Don’t get excited, this isn’t a how-to article. I have no idea how to hack Bitcoin (and even if I did, I probably wouldn’t tell you). With the Bitfinex drama and the Cryptsy theft (by its own CEO??) still appearing in headlines, and with so many of my friends asking “But I thought Bitcoin couldn’t be hacked???”, I wanted to dig into the how, the why and the who. I’m not going to go into all the crypto hacks and thefts over the past few years, that would produce an article the length of a book. But I am going to look at some of the more interesting and relevant ones, going back to the middle of 2014.
First, we need to differentiate between a hack and a theft. Many assume that they are one and the same, but they are not. Technically, a hack is “unauthorized access to a computer”. Many hackers go in and out of others’ computers and servers just for fun (scary, but it happens). Some hacks are positive – there is a service that will try to hack your bitcoin wallet to recover funds for you. The DAO fiasco saw the hacker(s) being hacked to try to recover funds (it didn’t work). And hackers have been helping to root out the owners of alleged scam cloudmining company HashOcean. So, not all hacks involve theft. And not all theft is a hack, obviously. Theft does still happen out there in the physical world, with no computer getting involved.
But, it’s not news that cybercrime is an intensifying threat to individuals, businesses and even economies, as the tougher the security, the more fun the challenge. And as more and more of our lives and our wealth is online, the stakes get higher. All major law enforcement groups have their own cybercrime division, drawing on the skills of detectives, lawyers and, yes, hackers. But in most cases, figures on cybercrime are difficult to come by, as most victims have no interest in publicity, and many attacks are covered up.
In the cryptocurrency world, however, things are very different. The media seems to relish a “see-I-told-you-it-wasn’t-safe” rubbing of hands and pronouncements of crypto doom. Plus, given the community’s active presence in forums and chats, news of hacks, outages and breaches spreads fast. Trying to cover up a crypto hack forever just wouldn’t work. A stroll through reddit or bitcointalk will give you an idea of the volume of chatter, level of detail and degree of scepticism about practically any and every aspect of the sector. Suspicions are aired, spread and debated, and the senior team of the putative hack victim is usually on hand to answer questions. From what I gather, and lamentably with some notable exceptions, they generally do so as truthfully as they can, with good intentions, because they know that hiding stuff from the community (some of whom are hackers themselves) is futile.
So, it’s not that cryptocurrency businesses suffer more hacks than all other sectors. They don’t. It just seems like they do, because those hacks get a lot of public attention.
The most recent one to occupy the headlines is the absolutely huge Bitfinex hack, in which 119,756 bitcoins (worth about $70 million at the time) were siphoned off from the exchange in early August. We don’t yet know how it was done, which is perplexing given that in 2015 Bitfinex announced a collaboration with multisig wallet producer BitGo to enable additional multisig security on Bitfinex wallets. In theory, with the BitGo solution, it was supposed to be impossible to hack clients’ wallets and steal their bitcoin. Yet that is exactly what happened. Both BitGo and Bitfinex assure us that BitGo was not at fault in the hack, that the coding worked as it should. Fingers seem to be pointing at the configuration Bitfinex employed, keeping bitcoins in individual accounts rather than in a cold storage pool (kept offline), to comply with a recent CFTC (Commodity Futures Trading Commission) investigation which resulted in a $75,000 fine and the requirement to change the process of settling margin trades.
In an unprecedented move, Bitfinex decided that in order to stay open for business (and as the 3rd largest exchange in terms of volume and the largest in US$/bitcoin trades, it was important that it do so, for market stability) it needed to spread the losses amongst the clients’ accounts. Rather than have some clients’ accounts lose everything, it applied a 36% haircut to all accounts, instituting the first “bail in” in digital currency history. This is more or less the haircut the account holders would get if Bitfinex went into receivership, and at least this way there is a chance that they can get their money back. The company has replaced the reduced amount with a cryptocurrency token which itself can be traded, or redeemed at a later date for bitcoins, or dollars, or shares in Bitfinex’s parent company, it hasn’t been decided yet. In the end they may not be able to do this, however, as the words “unprecedented” and “finance” generally don’t go well together, and the legality of token trading (which has already started, no time to waste) is in question, as is the concept of “socialized losses”. And, who knows, they may yet be able to recover some of the stolen bitcoins, given the $3.6 million bounty on offer.
In June, the Ethereum project theDAO was hacked to the tune of 3.6 million ether, at the time worth $60 million. The response of the Ethereum developers was to hard fork the blockchain, winding time back to before the theft, and closing the platform on which it happened. Hard forks are contentious, though, because of the risk involved – for it to work as planned, all network participants need to upgrade to the new version, to avoid some validating blocks on the old “invalid” code, which could lead to potential false transactions and double spending. In this case, the proposal was particularly contentious because it demonstrated that public blockchains are not necessarily immutable, resistant to censorship, etc. The Ethereum code was working fine. The change would be to avoid losing money. A good enough reason? If Ethereum can change the code to suit them, what’s to stop them from doing it again in the future, due to self-interest or coercion?
The hard fork turned out not to have the consensus that the developers assumed, and a few holdouts insisted on sticking with the “old” Ethereum chain. The “old” ether became a new cryptocurrency called ETC, while the new one retained the old symbol of ETH. The developers didn’t object at first because they really thought that ETC would fizzle out and quietly disappear. But it is now the 6th largest cryptocurrency in terms of market capitalization. And the thief still has his (or her) 3.6m ethers, the old version, although they are worth a lot less than the original $60 million. It’s disconcerting how one hack can change the fundamental nature of a promising blockchain in unforeseen ways.
In May, Hong Kong-based crypto exchange Gatecoin reported the theft of 250 bitcoins and 185,000 ether, worth about $2 million at the time. While most clients’ crypto assets are stored in multisig cold wallets, the hacker managed to overwrite the protocol that handles this so that ether went directly to the hot wallet (keys kept online) instead of the cold, and ignored the self-imposed limit of 5% of assets in online storage. In the end, the hacker made off with 15% of the exchange’s crypto assets. Immediately after, Gatecoin announced that it would seek $4-5 million in funding to cover the losses, and offered a bounty and a lifetime of free trading for return of the assets. In the end, the exchange managed to raise $500,000 to strengthen the security infrastructure, and replaced its CTO, referring to him as a possible suspect. At time of writing, its web site was undergoing an overhaul, and is supposed to relaunch today (August 17).
In April, exchange Shapeshift reported a hack executed in stages of 469 bitcoins plus some ether and litecoin, worth at the time about $230,000. In this case they were victim of an inside job – an employee stole the bulk of the funds, sold server access to a professional hacker, and installed malware on colleagues’ computers to enable the hacker to access the refreshed passwords. Erik Voorhees, the founder of Shapeshift, gives a riveting account of the drama here. No customer money was lost, and the site had relaunched by the end of the month.
Also in March of this year, Canadian exchange Cointrader suddenly closed down, with the explanation that an audit had revealed an unexplained deficit of bitcoin. The media took this to mean a hack, but it might not have been. In an email to clients, the exchange explained: “A recent internal audit revealed a deficiency of Bitcoin in our wallets.” Previously, trading had been halted on shares of the parent company Newnote Financial Corp. (listed on the Canadian Securities Exchange, similar to the US’s OTC market), because of failure to file financial statements. The company was undergoing an audit to rectify this, most likely the same audit that uncovered the missing bitcoins. In an official statement, Newnote announced that the audit was still ongoing and that Cointrader would be shut down due to “rising maintenance costs and lower trading volume attributed to an increase in competitors within the Canadian market space”. No mention was made of the hack. So, did the hack even take place? Or had the audit uncovered something else?
Here’s an interesting one, still making headlines today: In December 2015, exchange Cryptsy and the media started receiving a stream of customer complaints about stalled bitcoin withdrawals, some pending for weeks. In early January, in the face of no response whatsoever from the company, a frustrated client initiated a class action lawsuit in an attempt to recover their funds. The next day, the founder published a post on the Cryptsy blog announcing suspension of trade and withdrawals, and confessing to the loss of 13,000 bitcoin and 300,000 litecoin, at the time worth about $5.7 million. The founder explained that a back door had been installed on the exchange by someone claiming to be a developer. The most startling revelation was that the coins had been missing for a year and a half.
Why hadn’t he told anyone? According to his post, because he wasn’t sure what happened (even well over a year later), and “didn’t want to cause a panic”. He assumed that he could replenish the accounts with profits over time. But then an article was published in the sector blog Coinfire (now part of 99 bitcoins), claiming that Cryptsy was under investigation from several Federal agencies (including the SEC, the Department of Homeland Security and the IRS) for a long litany of infractions ranging from operating without licenses to knowingly servicing accounts linked to terrorist financing, which triggered massive withdrawal requests that Cryptsy simply could not honour.
A couple of weeks later, the CEO’s ex-wife claimed in a court filing that she believed that he would flee the country with the funds, and was using the money to support his lover and her children in China. A few weeks after that, we’re now in February of this year, the ex-wife was added as a defendant in the class action lawsuit, since it turns out that in early 2015 she and her (then) husband had paid for a waterside mansion in Palm Beach with cash. In April the court appointed a receiver to dissolve the business and determine how much was recoverable. Last week the receiver revealed that he had discovered that the (now ex-) CEO had been siphoning off crypto funds the whole time.
After an apparent lull in crypto hacks (what were the hackers up to?), in May 2015, a well-known Hong Kong-based exchange suffered a breach and a theft. The exchange was Bitfinex (yes, them again), and this time the target was their online hot wallets, which store a very small amount of crypto assets. Apparently about 1500 bitcoins were stolen, worth approximately $340,000 at the time. Customer wallets were affected, but Bitfinex was able to replenish the losses out of their reserves.
Also in March 2015, Panama-based Coinapult briefly suspended operations following the theft of 150 bitcoins (then worth $42,900) from its online wallet. Customer funds were unaffected, but immediately after, the exchange announced its intention to move to multisig authentication as soon as possible.
The previous month, Chinese exchange Bter, at the time the world’s largest exchange of altcoins (bitcoin alternatives), admitted to a hack of 7170 bitcoin (then worth $1.75 million) taken from its cold wallet. Because of the unlikelihood of a cold wallet getting hacked (the keys are kept offline, so how would the hacker get at them?), some pointed fingers at Bter, accusing them of covering up an inside job. However, there are cold wallets and then there are cold wallets. Depending on the configuration, some cold wallets can be compromised when they connect with the internet, however briefly, which they sometimes need to do to either move bitcoins or update balances.
The size of this theft almost caused Bter to sell the exchange, claiming that it simply did not have the funds to reimburse the 20,000 affected customers. A 1000 BTC loan from mining group JUA saved the day, however, and Bter was able to use that plus the promise to continue to repay out of profits to make the accounts whole. JUA also took over the protection of Bter’s cold wallets.
February 2015 was a busy month for hackers: Excoin was also hacked. The exchange turned out to have a prophetic name, since the hacker managed to divert all of the bitcoin on the exchange, which left it no choice but to shut down.
In January of last year, Bitstamp – a Luxembourg-based exchange, currently the fifth largest BTC/USD exchanges – had 18,866 bitcoins (then worth just over $5 million) stolen in a hack that involved targeted phishing emails and messages which installed malware on the computers of Bitstamp employees. The hackers not only spent time profiling the employees and creating specific language and offers for each in the emails, but they cleverly staged the access and the theft over the New Year period, counting on a slower reaction time. As soon as the movements were discovered (the same evening as the account was drained), it shut down operations, and started work on rebuilding the trading software from scratch.
After another lull in crypto hacks making headlines, in August 2014, Bter was hit again. Almost 52 million NXT (another cryptocurrency, associated with the blockchain of the same name), at the time worth $1.65 million, disappeared from its account. It turns out that the hacker got access by gathering information on one of the Bter developers, hacking an account that he used on a different website, and taking advantage of the fact that he used the same password to get into Bter. The exchange had set up 2-factor authentication on many of its systems, but not on NXT, which to make matters worse was kept in a “hot” online wallet, directly accessible from the site. Given the scale of the attack (at the time the theft was of 5% of the market cap), NXT considered “rolling back” the blockchain to reverse the hack, much like what Ethereum has just done. As we have seen, however, this is a very controversial move for any blockchain based on immutability and censorship resistance, and the majority of the participants opposed the idea. This hack had a “happier” ending, however, since the exchange managed to negotiate the return of the bulk of the coins. Perhaps they used the threat of a hard fork? Keeping some and returning the rest is better than losing all?
Let’s end this walk through history with a really juicy story, with several chapters but no happy ending: in July 2014, altcoin exchange MintPal was relieved of approximately 8 million of bitcoin alternative VeriCoin, which at the time was 30% of its market cap of $6.3 million. It is interesting to note that the exchange’s bitcoin holdings were also targeted, but they were held offline in cold storage and thus ended up untouched. The Vericoin were supposed to be in cold storage, but due to an error most of them weren’t. The community couldn’t allow that much VeriCoin in the hands of one attacker, since it would have given him or her enough weight to instigate a 51% attack, which made the decision to fork simpler – it was that or see the currency completely crash. The problem with hard forks, though, is that everyone in the network needs to update pretty much at the same time. That didn’t happen here, which meant that older versions processing new blocks effectively “reassigned” the attacker the stolen 8 million. A second hard fork a day later managed to fix the problem, diverting the coins to a new, MintPal-controlled wallet.
Trading volumes dropped sharply after the attack, which led to its acquisition by the end of the month by Moopay (more commonly known as Moolah, not to be confused with the payments services provider of the same name). Three months later, on October 14th, after several delays to MintPal’s relaunch, Moopay announced its plans to declare bankruptcy and shut down operations. MintPal had apparently already been transferred to new management, and the new team was focussing on “the resolution of issues surrounding missing balances”. Missing balances?
The following day, the CEO of Moopay insisted that the company had never bought MintPal, all that it had was a management agreement (documents subsequently released show that, indeed, Moopay did not own a stake in MintPal, but the CEO of Moopay did, he held 48% of the company that owned 100% of MintPal). To add to the confusion, less than 24 hours later, the CEO and founder announced that no, on second thoughts, Moopay was not going into bankruptcy after all. He then resigned. At the same time reports started to emerge tying the founder to other identities. The next day, this was separately confirmed by both a former lover and by an ex-associate who in the past had pressed charges against him for fraud. The following day (a busy week) it turned out that the name that they knew him by wasn’t his real name, either. The day after that (we’re now at the 18th of October), the ex-CEO fired all the staff, and the following day he confessed to the name change. And in case things weren’t confusing enough, he re-confirmed the bankruptcy.
At the same time, it emerged that 3,700 bitcoins were missing from MintPal’s wallets. It turns out that they were being held in the Moopay CEO’s personal wallet, and were moved as soon as this was discovered. Simultaneously, the CEO posted an abject apology on Moopay’s blog, which has since been taken down but part of the text is reproduced here. Then the lawsuits started flying, injunctions were handed down and the CEO went missing. In December, he and a former colleague (alleged to be his then girlfriend) were arrested in the UK but released on bail. And in August of this year, a couple of weeks ago, he was sentenced to 11 years in jail, not for theft or fraud, but for rape. I bet you didn’t see that one coming.
As you know, it’s not just cryptocurrencies that get hacked. Banks around the world are subject to a frightening number of hack attempts, some really sophisticated, and some successful. However, the bank hacks tend to be shrouded in secrecy, and many are never even revealed to the public – we wouldn’t want a panic, now, would we? Another big difference is that bank accounts are, in most systems, insured up to a certain amount. There is little if any risk of “losing it all”. With the uninsured crypto exchanges, however, that is not the case, and while the amounts are much smaller than with fiat bank hacks, the community is much more vocal.
How can we protect ourselves from bitcoin hacks? A relatively easy answer is to spread our bitcoin holdings across several wallets and exchanges, and throw the bulk in cold storage. It’s an easy answer, but it’s a hassle, which is why most casual bitcoin users don’t do it. Sticking with reputable exchanges is also a good idea, but a really big hack could decimate even the most solvent of business (crossing fingers for you, Bitfinex). When an exchange gets hacked, the loss of the cryptocurrency is not the only cost. There’s also the expense of the investigation, migrating servers, rebuilding the platform, lawyers…
It’s so easy to apply common sense in retrospect, but unfortunately much less so as we go about our daily lives. And as we’ve seen, crypto hacks can affect any exchange, even reputable, well-protected ones. Theft is lamentably a part of life which we will never be able to completely avoid. And the fact that it exists in no way makes the stolen asset more vulnerable and worthless. Cash is stolen every day, and yet that doesn’t make us suggest that cash is useless, does it? Gold, diamonds, cars… Anything that can be moved, can be taken. And nothing is easier to move, in terms of logistics, than bits and bytes of information. The fact that it doesn’t happen more often is a testament to the ingenuity of security experts, who are continually trying to stay on top of a moving pile of sand. With each hack, the community learns. And with that knowledge, gets stronger. While this doesn’t help the thousands who lose savings, it does strengthen the sector as a whole. And shows that if people are trying to steal what you have, it must be worth stealing.