This is part two of a series about cryptocurrencies that have been hit by hackers. You can check out the first article here. Since the inception of Blockchain and cryptocurrencies, they have been the target of hackers. It doesn’t happen often, but when it does, it can have a profound effect on the targeted digital currency. In some cases, cryptocurrencies have all but failed due to being hacked.
Here is a list of those digital currencies that were victims of hackers.
- Coincheck is a Japanese exchange that works with multiple blockchains, including NEM. Around January 26, 2018, XEM valued at approximately $400m USD were stolen. Initial cause was unclear to Coincheck according to their statements.
- After hours of speculation Friday night, Coincheck Inc. said the coins were sent “illicitly” outside the venue. Co-founder Yusuke Otsuka said the company didn’t know how the 500 million tokens went missing, and the firm is working to ensure the safety of all client assets. Coincheck said earlier it had suspended all withdrawals, halted trading in all tokens except Bitcoin, and stopped deposits into NEM coins.
- Follow up reporting based on a press conference cite a breached hot wallet.
- According to the exchange’s representatives, the hackers have managed to steal the private key for the hot wallet where NEM coins were stored, enabling them to drain the funds.
- BlackWallet is a wallet used to send and receive Lumens (XLM) on the Stellar network. The creator of BlackWallet announced on Reddit an infrastructure compromise resulting in a hacked website that attacked users who entered private keys into it. It should be noted that BlackWallet was not in possession of user private keys, but it was a more of a wallet client that could be used to view a wallet.
- BlackWallet appears to have existed since August 2017, with a DNS hijack on January 13 pointing traffic towards Cloudflare, and a malicious browser-based wallet. BlackWallet only existed for five months before being victimized.
- I am the creator of Blackwallet. Blackwallet was compromised today after someone accessed my hosting provider account. He then changed the DNS settings to those of its fraudulent website (which was a copy of Blackwallet).
“A DNS hijack has led to hackers withdrawing $400,000 worth of Stellar Lumen (XLM) coins from wallets hosted by Blackwallet.co without users’ permission.
“As multiple sources report, on Saturday, Jan. 13, attackers took control of BlackWallet’s hosting server, changing settings to allow code to run which automatically sent customer balances over 20XLM to an address under the hackers’ control.
“Almost 670,000 tokens are currently missing as a result of the attack, likely explaining XLM’s almost 23 percent dive over the past 48 hours.
“On social media, desperate efforts to contain the threat before the service was taken offline saw BlackWallet’s developer caution users should move their funds elsewhere if they had entered their wallet information since Saturday.”
The developer, known as u/orbit84 on Reddit, wrote:
I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer …
- Yobit was hacked on December 19th at 4:35 am. They had previously been breached earlier in the year, with South Korean officials indicating North Korean involvement. Their hot wallet containing 17% of their assets, was breached and stolen, indicating that cold storage was useful. Assuming server breach of some kind.
- After the accident in April, we have done our best to improve the security, recruitment and system maintenance.
- Have managed to lower the hot wallet rate.
- Then, at 4:35 am, we lost our coin purse due to hacking.
- The coin loss at 4:35 am is about 17% of total assets. The other coins were kept in the cold wallet and there were no additional > losses.
- The loss ratio is low compared to last April, but the management of Yaffian Co., Ltd. is going to proceed with the process of stopping the transaction, stopping deposit and withdrawal, and bankruptcy on December 19, 2013.
- Accordingly, all coins and cash withdrawals and withdrawals will be suspended at 12:00 pm on December 19, 2017.
- Due to bankruptcy, the settlement of cash and coins will be carried out in accordance with all bankruptcy procedures.
- However, in order to minimize the damage to our members, we will arrange for the withdrawal of approximately 75% of the balance at > 4:00 am on December 19, The rest of the unpaid portion will be paid after the final settlement is completed.
- We will do our best to minimize the loss of our members by 17 %, through various methods such as cyber comprehensive insurance (3 > billion) and selling the operating rights of the company.
- After the announcement date, your assets will be adjusted to 75% at 4:00 pm on December 19, 2017. Cash and coins deposited after 4:00 pm will be 100% refunded.
“As Bitcoin and cryptocurrencies continue to rise in value, they become ripe targets for hackers, who have now forced a relatively unknown South Korean cryptocurrency exchange, Youbit, to file for bankruptcy.
“This is the second time hackers managed to access user funds on Youbit (not to be confused with Yobit), having made off with around 4,000 Bitcoins back in April (when the exchange was known as Yapizon).
“While the exchange did not announce the exact amount of Bitcoins lost this time, it shared that the hack took place today, at 4:35 AM and attackers managed to take 17% of the exchange’s holdings.
“Their official statement apologized for the funds lost and announced that all trading has been stopped. It also stated that every option will be explored in order to reduce losses, while presently all user assets will be marked down to 75%.
“Meanwhile, it is reported that the Korean Internet & Security Agency (KISA), will be investigating the attack.
“Even though cryptocurrencies are quite robust themselves, protected by complicated cryptographic algorithms, their safe storage is a different matter altogether.
“Just like paper money or physical assets like gold, cryptocurrencies are kept in wallets, which can only be accessed via a special pair of public and private keys. Anyone who has access to a wallet’s private key, can withdraw and move all the funds, and even though such thefts can be tracked on the blockchain, once lost, they cannot be recovered due to the technology’s immutable nature.
“One of the most prominent and largest Bitcoin thefts was the Mt. Gox scandal, which saw, the once mega-exchange losing over 744,000 Bitcoins, worth more than a staggering $14 billion at current prices.
“Given all this, it cannot be stressed enough that holding cryptocurrencies on exchanges is extremely risky, particularly for those who use exchanges for storage. If you are going to be holding a cryptocurrency for long, it is highly advised to move it to a secure, dedicated wallet, whose private keys are under your own control.”
- Nicehash was a cryptocurrency mining service and marketplace, allowing users to buy and sell their own mining power. While not necessarily a mining pool of its own, it still maintained a wallet for customer funds. Nicehash appears to have shuttered their website with a notice saying “a security breach involving NiceHash website” and “our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen.”
- A Facebook Livestream has further notes on the issue. This is hard to archive so I will transcribe useful points. Overall, this was lateral movement from a remote IP address, gaining access to a VPN, possibly through an employee computer, and moving laterally into production systems. This appeared to all have happened within a couple of hours, when the attacker decided to work actively.
- “We became a target and someone really wanted to bring us down.”
- “We are cooperating with local and international law enforcement.”
- 4,700 BTC stolen on early morning 12-06-2017.
- Can’t discuss everything due to the investigation.
- Hacker(s) were able to infiltrate our internal systems through a compromised company computer.
- Unknown how the company computer was compromised.
- VPN had visibility into abusive behavior, IP address was outside of the European Union.
- “Made a crucial VPN login using an engineer’s credentials.”
- After VPN login, learned and simulated the workings of our payment system.
- Tether lost $31 million in “tokens”. Tether tokens allow you to “store, send and receive digital tokens pegged to dollars, euros, and yen person-to-person, globally”. Based on the wording in Tether blog posts, a “treasury wallet” was drained by an external attacker.
- This infers that some sort of key material or signature generating process was misused, so I estimate this ultimately required the breach of a high-risk server.
- This estimation is low confidence and could change with new information, for instance, if the treasury wallet was cold, or held on a compromised endpoint by an employee. Remote access requires some aspect of wallet “warmth” which makes me believe it was online on a server.
- The Tether team claims high confidence in identifying their root cause so this is not an “unknown” root cause.
“Tether, the company behind a dollar-pegged cryptocurrency widely used in the market’s exchange trade, is claiming that its systems have been hacked and that $30 million worth of its tokens has been stolen.
“In a post on the project’s website (which has since been removed), Tether blamed a “malicious action by an external attacker” for the theft of $30,950,010 USDT yesterday. Originally launched as Realcoin and later rebranded, Tether aims to serve as a proxy for the US dollar that can be sent between exchanges, notably including Bitfinex, Poloniex and other markets without fiat trading.
“In response, Tether said it would move swiftly to ensure these exchanges do not trade or otherwise introduce the stolen funds back into the cryptocurrency economy.”
The company wrote:
“$30,950,010 USDT was removed from the Tether Treasury wallet on Nov. 19, 2017 and sent to an unauthorized bitcoin address. As Tether is the issuer of the USDT managed asset, we will not redeem any of the stolen tokens, and we are in the process of attempting token recovery to prevent them from entering the broader ecosystem.”
“Notably, the company said that it is releasing a new version of the Omni Core software client (which Tether runs on top of) in a bid to effectively lock up the tokens it alleges were stolen. Should nodes in the network adopt the software, it would effectively blacklist the stolen address, enacting an emergency fork to contain the funds.
“Representatives from the Omni Core software project said they would seek to release new software in the coming days that will allow Tether to retrieve the stolen tokens.
“‘The tether.to the back-end, wallet service has been temporarily suspended. A thorough investigation of the cause of the attack is being undertaken to prevent similar actions in the future,’” Tether wrote.
“The announcement comes amid a period of growing discussion – and controversy – around Tether.
“Under scrutiny has been the unclear relationship between Tether and the troubled British Virgin Islands-based bitcoin exchange Bitfinex – and long-standing allegations the exchange has been using the asset to engage in fraud and market manipulation. Complicating matters is that the two companies are said to share a common ownership, though details remain murky as to the exact nature of the connection.
“As such, today’s hack claims are likely to further drive the controversy, which began following Bifinex’s hack last August, in which it lost more than $70 million in customer funds.