DavidBalaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


Bitcoin Exchange Hack

There are two ways in which cryptocurrency can make a cybercrook's day. The first is the pseudonymity of digital cash: a Bitcoin address is not tied to a real-world identity, so tracking a threat actor through a chain of ransom payments is often a futile undertaking, even though every transaction is recorded on a public ledger. Present-day ransomware extortion schemes have made this currency their core financial component.

The second is that the decentralized nature of Bitcoin makes it an enticing target for theft. Bitcoin exchange services are the weakest link in this Internet-based economy. Many of them are run by programmers rather than experts in finance and security, and the damage to customers tends to be high: there is typically no deposit insurance that would reimburse losses if things get out of hand.

Furthermore, as the incidents below demonstrate, security is not every exchange operator's first priority. A rough estimate of the losses incurred by this industry over the past four years is on the order of 1.3 million Bitcoins, or hundreds of millions of U.S. dollars.

Mt. Gox

It took Mt. Gox as little as three years to become the leading player in the niche: at its peak in 2013 it processed about 70% of all Bitcoin exchange transactions. The name mtgox.com stands for "Magic: The Gathering Online eXchange." Jed McCaleb, a programmer, originally set up the site in 2007, planning to use it for trading cards from that game. He later repurposed it as a cryptocurrency exchange and ended up selling it in 2011, having realized he couldn't cope with the huge ledger of transactions.

The buyer was Mark Karpeles, a coder and cryptocurrency enthusiast based in Japan. Mr. Karpeles revamped the site's back-end software and soon became the CEO of the world's biggest Bitcoin exchange.

The company, however, suffered a series of attacks from then on. The first took place in June 2011 and took the service offline for several days. The threat actor had purportedly compromised the machine of a Mt. Gox auditor and used the stolen credentials to transfer thousands of Bitcoins to another wallet.

The second hack, disclosed in February 2014, drove the company into bankruptcy. With 744,408 customer Bitcoins missing and no explanation at the time, Mt. Gox halted all withdrawals and closed its service. This was reportedly a latent theft that had gone on for years without being detected by the company's security team.

Bitfinex

The most recent incident involves Bitfinex, one of the world's biggest Bitcoin exchanges. The company lost 119,756 Bitcoins, currently the equivalent of more than $72 million, in a breach that took place in early August 2016.

The attacker reportedly took advantage of a weakness in Bitfinex's multi-signature arrangement for authorizing Bitcoin withdrawals. The idea of a multi-signature scheme is that several parties must sign before a transaction becomes valid. In Bitfinex's 2-of-3 setup, Bitfinex held two of the three keys and its wallet provider BitGo held the third and co-signed withdrawals.

At the time of writing, it's unclear which of the parties was compromised and how. To its credit, the company has offered equity to the affected customers as compensation for their losses.
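The point worth taking from the Bitfinex setup is arithmetic rather than cryptographic: a 2-of-3 threshold is satisfied by any two keys, so the co-signer's key only adds protection if an attacker cannot reach two of the other keys at once. The following is an added example, not Bitfinex's or BitGo's code, that simulates the threshold check with HMAC-SHA256 as a stand-in for real ECDSA signatures (an assumption made for illustration; Bitcoin's OP_CHECKMULTISIG is not modelled). It compares two key layouts under the same 2-of-3 rule: two exchange keys plus one co-signer key, versus one exchange key, one co-signer key and one offline backup key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Key:
    """One multisig key. HMAC stands in for a real signature (assumption)."""
    holder: str                                   # custodian controlling the key
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def sign(self, tx: bytes) -> bytes:
        return hmac.new(self.secret, tx, hashlib.sha256).digest()

    def verify(self, tx: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(tx), sig)


def valid_signers(tx: bytes, keys: list, sigs: list) -> set:
    """Indexes of keys for which at least one presented signature verifies."""
    return {i for i, k in enumerate(keys) if any(k.verify(tx, s) for s in sigs)}


def threshold_ok(tx: bytes, keys: list, sigs: list, m: int = 2) -> bool:
    """m-of-n rule: the transaction is authorized if m distinct keys signed it."""
    return len(valid_signers(tx, keys, sigs)) >= m


def compare_layouts() -> dict:
    """Constructed scenario: the attacker holds whatever the exchange keeps online."""
    tx = b"withdraw 1000 BTC to attacker"        # constructed transaction stand-in

    # Layout 1: two keys at the exchange, one at the co-signer.
    a, b, c = Key("exchange"), Key("exchange"), Key("cosigner")
    exchange_only_sigs = [a.sign(tx), b.sign(tx)]

    # Layout 2: one key at the exchange, one at the co-signer, one offline.
    d, e, f = Key("exchange"), Key("cosigner"), Key("offline-backup")
    single_online_sig = [d.sign(tx)]

    # A forged signature (random bytes) must never count toward the threshold.
    forged = [d.sign(tx), secrets.token_bytes(32)]

    return {
        "two_exchange_keys_suffice": threshold_ok(tx, [a, b, c], exchange_only_sigs),
        "single_online_key_suffices": threshold_ok(tx, [d, e, f], single_online_sig),
        "forged_second_sig_suffices": threshold_ok(tx, [d, e, f], forged),
    }


if __name__ == "__main__":
    for name, result in compare_layouts().items():
        print(f"{name}: {result}")
```

With the first layout the co-signer never has to be consulted: the two exchange-held keys already meet the threshold, so whatever policy the co-signer enforces is bypassed by whoever controls the exchange's key material. With the second layout a single online key is useless on its own, and the co-signer (or the offline backup, in a recovery) must participate in every spend.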

Bitcoinica

Bitcoinica, another popular Bitcoin trading platform, developed and owned by Zhou Tong, suffered two breaches in 2012. The first, in March, was part of a breach of its hosting provider Linode: the attacker compromised Linode's customer service portal and used that access to drain the Bitcoin wallets of eight Linode customers, Bitcoinica among them, for a combined loss of 46,703 Bitcoins.

In the second breach, in May 2012, the attacker broke into the company's production servers and stole 18,547 BTC. The aftermath of these heists: four Bitcoinica customers filed a lawsuit demanding $460,457 in compensation.

One mistake that made these hacks so damaging, experts argue, was that Bitcoinica kept large amounts of digital cash online rather than keeping the bulk of it offline in encrypted form.

BitFloor

The BitFloor break-in combined human error with the technical pitfalls of handling cryptocurrency. The breach occurred in 2012 and cost 24,000 BTC, worth about $250,000 at the time. The perpetrator compromised the company's servers and obtained the keys to multiple customers' wallets.

The intruder found an unencrypted backup of the wallet keys that had been made during manual maintenance. Storing such sensitive material in anything other than encrypted form is a bad idea in itself, but a second mistake let the attacker do so much damage: keeping a large amount of Bitcoins in an Internet-connected "hot wallet" rather than in offline "cold storage" that cannot be reached over the network.

Bitstamp

The Bitstamp heist of January 2015 showed how intricate the attackers' modus operandi can get. The crooks bombarded Bitstamp employees with phishing emails (a very popular technique) in a bid to execute malicious code on their computers, and the social-engineering campaign eventually paid off: a staff member opened a malicious .doc attachment carrying an obfuscated VBA script, which compromised a machine on the exchange's network. From that foothold the perpetrators reached two servers that held hot wallet data.
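A macro-carrying Office attachment is easy to spot before it reaches an inbox. Below is an added example, not Bitstamp's code or tooling, of a mail-gateway triage heuristic: legacy .doc files are OLE compound files whose directory entries are stored as UTF-16LE, and Word keeps VBA code under a "Macros" storage with a "VBA" sub-storage, while OOXML files (.docm, .xlsm) are zip containers holding a vbaProject.bin part. The sample attachments are constructed inline and contain no real macro code; the function and marker names are this example's own.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File header (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML documents are zip containers

# OLE directory-entry names are UTF-16LE; these storages only exist when VBA is present.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT", "VBA")]
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'office' or 'other'. Heuristic, not a full OLE/OOXML parser."""
    if data.startswith(OLE_MAGIC):
        return "macro" if any(m in data for m in OLE_MACRO_MARKERS) else "office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "other"
        if any(part in names for part in OOXML_MACRO_PARTS):
            return "macro"
        return "office" if "[Content_Types].xml" in names else "other"
    return "other"


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict; callers would quarantine every 'macro' hit."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


def build_samples() -> dict:
    """Constructed sample attachments (not real malware) for a dry run."""
    doc_with_macro = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 32
    doc_plain = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:            # minimal .docm skeleton
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    docm_with_macro = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:            # minimal macro-free .docx
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    docx_plain = buf.getvalue()
    return {
        "invoice.doc": doc_with_macro,
        "memo.doc": doc_plain,
        "report.docm": docm_with_macro,
        "agenda.docx": docx_plain,
        "notes.txt": b"plain text, nothing to see",
    }


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name}: {verdict}")
```

The check deliberately ignores the file extension and looks at the container itself, since renaming a .docm to .doc is a common trick. A production gateway would go further (parse the OLE directory properly, extract and deobfuscate the VBA, detonate in a sandbox), but even this cheap first pass would have flagged the attachment type used against Bitstamp.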

The losses amounted to 19,000 BTC, roughly $5.2 million at the time of the breach. Having recovered from the attack, Bitstamp management decided to rebuild the whole trading platform from scratch to ensure better defenses and more effective damage containment in future.

Security Recommendations

To stay on the safe side, Bitcoin exchanges should follow a few important guidelines. First, the amount of cryptocurrency held in Internet-accessible hot storage should never exceed what the company could lose without going bankrupt; the bulk should sit in offline cold storage. It is also a good idea to route deposits directly to cold storage.

Requiring manual validation of transfers from cold storage to hot wallets is worthwhile as well. For large withdrawals, delaying the transaction for a while is the lesser of two evils: the delay buys time for careful review and validation.
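The guidelines above fit together as one treasury policy. The following added example (hypothetical code, not any exchange's implementation; the class, method and threshold names are this example's own) enforces all four of them: a hard cap on the hot wallet, deposits that land in cold storage, cold-to-hot refills that require a named approver, and withdrawals above a limit that are held for a review period and released only after a reviewer signs off.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Treasury:
    """Hypothetical exchange treasury; amounts are in BTC."""
    hot_cap: float                 # the most the exchange can afford to lose online
    large_withdrawal: float        # withdrawals above this are held for review
    review_delay: timedelta        # minimum hold time before a held withdrawal pays out
    hot: float = 0.0
    cold: float = 0.0
    pending: list = field(default_factory=list)
    ledger: list = field(default_factory=list)

    def deposit(self, amount: float) -> None:
        """Deposits go straight to cold storage and never touch the hot wallet."""
        self.cold += amount
        self.ledger.append(("deposit->cold", amount))

    def refill_hot(self, amount: float, approved_by: str) -> None:
        """Cold-to-hot transfer: needs a human approver and must respect the cap."""
        if not approved_by:
            raise PermissionError("cold-to-hot transfer requires manual approval")
        if self.hot + amount > self.hot_cap:
            raise ValueError("transfer would exceed the hot wallet cap")
        if amount > self.cold:
            raise ValueError("insufficient cold funds")
        self.cold -= amount
        self.hot += amount
        self.ledger.append(("cold->hot", amount, approved_by))

    def withdraw(self, amount: float, now: datetime) -> str:
        """Small withdrawals pay out immediately; large ones are queued for review."""
        if amount > self.large_withdrawal:
            self.pending.append({"amount": amount, "release_at": now + self.review_delay,
                                 "approved": False, "reviewer": None})
            return "held"
        return self._pay(amount)

    def _pay(self, amount: float) -> str:
        if amount > self.hot:
            return "hot_wallet_depleted"      # cold is never drawn on automatically
        self.hot -= amount
        self.ledger.append(("withdraw", amount))
        return "paid"

    def approve(self, index: int, reviewer: str) -> None:
        self.pending[index]["approved"] = True
        self.pending[index]["reviewer"] = reviewer

    def release_due(self, now: datetime) -> list:
        """Pay out held withdrawals that are both approved and past their delay."""
        results, still_pending = [], []
        for p in self.pending:
            if p["approved"] and now >= p["release_at"]:
                results.append(self._pay(p["amount"]))
            else:
                still_pending.append(p)
        self.pending = still_pending
        return results


def run_scenario() -> dict:
    """Constructed walk-through of the policy; timestamps are arbitrary."""
    t0 = datetime(2016, 8, 1, 12, 0)
    t = Treasury(hot_cap=100.0, large_withdrawal=10.0, review_delay=timedelta(hours=24))
    t.deposit(1000.0)                                  # lands in cold, hot stays at 0
    t.refill_hot(80.0, approved_by="ops-oncall")
    out = {"small": t.withdraw(5.0, t0),               # paid from hot at once
           "large": t.withdraw(50.0, t0)}              # held for review
    out["early_release"] = t.release_due(t0 + timedelta(hours=1))    # not yet approved
    t.approve(0, reviewer="treasury-lead")
    out["late_release"] = t.release_due(t0 + timedelta(hours=25))    # approved and due
    try:
        t.refill_hot(20.0, approved_by="")
        out["unapproved_refill"] = "allowed"
    except PermissionError:
        out["unapproved_refill"] = "blocked"
    out["hot"], out["cold"] = t.hot, t.cold
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two design choices matter here. The hot wallet never refills itself from cold storage when it runs dry; it returns a "depleted" result and a human has to top it up, which is exactly the friction the guidelines call for. And a held withdrawal needs both conditions, approval and elapsed delay, so neither a rushed reviewer nor a patient attacker can shortcut the other control.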

As far as customer security goes, it mostly boils down to strong passwords and multi-factor authentication. Also scrutinize the reputation of the exchange you choose, bearing in mind that, as some of the incidents above show, an immaculate track record does not guarantee a trouble-free experience.