Blockchain security

Security vulnerabilities of cryptocurrency exchanges

Daniel Dimov
June 26, 2018 by
Daniel Dimov

 

1. Introduction

Many experts argue that cryptocurrencies may radically change not only the financial sector but also the way society operates. The reasons provided to support this argument include the convenience to generate, manage, store, handle, transact, and account cryptocurrencies. While the success of Bitcoin and other major cryptocurrencies indicate that the new digital gold certainly has its own place in the digital economy, the frequent cyber-attacks on cryptocurrency exchanges continuously undermine the trust in cryptocurrencies, thus slowing down their development and acceptance.

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.

In the recent months, we have witnessed several attacks on cryptocurrencies. For instance, the South Korean cryptocurrency exchange Coinrail confirmed that it was hacked in June 2018. According to the local news agency Yonhap, the hack resulted in losses amounting to 40 billion won (36,9 million U.S. dollars). Japan's cryptocurrency exchange Coincheck was hacked in January 2018 which resulted in losses exceeding 500 million U.S. dollars. After being hacked twice, the South Korean exchange Youbit stopped operating and declared bankruptcy in December 2017.

To avoid hacks leading to significant losses, cryptocurrency exchanges need to have comprehensive procedures for identifying and eliminating information security vulnerabilities. Although post-incident measures can be effective, it is unlikely that they will reduce the negative consequences to zero. For example, Coinrail stated in relation to the attack mentioned above that: "Seventy percent of total coin and token reserves have been confirmed to be safely stored and moved to a cold wallet [not connected to the internet]. Two-thirds of stolen cryptocurrencies were withdrawn or frozen in partnership with related exchanges and coin companies. For the rest, we are looking into it with an investigative agency, related exchanges, and coin developers."

The purpose of this article is to examine the common vulnerabilities of cryptocurrency exchanges (Section 2). Afterward, we provide concluding remarks (Section 3).

2. Common vulnerabilities of cryptocurrency exchanges

We can distinguish at least five common vulnerabilities of cryptocurrency exchanges, namely, the susceptibility of cryptocurrency exchanges to phishing (Section 2.1), missing hot wallet protections (Section 2.2), weak protection of employee login credentials (Section 2.3), software vulnerabilities (Section 2.4), and transaction malleability (Section 2.5).

2.1 Susceptibility of cryptocurrency exchanges to phishing

Even the best technological measures cannot protect a cryptocurrency exchange against phishing attacks. To illustrate, in 2015, as a result of a weeks-long phishing attack against the bitcoin exchange Bitstamp, criminals stole about 5 million U.S. dollars. A legitimate organization sent the fraudsters communicated with employees of Bitstamp by email and in Skype and succeeded to persuade one of them to download a file that he believed. The attachment contained a malicious VBA script and, when opened, installed a malicious file on the compromised machine.

2.2 Missing hot wallet protections

The term "hot wallet" refers to an online cryptocurrency wallet that is connected to the Internet. Many cryptocurrency exchanges use single private keys to secure hot wallets. If criminals get access to a single private key, they will be able to hack the hot wallet to which the private key relates. Typical examples of private key attacks are the attacks on Bitfinex (2016) and Parity (2017). The attacks resulted in losses of 65 million U.S. dollars (Bitfinex) and 30 million U.S. dollars (Parity). Cryptocurrency exchanges can easily avoid similar attacks by using multisignature private keys.

2.3 Weak protection of employee login credentials

Employees working at cryptocurrency exchanges often use weak passwords or store their login credentials in an unsafe way. This makes the login credentials an easy prey for criminals. At least the following three attacks were conducted by compromising employee login details: BitThumb hack (2017), NiceHash hack (2017), and YouBit hack (2017). It is worth mentioning that sometimes hackers attack private computers of employees. For instance, Berg Herzberg, a security researcher, noted in relation to the BitThumb hack: "In this case, according to Bithumb, the breach itself was on data stored outside of the company's assets on a personal computer. This also brings the question of data security in companies and the ability of employees to take sensitive information with them when they're at home." Therefore, organizations need to ensure that employees protect the login credentials related to software applications installed not only on professional work computers but also on personal computers.

2.4 Software vulnerabilities

Various laws oblige banks and other financial institutions to implement information security measures to protect the deposits of their clients and avoid unauthorized transactions. However, since the blockchain field is in its infancy, a few such laws apply to cryptocurrency exchanges. Therefore, it is not a coincidence that many cryptocurrency exchanges have vulnerabilities allowing hackers to steal substantial amounts of money.

On 27th of March 2018, Oleksii Mattiasevych (a security expert) found software vulnerabilities in eight major centralized exchanges. He informed the exchanges about the vulnerabilities and sent warning letters to over 200 other exchanges. The software vulnerability identified by Mr. Mattiasevych allows hackers to manipulate Ethereum account balance. More specifically, fraudsters can use the vulnerability to register a new account, unlawfully increase their balance, and withdraw the increased balance from the hacked exchange.

2.5 Transaction malleability

Proponents of blockchain technologies often argue that blockchain transactions are highly secure because they are recorded on an allegedly immutable record. However, they often forget to mention that each transaction has a signature and the signature may be manipulated before the closure of the transaction. The "Mt. Gox" hack, one of the largest attacks in the history of cryptocurrencies, was conducted by hackers who submitted code changes to a public ledger before the posting of the initial transactions. The attack resulted in a loss amounting to 473 million U.S. dollars and bankrupted the hacked exchange.

3. Concluding remarks

The large number of cyber-attacks discussed in this article, as well as the numerous reports regarding security vulnerabilities of cryptocurrency exchanges, show a pressing social need for regulation of the blockchain field. More particularly, governments should require cryptocurrency exchanges to adopt strict information security measures which will avoid the theft of billions of U.S. dollars.

References

1. Chuen, D., 'Handbook of Digital Currency: Bitcoin, Innovation, Financial Instruments, and Big Data', Academic Press, 5th of May 2015.

2. Higgins, S., 'Details of $5 Million Bitstamp Hack Revealed', Coindesk, 3rd of July 2015.

3. Kollewe, J., 'Bitcoin price plunges after cryptocurrency exchange is hacked', The Guardian, 11st of June 2018. Available at https://www.theguardian.com/technology/2018/jun/11/bitcoin-price-cryptocurrency-hacked-south-korea-coincheck .

4. Norton, A., 'South Korean Cryptocurrency Exchange Hacked', ISBuzz News, 11th of June 2018. Available at https://www.informationsecuritybuzz.com/expert-comments/south-korean-cryptocurrency-exchange-hacked/ .

5. Robinson, T., 'Bitthumb breach yields personal data on 30K, leads to funds scams', SC Media US, 5th of July 2017. Available at https://www.scmagazine.com/bitthumb-breach-yields-personal-data-on-30k-leads-to-funds-scams/article/673051/ .

6. Sigel, J., 'Bitcoin! Ethereum! Ripple! Do we have your attention yet?', Crossmatch. Available at https://blog.crossmatch.com/authentication/5-reasons-cryptocurrency-exchanges-hacked-how-to-prevent/ .

7. Varshney, N., 'South Korean cryptocurrency exchange hacked for nearly $40M', TNW, 14th of June 2018. Available at https://thenextweb.com/hardfork/2018/06/14/coinmarketcap-announces-night-mode-and-more-for-its-platform/ .

8. 'White hat hacker traces vulnerabilities in 8 top-rated cryptocurrency exchanges', CryptoNinjas, 2018. Available at https://www.cryptoninjas.net/2018/03/27/white-hat-hacker-traces-vulnerabilities-in-8-top-rated-cryptocurrency-exchanges/ .

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.

Co-Author

Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.