bitcoin exchanges, being by far the largest Bitcoin exchange in the world.

However, despite its status, the exchange was about to crash. One day in February 2014, it announced that about 850,000 Bitcoins had been lost, all of which belonged to clients. The missing amount was valued at about $450 at the time. Based on the current BTC rate of $11,300 as of July 13, 2019, that amount would be the equivalent of $9.6 billion, which makes it by far the most infamous crypto heist in history. Those stolen BTC funds represented 6% of all Bitcoins in circulation at the time.

In April 2015, Tokyo-based security firm WizSec concluded that most of the Bitcoins had been stolen from Mt. Gox’s hot wallet over time, starting in 2011.

The Missing MtGox Bitcoins - Crypto Exchange Hack
Source: WizSec – The Missing MtGox Bitcoins

Mt. Gox immediately suspended trading, shut down its exchange service and webpage, and filed for bankruptcy. In April of the same year, the exchange firm started liquidation proceedings.

BitGrail (Italy)

About $195 million; in February 2018, BitGrail, a lesser-known crypto exchange based in Italy, announced that it had lost 17 Nano tokens, which were worth around $195 million at that time.

BitGrail accounted for a large volume of Nano trading, a coin that was formerly known as RaiBlocks. While the hack was officially announced in early 2018, the story around Nano actually started much earlier, with BitGrail allegedly being insolvent for several months prior to that.

Moreover, it seems that what was believed to be a hack might have been an exit scam. BitGrail users became suspicious when the exchange suspended all withdrawals and deposits of Nano in January 2018, citing new ID verification and anti-money laundering (AML) rules for its users. However, the company didn’t deal with fiat currencies and wasn’t connected with traditional banks, which called into question the need for the AML rules.

Several users were already alerted by these signs and voiced their concerns that BitGrail might be preparing an exit scam. Nano fell by over 20% on the news. Shortly before the official announcement of the hack, BitGrail founder and owner Francesco Firano privately asked the Nano team to carry out a hard fork of the blockchain network to recover the lost funds. Nano reacted promptly, rejecting the idea, and eventually presented copies of their discussions with Firano. Earlier in 2019, a court required Firano to return the missing Nano funds to BitGrail clients.

Bitfinex (Hong Kong)

$72 million; in August 2016, Bitfinex, which is operated by Hong Kong-based iFinex, announced that over 120,000 Bitcoins had been stolen. They were valued between $60 million and $72 million at the time.

It is remarkable how the exchange could operate till this day, given that it suffered the second-largest hack by the number of missing Bitcoins (after Mt. Gox) and has been dealing with controversies surrounding Tether.

Bitfinex customers lost their crypto funds despite using two-factor authentication methods. The news caused the Bitcoin price to decline by about 20%. Users were compensated in BFX tokens rather than BTC.

Interestingly, last month, a portion of BTC stolen from the exchange back in 2016 was seen to move from the hackers’ wallet to another address. At the time of reporting, about 185 Bitcoins were moved through six transactions. The price of those coins was about $1.5 on June 7. However, the spotted portion of BTC represents only 0.15% of the total amount stolen.

Nevertheless, it seems that the incident helped investigators find some suspects. At the end of last month, two Israeli brothers, named Eli and Assaf Gigi, were arrested for their alleged involvement in the Bitfinex hack.

Zaif (Japan)

$60 million; in September 2018, crypto exchange Zaif announced that it had lost 6.7 million yen (about $60 million) worth of cryptocurrency. And yes – we’re speaking about Japan again. Zaif was the country’s second-biggest crypto exchange heist in 2018 after Coincheck.

Zaif is operated by the Japanese firm Tech Bureau. It announced that hackers stole Bitcoin, Bitcoin Cash, and MonaCoin. The FSA investigated the case and soon found out that the crypto funds were traded on popular exchanges like Binance and Huobi. The criminals created hundreds of accounts and deposited only 2 BTC in each of them to avoid Binance’s AML check.
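A defender-side sketch of how an exchange could surface the deposit pattern described above, where many accounts each receive an amount at or just under a per-account limit. This is an added example, not code from Binance, the FSA, or the original article; the 2 BTC figure comes from the text, while the 24-hour window, the fan-out threshold, the `source_cluster` label, and the sample deposits are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_ACCOUNT_LIMIT_BTC = 2.0   # per-account amount named in the text
NEAR_LIMIT = 0.9              # assumption: >= 90% of the limit counts as "near limit"
WINDOW = timedelta(hours=24)  # assumption: correlation window
MIN_ACCOUNTS = 3              # assumption: fan-out needed before alerting

def find_structuring(deposits):
    """Return {source_cluster: (accounts, total_btc)} for clusters that send
    near-limit deposits to MIN_ACCOUNTS or more distinct accounts in one WINDOW."""
    floor = NEAR_LIMIT * PER_ACCOUNT_LIMIT_BTC
    by_cluster = defaultdict(list)
    for d in deposits:
        if floor <= d["btc"] <= PER_ACCOUNT_LIMIT_BTC:
            by_cluster[d["source_cluster"]].append(d)
    alerts = {}
    for cluster, rows in by_cluster.items():
        rows.sort(key=lambda d: d["time"])
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the window never spans more than WINDOW.
            while rows[end]["time"] - rows[start]["time"] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            accounts = {d["account"] for d in window}
            widest = len(alerts[cluster][0]) if cluster in alerts else 0
            if len(accounts) >= MIN_ACCOUNTS and len(accounts) > widest:
                alerts[cluster] = (accounts, round(sum(d["btc"] for d in window), 8))
    return alerts

def _dep(account, ts, btc, cluster):
    return {"account": account, "time": datetime.fromisoformat(ts),
            "btc": btc, "source_cluster": cluster}

# Constructed sample deposits; source_cluster is a hypothetical label assumed
# to come from upstream clustering of the sending addresses.
SAMPLE = [
    _dep("acct-101", "2024-01-10T01:00:00", 2.0, "cluster-A"),
    _dep("acct-102", "2024-01-10T01:20:00", 1.95, "cluster-A"),
    _dep("acct-103", "2024-01-10T03:05:00", 2.0, "cluster-A"),
    _dep("acct-104", "2024-01-10T09:40:00", 1.9, "cluster-A"),
    _dep("acct-200", "2024-01-10T02:00:00", 0.3, "cluster-B"),  # ordinary small deposit
    _dep("acct-201", "2024-01-10T04:00:00", 2.0, "cluster-B"),  # lone near-limit deposit
    _dep("acct-300", "2024-01-08T00:00:00", 2.0, "cluster-C"),  # near-limit, days apart
    _dep("acct-301", "2024-01-11T00:00:00", 2.0, "cluster-C"),
    _dep("acct-302", "2024-01-14T00:00:00", 2.0, "cluster-C"),
]

if __name__ == "__main__":
    for cluster, (accounts, total) in find_structuring(SAMPLE).items():
        print(cluster, sorted(accounts), total)
```

Only `cluster-A` is flagged: each deposit stays within the per-account limit, but the four accounts together receive 7.85 BTC from one source cluster within a single window.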

Meanwhile, Zaif has been taken over by another company called Fisco. It pledged to restructure the crypto exchange as required by the FSA. However, it seems that it failed to do so, as the regulator discovered several violations of the AML rules.

Besides the mentioned five crypto exchange heists, there were other large hacking attacks that deprived clients of millions. Other notable mentions of hacked crypto exchanges are NiceHash ($60 million), Binance ($40 million stolen), Bithumb ($30 million), Coinrail ($37.2 million),  

Why Do Hacks Happen?

The main reason why crypto exchanges are often hurt is that they are centralized entities, suggesting that they have a single point of failure. Thus, they are vulnerable by the way they operate.

John Sedunov, an assistant professor of finance at Villanova University, shared his thoughts about the issue:

“Bitcoin and other cryptocurrencies have risen dramatically in popularity and value over the past few years. This fast run-up may have caught some exchanges off-guard, and they may not have had the capital on hand, time, or even the technical ability to ramp up security features fast enough to ward off potential attackers.”

Source: PressReader – Why Bitcoin Hubs Keep Getting Hacked

According to MEDICI, the primary reason that often leaves the door open to hacks is the lack of involvement of a regulator or a central authority that could provide clear guidance on the security checks required to be in place. While most of the exchanges have advanced in terms of digital security and technology, the hackers find ways to outclass them. The good news is that many exchanges are trying to improve security by imposing know your customer (KYC) measures and account monitoring procedures.

A Hackernoon report showed that:

  • All major exchanges are protected from potential POODLE, Heartbleed, and MITM attacks.
  • 1% of the exchanges were not protected from the ROBOT vulnerability.
  • 60% of exchanges were protected against Clickjacking attacks.
  • 74% of exchanges were protected from Denial-of-Service (DoS) attacks.

As you may have noticed in the examples above, most of the hackers target hot wallets (online wallets). Today, most exchange platforms operate a hot wallet to process transactions without having to move the crypto funds in and out of the offline cold wallets, which is a more difficult and expensive process. However, the problem is that hackers are most likely to aim for hot wallets because they are connected to the internet. At any given time, a large crypto exchange can have hundreds of millions of US dollars in cryptos stored on hot wallets.

Crypto exchanges have to improve the security of their platform, including by collaborating with third-party cybersecurity and fintech firms.

Interestingly, while hackers might have increased their gains in the last few years, they also have to launder the stolen funds, and it is becoming more and more difficult thanks to the new AML rules implemented in many jurisdictions. A recent report by CipherTrace reads:

“Whether it’s theft by hackers or inside jobs like exit scams, criminals must launder all of these ill-gotten gains before they can spend those funds in the real economy. In addition, global gangs, terrorist groups, and cyber criminals must hide their money trails. These bad actors are clearly flocking to jurisdictions with weak AML and Know Your Customer (KYC) regimes because in our Q3 (2018) report we published the results of research showing 97% of criminal Bitcoin flows into unregulated cryptocurrency exchanges.”

Source: Blockonomi – Bitcoin Theft Skyrocketed to Almost $2 Billion in 2018, Says New Report

How do You Store Crypto Funds Safely?

While crypto exchanges are prone to hacks, you shouldn’t panic about the safety of your crypto funds. There are several great methods to store your Bitcoins or altcoins safely without being visible to hackers. The first rule you should remember is – do not keep your crypto funds on any exchange!

The best way to store your coins is to use a cold wallet, also called a hardware wallet. The most popular brands of hardware wallets are Ledger Nano X, Ledger Nano S, Trezor T, and Trezor One. These wallets look like USB flash drives. They keep the private keys of your coins offline, meaning that no hacker can reach them.

Obviously, if you need to carry out transactions, you would use the service of a crypto exchange. In this case, you can deposit only a portion of your crypto budget and leave the main stack on the cold wallet.

Another important rule for keeping your crypto funds safe is – never entrust your coins to unregulated exchanges! Before dealing with an exchange, make sure it’s recognized by local regulators and can guarantee the safety of your deposit. Do your homework before picking an exchange platform.

Don’t forget to check the reputation, transparency, and security measures adopted. Feel free to enable any security option available with the exchange, including two-factor authentication (2FA), even if it seems annoying. By implementing these simple rules, you can avoid being a victim of crypto exchange hacking attacks.
