According to a survey by Carbon Black, a company that develops tools for protection against spam, viruses, DDoS, hacker attacks and other cyber threats, cryptocurrency exchanges account for 27% of all cryptocurrency-related attacks. In the first half of 2018 alone, attackers managed to steal more than 1 billion dollars. Below we look at how they succeeded.
The easiest way to steal money from cryptocurrency exchange deposits is to attack their mobile applications, for example those of Bitfinex, EXMO, Cex.io and Bitstamp. This is the conclusion reached by Positive Technologies analysts, who tested five popular applications for iOS devices and six for Android.
It turned out that all the applications in the study have security problems, and 70% of them contain at least one critical flaw that can be used to steal money or personal data. Most of the problems are related to the storage and protection of keys.
Ways of attacking mobile applications of cryptocurrency exchanges:
- Actions on behalf of the trader. In a third of cases, vulnerabilities allow attackers to carry out financial transactions or manipulate the information displayed on the user's device. In the first case money can simply be stolen; in the second, a large number of people can be pushed to buy or sell assets at a chosen moment, thereby raising or lowering demand for them.
- Data theft. Two-thirds of the applications contain vulnerabilities that give access to credentials stored on the device or in the exchange's centralized database.
- PIN code guessing. A fifth of the applications allow simple passwords of up to 8 characters without Latin letters. By simply enumerating PIN codes, an attacker can find the right combination and transfer the victim's money to their own account or carry out a phishing attack.
- Unprotected HTTP. A fifth of the applications for Apple devices and half of those for Android do not encrypt the HTTP connection when opening internal web resources. Having intercepted this traffic, attackers can redirect traders to phishing resources or infect the device with malware.
Such attacks rarely have a significant impact on the exchanges themselves, since they target users rather than the platform. They are, however, a big problem for ordinary traders, because nobody compensates their losses.
Programs installed on computers, laptops and tablets are also vulnerable. In 2017, the ethical hackers of Positive Technologies breached the external security perimeter of 70% of the companies they tested. And although financial institutions invest significantly more in cyber defense than ordinary companies, their efforts proved ineffective in 22% of cases.
The likelihood of successfully attacking desktop cryptocurrency exchange software rises from 22% to 75% when the attack is built on social engineering, that is, phishing, which is discussed below. Ways to attack desktop applications:
- Control over the trader's device. When an application connects to the trading platform to check for updates, the connection is often unencrypted. If an attacker substitutes the server during such a request, malware can be installed instead of the update.
- Forged operations. If data is transferred in the clear by default, an attacker who connects to the victim's network can intercept traffic and perform a financial transaction on the victim's behalf.
- Data theft. Some applications also do not encrypt the connections that carry user logins and passwords. Having connected to the trader's network, an attacker can intercept them and log in to the account.
- Data manipulation. In some cases, vulnerabilities make it possible to alter the information the trader sees on screen, which can push people to buy or sell assets at a chosen moment.
Such attacks can target both the official software of cryptocurrency exchanges and third-party programs that automate trading, for example MetaTrader 4, Qt Bitcoin Trader or TerminalCoin. These can be connected to exchanges such as Poloniex, Bithumb, YoBit and Bittrex.
Cryptocurrency exchanges can also be attacked directly through the web terminal (the web version of the trading platform): having compromised it, attackers steal money from hot wallets. Platform traffic can also be intercepted and a transaction request sent to users' devices to steal money from the wallets of over-the-counter traders.
Ways to attack web terminals of cryptocurrency exchanges:
- XSS. Almost all trading terminals are vulnerable to cross-site scripting. Using such vulnerabilities, attackers inject malicious code into a page of the web resource that redirects traders to third-party sites and/or infects their devices with malware.
- Configuration weaknesses. Web terminals may lack HTTP headers that raise protection against some types of attack. The Content-Security-Policy header protects against attacks based on injecting malicious content, including XSS; X-Frame-Options protects against clickjacking; Strict-Transport-Security enforces a secure connection over HTTPS.
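A check for the three headers named above, added here as an example (not code from the article or from any exchange). The two header sets at the bottom are constructed samples, and the one-year floor for the HSTS max-age is an assumption of this check.

```python
# Added example: audit a web terminal's response headers for CSP, X-Frame-Options
# and Strict-Transport-Security. Sample header sets are constructed, not captured.

def _parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_security_headers(headers):
    """Return findings for the three headers; an empty list means all look sound."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    csp = _parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("Content-Security-Policy missing: injected scripts (XSS) run unrestricted")
    elif "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("Content-Security-Policy permits inline or wildcard script sources")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing or weak: page can be framed (clickjacking)")
    max_age = 0
    for token in h.get("strict-transport-security", "").lower().split(";"):
        token = token.strip()
        if token.startswith("max-age="):
            max_age = int(token[len("max-age="):] or 0)
    if max_age < 365 * 24 * 3600:  # one-year floor assumed for this check
        findings.append("Strict-Transport-Security missing or max-age under one year")
    return findings

WEAK_TERMINAL = {  # constructed sample: unhardened terminal response
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=placeholder; Path=/",
}
HARDENED_TERMINAL = {  # constructed sample: same response with the headers set
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

Run it against the headers of a real terminal (for example, the dict returned by an HTTP client) to see which of the three protections are missing.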
Research by Coverity, a company specializing in software quality and security testing solutions, showed that for every 1000 lines of code there are 0.52 defects in open source products and 0.72 in proprietary ones (the quality standard is less than 1 defect per 1000 lines of code). And there is no guarantee that these defects will not affect the security of the platform.
Moreover, even if the exchange's programmers write perfect code without a single error, there is always the risk of vulnerabilities in the third-party software they use: an operating system (Windows, Linux, macOS), a payment gateway (Internet banking, PayPal), a messenger (WhatsApp, Facebook Messenger, Viber) or a game launched during the lunch break. Holes in these programs can be used for phishing or for installing malware on the devices of exchange employees.
Example 1: Mt Gox ($473 million)
This is one of the most illustrative examples of a cryptocurrency exchange hack, since the platform practically invited trouble by ignoring almost all the security rules. Specifically:
- No version control system (VCS). The platform did not track changes in its code.
- No code testing policy. Developers literally shipped untested code to users.
- All code changes had to be approved by the CEO. This is an extremely inefficient way to manage, as one person cannot keep track of everything.
- Mt Gox was run by a talented developer who was a mediocre manager.
The result of these problems was that the platform was hacked. First, in 2011, when hackers compromised a Mt Gox computer and used it to transfer traders' bitcoin to their own wallets ($8.75 million at the exchange rate at the time). The consequences of the attack were smoothed over by paying compensation.
The second Mt Gox hack occurred in 2014. Hackers managed to steal $470 million (in bitcoin) using a vulnerability that allowed transaction data to be altered before it was recorded on the blockchain. The exchange did not survive it.
Example 2: BitGrail ($170 million)
In 2018, BitGrail announced that it had lost 17 million Nano coins, equivalent to $170 million at the exchange rate at the time. Hackers exploited a withdrawal bug that paid out double the requested amount: a withdrawal request for, say, 100 Nano coins returned 200 coins.
Representatives of the platform said this was possible because of an error in the cryptocurrency's code, not in the platform itself. Nano's developers denied the accusation, pointing out that no such problems occur on other cryptocurrency exchanges.
Example 3: Poloniex (12.3% of exchange assets)
In 2014, Poloniex representatives announced that the platform had lost 12.3% of its assets due to a bug in its code. The problem was allegedly exploited by hackers who noticed that if they submitted several withdrawal requests at the same time, the system would fail and execute all of them, even though together they could exceed the current balance.
Notably, judging by forum posts, the bug was discovered and used not by malicious hackers but by ordinary users (hackers joined in some time later). Not everyone managed to profit, though: on learning of the problem, Poloniex tracked down some of the "lucky ones" and made them return the excess.
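The concurrent-withdrawal bug described above is a check-then-debit race. The following is an added example (not Poloniex's code) that reproduces it with threads against an in-memory wallet and shows the atomic version that closes it; the wallet classes, amounts and the 50 ms delay are constructed.

```python
# Added example: the withdrawal race behind the Poloniex bug, and its fix.
import threading
import time

class RacyWallet:
    """Balance check and debit are separate steps with no lock between them."""
    def __init__(self, balance):
        self.balance = balance
        self.paid_out = 0

    def withdraw(self, amount):
        if self.balance >= amount:     # check
            time.sleep(0.05)           # slow step (e.g. DB round-trip); other requests pass the check meanwhile
            self.balance -= amount     # debit: every request that passed the check is paid
            self.paid_out += amount
            return True
        return False

class SafeWallet(RacyWallet):
    """Same interface, but check and debit happen under one lock.

    In a real system this is a DB transaction with a row lock, or one conditional
    update such as: UPDATE balances SET balance = balance - x WHERE balance >= x.
    """
    def __init__(self, balance):
        super().__init__(balance)
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(0.05)
            self.balance -= amount
            self.paid_out += amount
            return True

def fire_concurrent_withdrawals(wallet, amount, requests):
    """Submit `requests` withdrawals of `amount` at once; return (balance, paid_out)."""
    threads = [threading.Thread(target=wallet.withdraw, args=(amount,)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return wallet.balance, wallet.paid_out

if __name__ == "__main__":
    print("racy:", fire_concurrent_withdrawals(RacyWallet(100), 100, 5))  # balance goes negative
    print("safe:", fire_concurrent_withdrawals(SafeWallet(100), 100, 5))  # exactly one paid: (0, 100)
```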
Example 4: Coincheck ($500 million)
This is the largest robbery of a cryptocurrency exchange in history, carried out in early 2018. Unknown attackers found vulnerabilities in the protection of the exchange's hot wallets and stole NEM coins worth $500 million. The hackers infected the platform's internal network with an email-borne virus, which searched for user credentials and passed them to the attackers.
Despite the huge number of stolen coins, the exchange survived the break-in and even began paying compensation to victims (260,000 people): 88.5 Japanese yen per NEM coin, that is, $0.83 per NEM coin. A program was also written to block the exchange of the stolen NEM coins.
Example 5: Bitfinex ($72 million)
In 2016, the Bitfinex cryptocurrency exchange lost 120,000 bitcoin, equivalent to $72 million at the exchange rate at the time. Hackers exploited a bug in the multisignature system of Bitfinex's partner company BitGo, which allowed them to empty the exchange's hot wallets.
By design, the multisignature protection system was supposed to require two keys to confirm a transaction: one held by Bitfinex, the other by BitGo. In practice, however, money was withdrawn without BitGo's participation using only the Bitfinex key (why this was possible is still not clear). The hackers discovered this weakness, seized the exchange's key and drained the hot wallets.
This is a vivid example of how vulnerabilities in third-party software can be used to break into cryptocurrency exchanges, and of how neglecting basic security rules leads to very big problems.
Phishing (social engineering)
A type of online fraud whose purpose is to trick the user into giving up credentials or money, or into performing an action the fraudsters want. Social engineering techniques are usually used for this, since they can make the victim perform the required action on their own.
The simplest example of phishing is sending emails with a link that is supposed to lead to the site of a well-known company (a bank, social network or marketplace) but actually redirects to a fake site that is almost indistinguishable from the original, for example a fake site with the domain PayPai.com instead of the official PayPal.com.
Example 1: Bitstamp ($5 million)
The victim of such fraud in 2015 was Luka Kodric, an administrator of the Bitcoin exchange Bitstamp. He opened a link in an email, thereby infecting an office PC with a virus that allowed hackers to steal 19,000 BTC, worth 5 million dollars at the rate at the time.
Example 2: Binance (failed)
Another example of attacking a cryptocurrency exchange through phishing is the attack on Binance in March 2018. The intruders spent several months collecting trader credentials, using Unicode characters to direct victims to a look-alike Binance domain.
The harvested API keys were used only once. On the evening of March 7, a massive purchase of Viacoin (VIA) in the VIA/BTC trading pair began from the hacked accounts. As a result, the price of the coin began to rise sharply.
At this point the hackers' own accounts, set up to sell VIA at the peak price, were supposed to come into play. But the unusual activity was noticed by the exchange's administrators, who immediately halted trading and froze the accounts involved in trading the VIA/BTC pair. The exchange then rolled everything back to its original state.
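A defensive check for the Unicode look-alike domains used in the Binance attack, added here as an example (not Binance's tooling or the article's code). It flags labels that mix scripts and hostnames that collapse to a watched brand once confusable letters are mapped; the confusables subset and the brand list are small constructed stand-ins for the full Unicode confusables table and a real watch-list.

```python
# Added example: flag IDN homograph hostnames before a link is followed.
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# deployment would load the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}
PROTECTED_BRANDS = {"binance.com", "poloniex.com", "bitfinex.com"}  # assumed watch-list

def to_unicode_host(host):
    """Return the Unicode form of a hostname given either as punycode or as Unicode."""
    if host.isascii():
        return host.encode("ascii").decode("idna")   # expands any xn-- labels
    return host.encode("idna").decode("idna")         # nameprep-normalises Unicode labels

def scripts_in(label):
    """Scripts used by the letters of a label, taken from the Unicode character name prefix."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Replace confusable letters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def check_hostname(host):
    """Return findings for a hostname; an empty list means nothing suspicious was seen."""
    uni = to_unicode_host(host).lower()
    findings = []
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    look_alike = skeleton(uni)
    if look_alike in PROTECTED_BRANDS and uni != look_alike:
        findings.append(f"{uni!r} impersonates {look_alike!r}")
    return findings
```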
Example 3: Kraken (special cases)
In August 2016, the Kraken cryptocurrency exchange published the results of an internal investigation into the loss of money from individual user deposits. It turned out that the money disappeared because of phishing that the users had fallen for. The platform and its personnel were not compromised.
According to Kraken employees, most of the people who reported missing money had not enabled two-factor authentication and were also logging in with old credentials, which, together with user inattention, allowed hackers to obtain their logins and passwords. The Kraken platform itself was in perfect order.
Example 4: Poloniex (fake application)
In March 2018, specialists at ESET, an antivirus software developer, found a fake application in the Google Play marketplace disguised as a mobile trading platform for the Poloniex exchange. After review, the application was removed from the marketplace.
This was not the first Poloniex phishing application. In 2017, ESET experts found the applications POLONIEX EXCHANGE and POLONIEX on Google Play, which were unrelated to the exchange of the same name. In total, they were downloaded more than 5,000 times.
If attackers know that a particular person trades on, or works as an administrator of, a cryptocurrency exchange, their SMS messages can be intercepted and used during authentication or account recovery.
The main options for such an attack are:
- Wiretapping. This can be done with special equipment or by infecting the victim's phone with malware. The provider's server can also be attacked.
- Cloning a SIM card. In large cities there are plenty of people who will clone any SIM card for a small fee, and there are many instructions online on how to do it yourself.
- False base station. Uses expensive equipment that intercepts and decrypts SMS.
- Hacking the "Personal Account" on the operator's web portal. This lets the attacker redirect all messages to their own number or email.
- SS7 attack. Hacking the set of specialized telecommunications protocols used to connect telephone exchanges (PLMN, PSTN).
- Phishing the operator's call center. Attackers find out users' personal data and phone numbers, then call the operator's call center to "restore" the SIM card.
Intercepted SMS messages can be used not only to log in to the exchange account but also to "recover" access to email: the attacker attempts to log in to the mail service and, after failing, resets the password via SMS. Email and SMS can then be used to pass two-factor authentication, for example on the Coinbase exchange.
Before developing a cryptocurrency platform, all modern methods of attacking cryptocurrency exchanges should be considered, and reliable software providers chosen.