{"id":7248,"date":"2020-01-09T17:46:08","date_gmt":"2020-01-09T15:46:08","guid":{"rendered":"https:\/\/forklog.media\/?p=7248"},"modified":"2020-01-20T02:21:44","modified_gmt":"2020-01-20T00:21:44","slug":"hackers-loophole-vulnerabilities-that-cause-bitcoin-exchanges-to-lose-millions","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-loophole-vulnerabilities-that-cause-bitcoin-exchanges-to-lose-millions\/","title":{"rendered":"Hacker\u2019s Loophole: Vulnerabilities That Cause Bitcoin Exchanges to Lose Millions"},"content":{"rendered":"

According to a May <\/span>study<\/span><\/a> by The Block, 42 large cryptocurrency exchanges have been compromised since 2012, not taking smaller platforms into account. The total amount of stolen funds exceeded $1.35 billion, with about 59% of these funds (795.5 million) being stolen in 2018.<\/span><\/p>\n

<\/p>\n

According to <\/span>Carbon Black<\/span><\/a>, a cyber threat protection company, cryptocurrency exchanges account for 27% of all attacks related to cryptocurrency. In most cases, the hackers exploit vulnerabilities of crypto-exchange hot wallets, less often users fall victim to exit scams from the platform owners. ForkLog looked into the main crypto exchange bugs which were used by hackers the most in 2018\u20132019.<\/span><\/p>\n

How hackers attack exchanges<\/b><\/span><\/h2>\n

While an attacker requires specific conditions when launching an attack on a mobile device or personal computer, e.g. the ability to intercept traffic or to physically access the device, this is not necessarily the case for attacks via web applications. Hence such attacks tend to be larger in scale.<\/span><\/p>\n

Positive Technologies analysts <\/span>examined<\/span><\/a> the most popular approaches used to hack cryptocurrency exchange web terminals, which allow hackers to breach hot wallets of crypto trading platforms.<\/span><\/p>\n

XSS<\/span><\/strong><\/h3>\n

Most trading platforms are vulnerable to Cross-Site Scripting attacks. Using certain vulnerabilities, cybercriminals inject malicious code on the platform\u2019s web page redirecting traders to third-party web pages and\/or infecting user devices with malware. This malicious software includes stealer viruses that steal wallet passwords or replace the sender address in the clipboard.<\/span><\/p>\n

Configuration vulnerabilities<\/strong><\/h3>\n

Web terminals sometimes lack HTTP headers that increase protection from certain types of hacker attacks. For instance, the ContentSecurity-Policy header protects against attacks related to the injection of malicious content, including XSS. X-Frame-Options protects from Clickjacking attacks. Strict-Transport-Security enforces a secure connection through HyperText Transfer Protocol Secure (HTTPS).<\/span><\/p>\n

Code vulnerabilities<\/strong><\/h3>\n

Studies conducted by Coverity, a company specializing in software quality and security testing solutions, <\/span>showed<\/span><\/a> that for every 1000 lines of code there are 0.52 errors in open source products and 0.72 errors in proprietary ones (the quality standard being less than 1 error per 1000 lines of code). Potentially these errors can adversely affect the overall security of the platform.<\/span><\/p>\n

Even if the exchange developers make no errors in the code there is still the risk of a vulnerability in third-party software. For example vulnerabilities in the operating system, payment gateways or messengers can be used for phishing or installation of malicious software on the exchange employees’ devices.<\/span><\/p>\n

Smart contract vulnerabilities<\/strong><\/h3>\n

Hackers may find a vulnerability in the wallet\u2019s smart contract code which allows them to take control of the victim\u2019s funds. This can be either a targeted attack on a particular wallet or a large scale attack if many wallets share the same vulnerability.<\/span><\/p>\n

Phishing and social engineering<\/strong><\/h3>\n

Exploiting human weaknesses remains the most popular way of hacking accounts. Attackers disguised as exchange representatives may gain access to the employees\u2019 devices (sometimes it takes months to complete this task) and take possession of private keys. Hacking a private account is made much easier thanks to Google Play.<\/span><\/p>\n

SMS authentication<\/strong><\/h3>\n

If the attackers know that a specific person is trading on a platform or works as its administrator, his SMS traffic can be intercepted and used for authentication or to initiate the account restoration procedure.<\/span><\/p>\n

Hacking venues:<\/span><\/p>\n

    \n
  1. Wiretapping using special equipment, infecting the victim\u2019s phone with malware or hacking the provider’s server.<\/span><\/li>\n
  2. Cloning a SIM card.<\/span><\/li>\n
  3. False base station \u2013 expensive equipment that intercepts and decrypts SMS.<\/span><\/li>\n
  4. Hacking user\u2019s Personal Account on the exchange site. By doing this you can redirect all messages to the attacker’s device or email address.<\/span><\/li>\n
  5. SS7 attack. Hacking special telecommunication protocols used to configure telephone exchanges (PLMN, PSTN);<\/span><\/li>\n
  6. Phishing exchange\u2019s call center. Attackers collect users\u2019 personal data and their phone numbers and then call the call center operator to recover the SIM card.<\/span><\/li>\n<\/ol>\n

    Intercepted SMS can be used not only to access the exchange account but also to restore access to email. To do this the culprit attempts to log in to the mail service and after a failure resets the password using SMS.<\/span><\/p>\n

    How exchanges fight back<\/b><\/span><\/h2>\n

    Most cryptocurrency exchanges use at least one, more often several, anti-hacker systems. The simplest and most common is <\/span>two-factor authentication<\/b>: for each transaction you need to enter a one-time password, which is sent to the client\u2019s phone or email.<\/span><\/p>\n

    That being said, two-factor authentication is not the most reliable defense. A more advanced version of two-factor authentication is <\/span>special applications<\/b> like Authy and Authenticator. They block access to the system and request an additional code if the username and password are compromised.<\/span><\/p>\n

    The second most popular method of protection is <\/span>multi-signature<\/b>: when several keys to the Bitcoin wallet are held by different owners and access to funds can be obtained only by securing all digital signatures. Still, this system may fail, too. Experts note that multi-signature works only when all the “signatories” are independent of each other.<\/span><\/p>\n

    One of the most reliable ways to protect against hacker attacks is the <\/span>distribution of funds between hot and cold wallets<\/b>. In addition to physical protection (video cameras, armed security, retinal scanner, etc.) a cold wallet can be additionally protected by a multi-signature. The larger the share in the cold storage the safer. Ideally, cryptocurrency should only go online at the time of the transaction.\u00a0<\/span><\/p>\n

    Another security measure is the so-called <\/span>bitcoin valves<\/b> which are the bitcoin addresses where coins are locked with a two-stage security mechanism with two different keys. To unlock the funds you need a regular digital key but full access to your money is gained only after a 24 hours period. During that time, any transaction can be canceled by entering the second key. There is one more level of protection: even if a hacker takes possession of both keys, the exchange can burn the funds stored in the wallet.<\/span><\/p>\n

    It is becoming a bon ton among crypto exchange operators to conduct <\/span>hack tests and<\/b> regular audits by independent experts<\/b>. The latter is performed by the so-called white hat hackers. Their job is to crack security systems to find potential vulnerabilities that could be exploited by cybercriminals.<\/span><\/p>\n

    In any case, a comprehensive approach is important when it comes to the security of cryptocurrency exchanges: the security of native code in conjunction with the security of the development environment and third-party libraries that are used to create the product. The human factor which often contributes to hacker attacks cannot be ruled out.<\/span><\/p>\n

    Exchanges robbed by hackers in 2018\u20132019 (listed in chronological order):<\/b><\/span><\/h2>\n

    Coincheck<\/b><\/span><\/span><\/h3>\n

    On 26 January 2018 the Japanese cryptocurrency exchange Coincheck admitted the theft of $533 million in NEM cryptocurrency. About 260 thousand users fell victim to hacking.<\/span><\/p>\n

    At a press conference, NEM representatives said that hacking happened due to the fact that Coincheck neglected to use a smart contract with multi-signature function.<\/span><\/p>\n

    According to Coincheck security settings vary for different coins on the exchange. Hackers managed to steal the private key from a hot wallet where NEM coins were stored and withdrew them using several unauthorized transactions.<\/span><\/p>\n

    Nikkei Asian Review<\/span><\/a> reported that a few weeks before the attack several Coincheck employees received infected emails which allowed hackers to hack into the employees’ emails and steal the private key.<\/span><\/p>\n

    As discovered by researchers from BIG Blockchain Intelligence Group Inc. some of the stolen funds were first moved by criminals to a cryptocurrency exchange in Canada and then transferred back to Japan.<\/span><\/p>\n

    Coincheck <\/span>determined<\/span><\/a> 11 addresses on which stolen coins were located. Each of these addresses was tagged as follows: \u201ccoincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker\u201d. Thanks to this automated flagging system crypto exchanges can identify the addresses of hackers and prevent them from converting NEM to other cryptocurrencies or fiat.<\/span><\/p>\n

    Coincheck management compensated $400 million to the victims of this heist and changed the rules for listing coins on the platform.<\/span><\/p>\n

    Based on the audit conducted by the Japanese Financial Services Agency (FSA) in December 2018 the exchange was successfully <\/span>licensed<\/span><\/a>. The regulator concluded that after the exchange was acquired by the online broker Monex it was able to improve security and safety measures.<\/span><\/p>\n

    Bitgrail<\/b><\/span><\/h3>\n

    On February 8, 2018, in the aftermath of a slew of unauthorized transactions from the Italian BitGrail exchange, $170 million worth of Nano cryptocurrency was withdrawn by unknown hackers. The remaining coins were not affected.<\/span><\/p>\n

    Soon after the hacking, the owner of BitGrail Francesco Firano filed for bankruptcy. He <\/span>claimed<\/span><\/a> that the theft of funds occurred due to Nano’s timestamp technology and the unreliability of the block explorer.<\/span><\/p>\n

    In turn, Nano developers denied any errors within the cryptocurrency protocol. They also implied that the funds might have been stolen much earlier than this became known and said that Firano offered them to conduct a hard fork of cryptocurrency supposedly in order to cover the losses.<\/span><\/p>\n

    \u201cWe now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time,\u201d <\/i><\/b>noted Nano\u2019s team.<\/span><\/p><\/blockquote>\n

    In January 2019 BitGrail and Francesco Firano were declared bankrupt in court and ordered to reimburse the customers the maximum possible amount of the $170 million they lost while confiscating a significant part of Firano\u2019s own assets.<\/span><\/p>\n

    Binance<\/b><\/span><\/h3>\n

    The next attack, although unsuccessful, was nevertheless indicative. On March 7, 2018, Binance exchange reported a potential hack that forced automated trading systems to sell altcoins and buy Viacoin (VIA) instead.<\/span><\/p>\n

    The hackers launched a series of phishing attacks that lasted several months. Masking fake domains as the original Binance domain (homograph attack) using Punycode (a method of converting domain names into a sequence of ASCII characters) they collected the account data of most users.<\/span><\/p>\n

    <\/p>\n

    Hackers did not withdraw the money from compromised accounts but instead created API keys which were then used to purchase VIA\/BTC.<\/span><\/p>\n

    The hackers planned to collect money on 31 accounts and use them to promptly withdraw funds as fiat but were forestalled by the exchange. Binance risk management system noticed an anomaly within two minutes and immediately blocked all transactions.<\/span><\/p>\n

    Later Binance announced a reward of $250 thousand for helping to identify the hackers.<\/span><\/p>\n

    Coinrail<\/b><\/span><\/h3>\n

    Coinrail, a small Korean exchange, fell victim to hackers on June 10, 2018. About 30% of the exchange\u2019s altcoin portfolio was stolen from the company’s servers, including ICO tokens of the Pundi X (NPXS), NPER (NPER) and Aston (ATX) projects. The damage amounted to about $37 million.<\/span><\/p>\n

    Immediately after the official announcement of the incident the site was temporarily shut down and the remaining 70% of the funds were transferred to cold wallets. The Coinrail developers also managed to block almost two-thirds of the stolen funds.<\/span><\/p>\n

    Representatives of the Pundi X project <\/span>reported<\/span><\/a> that after the hack the exchange warned them of an Ethereum address which was allegedly linked to the hackers. The address was flagged as Fake_Phishing1432.<\/span><\/p>\n

    According to Etherscan someone tried to send 26 million NPXS from this address to the IDEX decentralized exchange. This happened immediately after the exchange received 2.6 billion of the same tokens from another address which was also flagged as suspicious \u2014 Fake_Phishing1431.<\/span><\/p>\n

    <\/p>\n

    Pundi X and Coinrail noted that IDEX froze assets that were sent from Fake_Phishing1432. However NPXS tokens have not been burned. In addition transactions related to Fake_Phishing1431 indicate that several hours before the hack it received other digital currencies from a single address \u2014 ETH, ATX, DENT, NPSX, Jibrel Network, Tron, Kyber Network, and Storm.<\/span><\/p>\n

    According to Etherscan while stolen NPXS tokens were sent to IDEA, the other stolen coins were sent to the EtherDelta decentralized crypto exchange.<\/span><\/p>\n

    Curiously back in February Korean banks <\/span>recorded<\/span><\/a> outgoing activity on Coinrail related to potential money laundering.<\/span><\/p>\n

    \u201cIn February several banks trading on Coinrail discovered suspicious money laundering transactions. Some of those banks stopped working with the exchange in April.\u201d<\/i><\/b> the local publication Chosun wrote.<\/span><\/p><\/blockquote>\n

    In a month\u2019s time, Coinrail restored its operations and updated its security system.<\/span><\/p>\n

    Bithumb<\/b><\/span><\/h3>\n

    The hot wallet of the South Korean exchange Bithumb was hacked on the night of June 19, 2018. Hackers stole about $30 million partially in the Ripple cryptocurrency.<\/span><\/p>\n

    Just prior to the hacker attack Bithumb transferred a large amount in Ethereum to a cold wallet citing suspicious activity on the servers. On June 16 Bithumb launched an extraordinary server scan “to maximize security settings.”<\/span><\/p>\n

    Many cryptocurrency users were skeptical of this kind of coincidence, indicating that shortly before the hack the exchange was to pay taxes approximately equivalent to the amount of stolen funds.<\/span><\/p>\n

    \n

    Bithumb had to pay $28 million worth of back taxes and now lost $30 million less than 2 weeks later. \ud83e\udd14 https:\/\/t.co\/spvFpzpb6X<\/a> pic.twitter.com\/DPq9kQG7Nm<\/a><\/p>\n

    — WhalePanda (@WhalePanda) June 20, 2018<\/a><\/p><\/blockquote>\n