The 2003 Antwerp diamond heist was the biggest of its kind. It is the subject of many books and documentaries, so you’ve probably heard of it. But crypto hacks make the Antwerp heist look like shoplifting from the corner store.
CryptoSec is an online watchdog. It states that the industry has suffered “a total of 51 hacking events” since Bitcoin launched back in 2009. That’s just over four per year. As a result, users lost “approximately USD 2.1 bln” in only 12 years.
With so much money involved, hackers will continue their assault on the industry. But how and why does it happen? And, more importantly, how can you avoid being a victim?
The root of all evil
The theft of cryptocurrency is the theft of keys. Every holder of crypto funds has two keys: one public and one private. Public key cryptography secures cryptocurrencies and enables safe transactions. The public key gets transformed into a public address, something like an account number. This acts as the user’s identity when sending and receiving funds. The public key is mathematically derived from the private key. The latter acts as a passcode for accessing crypto assets stored at the corresponding public address.
Unlike traditional banking, the dual-key system lets users become the custodians of their funds. But with freedom comes responsibility. Users must carefully manage their keys. Every crypto asset sits at a public address, and all of these addresses are visible on the blockchain. Private keys, however, must remain guarded secrets. The reason is simple: if you find the key, you find the funds.
A chunk of (ex)change
Crypto exchanges are a hacker’s paradise. These digital platforms connect buyers and sellers. They make it possible to trade and exchange different cryptocurrencies. They host the majority of all crypto transactions. Currently, many exchanges remain centralized. They are the custodians of a wide variety of cryptocurrencies.
Exchanges move funds from one address to another with software that uses private keys automatically. This means the keys controlling the funds get stored on one server, where automated software accesses them regularly. The funds themselves are always present on the blockchain, and only the private keys can unlock them, which makes those keys the target of cybersecurity attacks and hacks. The best advice any beginner could ever receive would be to store funds in a cold wallet (offline). Naturally, hot wallets (online) make exchanges the perfect target for hackers. The hacker only needs to access the exchange database, an auditor’s account, or the users’ data.
In 2014, Japan was the site of an incredible heist. Let’s compare it to the Antwerp diamond heist. In 2003, the jewel thieves stole nearly USD 100 mln worth of precious gems. This is pocket change for the Mt. Gox hackers, who reportedly stole USD 480 mln. But how did they do it?
They changed the price of Bitcoin to 1 cent after accessing an auditor’s account. Next, they bought as much Bitcoin as they could. And they were not alone. Seeing this new bargain price, customers also started buying coins. The exchange lost BTC 2,000 in this part of the attack.
But most of the coins were lost as a result of direct theft. Hackers gained access to the private keys stored by the exchange. The keys were unencrypted, leaving them extremely vulnerable to attacks. This kind of hot wallet attack is a hacker’s bread and butter.
Four years after the Mt. Gox heist, Japan again made hacking history. In 2018, Coincheck reported an estimated loss of USD 500 mln. This attack is more of a mystery. But a couple of things are clear. First, the exchange kept some of its customers’ funds in a hot wallet. Internet-facing wallets can be a security risk. Second, the exchange lacked multi-signature security (multisig) – more on this later.
Absolutely not. Not one coin has ever been recovered from these two heists. There is a very simple reason for this: immutability. This is a fancy way of saying unchangeable. It is the genetic code of all blockchains. Once confirmed, all transactions are final.
There is no way to eradicate hacking completely. Network security is continually compromised as hackers invent new ways to breach security. But you should never make it easy for them.
Surprisingly enough, multisig wallets are secured by dispersing access to the funds. They link a public address to many private keys. Every multisig transaction requires all the private keys. The same is true for hackers. To get the funds, they need all the keys.
If you are going to use an exchange, make sure they use multisig wallets.
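The two ideas above, a private key as the only thing that can authorise a spend (the "root of all evil" section) and a multisig wallet that needs several keys before funds move, can be seen in working code. The block below is an added example written for this article, not code from the article, from any exchange, or from Bitcoin Vault. It implements secp256k1 ECDSA in pure Python (the curve Bitcoin uses) and an M-of-N multisig check; the article describes the case where every key is required, which is the threshold == number of keys case here, and the example generalises it to any threshold. The random nonce, the lack of constant-time arithmetic and the constructed transaction text are simplifications for illustration; nothing here is meant to hold real funds.

```python
# Added example (not from the article or Bitcoin Vault): a pure-Python
# secp256k1 ECDSA key pair, signing and verification, plus an M-of-N
# "multisig" policy check. Toy code for illustration only: no constant-time
# arithmetic, no RFC 6979 deterministic nonces, never use for real funds.
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Add two affine points on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def generate_keypair():
    """Private key: random scalar in [1, N-1]. Public key: priv*G.
    Going from the public key back to the private key is the discrete
    log problem, which is why the public key can be published."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv)


def msg_hash(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(priv, message: bytes):
    """ECDSA signature (r, s); only the private-key holder can produce one."""
    z = msg_hash(message)
    while True:
        k = secrets.randbelow(N - 1) + 1   # random nonce (use RFC 6979 in real code)
        r = scalar_mult(k)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s != 0:
            return r, s


def verify(pub, message: bytes, sig) -> bool:
    """Anyone holding the public key can check a signature."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = msg_hash(message)
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def multisig_ok(pubkeys, threshold, message: bytes, sigs) -> bool:
    """M-of-N multisig policy: at least `threshold` distinct keys must have
    signed `message`. A thief who stole one key cannot meet the threshold,
    and a single key signing twice is counted once."""
    signed = set()
    for sig in sigs:
        for i, pub in enumerate(pubkeys):
            if i not in signed and verify(pub, message, sig):
                signed.add(i)
                break
    return len(signed) >= threshold


if __name__ == "__main__":
    tx = b"send 1.0 BTC to <constructed destination address>"   # constructed
    keys = [generate_keypair() for _ in range(3)]
    pubs = [pub for _, pub in keys]
    two_sigs = [sign(keys[0][0], tx), sign(keys[1][0], tx)]
    print("2-of-3 with two signers:", multisig_ok(pubs, 2, tx, two_sigs))
    print("3-of-3 with two signers:", multisig_ok(pubs, 3, tx, two_sigs))
```

With the three keys held on three separate devices (one of them a cold wallet), an attacker who compromises the exchange server gets at most one of them, and `multisig_ok` rejects the spend until the threshold is reached.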
The most common reason for the loss of funds is the improper management of keys. Never share your private keys with anyone. And choose a safe place to store them. Cold wallets like Trezor are a great way to protect your most valuable assets.
Bitcoin Vault: 3-Key Security Solution
Bitcoin Vault (BTCV) is a project dedicated to delivering next-level security solutions for its users. Its founder, Eyal Avramovich, is committed to improving upon Satoshi Nakamoto’s genesis cryptocurrency, Bitcoin. In 2019, he created the innovative solution the industry has been waiting for.
The 3-Key Security Solution includes three private keys: the Standard Transaction Key, a new Cancel Transaction Key and a Fast Transaction Key. As the names suggest, the new Cancel Key lets users reverse most transactions within ca. 24 hours (144 block confirmations). The only exception is the Fast transaction. The Fast Key enables transfers that take only a few minutes. So, great speed requires great care.
Fast and Cancel Keys can only be stored offline. BTCV advises users to write them on a piece of paper or download them as a PDF and store them in a safe place. Since every transaction requires some combination of the keys, it is extremely difficult for hackers to access a user’s crypto funds. But we all make mistakes. The good news is that BTCV’s Cancel Key makes it possible to undo a lot of damage. The reversible transactions functionality can protect users from themselves. But it also protects them from hackers. If a hacker manages to transfer crypto from your wallet to one the hacker owns, you get 24 hours to take back your funds.
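To make the reversible-transaction idea concrete, here is an added example modelling a wallet with Standard, Cancel and Fast keys. It is not Bitcoin Vault's code and the article does not specify which keys each transaction type needs, so the combinations used (Standard key alone for a reversible transfer, Standard plus Fast key for an immediate one, Cancel key alone to reverse) are assumptions of this model, as is the constructed scenario in `demo`. The 144-block window is the figure the article gives.

```python
# Added example (not Bitcoin Vault's code): a simplified model of a wallet
# with a Standard, a Cancel and a Fast key. Ordinary transfers stay pending
# and reversible for a 144-block window (ca. 24 hours); fast transfers settle
# at once and cannot be cancelled. The key combinations below are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field

CANCEL_WINDOW_BLOCKS = 144   # figure from the article: ca. 24 hours


@dataclass
class Transfer:
    txid: int
    amount: int
    destination: str
    submitted_at: int          # block height when it was submitted
    status: str = "pending"    # pending -> final | cancelled


@dataclass
class ThreeKeyWallet:
    standard_key: bytes
    cancel_key: bytes
    fast_key: bytes
    balance: int
    height: int = 0
    transfers: dict = field(default_factory=dict)
    next_id: int = 1

    @staticmethod
    def _key_ok(presented: bytes, expected: bytes) -> bool:
        # constant-time comparison so timing does not reveal which key was wrong
        return hmac.compare_digest(presented, expected)

    def _new_transfer(self, amount, destination, status):
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient funds")
        tx = Transfer(self.next_id, amount, destination, self.height, status)
        self.transfers[tx.txid] = tx
        self.next_id += 1
        self.balance -= amount            # funds leave the spendable balance
        return tx.txid

    def standard_transfer(self, amount, destination, key):
        """Assumed: the Standard key alone authorises a reversible transfer."""
        if not self._key_ok(key, self.standard_key):
            raise PermissionError("standard key required")
        return self._new_transfer(amount, destination, "pending")

    def fast_transfer(self, amount, destination, standard_key, fast_key):
        """Assumed: Standard + Fast key settle immediately; no cancel window."""
        if not (self._key_ok(standard_key, self.standard_key)
                and self._key_ok(fast_key, self.fast_key)):
            raise PermissionError("standard and fast keys required")
        return self._new_transfer(amount, destination, "final")

    def cancel(self, txid, key):
        """The Cancel key reverses a transfer that is still pending."""
        if not self._key_ok(key, self.cancel_key):
            raise PermissionError("cancel key required")
        tx = self.transfers[txid]
        if tx.status != "pending":
            return False                  # already final (or cancelled)
        tx.status = "cancelled"
        self.balance += tx.amount         # funds return to the wallet
        return True

    def advance_blocks(self, n):
        """Mine n blocks; pending transfers with 144 confirmations become final."""
        self.height += n
        for tx in self.transfers.values():
            if (tx.status == "pending"
                    and self.height - tx.submitted_at >= CANCEL_WINDOW_BLOCKS):
                tx.status = "final"

    def status(self, txid):
        return self.transfers[txid].status


def demo():
    """Constructed scenario: a thief who obtained only the Standard key moves
    60 of 100 coins; the owner uses the offline Cancel key at block 143."""
    std, can, fast = (secrets.token_bytes(32) for _ in range(3))
    w = ThreeKeyWallet(std, can, fast, balance=100)
    txid = w.standard_transfer(60, "ATTACKER_ADDR (constructed)", std)
    w.advance_blocks(143)                 # still inside the window
    reverted = w.cancel(txid, can)        # True: the 60 coins come back
    return reverted, w.balance, w.status(txid)


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off in the text explicit: the Cancel key only helps if it stays offline where the thief cannot reach it, and a transfer made with the Fast key gives up the window entirely.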
As the Mt. Gox and Coincheck cases make plain, most people never get the chance to reclaim their funds. BTCV corrects this injustice for its users worldwide.
What a difference a day makes.