There are approximately 130 cryptocurrency exchanges around the globe today. Most are based in Asia. They’ve existed in a foggy no man’s land of oversight that banks only dream of. Because of the trans-national locations of these entities and the diverse composition of investor nationalities, regulatory oversight of cybersecurity standards has been virtually non-existent.
For instance, the South Korean cryptocurrency exchange Coinrail confirmed that it was hacked in June 2018. According to the local news agency Yonhap, the hack resulted in losses of about 40 billion won (36.9 million U.S. dollars). Japan’s cryptocurrency exchange Coincheck was hacked in January 2018, with losses exceeding 500 million U.S. dollars. After being hacked twice, the South Korean exchange Youbit stopped operating and declared bankruptcy in December 2017.
To avoid hacks leading to significant losses, cryptocurrency exchanges need to have comprehensive procedures for identifying and eliminating information security vulnerabilities.
Common vulnerabilities of cryptocurrency exchanges
We can distinguish at least five common vulnerabilities of cryptocurrency exchanges, namely, the susceptibility of cryptocurrency exchanges to phishing, missing hot wallet protections, weak protection of employee login credentials, software vulnerabilities, and transaction malleability.
Susceptibility of cryptocurrency exchanges to phishing
Technical controls alone cannot fully protect a cryptocurrency exchange against phishing, because the attacker targets people rather than software. Compromised employee credentials are the number one root cause shared across the exchange hacks we analyzed: in the majority of cases, attackers got into VPNs or employee machines with stolen, guessed or otherwise compromised credentials (the NiceHash, Bithumb and Youbit hacks of 2017, among others) and then manipulated code, injected malicious code, or created fraudulent transactions.
Adding a second authentication factor for exchange employees, such as a biometric check or a hardware security key, on client, VPN and network logins would not stop “inside jobs”, but it could have prevented the theft of hundreds of millions of dollars’ worth of cryptocurrency from well-meaning investors and from the entrepreneurs who founded these trading platforms. One caveat a practitioner should keep in mind: only a phishing-resistant factor, one bound to the legitimate login origin as with FIDO2 security keys, defeats a phishing site that relays codes in real time; a one-time code typed into a web page can be phished together with the password.
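Because the attacks above began with a stolen credential used on a VPN, the second control worth having is detection of the login itself. The following is an added example, not code from the article, that runs a simple credential-compromise check over a constructed VPN authentication log: a successful login is flagged when it follows a burst of failures, or comes from a country or device never before seen for that user. The log format, field names and sample lines are assumptions made up for this demo.

```python
# Added example (not from the original article): flag VPN logins that look like
# use of stolen or guessed employee credentials. Log format and sample lines are
# constructed for this demo and do not come from any real exchange.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a hypothetical VPN authentication log (not real data).
SAMPLE_LOG = """\
2018-06-01T09:02:11Z user=alice result=success src=203.0.113.7 country=KR device=alice-laptop
2018-06-01T09:15:40Z user=bob result=success src=198.51.100.4 country=KR device=bob-laptop
2018-06-02T08:58:03Z user=alice result=success src=203.0.113.7 country=KR device=alice-laptop
2018-06-03T03:12:51Z user=alice result=fail src=192.0.2.55 country=RU device=unknown-pc
2018-06-03T03:12:58Z user=alice result=fail src=192.0.2.55 country=RU device=unknown-pc
2018-06-03T03:13:04Z user=alice result=fail src=192.0.2.55 country=RU device=unknown-pc
2018-06-03T03:13:20Z user=alice result=success src=192.0.2.55 country=RU device=unknown-pc
2018-06-03T09:05:00Z user=bob result=success src=198.51.100.4 country=KR device=bob-laptop
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+) device=(?P<device>\S+)"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_suspicious_logins(events, max_failures=3, window_seconds=300):
    """Return alerts for successful logins that either directly follow a burst
    of failed attempts, or come from a country/device never seen for that user.
    The per-user baseline is learned from earlier successful logins."""
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    recent_failures = defaultdict(list)  # user -> timestamps of failed attempts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] != "success":
            recent_failures[user].append(ev["ts"])
            continue
        reasons = []
        # Only failures inside the time window count towards a brute-force burst.
        burst = [t for t in recent_failures[user]
                 if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(burst) >= max_failures:
            reasons.append(f"success after {len(burst)} failures in {window_seconds}s")
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append(f"new country {ev['country']}")
        if seen_devices[user] and ev["device"] not in seen_devices[user]:
            reasons.append(f"new device {ev['device']}")
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                           "src": ev["src"], "reasons": reasons})
        # Update the baseline only after checking, so the first login seeds it.
        seen_countries[user].add(ev["country"])
        seen_devices[user].add(ev["device"])
        recent_failures[user] = []
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields a single alert, for alice's 03:13 login, carrying all three reasons; bob's routine logins are silent. In a real deployment the baseline would be persisted across runs and the country lookup done from the source address, but the shape of the check is the same.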
Missing hot wallet protections
The term “hot wallet” refers to a cryptocurrency wallet whose private keys are kept on a system connected to the Internet, so that withdrawals can be signed automatically. Many exchanges secure each hot wallet with a single private key; whoever obtains that key can move every coin the wallet holds. The Bitfinex attack (2016, about 65 million U.S. dollars) and the Parity attack (July 2017, about 30 million U.S. dollars) are usually cited as examples of private key attacks. Note, however, that the Parity loss came from a bug in a multisignature wallet contract, and Bitfinex is widely reported to have been using multisignature wallets already, so multisignature alone is not a cure. Exchanges reduce their exposure by keeping only the float needed for daily withdrawals in hot wallets, by requiring M of N keys held on separate systems (or by separate people) to sign a withdrawal, and by capping per-transaction and per-day withdrawal amounts, so that a single compromised key or host cannot drain the wallet.
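The M-of-N idea can be applied off-chain as well as on-chain. The following is an added example, not code from the article, that splits a hot-wallet signing key into N shares using Shamir's secret sharing over a prime field, so that any M shares reconstruct the key while M-1 shares reveal nothing about it. The key value and the threshold parameters are constructed for the demo; the field prime is the public secp256k1 field prime, chosen only because it is larger than any 256-bit key.

```python
# Added example (not from the original article): split a hot-wallet private key
# into n shares of which any m are needed to reconstruct it (Shamir's secret
# sharing over a prime field). A single stolen share reveals nothing about the key.
import secrets
from itertools import combinations

# secp256k1 field prime; any prime larger than the secret would do.
P = 2**256 - 2**32 - 977


def split_secret(secret, m, n):
    """Split `secret` (an int < P) into n shares; any m of them reconstruct it."""
    if not (2 <= m <= n and 0 <= secret < P):
        raise ValueError("need 2 <= m <= n and 0 <= secret < P")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def check_threshold(key, m, n):
    """Sanity check of the threshold property for a given key:
    returns (every m-subset recovers key, no (m-1)-subset recovers key)."""
    shares = split_secret(key, m, n)
    full = all(recover_secret(list(c)) == key for c in combinations(shares, m))
    short = any(recover_secret(list(c)) == key for c in combinations(shares, m - 1))
    return full, not short


if __name__ == "__main__":
    key = secrets.randbelow(P)  # stands in for a hot-wallet private key (constructed)
    shares = split_secret(key, 2, 3)
    print("2 of 3 shares recover the key:", recover_secret(shares[:2]) == key)
    print("1 share alone does not:", recover_secret(shares[:1]) != key)
    print("threshold check:", check_threshold(key, 3, 5))
```

In practice the shares would live on separate signing hosts (or with separate custodians) and the reconstructed key would exist only in memory of the signer for the duration of one withdrawal; what the example shows is why a breach of one host, as in the incidents above, cannot by itself move the funds.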
Weak protection of employee login credentials
Employees of cryptocurrency exchanges often use weak passwords or store their login credentials insecurely, which makes those credentials easy prey for criminals. At least three attacks were carried out by compromising employee login details: the Bithumb hack (2017), the NiceHash hack (2017), and the Youbit hack (2017). Attackers also target employees’ personal computers. For instance, Ben Herzberg, a security researcher, noted in relation to the Bithumb hack:
“In this case, according to Bithumb, the breach itself was on data stored outside of the company’s assets on a personal computer. This also brings the question of data security in companies and the ability of employees to take sensitive information with them when they’re at home.”
Therefore, organizations need to ensure that employees protect the login credentials for work applications not only on company-issued computers but also on any personal computer used for work; better still, customer data and credentials should not leave managed devices at all.
Software vulnerabilities
Various laws oblige banks and other financial institutions to implement information security measures to protect their clients’ deposits and prevent unauthorized transactions. However, because the blockchain field is in its infancy, few such laws apply to cryptocurrency exchanges. It is therefore no coincidence that many cryptocurrency exchanges run software with vulnerabilities that allow attackers to steal substantial amounts of money.
On 27 March 2018, Oleksii Mattiasevych, a security expert, found a software vulnerability in eight major centralized exchanges. He informed those exchanges and sent warning letters to over 200 others. The vulnerability allows attackers to manipulate the Ethereum balance an exchange credits to an account: a fraudster can register a new account, fraudulently increase its balance, and withdraw the inflated balance from the exchange. Whatever the specific flaw, the defensive principle is the same: an exchange should credit a deposit only after independently verifying on the chain that the transfer succeeded and for exactly what amount.
Transaction malleability
Proponents of blockchain technologies often argue that blockchain transactions are highly secure because they are recorded on an allegedly immutable ledger. They less often mention that, until a transaction is confirmed, a third party can alter its signature encoding (for example, by replacing the ECDSA value s with n − s) without invalidating it, which changes the transaction identifier while leaving the payment itself intact. An exchange that tracks withdrawals by transaction id alone then sees the original id “disappear” and may resend the funds. Mt. Gox, at the time the largest bitcoin exchange, blamed malleability for its losses when it halted withdrawals in February 2014; it lost approximately 850,000 bitcoins, worth about 473 million U.S. dollars at the time, and went bankrupt. Bitcoin has since mitigated the problem with the low-s signature rule and with SegWit, whose transaction ids do not cover signatures, but the lesson for exchanges stands: track payments by their outputs and confirmations, not by unconfirmed transaction ids.
The large number of cyber-attacks discussed in this article, and the many reports of security vulnerabilities in cryptocurrency exchanges, show a pressing social need for regulation of the blockchain field. In particular, governments should require cryptocurrency exchanges to adopt strict information security measures that prevent the theft of billions of U.S. dollars.