So many cryptocurrencies, so little time. A large number of digital currencies have either slipped up or have pulled off a scam. Whatever the case, over the past couple of years, over 20 different digital currency startups have been hacked. These numbers are based on the various news stories that have been published on the Internet.
Below is another list of those digital currencies that have been hacked.
- CoinDash appears to have been victimized through a hacked website, on which a supposed adversary swapped out a funding address with a malicious address immediately after a token sale was launched.
- Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly. Transactions posted to any fraudulent address after our site was shut down will not be compensated.
- It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack, $7 Million was stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants, and we are grateful for your support and contribution.
“An initial coin offering (ICO) for a little-known startup project called CoinDash was abruptly halted today when it was revealed the sale had been compromised shortly after it began.
“In total, the ICO was able to raise $7.53m before the Ethereum address it was using to solicit funds was altered to a fake one by an unidentified hacker, resulting in the ether going to another source.
“At the time of publication, the CoinDash website has been shut down, and the project is asking investors who have been affected to submit information to the provided link to collect the CoinDash token (CDT) they should be rewarded through the sale.”
The company’s statement reads:
Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.
“Notably, as the project is still under attack, and the sale has been terminated.
“In a statement, CoinDash urged investors not to send any ether to any address, since “transactions sent to any fraudulent address after the website was shut down will not be compensated.”
“The hacking of this ICO is reminiscent of last year when $50m was stolen similarly from a project called The DAO. As such, the event will likely again draw attention to possible security issues in ICO funding, amid their escalating popularity.” –coindesk.com
- Due to a programming error in the implementation of Zerocoin, an attacker was able to exploit a single proof to generate multiple spends that could be sent to an exchange, where the attackers then sold the coins and withdrew funds.
- Significant documentation on the breach is available.
- From what we can see, the attacker (or attackers) is very sophisticated, and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks. We estimate the attacker has created about 370,000 Zcoins which has been almost wholly sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC. In other words, the damage has already been mostly absorbed by the markets.
“A malicious coding attack on Zerocoin created 370,000 fake tokens which perpetrators sold for over 400 Bitcoins ($444,000), it has emerged.
“In an announcement on Friday, the Zerocoin team made it known that a single-symbol error in a piece of code “allowed an attacker to create Zerocoin spend transactions without a corresponding mint.”
“Over a period of several weeks, the “highly sophisticated” criminal party created fake Zerocoins and sold them using multiple exchange accounts to avoid raising suspicion.”
The announcement continues:
We estimate the attacker has created about 370,000 Zcoins which have been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC.
“The episode nonetheless had an appreciable effect on Zerocoin itself, with its price and market cap rising.”
“In an uncommon move, developers have opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.
“Instead, a release will circulate to exchanges, after which trading will continue as before.
“’Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,’ they confirmed.
“Zerocoin is a project designed to add increased anonymity to Bitcoin transactions, operating within the Bitcoin network.
“Even the best-fortified realms of crypto can fall victim to smart criminals at a moment’s notice. Hardware wallet KeepKey even had its data records breached on Christmas day and offered a 30 BTC reward for information leading to the hacker’s capture.” –cointelegraph.com
- Most information related to this breach is in Polish. Bitcurex warned users not to use previous deposit addresses, which indicates a breach. No information on a cause is readily available.
- Follow-up investigation of the blockchain is mostly done by the Polish bitcoin press, which estimates a 2300 BTC loss.
“Polish authorities in the town of Lodz have launched an official investigation into the closure of Bitcurex, a Bitcoin trading platform that began in 2012, and closed earlier this year.
“The timeline of events that led to Bitcurex’s closure is complex and spans six months.”
The Hack Happened In October 2016
“First signs of trouble appeared on October 13, 2016, when the platform shut down without any kind of explanation. A few days later, a message appeared on the portal’s homepage, announcing issues with an update, also asking customers to be patient [mirror].”
“A few days after that, that message was replaced by another, which blamed the downtime on “external interference in automated data collection and processing of information.” Full message below, translated from source.”
On 13.10.2016 as a result of third-party systems service www.bitcurex.com / www.bitcurex.com damaged by external interference in automated data collection and processing of information. The consequence of these actions is the loss of part of the assets managed by bitcurex.com / www.dashcurex.com
Owner services entered into appropriate agreements with specialized companies for security audit, implementation of repair procedure and, above all, to monitor the loss of funds.
The Attacker Stole 2,300 Bitcoin
“The message didn’t sit well with Bitcurex users, who started digging around for what happened. An analysis of Bitcurex’s cold wallet quickly revealed that within two seconds on October 13, 2016, someone had transferred 2,300 Bitcoin out of the trading platform’s account. The sum was worth nearly $1.5 million at the time but is worth $2.45 million at today’s price.”
“After news of the theft broke out, the message on the Bitcurex homepage changed once more, and this time provided lengthy instructions on how users could file complaints to recover funds from the service [mirror].
“Bitcurex promised to restore service by November 30, 2016.
“The service eventually came back online sometime in November, resuming trading, only to disappear a few weeks back, this time for good, with no statement on its website.”
Polish Authorities Are Investigating
“Now, the Prosecutor’s Office in Lodz, Poland, the town where Bitcurex’s headquarters are located, have put out a statement, asking Bitcurex customers, mainly Polish users, to submit legal complaints.
“Authorities are looking for written notices and proof to confirm users had suffered losses.
“It is unclear if the legal investigation targets the unidentified hacker, or Bitcurex’s administrators, a Polish company named Digital Future.
“In 2014, an unknown hacker tried to steal 19,000 Bitcoin ($20.2 million today) from Bitcurex, but the transaction was blocked in time.” –bleepingcomputer.com
- This is Bitfinex’s second appearance in the graveyard.
- All below information is inferred or directly from Reddit comments of Bitfinex employees. Employees repeatedly offer insight in comments that an internal breach allowed an attacker to interact with their BitGo implementation, and that BitGo’s security was not compromised.
- Bitfinex suggests in these comments that several withdrawal limits existed per user and system-wide, and employees are unsure how they were bypassed.
- BitGo is a multi-signature solution that heavily protects against loss from a breach of a single piece of key material. This approach dramatically mitigates many of the risks associated with BTC, but the integrator still bears the burden of securely storing API secrets or taking advantage of the mitigations available to them in the API implementation.
- At the end of the day, an application interacts with an API that signs transactions.
- The victims have actively cleared BitGo of fault; it appears Bitfinex may not have taken advantage of (or incorrectly used) the security controls available to them through the BitGo API.
- Employees have also stated that per-user HD wallets backed by the BitGo API were used instead of any genuinely offline cold storage solution. This implementation suggests that authentication to BitGo’s API was “warm” or “hot”, leaving API and signing keys to reside on servers that could be remotely accessed by an attacker. It was also suggested that every Bitfinex BTC holder used this approach, meaning the vulnerability carried 100% risk of bitcoin loss across the board.
- It has not yet been suggested how the servers were accessed for an attacker to position themselves for an attack like this; this entry will be updated if that becomes available.
- We are investigating the breach to determine what happened, but we know that some of our users have had their bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down, and the maintenance page will be left up.
- While technically an application vulnerability, this breach is interesting in that the vulnerability was within an Ethereum Contract. This has made the ability to patch or restore funds a very dramatic and unique situation involving miner consensus and the philosophy of Ethereum’s purpose as a technology. Hard and Soft forks were considered with contention to reverse the attack.
- An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.
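
A minimal Python model of the recursive-call pattern described above, with the vulnerable ordering beside the corrected one. This is an added example, not code from The DAO or from the original page; the class names, balances and re-entry depth are constructed for illustration.

```python
# Toy model of a recursive-call (reentrancy) flaw. Constructed for
# illustration; this is not The DAO's contract code.

class Fund:
    """Holds ether for members; split() pays out a member's balance."""

    def __init__(self, deposits, safe):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())
        self.safe = safe  # True: update state before the external call

    def split(self, member):
        amount = self.balances.get(member.name, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            # Checks-effects-interactions: record the payout first, so a
            # nested call sees a zero balance and returns immediately.
            self.balances[member.name] = 0
        self.pool -= amount
        member.receive(self, amount)  # external call hands over control
        if not self.safe:
            # Vulnerable ordering: the balance is cleared only after the
            # recipient's code has already run (and possibly re-entered).
            self.balances[member.name] = 0


class ReentrantMember:
    """Recipient whose receive hook calls split() again (hypothetical)."""

    def __init__(self, name, max_depth):
        self.name, self.max_depth = name, max_depth
        self.received = 0
        self.depth = 0

    def receive(self, fund, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            fund.split(self)  # re-enter before the outer call finishes


def run(safe, reentries=3):
    """Return (ether received by member, ether left in the pool)."""
    member = ReentrantMember("m", reentries)
    fund = Fund({"m": 10, "a": 45, "b": 45}, safe)  # constructed deposits
    fund.split(member)
    return member.received, fund.pool
```

With the vulnerable ordering a member entitled to 10 collects 10 on every nested call within one transaction; with the balance cleared before the external call, the nested calls find nothing to pay.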