10. The DAO (2016)
The DAO hack is an example of the risk early adopters take when they invest in new concepts before these have proven themselves. The Decentralized Autonomous Organization (The DAO) was intended to work like an investment fund for the crypto space, yet in a fully decentralized manner. It would function without any central authority, relying on a complicated set of smart contracts and stakeholder voting. In May 2016, the platform was launched and investors started sending money to the smart contracts. Eventually the fundraising attracted a whopping 12.7 million ETH, or about $250 million, making it the biggest crowdfunding campaign ever.
But then a catastrophe occurred. On June 17 — merely a month after the campaign’s closing — someone discovered a bug in the smart contract code and managed to drain 3.6 million ETH ($70 million) in just a few hours from the DAO’s smart contract.
As a result, the DAO project failed, although many investors did manage to get their money back. Due to the intricacies of the contract, the hacker had to wait 28 days before he could access the stolen funds. In that time window, the Ethereum community made the controversial decision to hard fork the Ethereum blockchain to a version in which the original investors got their money back. The original chain with the stolen Ether is now called Ethereum Classic (ETC), taking the 21st spot on CoinMarketCap, while Ethereum (ETH) holds position number 2, after Bitcoin.
9. Bitfinex (2016)
In 2016, the then largest Bitcoin exchange operating in USD announced a security breach and the loss of just under 120,000 BTC, worth around $78 million at the time (and over $1 billion at the top of the market in late 2017!). If you had Bitcoin, you most likely had an account at Bitfinex. Following the announcement of the hack, Bitcoin took a direct plunge of 20% in value. Bitfinex’s response to the heist was to spread the damage over all clients and their assets, averaging out each user’s loss to 36%. Moreover, Bitfinex gave each affected user Bitfinex (BFX) tokens that they could redeem through the exchange or trade for shares in the parent company iFinex. Customers were given 1 BFX for every 1 dollar lost. Bitfinex made it an important objective to compensate its customers, and within 8 months following the breach, all BFX tokens were either redeemed or traded for iFinex shares. The ongoing investigation eventually led to the arrest of two Israeli brothers in 2019 by the Israeli Police cyber unit. Apart from the Bitfinex hack, the duo was also charged with a multitude of elaborate phishing attacks, netting them an estimated $100 million in total.
8. Zhou (2018)
In 2018, police in the city of Xi’an in northern China began investigating a complaint alleging hackers had compromised a victim’s computer to steal 100 million yuan (approximately $15 million) in cryptocurrencies. A task force was set up and months later identified a suspect named Zhou. The authorities started tracking Zhou’s movements and were able to pinpoint two accomplices, Cui and Zhang. Each of them had worked for high-profile internet companies. The group was charged with stealing an estimated total of 600 million yuan or $87 million, but the actual amounts could be even higher. Their victims were mostly corporate and personal network systems.
7. CoinBene (2019)
In 2019, it was discovered that CoinBene’s hot wallet had been drained of all its ERC20 tokens except Maximine (MXM). Another $200 million remained safe in the exchange’s cold wallet. It then came to light that the exchange never actually possessed a cumulative ETH balance exceeding $10 million in both its hot and cold wallets. The majority of CoinBene’s funds in fact came from a recent transaction from Maximine worth $200 million. From there on, the story only became more confusing as the number of MXM tokens seemed to be contradicted by different sources. One thing that could add to a possible explanation is a 2019 Bitwise report — published by the SEC — on fake exchange volumes. The report ranks CoinBene number 1 when it comes to exchanges reporting fake volumes (have a look at slide 55). The report also revealed that only 10 out of 81 analyzed exchanges were truthful about their volume.
6. QuadrigaCX (2019)
A mysterious event took place in 2019, when Gerald Cotten, owner of the largest Canadian crypto exchange QuadrigaCX, reportedly died in India from a fatal disease. The news hit many users of the exchange hard, as the sudden death revealed that all assets were kept in cold storage, and only Cotten knew the key. The result was a liquidity crisis as the platform only had $286,000 in available assets, and it owed its user base a whopping $190 million. Later in June that year, Ernst & Young released a report in which it revealed that Cotten had transferred users’ funds to serve as his personal collateral for margin trading on other platforms. The report also showed he created fake accounts to simulate artificial income on QuadrigaCX, and that there was no segregation of duties in many different layers of its internal governance. In a concluding article, Cointelegraph wrote the biggest takeaway was that “users must first of all protect themselves, and check as much and as deep as they can before giving their money to someone else”. Do read that phrase again. Your funds in the crypto space are only yours when you are the only one who knows the private key(s) to the associated account(s). The fact that that incredible amount of $190 million is still stuck on the exchange’s cold wallet illustrates the practical impossibility of brute forcing the private key.
5. Bitgrail (2018)
The Italian exchange Bitgrail fell victim to a high-profile hack in February 2018, with the total impact further aggravated as crypto winter had just kicked in, and customers were unable to cash in their profits to cover their losses. A long back and forth of finger pointing ensued between the owner, Francesco Firano, and the developer community of NANO. Firano was ultimately deemed responsible by a court ruling highlighting that it was the exchange’s software that was not able to properly manage withdrawal requests from users, who were redirected to the Nano node, resulting in multiplied identical requests draining funds from the wallet. Firano was also criticized for keeping the exchange’s investment funds in a hot wallet. On top of that, previous hacks also came to light of which Firano was aware, including other hacks in 2017, totaling an additional $10 million. Only at the end of 2017 did Firano actively start using a cold wallet. And during the time of the big heist in February 2018, he couldn’t help but deposit over 200 bitcoin (then worth $2 million) into one of his personal accounts.
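The "multiplied identical requests" failure mode, as an added example that is not Bitgrail's or Nano's code and not part of the original article: a constructed model in which one withdrawal request is delivered several times, first to a handler that treats every copy as new, then to one that debits at most once per request id under a lock. All names (`naive_payouts`, `WithdrawalLedger`, `replay`) and amounts are hypothetical.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


def naive_payouts(balance, amount, copies):
    """Weak form: every arriving copy of a request is paid as a new one."""
    paid = 0
    for _ in range(copies):
        if amount <= balance:
            balance -= amount
            paid += amount
    return paid


class WithdrawalLedger:
    """Hardened form: one debit per request id, checked and applied atomically."""

    def __init__(self, balances):
        self._balances = dict(balances)   # account -> integer units
        self._outcomes = {}               # request id -> recorded outcome
        self._lock = threading.Lock()

    def withdraw(self, request_id, account, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._lock:
            if request_id in self._outcomes:
                # Replay or retry: return the first outcome, no second debit.
                return self._outcomes[request_id]
            balance = self._balances.get(account, 0)
            if amount > balance:
                outcome = ("rejected", balance)
            else:
                self._balances[account] = balance - amount
                outcome = ("paid", balance - amount)
            self._outcomes[request_id] = outcome
            return outcome

    def balance(self, account):
        with self._lock:
            return self._balances.get(account, 0)


def replay(ledger, request_id, account, amount, copies):
    """Deliver one request `copies` times in parallel; return (total paid, outcomes)."""
    before = ledger.balance(account)
    with ThreadPoolExecutor(max_workers=copies) as pool:
        outcomes = list(pool.map(
            lambda _: ledger.withdraw(request_id, account, amount), range(copies)))
    return before - ledger.balance(account), outcomes
```

In a real exchange the request id would be issued before the payout is forwarded to the node and stored durably, so a retry after a timeout maps to the same record.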
4. Parity (twice in 2017)
The actual amount: 150,000 Ether (black hat hack) + 377,105 ETH (white hat hack) + 513,774.16 Ether (frozen funds)
Approximate value: $34 million (black hat) + $85 million (white hat) + $280 million (frozen funds)
Today’s value equivalent: $90 million (black hat + frozen funds)
As if the Ethereum ecosystem hadn’t suffered enough in 2016 with the DAO hack, the Parity hack in 2017 would add to its losses, and also happens to be an important part of NGRAVE’s genesis story. NGRAVE’s CTO Xavier Hendrickx was a developer at Swarm City at the time, a project that raised 76,000 Ether in 2016 in an ICO. One day, Xavier took a look at the smart contract balance holding the funds, and 44,000 ETH were missing. Swarm City was one of the projects most impacted by the Parity hack, which totaled 150,000 ETH. The attackers had been able to exploit a vulnerability in the coding of the multi-sig smart contract, developed by none other than Gavin Wood, one of the co-founders of Ethereum. In a race against time, a white hat hacker group with which Xavier was acquainted drained 377,105 ETH from other Parity wallets, successfully protecting a multitude of projects from losing all their funds. Following the events, Xavier became CTO of Swarm City in late 2017.
But the unfortunate story wasn’t over yet: within the same year, a Parity user under the pseudonym devops199 accidentally “killed” the entire Parity multi-sig library, freezing another monstrous 513,774.16 ETH or $280 million in the act. Xavier happened to be in the Gitter chat (under his pseudonym n3xco) and witnessed first-hand devops199’s confirmation of the accidental freeze.
3. Mt. Gox (2014)
Mt. Gox — peculiarly short for “Magic The Gathering Online eXchange” (what’s in a name) — is one of those heists that is so mind blowing that it could easily make it to a box office movie. The platform was founded in Japan in 2010 and by January 2014, it was handling over 70% of all worldwide bitcoin transactions. Just a month later, in February, the exchange suspended trading, and by April it filed for bankruptcy. With the crypto space still in a nascent stage and practically no other existing tokens aside from bitcoin, this enormous blow of 850,000 BTC or $450 million at the time put a huge dent in this upcoming market.
Today, it is clear that the exchange was already subject to ongoing hacks as of September 2011, and that it had lost about half of its bitcoins by mid-2013. For the majority of its existence, the exchange had actually been insolvent. Later on, Bitfinex replaced Mt. Gox as the world’s largest bitcoin exchange, and in turn, it lost $78 million worth of bitcoin in 2016. Part of the NGRAVE team also lost a relatively modest amount in the Mt. Gox heist, and still gets letters from Japan from time to time.
2. Coincheck (2018)
Whereas Mt. Gox filed for bankruptcy, Japan-rooted Coincheck was able to withstand an attack of similar magnitude and is still up and running. At the time and in the aftermath of Mt. Gox, Japan’s FSA rolled out a security framework. However, Coincheck was incidentally not subject to new exchange requirements as it was launched before these came into effect. The hack really reveals some of the most embarrassing ways of managing an entire exchange platform’s positions, as Coincheck allegedly had all NEM tokens stored in a single hot wallet and did not even use the NEM multi-sig contract as was recommended by NEM developers. Aside from the big blow to the exchange itself, NEM’s token value also rapidly plummeted from around $1.60 (ATH was at $2.09) to a mere 3–4 cents to the dollar today. If you are interested in how this story further unfolds, Cryptonews wrote in early April 2020 about two men being charged over the Coincheck raid.
1. PlusToken (2019)
PlusToken was a platform that allowed users to open accounts and invest in cryptocurrencies like Bitcoin and Ether. The company told its customers that it traded on their behalf. Lured by the promise of dazzling returns, thousands of people deposited over $2 billion into the platform, which also served the purpose of an online wallet. The criminals — having the actual private keys of users’ wallets — used the deposited funds to buy huge amounts of cryptocurrencies and transfer them to their very own wallets. To cover their tracks, some payouts were made to early investors. Alarmed by what they concluded was an elaborate scam, Chinese authorities eventually arrested a number of perpetrators in 2019 and the platform was shut down. Thousands of investors never got their money back in this beyond-surreal swindle.
Security breaches and frauds have been troubling the crypto sector since the very beginning. The more money flows into the market, the more attractive it becomes for malicious actors to improve their skill set and try yet another attack on user portfolios. Exchanges, browser- and other hot wallets have consistently been amongst the favorite targets for cyber criminals. This article illustrates the severity and mind-blowing magnitude of some successful attempts. But it merely touches the tip of the iceberg. For every top 10 hack in this list, another thousand smaller ones stay under the radar. If you own cryptocurrencies, wherever you look, risk looks back.
Customers are increasingly aware that the only way to secure their coins is by keeping them offline. Storing assets on exchange platforms, which generate and manage private keys of their users, means that people don’t have full control over their keys and funds. Hot wallets are constantly online and can thus be targeted by hackers. Outsourcing the creation and safeguarding of private keys to third-party, online systems is clearly not the best move from the security point of view. That’s why NGRAVE has come up with a comprehensive solution. The company has developed a hardware wallet that generates and keeps keys forever offline and communicates with the LIQUID, NGRAVE’s mobile app, through QR codes. Also, NGRAVE offers the GRAPHENE, an encrypted and everlasting metal backup solution that enables you to protect and recover private keys. By developing these products, the firm has placed itself at the forefront of efforts to make sending and receiving virtual coins an effortless and highly secure process.
Hacks and scams are a major threat to the survival of the crypto industry. That’s why it’s important that companies and individuals better protect their wallets, accounts, and exchange platforms. Otherwise, they’ll be easy prey for criminals who never stop perfecting their attack techniques.
Ruben (CEO of NGRAVE)