SlowMist Identifies Key Causes of Cryptocurrency Losses

Experts at SlowMist have outlined the primary reasons why both individual and institutional investors lose their digital assets.

?个人/机构资产丢失原因占比排行榜：
1.助记词、私钥泄漏，占32%
2.钱包使用不当，签名钓鱼，占18%
3.下载假钱包、虚假交易软件，占16%
4.首尾号、木马软件钓鱼，占13%
5.专业黑客团伙攻击，占6%
6.虚假聊天软件，中间篡改，占8%
7.存放交易平台被定点攻击、钓鱼，占4%… pic.twitter.com/rjmhmD4Xa8

— 23pds (@im23pds) June 5, 2024

Nearly a third—32%—of losses are due to mnemonic phrase and private key leaks. Other causes include:

• phishing through transaction signing (18%);
• downloading fake wallets and trading apps (16%);
• address spoofing and Trojan phishing (13%);
• phishing in messengers, including fake chat apps (8%);
• attacks by professional hacker groups (6%);
• attacks on trading platforms (4%);
• transaction errors, Ponzi schemes, loopholes in smart contracts, etc. (3%).

“Think self-custody is safer? That’s laughable—99% of people can’t take good care of their assets, so don’t expect to be in that 1%,” wrote CISO SlowMist under the pseudonym 23pds. 

The expert also offered some advice. For large sums, he recommended using a hardware wallet and secure storage of mnemonics and keys, though he admitted this is a “problem of the century.”

For smaller amounts, conventional methods like mobile apps are acceptable, but security should be a priority, noted 23pds.

He also urged against blindly following all external advice and giving advice without being a professional.

Expert Supports Binance in $1 Million Loss Incident

The thread by 23pds followed his detailed analysis of a recent incident involving the theft of $1 million in cryptocurrency from a trader on Binance.

? On June 3, 2024, @CryptoNakamao revealed how they lost over $1M due to downloading a malicious Chrome extension. This has sparked major concerns in the crypto community about extension risks and asset security.

Our CISO, @im23pds is here to provide additional information… https://t.co/AEOOvVTv1p

— SlowMist (@SlowMist_Team) June 4, 2024

The loss was caused by a malicious Chrome extension offering trading data aggregation services. The user blamed the exchange, claiming its risk assessment and security systems failed.

Binance co-founder Yi He denied the platform’s responsibility for the incident. She noted that the hacker manipulated the trader’s device through the plugin, and the exchange team could not influence the situation.

23pds effectively sided with Binance. The expert emphasized that the trader independently installed the extension, which by default had access to all cookies, URLs, and storage. The collected information was automatically sent to the attackers’ server.

Once they obtained the necessary data, they intercepted the session opened by the user on the exchange’s website. This did not require interaction with the platform, entering login/password, or passing two-factor authentication (2FA).

In his view, exchanges can take several measures to reduce the risks of such incidents, such as:

• mandatory 2FA for all transactions; 
• using multiple types of authentication (SMS, email, hardware tokens, etc.);
• disabling inactive sessions;
• monitoring IP addresses and geolocation to warn of unusual activity;
• immediate client notification of logins from other devices with the option to block the session;
• strengthening security tools, risk control, using machine learning, and more.

However, he noted that implementing all proposed measures might not be “the best approach” due to resource constraints.

“There must be a balance between security and business needs. If measures are too strict, customer interaction may suffer. For example, 2FA for every transaction could be inconvenient for many,” the expert believes.

23pds strongly advised users to install software only from verified sources and always close sessions on trading platforms.

As reported in April, crypto projects lost approximately $25.7 million due to hacks and frauds. This was the lowest monthly amount since 2021, according to CertiK.

In May, a single successful attack on the Japanese exchange DMM Bitcoin netted hackers 4502.9 BTC or ~$305 million.