The Largest Crypto Hacks in History and What has Been Learned From Them
As you may know, the cryptocurrency industry is extensively targeted by hackers. Unfortunately, attackers have been quite successful in this space with plenty of high-profile attacks targeting crypto services. In just the first half of 2018, $1.1 billion worth of cryptocurrency was stolen from victims.
These hacks painted a gloomy picture of the security of blockchain-related services, and some had a huge impact on the whole industry. Let’s review the most significant breaches and then see what we’ve learned from those hacks.
Coincheck – $532 million
January 26, 2018, the Japanese cryptocurrency exchange Coincheck froze all withdrawals on its platform. At first, the company published a blog post stating that they had stopped all NEM deposits:
“Depositing NEM on Coincheck is currently being restricted. Deposits made to your account will not be reflected in your balance, and we advise all users to refrain from making deposits until the restriction has been lifted,” Coincheck announced.
However, soon after that, the cryptocurrency exchange extended the freeze to NEM sales and purchases, as well as all withdrawals – including crypto and fiat pairs.
It turned out that the reason for the suspension of withdrawals on the exchange was due to a hack, which resulted in the loss of $534 million worth of NEM. This attack is still considered the largest heist in the crypto industry.
In a press conference hosted soon after the hack, Coincheck provided the details of the attack, stating that the attackers succeeded because the stolen NEM was stored in a hot wallet. The hackers managed to steal the private keys for the wallet, successfully draining the funds into their own wallets.
Mt.Gox – $473 million
For crypto enthusiasts, this is the story you’ll tell your kids when you are teaching them how not to store their funds. The Mt.Gox hack – which took place in early 2014 – had by far the largest impact of all the attacks listed here as the market was much smaller then. At the time Mt.Gox was the number one cryptocurrency exchange, handling over 70% of Bitcoin transactions.
On February 7, 2014, the cryptocurrency exchange temporarily stopped all BTC withdrawals, which was extended to all trading activities on February 24. After that, the website went offline.
Mt.Gox took these steps due to a hack, which resulted in the loss of the customers’ 744,408 Bitcoins as well as 100,000 BTC belonging to the company. At the time, the total amount the hackers stole was valued at approximately $473. As of November 1, 2018, despite it having been a bear market since early this year, the total BTC stolen from Mt.Gox is worth over $5 billion.
Due to this unfortunate hack, the cryptocurrency exchange declared bankruptcy on February 28, 2014. It was found that the reason the attackers succeeded was that the exchange stored most of the cryptocurrency that was stolen in a web-based hot wallet, which had a vulnerability that the hackers took advantage of.
BitGrail – $195 million
In February 2018, the Italian cryptocurrency exchange BitGrail announced that it had been hacked, losing approximately $195 million worth of Nano, the cryptocurrency formerly known as RaiBlocks. Nano could be considered as one of the most unfortunate cryptocurrencies of all time, as it had increased its value from $0.2 to roughly $10 surviving even in early 2018’s bear market. But the hack has affected the crypto badly as approximately 17 million of the coin were stolen from BitGrail. As of November 1, 2018, Nano’s price stands at nearly $2.
In a blog post on the company’s website, BitGrail stated that their internal checks revealed that the 17 million Nano was stolen from wallets managed by the cryptocurrency exchange. On the same day the company discovered the loss, they reported the incident to the authorities, the statement said.
Despite the fact that the cryptocurrency was stolen from the Italian exchange’s wallets, the company has started to blame the Nano development team for the incident.
“[BitGrail is] pressing charges against you due to your irresponsible behavior,” Francesco Firano, the owner of BitGrail stated. According to Mr. Firano, due to the non-collaboration of the Nano dev team, his company was unable to recover the lost funds.
On the other hand, according to a Medium post from the Nano team, BitGrail offered a controversial solution to recover the $195 million of stolen funds. The team stated that Mr. Firano suggested an option, in which the ledger of transactions had to be modified. Nano devs stated that this is an action that is not possible, and not a direction they wanted to pursue. We still don’t know for sure who was responsible for the incident, although there is currently a court case between Nano and BitGrail.
Bitfinex – $72 million
In August 2016, nearly $72 million worth of BTC (almost 120,000 Bitcoins) was stolen from Bitfinex. Due to the magnitude of the attack and the fact that Bitfinex did not publish the details of their internal investigation, the hack created a strange confusion in the crypto community at the time.
Unlike the other cryptocurrency exchange hacks mentioned previously, Bitfinex used the Bitcoin wallet provider BitGo for additional security of the funds held on the exchange. Despite the multi-signature wallets the exchange used, a possible reason for the attack could be due to the bad structure of the accounts.
Bitfinex and BitGo created a system, where the keys for the multi-signature wallets were divided among a number of owners to manage the risk. This solution was considered innovative at the time since it provided additional security as well as cutting down the time it took to move funds from offline storage to hot wallets.
After the hack, the market crashed with Bitcoin experiencing a nearly 20 percent fall before recovering.
Nicehash – $60 million
The next hack on our list is not an exchange, but a mining service. On December 6, 2017, Nicehash was hacked, netting attackers a $60 million “prize.” The attack was discovered by the community who reported that a large amount of funds was moved from the internal addresses of the users to BTC wallets controlled by an unknown party. Soon after the hack, the mining service announced it had been breached:
“Unfortunately, there has been a security breach involving the NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours. Importantly, our payment system was compromised, and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken,” Nicehash stated.
Despite the attack, Nicehash assured its users that they were planning to resume operations with increased security measures.
In August 2018, Nicehash was reportedly returning 60% of the stolen funds to the victims. After resuming its service two weeks after the attack, the owners of the service pledged that they would return all of the stolen funds to the victims, paid back to them on a monthly basis.
Zaif – $60 million
The Japanese cryptocurrency exchange Zaif was the victim of one of the most recent hacks to target the crypto space. In September 2018, the company published a press release, in which they announced that the exchange was breached, netting the attackers approximately $60 million. Responding to the attack, Zaif has halted all the service’s withdrawals and deposits.
In the hack, 5,966 BTC, and an unknown amount of MCO and Bitcoin Cash was stolen. According to the company, they discovered unauthorized access to the service taking place between 7 pm and 9 pm on September 14, 2018. During this time, the hackers were able to steal the cryptocurrencies, which were held in the exchange’s hot wallets.
Zaif added that they were planning to restart the server along with a security update and that they had notified the authorities about the case.
DAO – $50 million
The DAO, a Decentralized Autonomous Organization, was hacked due to a vulnerability in the code. The attack resulted in the loss of 3.6 million ETH, which was worth approximately $50 million at the time. The DAO hack is still currently considered the biggest theft of Ethereum.
Soon after the hack, the Ethereum community gathered together in an attempt to recover the lost funds. A soft fork, which is an upgrade of the network that is backwards compatible, seemed like the best option to get back the stolen ETH. However, hours before the implementation of the fork, the developers realized that there was a bug in the code opening up an attack vector for DDoS (Distributed Denial of Service).
Therefore, the community had to go with a hard fork – an upgrade that isn’t compatible with its previous version. The fork had the sole function of refunding the smart contract and returning all ETH taken from the DAO. However, this proposal split the Ethereum community, which led to two new chains: Ethereum Classic – the ones who were opposed to the upgrade – and today’s Ethereum. The part of the community that decided to go with ETC stated that “code is law” and they were not supposed to implement a hard fork just for the purpose of recovering stolen funds.
Coinrail – $40 million
Along with Zaif, Coinrail was also subject to a recent attack, which took place in June 2018. The South Korean cryptocurrency exchange lost approximately $40 million of different ERC-20 tokens during the attack.
Soon after the hack, the community discovered that the hacker was trying to sell 26 million of the stolen NPXS tokens on the decentralized exchange IDEX. As the addresses of the hacker were discovered, they were quickly flagged in an attempt to freeze the stolen digital assets.
After the hack, Coinrail announced that 70 percent of the company’s reserves were safe since they had moved those assets to cold storage wallets. According to the cryptocurrency exchange, of the remaining 30 percent about two-thirds of them were frozen. The remaining one-third of the tokens were investigated by Coinrail in cooperation with law enforcement authorities.
What we have learned from these hacks (or should have)
As you’ve read most of the cryptocurrencies were stolen from low-security, hot wallets – wallets that are constantly maintaining an internet connection. Also, most of the high-profile attacks happened due to security vulnerabilities of the service providers. Furthermore, six out of eight hacks were exchanges, meaning that these services remain highly targeted by hackers.
Unfortunately, most of the victims of these attacks never got their funds back. That’s why we have to be extra careful where we store our funds.
Cryptocurrencies and blockchain technology gives us the financial freedom we have desired for a very long time. However, this liberty comes with great responsibility. Unlike the fiat world, there are no third parties – such as banks or credit card companies – who will issue you a chargeback when you get hacked. And if you send a crypto transaction to the wrong address, no one will refund or return that to you.
Therefore, everyone has to take responsibility for their funds and should consider security as the very first priority. Here’s a short list of advice on how to be secure in the crypto world:
- Don’t use hot wallets (such as exchange wallets) in the long term, only for a short time while exchanging funds or trading. After you are finished with that, withdraw your funds to a safe wallet.
- Use a wallet that offers cold storage and has great security. If you have the budget – though they are not that expensive – consider buying a hardware wallet.
- Do your due diligence on every service you are using or want to use. Before using a service or a product, check for reviews on forums – such as Reddit or Bitcointalk – and social media.
- If you are not sure about something, ask questions on forums or social media.
- And last, but not least, use your common sense. If something seems too good to be true (e.g., send 0.1 BTC to this address to get back 10 BTC instantly), it probably is.