In this article, we will try to remember all the major cryptocurrency thefts over the past 10 years.
1. Bitstamp hack, $5.3 mln (BTC), January 4th, 2015
On January 4, 2015, the operational hot wallet of Bitstamp announced that it was hacked by an anonymous hacker and 19,000 Bitcoins (worth of $5 million) were lost.
The initiation of the attack fell on November 4, 2014. Then Damian Merlak, the CTO of the exchange, was offered free tickets to punk rock festival Punk Rock Holiday 2015 via Skype. It was known that Merlak is interested in such music and even plays in a band. To receive the tickets, he was asked to fill in a participant questionnaire by sending a file named “Punk Rock Holiday 2015 TICKET Form1.doc”. This file contained a VBA script. By opening the file, he downloaded the malware on his computer. Although Merlak did not suspect any wrong and has opened the “application form”, to any critical consequences, this did not open access to the funds of Bitstamp exchange.
The attackers, however, did not give up. The attack continued for five weeks, during which hackers presented themselves as journalists, then headhunters.
Finally, the attackers were lucky. On December 11, 2014, the infected word document was opened on his machine by Bitstamp system administrator Luka Kodric, who had access to the exchange wallet. The file came to the victim by email, allegedly on behalf of an employee of the Association for Computer Machinery, although in fact, as the investigation showed, the traces of the file lead deep into Tor. Hackers' attempts were not limited to just one letter. Skype attacker pretended to be an employee of the Association for Computing Machinery, convinced that his Frame thought to make an international honored society, which required some paperwork. Kodric believed.
By installing a Trojan on Kodriс’s computer, hackers were able to obtain direct access to the hot wallet of the exchange. The logs show that the attacker, under the account of Kodric, gained access to the server LNXSRVBTC, where he kept the wallet file .dat, and the DORNATA server, where the password was stored. Then the servers were redirected to a certain IP address that belongs to one of the providers of Germany.
There are still no official reports of arrests in this case. Obviously, the case is complicated by the fact that the hackers are outside the UK, and the investigation has to cooperate with law enforcement agencies in other countries.
2. GateHub hack, $9.5 mln (XRP), June 1st, 2019
Hackers have compromised nearly 100 XRP Ledger wallets on cryptocurrency wallet service GateHub. The incident was reported by GateHub in a preliminary statement on June 6.
XRP enthusiast Thomas Silkjær, who first noticed the suspicious activity, estimates that the hackers have stolen nearly $10 million worth of cryptocurrency (23,200,000 XRP), $5.5 million (13,100,000 XRP) of which has already been laundered through exchanges and mixer services.
GateHub notes that it is still conducting an investigation and therefore cannot publish any official findings. Also, GateHub advises victims to make complaints to the relevant authorities of their jurisdiction.
Tether created a digital currency called “US tokens” (USDT) — they could be used to trade real goods using Bitcoin, Litecoin, and Ether. By depositing $1 in Tether, the user received 1 USD, which can be converted back into fiat. On November 19, 2017, the attacker gained access to the main Tether wallet and withdrew $ 30.9 million in tokens. For the transaction, he used a Bitcoin address, which means that it was irreversible.
To fix the situation, Tether took action by which the hacker was unable to withdraw the stolen money to fiat or Bitcoin, but the panic led to a decrease in the value of Bitcoin.
On July 20, 2017, the hacker transferred 153,037 Ethers to $31 million from three very large wallets owned by SwarmCity, Edgeless Casino and Eternity. Unknown fraudsters managed to change the ownership of wallets taking advantage of the vulnerability with multiple signatures.
First, the theft was noticed by the developers of SwarmCity.
Further events deserve a place in history: “white hackers” returned the stolen funds and then protected other compromised accounts. They acted in the same way as criminals who stole funds from vulnerable wallets — just not for themselves. And it all happened in less than a day.
5. Dao hack, $70 mln (ETH), June 18th, 2016
On June 18, 2016, members of the Ethereum community noticed that funds were being drained from the DAO and the overall ETH balance of the smart contract was going down. A total of 3.6 million Ether (worth around $70 million at the time) was drained by the hacker in the first few hours. The attack was possible because of an exploit found in the splitting function. The attackers withdrew Ether from the DAO smart contract multiple times using the same DAO Tokens. This was possible due to what is known as a recursive call exploit.
In this exploit, the attacker was able to “ask” the smart contract (DAO) to give the Ether back multiple times before the smart contract could update its own balance. There were two main faults that made this possible: the fact that when the DAO smart contract was created the coders did not take into account the possibility of a recursive call, and the fact that the smart contract first sent the ETH funds and then updated the internal token balance.
It’s important to understand that this bug did not come from Ethereum itself, but from this one application that was built on Ethereum. The code written for the DAO had multiple bugs, and the recursive call exploit was one of them. Another way to look at this situation is to compare Ethereum to the Internet and any application based on Ethereum to a website: if a website is not working, it doesn’t mean that the Internet is not working, it simply means that one website has a problem.
The hacker stopped draining the DAO for unknown reasons, even though they could have continued to do so.
The Ethereum community and team quickly took control of the situation and presented multiple proposals to deal with the exploit. In order to prevent the hacker from cashing in the Ether from his child DAO after the standard 28 days, a soft-fork was voted on and came very close to being introduced. A few hours before it was set to be released, a few members of the community found a bug with the implementation that opened a denial-of-service attack vector. This soft fork was designed to blacklist all the transactions made from the DAO.
6. NiceHash hack, 4736.42 (BTC), December 6th, 2017
NiceHash is a Slovenian cryptocurrency hash power broker with an integrated marketplace that connects sellers of hashing power (miners) with buyers of hashing power using the sharing economy approach.
On December 6, 2017, the company’s servers became the target of attack. At first, Reddit users reported that they could not access their funds and make transactions — when they tried to log in, they were shown a message about service interruption. In the end, it became known that the service had undergone a major cyber attack, and 4736,42 Bitcoins disappeared without a trace.
Despite heavy losses, NiceHash was able to continue working, but CEO and founder Marco Koval resigned, giving way to a new team. The company managed to maintain the trust of investors and began to strengthen the protection of its systems.
7. Mt. Gox hack, 850000 (BTC), June 19th, 2011
The hacking Of Mt. Gox was one of the biggest Bitcoin thefts in history. It was the work of highly professional hackers using complex vulnerabilities.
A hacker (or a group of hackers) allegedly gained access to a computer owned by one of the auditors and used a security vulnerability to access Mt. Gox servers, then changed the nominal value of Bitcoin to 1 cent per coin.
Then they brought out about 2000 BTC. Some customers, without knowing it, conducted transactions at this low price, a total of 650 BTC, and despite the fact that the hacking hit the headlines around the world, no Bitcoin could be returned.
To increase investor confidence, the company has compensated all of the stolen coins, placed most of the remaining funds in offline storage, and the next couple of years was considered the most reliable Bitcoin exchanger in the world.
However, it was only an illusion of reliability.
The problems of the organization were much more serious, and the management probably did not even know about them.
CEO of Mt. Gox, Mark Karpeles, was originally a developer, but over time he stopped delving into technical details, basking in the rays of glory — because he created the world’s largest platform for cryptocurrency exchange. At that time Mt. Gox handled over 70% of all Bitcoin transactions.
And, of course, there were those who wanted to take advantage of the technological weakness of the service. At some point, hackers made it so that Bitcoins could be bought at any price, and within minutes millions of dollars worth of coins were sold — mostly for pennies. World prices for Bitcoin stabilized in a few minutes, but it was too late.
As a result, Mt. Gox lost about 850,000 Bitcoins. The exchange had to declare bankruptcy, hundreds of thousands of people lost money, and the Japanese authorities arrested CEO Mark Karpeles for fraud. He pleaded not guilty and was subsequently released. In 2014, the authorities restored some of the Bitcoins remaining at the old addresses, but did not transfer them to the exchange, and created a trust to compensate for the losses of creditors.
8. Coincheck hack, $530 mln, January 26th, 2018
The sum was astonishing and even surpassed the infamous Mt. Gox hack.
While Mt. Gox shortly filed for bankruptcy following the hack, Coincheck has surprisingly remained in business and was even recently approved as a licensed exchange by Japan’s Financial Services (FSA).
Coincheck was founded in 2014 in Japan and was one of the most popular cryptocurrency exchanges in the country. Offering a wide variety of digital assets including Bitcoin, Ether, LISK, and NEM, Coincheck was an emerging exchange that joined the Japan Blockchain Association.
Since Coincheck was founded it 2014, it was incidentally not subject to new exchange registration requirements with Japan’s FSA, who rolled out a framework after Mt. Gox, and eventually was a contributing factor to its poor security standards that led to Coincheck hack.
On January 26th, 2018, Coincheck posted on their blog detailing that they were restricting NEM deposits and withdrawals, along with most other methods for buying or selling cryptocurrencies on the platform. Speculation arose that the exchange had been hacked, and the NEM developers issued a statement saying they were unaware of any technical glitches in the NEM protocol and any issues that were a result of the exchange’s security.
Coincheck subsequently held a high-profile conference where they confirmed that hackers had absconded with 500 million NEM tokens that were then distributed to 19 different addresses on the network. Totaling roughly $530 million at the time — NEM was hovering around $1 then — the Coincheck hack was considered the largest theft in the industry’s history.
Coincheck was compelled to reveal some embarrassing details about their exchange’s security, mentioning how they stored all of the NEM in a single hot wallet and did not use the NEM multi-signature contract security recommended by the developers.
Simultaneously, the NEM developers team had tagged all of the NEM stolen in the hack with a message identifying the funds as stolen so that other exchanges would not accept them. However, NEM announced they were ending their hunt for the stolen NEM for unspecified reasons several months later, and speculation persisted that hackers were close to cashing out the stolen funds on the dark web.
Mainstream media covered the hack extensively and compared it to similar failures by cryptocurrency exchanges in the past to meet adequate security standards. At the time, most media coverage of cryptocurrencies was centered on their obscure nature, dramatic volatility, and lack of security. Coincheck’s hack fueled that narrative considerably as the stolen sum was eye-popping and the cryptocurrency used — NEM — was unknown to most in the mainstream.
NEM depreciated rapidly following the hack, and the price fell even more throughout 2018, in line with the extended bear market in the broader industry. Currently, NEM is trading at approximately $0.07, a precipitous fall from ATH over $1.60 in early January.
The extent of the Coincheck hack was rivaled by only a few other hacks, notably the Mt. Gox hack. While nominally Coincheck is the largest hack in the industry’s history, the effects of Mt. Gox were significantly more impactful since the stolen funds consisted only of Bitcoin and caused a sustained market correction as well as an ongoing controversy with the stolen funds and founder. Moreover, Mt. Gox squandered 6% of the overall Bitcoin circulation at the time in a market that was much less mature than it is today.
Despite the fallout, Coincheck is now fully operational and registered with Japan’s FSA.
As practice shows, people make mistakes and these mistakes can cost a lot. Especially, when we talk about the mad crypto world. Be careful and keep your private keys in a safe place.