2017 Bitcoin and Altcoin Hacks [Part 9]

This article is part of our complete guide to Bitcoin and altcoin hacks. Here we cover Bitcoin and altcoin security incidents from the year 2017.

BitGrail

In late 2017, Italian cryptocurrency BitGrail was hacked and 2.5 million NANO were stolen.

Initially, the exchange reported the issue as a “maintenance”:

All investors had to do was scan BitGrail’s Twitter feed and see that it had been embattled for months, with tens of tweets apologizing and explaining technical issues.

After stressful exchanges between BitGrail and NANO developers, with mutual accusations, BitGrail shut down in 2018 and hasn’t been active on social networks since.

One year later, former BitGrail CEO was sentenced to pay all investors back for the lost funds.

dogetipbot

In May 2017 dogetipbot creator Josh Mohland posted a notice to Reddit users saying he was broke and he had spent all the dogetipbot DOGE coins to pay for his own expenses.

The bot was taken down, the coins were all wiped out and the only thing users could do was protest.

Mohland had filed for Chapter 7 bankruptcy for his business, which was aptly named Wow Such Business Inc (a reference to the Doge meme).

About U$ 150,000 of Reddit users’ DOGE coins were gone just like that.

Nicehash

Nicehash isn’t a traditional exchange. Instead of buying and selling cryptocurrencies, they deal hashpower.

You download a mining application which uses your computing power to produce the most profitable coin at the moment. It then converts the mined coin into Bitcoin and pays you BTC shares every hour.

In December 2017, just as Bitcoin hit the highest valuation ever, Nicehash fell victim to a hack that cost them U$ 60 million at the time.

The Bitcoin hot wallet where Nicehash kept miner funds was stolen – a 100% loss of funds.

Despite the worst predictions, though, Nicehash was able to return to business a few days later.

Tether

In November 2017, near Bitcoin’s all time high price, Tether announced that they’d lost 30.95 million USDT tokens.

Users then quickly noticed that the target Omni address had been frozen:

Questions were immediately raised about Tether’s power to fork the system and freeze addresses:

Tether’s history has no shortage of controversy.

Whether it’s their ties to Bitfinex or investigations by the New York Attorney General, Tether seems to find comfort in chaos. Over 90% of all daily Bitcoin volume is traded in Tether. Regardless of my opinion about this crypto asset, it’s still very relevant to the Bitcoin ecosystem.

Parity Wallet

Parity is a multi-signature Ethereum wallet. In July 2017 its source code was cleverly exploited and fell victim to one of the largest Ethereum thefts of all time.

Over 150,000 ETH were stolen in a single attack.

The way the funds were stolen is a masterclass for cryptocurrency developers.

The wallet included code that allowed it to abstract some functions. This code had a bug in it that allowed regular, non-privileged, users to run administrator-level functions. The attackers simply called the function which changes the contract owners. This function is usually reserved for a single ETH address and is set when the smart contract is deployed.

Parity, on the other hand, allowed the owner to be changed. After changing the contract owner, all funds deposited at the contract address were withdrawn.

Youbit / Yapizon

2017 was a bad year for Youbit. Within less than 9 months it was hacked twice and was forced to shut down when cryptocurrencies were at or near their all time high prices.

First, in April 2017, Youbit (then called Yapizon) was robbed of 4,000 BTC.

Then, in November, the exchange lost 17% of their total cryptocurrency balances in a second and more damaging hack.

North Korea was accused, by more than one research firm, of being behind the attack. But as often is with cryptocurrency hacks, tracing the true origin of hacks can be very difficult.

Youbit reappeared briefly in early 2018, before fading again into oblivion.

EtherDelta

A serious vulnerability was discovered in the EtherDelta smart contract code which, combined with traditional Internet exploits (DNS, specifically) allowed hackers to steal funds from the DEX.

The security researcher who found this reported the flaw to EtherDelta before he made it public, allowing them to launch a new smart contract with the flaw corrected.

Unfortunately, a malicious hacker had already used the flaw to siphon out large sums of Ethereum.

The problem here was mixing a Dapp with traditional centralized app strategies.

Session data was collected using simple PHP scripts that anyone can write and host even for free in some cases. The scripts were accessed by users who fell victim to a poisoned DNS system which detoured traffic from its intended target to these PHP scripts. The bigger issue was EtherDelta accepting this session data as parameters on their decentralized exchange. Combining the old school hack with newly discovered flaws in the DEX’s smart contract allowed the hackers to get away with a major ETH heist.

The hunt for the EtherDelta hacker has been ongoing for years as we write this.

Links

BitGrail Insolvency Update

Bitgrail’s $170M Hack Continues to Provide Drama

Owner of Hacked Crypto Exchange BitGrail Sentenced to Return Funds to Customers

Questions Mount Over $170 Million BitGrail ‘Hack’

Italian cryptocurrency exchange gets hacked for $170 million in Nano

Return to the main article: The complete guide to Bitcoin and altcoin hacks

Comments

Meta