This article is part of our complete guide to Bitcoin and altcoin hacks. Here we cover Bitcoin and altcoin security incidents from the year 2017.
In late 2017, Italian cryptocurrency BitGrail was hacked and 2.5 million NANO were stolen.
Initially, the exchange reported the issue as a “maintenance”:
XRB withdrawals will be enabled again as soon as possible. Funds are safe, users still have access to them.
Withdrawals that were pending since before this maintenance should have been completed.
Reminder: withdrawals for other coins are available.
Thank you for understanding.
— BitGrail Exchange (@BitGrail) January 10, 2018
All investors had to do was scan BitGrail’s Twitter feed and see that it had been embattled for months, with tens of tweets apologizing and explaining technical issues.
After stressful exchanges between BitGrail and NANO developers, with mutual accusations, BitGrail shut down in 2018 and hasn’t been active on social networks since.
One year later, former BitGrail CEO was sentenced to pay all investors back for the lost funds.
In May 2017 dogetipbot creator Josh Mohland posted a notice to Reddit users saying he was broke and he had spent all the dogetipbot DOGE coins to pay for his own expenses.
The bot was taken down, the coins were all wiped out and the only thing users could do was protest.
Mohland had filed for Chapter 7 bankruptcy for his business, which was aptly named Wow Such Business Inc (a reference to the Doge meme).
About U$ 150,000 of Reddit users’ DOGE coins were gone just like that.
Nicehash isn’t a traditional exchange. Instead of buying and selling cryptocurrencies, they deal hashpower.
You download a mining application which uses your computing power to produce the most profitable coin at the moment. It then converts the mined coin into Bitcoin and pays you BTC shares every hour.
In December 2017, just as Bitcoin hit the highest valuation ever, Nicehash fell victim to a hack that cost them U$ 60 million at the time.
The Bitcoin hot wallet where Nicehash kept miner funds was stolen – a 100% loss of funds.
Despite the worst predictions, though, Nicehash was able to return to business a few days later.
In November 2017, near Bitcoin’s all time high price, Tether announced that they’d lost 30.95 million USDT tokens.
Users then quickly noticed that the target Omni address had been frozen:
earlier today Tether blacklisted a specific address.
that address has $31m in Tether #usdt
their explorer has been down all day.
does this mean that law enforcement are looking into their non-transparent operations?https://t.co/SXIsTgVary
— Tim Swanson (@ofnumbers) November 21, 2017
Questions were immediately raised about Tether’s power to fork the system and freeze addresses:
Tether quietly did a hard fork to blacklist a specific address and freeze funds.
1. Who controls the Omni ledger and who can perform these kinds of operations?
2. Why was this address blacklisted?
3. Which other addresses are next in line? https://t.co/V13170NXae
— Emin Gün Sirer (@el33th4xor) November 21, 2017
Tether’s history has no shortage of controversy.
Whether it’s their ties to Bitfinex or investigations by the New York Attorney General, Tether seems to find comfort in chaos. Over 90% of all daily Bitcoin volume is traded in Tether. Regardless of my opinion about this crypto asset, it’s still very relevant to the Bitcoin ecosystem.
Parity is a multi-signature Ethereum wallet. In July 2017 its source code was cleverly exploited and fell victim to one of the largest Ethereum thefts of all time.
Over 150,000 ETH were stolen in a single attack.
The way the funds were stolen is a masterclass for cryptocurrency developers.
The wallet included code that allowed it to abstract some functions. This code had a bug in it that allowed regular, non-privileged, users to run administrator-level functions. The attackers simply called the function which changes the contract owners. This function is usually reserved for a single ETH address and is set when the smart contract is deployed.
Youbit / Yapizon
2017 was a bad year for Youbit. Within less than 9 months it was hacked twice and was forced to shut down when cryptocurrencies were at or near their all time high prices.
First, in April 2017, Youbit (then called Yapizon) was robbed of 4,000 BTC.
Then, in November, the exchange lost 17% of their total cryptocurrency balances in a second and more damaging hack.
North Korea was accused, by more than one research firm, of being behind the attack. But as often is with cryptocurrency hacks, tracing the true origin of hacks can be very difficult.
Youbit reappeared briefly in early 2018, before fading again into oblivion.
A serious vulnerability was discovered in the EtherDelta smart contract code which, combined with traditional Internet exploits (DNS, specifically) allowed hackers to steal funds from the DEX.
The security researcher who found this reported the flaw to EtherDelta before he made it public, allowing them to launch a new smart contract with the flaw corrected.
Unfortunately, a malicious hacker had already used the flaw to siphon out large sums of Ethereum.
The problem here was mixing a Dapp with traditional centralized app strategies.
Session data was collected using simple PHP scripts that anyone can write and host even for free in some cases. The scripts were accessed by users who fell victim to a poisoned DNS system which detoured traffic from its intended target to these PHP scripts. The bigger issue was EtherDelta accepting this session data as parameters on their decentralized exchange. Combining the old school hack with newly discovered flaws in the DEX’s smart contract allowed the hackers to get away with a major ETH heist.
The hunt for the EtherDelta hacker has been ongoing for years as we write this.
Return to the main article: The complete guide to Bitcoin and altcoin hacks