06 Jul Cryptocurrencies, the Dream of Cyber Criminals
In one of our previous articles, we warned our clients that, while it is a secure technology in itself, cryptocurrency has a dark side too. Crypto-related exchanges, wallets and regular cryptocurrency holders have long been subject to cyber attacks, scams and hacks, and 2018 might become “the worst year of crypto losses in terms of assets stolen” (Crypto Aware). In this article, we will introduce you to the world and work of cyber criminals and show what fraudulent schemes have already been launched, so that you are informed and on your guard.
All events resulting in the loss of cryptocurrency may be divided into large crypto hacking incidents, which often make the headlines once they occur, and much more frequent scams and frauds, which occur to individuals and are largely unreported.
Here are the major hacks, which shook the world of cryptocurrency:
Mt Gox (“Magic: The Gathering Online eXchange”) Hack. Mt Gox used to be the biggest Bitcoin exchange in the world, handling around 70% of the world’s exchanges. In 2011, the exchange underwent its first great hacking attack. The attackers hacked into the auditor’s computer and transferred a huge amount of money to themselves. When the Bitcoin price on Mt Gox fell to one cent – an artificially low price due to the hack – the hackers bought another 650 coins from the exchange. Although the company managed to recover from this first blow, it did not solve its major flaws – absence of version control software (without it, source code becomes a mess), lack of a testing policy and poor management. No wonder another attack followed in 2014. This time, Mt Gox found 473 million in USD missing. Interestingly, the exchange had been hacked for about two years before it actually realised it. It is presumed that the money was stolen through a leak in hot wallets with the help of Mt Gox’s stolen private key.
The DAO Hack. The DAO incident, which took place in 2016, was the biggest hack of Ethereum. Actually, it was an attack on the DAO (Decentralised Autonomous Organisation), a decentralised fund built on the Ethereum blockchain. The investors of the fund earned DAO tokens for sending Ether to wallets. The creators envisioned a ‘split function’ as an exit in case any investor wanted to leave the fund. This is where the hackers saw an opportunity to exploit: the system first gave out the Ether and only then registered the transaction and updated the balance. The hackers built a recursive call into their request for Ether in exchange for their tokens, and the system sent the money to them multiple times before finally updating the balance. This way, the hackers managed to drain $50 million in Ether out of the fund. To reverse the hack, the investors agreed to a hard fork – a radical change in the protocol, which allows earlier transfers to be made invalid but results in the cryptocurrency splitting into two. Since then, other cryptocurrencies have considered or used this solution in case of hacks too.
Coincheck Hack. The January 2018 attack on a NEM exchange, Coincheck Inc., is the most recent and the biggest cryptocurrency hack so far, resulting in $523 million in losses in stolen digital tokens. Although there is no clear explanation of how the hackers managed to steal the money, the perceived flaws of the exchange did contribute to it. In particular, the exchange kept customers’ assets in less secure hot wallets and lacked multi-signature security (although the multisig system is not immune, as its hack in Bitfinex showed, it still makes an attack more difficult). Notably, the addresses to which the hacked money went were all known and flagged, but much of the stolen money has already been laundered through regular exchanges and other services that allow cryptocurrency trading without the collection of any personal data.
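The ordering flaw described in the DAO paragraph above can be reproduced in a few lines. This is an added illustration, not code from the DAO or from this article's author: a constructed Python model (the `Fund` class, the names and the amounts are all assumptions) that runs the same repeated request against a fund that pays before updating the balance and against one that updates the balance first.

```python
# Added illustration: a constructed Python model, not the DAO's contract code.
class Fund:
    def __init__(self, safe):
        self.safe = safe        # True: update the balance before paying out
        self.balances = {}      # investor -> credited Ether
        self.pool = 0           # Ether actually held by the fund

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            self.balances[who] = 0   # record the exit first ...
            self.pool -= amount
            receive(amount)          # ... then hand control to the recipient
        else:
            self.pool -= amount
            receive(amount)          # recipient code runs while balance is stale
            self.balances[who] = 0   # too late: updated only after the payout


def run(safe, reentries=3):
    """Return (amount paid to the caller, Ether left in the fund)."""
    fund = Fund(safe)
    fund.deposit("other_investors", 90)
    fund.deposit("caller", 10)
    paid = []

    def receive(amount):
        paid.append(amount)
        if len(paid) <= reentries:
            fund.withdraw("caller", receive)   # ask again during the payout

    fund.withdraw("caller", receive)
    return sum(paid), fund.pool


if __name__ == "__main__":
    print("balance updated after payout:", run(safe=False))
    print("balance updated before payout:", run(safe=True))
```

With the balance updated last, a caller credited with 10 is paid 40 and the fund can no longer cover what it owes the other investors; with the balance updated first, the repeated request finds a zero balance and stops.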
These examples show that cryptocurrency owners may be deluded by the exchanges that market their diligence and security while having considerable operational flaws. Still, there are many other instances of scams, in which hackers target the very owners, not larger intermediaries like wallet services and exchanges. Here are the most common examples:
Fraudulent ICOs. An ICO is the way to build a cryptocurrency startup. In a nutshell, the creators of a new cryptocurrency announce the technology and explain why it will be profitable to invest in it; when people actually invest in the new cryptocurrency, it acquires the respective value. This is how Ethereum was started. Scammers, in their turn, present fabricated papers on a fake ICO, create marketing hype, persuade people to invest, and … successfully disappear with the collected funds.
‘Shady’ exchanges and fake wallets. Unlike the irresponsible exchanges described above, these are created from the very beginning for stealing people’s money. Since the activity of exchanges is not regulated and opening one does not require any certification, shady exchanges appear and vanish overnight, leaving the deluded customers to blame only their own careless choice. Similarly, it is the responsibility of the customers to detect and avoid the fake Android wallets launched on the Play Store every other day.
Pyramid scams. Century-old pyramid or Ponzi scams now take the form of a crypto project, where the impressive profits to the investors come from the investments of the newcomers they have to recruit. When the pyramid grows large enough and it becomes difficult to recruit more people, the promoter runs away with the money.
Phishing scams (punycode and fake airdrops). These scams are specific to the cryptosphere and are created to obtain cryptocurrency owners’ usernames, passwords and seed keys. A punycode scam is a fake website that looks exactly like a customer’s wallet and has a comparable name with one or two letters different, created so that an unsuspecting user leaves his credentials for the hackers’ use. Scammers also exploit the idea of airdrops (free tokens distributed to reward loyal customers or encourage prospective ones), creating fake ones and requiring users to leave their credentials in order to receive the money.
Pumping & Dumping. As in traditional markets, the cryptocurrency market has its own (and large!) pump & dump groups that artificially manipulate a cryptocurrency price by sharing fake news, false “insider leaks” and misleading “expert” views.
Impersonators. This notion stands for scammers who create fake companies or personal profiles on social media and thus interact directly with people, offering cryptocurrency support, encouraging them to invest in crypto projects or distributing fake airdrops.
Fake support staffers. Scammers post fake support numbers online and, when “providing support”, direct the customers to transfer their cryptocurrency to a “temporary” wallet so that they do not lose the money while support addresses the issue. Needless to say, the digital money never returns to the victim.
While different, all the provided examples of hacks teach one important thing – the cryptocurrency market being unregulated, you, a cryptocurrency owner, assume ultimate responsibility for your choice of cryptocurrency-related services. Ultimately, you are to take care of the security of your funds. However, you are not alone in this quest. Mon-K is dedicated to providing superior security solutions to corporate and private customers and is ready to help you enter the world of cryptocurrency in a safe and secure way.
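A check for the lookalike wallet addresses described under phishing scams above can be automated before a link is opened or a bookmark is saved. This is an added example, not code from the article's author: it decodes `xn--` (punycode) hostnames with Python's built-in `idna` codec and flags any name within two characters of a known wallet domain. The domain `examplewallet.com`, the sample hostnames and the threshold of two are constructed assumptions.

```python
# Added illustration; KNOWN_WALLETS holds a constructed, hypothetical domain.
KNOWN_WALLETS = {"examplewallet.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, known=KNOWN_WALLETS, max_distance=2):
    host = host.strip().lower().rstrip(".")
    if host in known:
        return "known"
    try:
        # Decode xn-- labels to the Unicode form a browser may display.
        display = host.encode("ascii").decode("idna")
    except UnicodeError:
        display = host              # already Unicode, or not decodable
    is_idn = any(ord(ch) > 127 for ch in display)
    near = any(edit_distance(display, k) <= max_distance for k in known)
    if near:
        return "lookalike-idn" if is_idn else "lookalike"
    return "idn-unlisted" if is_idn else "unlisted"


# Constructed samples: a digit swap, and a Cyrillic "a" (U+0430) in xn-- form.
SAMPLES = [
    "examplewallet.com",
    "examp1ewallet.com",
    "ex\u0430mplewallet.com".encode("idna").decode("ascii"),
    "unrelated.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```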