More Than $200m in Cryptocurrency Stolen, Hacked or Locked Up in 2017
January 10th, 2017 | ECOMI Blog
In 2017 alone, we saw more than $200m worth of crypto-assets stolen, hacked or locked up due to poor storage and inappropriate security measures. Understanding how and where you are susceptible to attacks could literally impact your financial future, and it is with this in mind that we review some of the biggest failings of 2017, as well as how to protect yourself from cyber criminals.
July 2017- The Parity Hack
The second largest hack in the history of the Ethereum network occurred in July 2017. By exploiting a vulnerability in the Parity Multisig wallet, the hacker was able to syphon more than 150,000 Ether from a handful of multi-signature contracts, which was worth approximately $30 million. As the name suggests, a multisig contract requires number of signatures (private/public keys) to be confirmed simultaneously for transactions to occur and value to be transferred. However the hacker circumvented this by sending two transactions to the contract:
1. The first allowed them to take individual control over the contract (disabling the need for multiple key signatures).
2. The second to move the assets to their personal address.
Four Months Later..
Fast-forward 4 months, and the fix that was put in place to prevent more Ether being stolen actually led to a larger issue. Although the amount is speculative, it is estimated that another $2-300 million has been ‘locked up.’ Parity reported that while fixing the bug that allowed for the $30m hack, it unintentionally created a second fault, which allowed for one user to gain control over every multi-signature wallet on the network.
Is there a solution?
Although the user triggered this flaw by accident, when attempting to return the funds (by deleting the original code) the funds were instead locked away in the wallets, whilst also deleting any possible access to recover them. The only means of retaining the funds would require a hard-fork to deploy a fix, in which the entire ecosystem would need to accept and upgrade their code and systems (no small feat when taking into account miners, wallets, exchanges etc.). A similar fork was successful after the 2014 DAO hack; however at the time Ethereum was a much smaller network, and the currency lost represented a much larger percentage of available tokens.
November 2017- Tether Loses $30m to Hackers
Tether is a crypto-asset designed to allow users to trade crypto-tokens that are backed by FIAT currency, and is pegged to the USD at the rate of 1:1. In November 2017, a post on Tether’s website detailed that “malicious action by an external attacker” led to the theft of almost $31 million.
So what happened?
The company went on to say that whilst they could not recover the lost assets, they would attempt to prevent them from reentering the market, and at the time put a freeze on all Tether-holding accounts. Controversy surrounding the hack also saw Tether trading suspended on a number of exchanges. This is important for all investors to note, as not only are you subject to security breaches of third parties, but if you’re storing your tokens in hot wallets it may also affect your ability to trade, or exchange, your assets in the event of an attack.
December 2017- Mining Conglomerate NiceHash Loses $64M
In December 2017, hackers were able to access and empty the entire value of NiceHash’s Bitcoin wallet, speculatively estimated to be worth $64 million. As a mining service, NiceHash lets users trade their computers processing power for rewards in crypto tokens, most commonly in alt-coins. However many of the reward tokens- which are transferred into their equivalent value in Bitcoin- were left in hot wallets NiceHash’s exchange, and were thereby open to cyber-attack.
Can anything be recovered?
The specific address of the hack has since been identified, and NiceHash CEO Marko Kobal has publicly stated the company is ‘working on a solution to make sure all users are reimbursed.’ At the time of writing this, however, and with on-going investigations, the funds are yet to be recovered, and it is unclear if they will be.
How can I prevent this happening to me? - Cold Storage.
Although these reported hacks occurred on a large scale, it is important to note that with proper storage all of the funds lost could have been prevented. Not to mention these all occurred in our very recent history! We’ve highlighted the differences between hot and cold wallets before, however it needs to be said that hot wallet storage is literally an invitation for potential cyber-crime.
Don't let it this happen to you
Before we dive into prevention, however, it is also important to be able to identify how everyday people are lured into scams. New investors to the space are particularly vulnerable as they are unaware of best practice, however many avid investors live with the ‘it won’t happen to me’ attitude which is equally as dangerous. Aside from the vulnerabilities of hot wallets, you are also vulnerable to the following attacks:
- • Stolen usernames and password resets, granted by gaining access to your email accounts.
- • Access gained to your private keys. This can be through physical theft of devices, or unwanted access via your email, phishing scams and/or viruses, which locate them if stored on an online device.
- • Poor security provided by third parties, (as with the NiceHash Hack mentioned above).
So how do you circumvent these attacks?
A cold storage solution, such as the Secure Wallet, puts the power of security back into your hands. By giving you control over your private keys, and ensuring that you have to physically confirm any transaction leaving your device (via the one-time-password button) the wallet is completely immutable to viruses or malware.
Moreover, the Secure wallet is a true cold-storage hardware device, which is never directly connected to the online world, ensuring that it’s hardware can never be tampered with, whilst still allowing for instant transactions using the ECOMI companion app. This gives you the safest level of security and storage available today, whilst still providing the flexibility needed for active trading.