Meet The Wild West of Crypto Exchanges

Crypto is ready to change the world and fix many of our existing security problems and also contribute to building a new (and more trusted) world, but is the world ready for crypto exchanges? A new hack of nearly half a billion dollars has just been announced, and by a company who had not even registered with a financial regulator.

Before I start many of my presentations, I often show this slide, in order to show that crypto is amazing, but it is let down by a whole lot of things … especially humans not understanding security:

I remember hearing that, in the UK, for the first time in a single year, there were no actual physical bank robberies. Why? Because there are often much better pickings for criminals if they can hack their way into a bank. As we move into a crypto world, the opportunities for cyber criminals will increase by the day.

So which is the “crime” that is the easiest to implement (just running a script), most likely to gain you the most in return (a gain of 10s of millions), and has virtually no chance of getting caught (where money transfers are almost impossible to trace to their origin)? Crypto wallet and/or ICO (Initial Coin Offering) hacking!

Coincheck — A Bigger Hack than Mt Gox

While cryptocurrencies are safe in themselves, the major problem seems to be with the places which hold the wallets. In 2014, for example, Mt. Gox — a Japanese cryptocurrency exchange — filed for bankruptcy after a hacker drained the exchange of hundreds of thousands of Bitcoins (worth around $340 million).

Now Coincheck, a Tokyo-based cryptocurrency exchange, has confirmed that it has possibly lost over 500 NEM tokens (58 billion yen/$533 million) due to a hack. Coincheck is not certified by the Japan Financial Authority (but 11 other exchanges in Japan are). Coincheck was thus operating illegally in Japan.

Yes. You read that right … over half a billion dollars was stolen from their wallets! The currency (XEM) itself dropped on the news of the hack from $1.01 to $0.85:

The company is now looking into compensating its customers, and it has since announced that it was not even registered with the Financial Services Agency in Japan (but does intend to register now).

There are still lots of unknowns in this case, including whether it was actually a hack. It is suspected that the flaw was not in the NEM currency itself, but in the exchange's failure to implement multi-signature smart contracts. There are reports that the email address of the intruder was identified within minutes, and that the transactions have been locked. One way of fixing this would be a hard fork, where the blockchain is wound back to a time before the hack. It is thought, though, that no fork in the currency is likely.

In November 2017, a bug in the implementation of multi-party contracts in Ethereum wallets — where an intruder could inject code into the wallet and cancel every contract — caused Parity Technologies to freeze over $280 million of cryptocurrency. The company is still examining its options for a fix.

Tricking users to create wallets — IOTA

Recently it was found that around $4 million — small money compared to the Coincheck hack — was taken from IOTA wallets. The intruders created a fake Web site to trick users into creating wallets, and had crafted the site so that it appeared at the top of all searches for the IOTA seed generator (the tool that creates wallets).

IOTA wallet seeds are a string of 81 (preferably randomly generated) characters. The tool at iotaseed.io generated the seed for the wallet, but also stored all the details associated with it. This meant that the intruders simply waited until the wallet was topped up and then transferred the money out. The site has since been taken down:

With the Wayback Machine, we can look back at the site (it was last updated on 3 January 2018):

Read more here.
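The lesson of the iotaseed.io case is that a seed must be generated on the user's own machine from the operating system's CSPRNG, never fetched from a web page that can keep a copy. The following is an added example (not code from the original post or from the IOTA project) that does exactly that: it draws an 81-character seed from the 27-symbol tryte alphabet (A–Z and 9, the alphabet IOTA seeds use), validates the format, reports the entropy, and applies a crude sanity check that catches hand-typed seeds such as a single repeated letter. The weak-seed threshold is an assumption chosen for illustration.

```python
import math
import secrets
import string

# IOTA seeds are written in "trytes": the letters A-Z plus the digit 9.
TRYTE_ALPHABET = string.ascii_uppercase + "9"
SEED_LENGTH = 81


def generate_seed(length=SEED_LENGTH):
    """Build a seed locally from the OS CSPRNG (secrets), never from a web service."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def is_valid_seed(seed):
    """True if the seed is exactly 81 characters, all from the tryte alphabet."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits(length=SEED_LENGTH):
    """Entropy of a uniformly random seed: log2(27 ** length), about 385 bits for 81 trytes."""
    return length * math.log2(len(TRYTE_ALPHABET))


def looks_weak(seed, min_distinct=12):
    """Heuristic (assumed threshold): a uniformly random 81-tryte seed uses about
    26 distinct symbols on average, so a seed with very few distinct symbols is
    almost certainly hand-typed or patterned rather than randomly generated."""
    return len(set(seed)) < min_distinct


if __name__ == "__main__":
    seed = generate_seed()
    print("seed:", seed)
    print("valid:", is_valid_seed(seed))
    print("entropy (bits): %.1f" % seed_entropy_bits())
    print("looks weak:", looks_weak(seed))
    # A constructed, obviously bad seed for comparison.
    print("looks weak ('A' * 81):", looks_weak("A" * 81))
```

Running the script prints a fresh seed each time; the important property is that the seed never leaves the process except through the print, so there is no third party holding a copy while the wallet fills up.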

Youbit

Recently, Youbit, which is based in South Korea, lost 17% of its holdings. This was its second hack, and it has now filed for bankruptcy. In April it lost 4,000 bitcoins ($73m). Another South Korean exchange — Bithumb — was also recently hacked. It is thought that users of Youbit will be able to claim up to 75% of their wallet values.

Earlier in the year, Bithumb, one of the largest Bitcoin/Ethereum cryptocurrency exchanges in the world, was hacked with a loss of more than $1 million. At the time, Bithumb was the 4th largest Bitcoin exchange in the world and the 1st for Ethereum. It was handling around 20% of global bitcoin trading, and 10% of the conversion into Won (South Korea’s currency):

It is thought that the hack happened in July 2017, and involved a breach of around 31,800 user accounts (around 3% of Bithumb’s user base), from which billions of Won were taken. In one example, over 10 million Won worth of bitcoins were taken (approx. $86,000).

There are also reports of over 1.2 billion Won being stolen, and it is thought that an employee’s home computer was hacked, which led to the breach of many user accounts. A report from the company identifies the usage of “disposable passwords” as the root cause.

Another crypto-wallet company — Parity — recently lost around $280 million in ether because a user deleted the code library within the infrastructure.

$7 million in 15 minutes?

Remember when you watched all those movies about safe crackers, where some large men blew up bank vaults? Well, stealing money doesn’t quite happen that way anymore: a bank heist is now more likely to come from a bunch of crypto-analysts than from explosives.

In July 2017, hackers managed to siphon off $7 million from the Israeli start-up CoinDash, just as it was setting up its ICO (Initial Coin Offering) as part of its fundraising activity. This year alone, ICOs have generated over $540 million, and are one of the most popular ways for new businesses to generate funding.

With an ICO, the company trades tokens for cryptocurrency (typically Ethereum). The companies then convert this back into dollars, and have investment for their company. Tech-savvy people love this form of fundraising, especially as it gives direct support to companies without the overhead of business support for fundraising.

CoinDash started to sell its own digital tokens for Ethereum currency at 9am on Monday. By 9:13am they reported that their site had been hacked and replaced by a fake one, which redirected millions of dollars in investments.

CoinDash still managed to raise $6.4 million (out of the $12 million they aimed to raise), but it is thought that the hacker managed to redirect $7 million into their own account. CoinDash, though, has said that anyone who subscribed to the offering will get their tokens, but has also said that it is still under attack, and that users should not send it any cryptocurrency. Those who sent funds to the hacked site can claim from here:

The hack brings back memories of the DAO hack:

Scanning for wallets

What was worth $200 two years ago, and is now worth over $7,000 today? Yes, you’ve guessed it … a single Bitcoin (1 BTC). It’s the cryptocurrency that just won’t go away, even though several nations of the world won’t accept any form of trading with it. And those who thought that they should have bought some a few years ago, sink further into their seat.

But as a crime, the stealing of the private key (hosted in a wallet) is one of the most lucrative and is unlikely to ever result in any criminal charges. The legal system is light years away from understanding the details involved in hacking a wallet. Basically, someone sneaks a peek at your wallet and sees the private key you use, and within 10 minutes your money has gone.

So finding wallets is now a major focus of criminal gangs, and the Internet is full of bots scanning systems for Bitcoin and Ethereum wallets. The most popular file names scanned for are:

wallet - Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip

The scans are aiming to find wallets placed on open systems, and also in backups. In the following, we see a scan on a Web server searching for anything related to bitcoin wallets and services:

Along with these, there are scans for servers providing Ethereum JSON-RPC endpoints, as the host could be hosting wallets. Slamaris recently detected a scan of the JSON-RPC interface on Ethereum nodes:

This API interface does not support any form of authentication (it is meant to be local only) and could be used to transfer funds to a remote wallet. Slamaris has already detected the stealing of 8 ETH (worth over $3K), and traced it to this account:
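Both kinds of scan described above (requests for the wallet file names listed earlier, and probes of an Ethereum node's JSON-RPC interface) leave a recognisable trail in server logs. The following is an added example, not code from the original post or from any of the researchers it cites, of a small detector run over constructed log lines. It assumes a combined-format access log in which a reverse proxy in front of the node appends the JSON-RPC request body as a tab-separated trailing field (that layout is an assumption for the example, not a standard one). The wallet file names come from the list on this page; the set of sensitive JSON-RPC methods uses real geth method names, but which of them the scanners actually called is not stated on the page, so that set is an assumption too.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Wallet file names requested by scanners (from the list above), lower-cased for matching.
WALLET_FILES = {
    "wallet - copy.dat", "wallet.dat", "wallet.dat.1", "wallet.dat.zip",
    "wallet.tar", "wallet.tar.gz", "wallet.zip", "wallet_backup.dat",
    "wallet_backup.dat.1", "wallet_backup.dat.zip", "wallet_backup.zip",
}

# JSON-RPC methods that enumerate accounts or move funds on a node with
# unlocked accounts (assumed set; real geth method names).
SENSITIVE_RPC_METHODS = {
    "eth_accounts", "eth_sendTransaction", "personal_listAccounts",
    "personal_unlockAccount", "personal_sendTransaction",
}

# Combined log format, optionally followed by a TAB and the request body
# (constructed proxy log layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?:\t(?P<body>.*))?$'
)

# Constructed sample lines: one host probing for wallet files, one host
# probing an RPC endpoint, and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jan/2018:03:12:01 +0000] "GET /wallet.dat HTTP/1.1" 404 169',
    '203.0.113.7 - - [28/Jan/2018:03:12:02 +0000] "GET /wallet%20-%20Copy.dat HTTP/1.1" 404 169',
    '203.0.113.7 - - [28/Jan/2018:03:12:02 +0000] "GET /backup/Wallet_Backup.DAT.zip HTTP/1.1" 404 169',
    '198.51.100.9 - - [28/Jan/2018:03:15:44 +0000] "POST / HTTP/1.1" 200 58\t'
    '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
    '198.51.100.9 - - [28/Jan/2018:03:15:45 +0000] "POST / HTTP/1.1" 200 94\t'
    '{"jsonrpc":"2.0","id":2,"method":"eth_accounts","params":[]}',
    '192.0.2.5 - - [28/Jan/2018:03:20:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Tag a record as 'wallet-probe', 'rpc-sensitive', 'rpc-recon', or None."""
    # Basename of the URL-decoded path, case-folded, so /backup/Wallet.DAT and
    # /wallet%20-%20Copy.dat both match the list.
    name = unquote(rec["path"].split("?", 1)[0]).rsplit("/", 1)[-1].lower()
    if name in WALLET_FILES:
        return "wallet-probe"
    if rec.get("body"):
        try:
            msg = json.loads(rec["body"])
        except ValueError:
            return None
        calls = msg if isinstance(msg, list) else [msg]   # batch or single request
        calls = [c for c in calls if isinstance(c, dict)]
        if {c.get("method") for c in calls} & SENSITIVE_RPC_METHODS:
            return "rpc-sensitive"
        if any("jsonrpc" in c for c in calls):
            return "rpc-recon"   # any other RPC call from outside is still reconnaissance
    return None


def summarize(lines):
    """Count findings per client IP; returns {ip: Counter(tag -> hits)}."""
    report = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            report[rec["ip"]][tag] += 1
    return report


if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG).items():
        print(ip, dict(hits))
```

On the sample input the wallet scanner shows up with three wallet-probe hits and the RPC scanner with one reconnaissance call followed by one sensitive call; the ordinary visitor produces no finding. The mitigation the page implies follows directly: an Ethereum node's RPC interface should be bound to localhost (or placed behind authentication), and no wallet file should ever sit under a web root or in a web-reachable backup.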

Conclusions

Now is the time for some form of regulation, in order to protect users.

So will the courts understand the technical details of the crime? If someone uses a weak password to protect their private key, are they liable, or is it the exchange who allowed user details to be stolen?