2016 Bitcoin and Altcoin Hacks [Part 8]

This article is part of our complete guide to Bitcoin and altcoin hacks. Here we cover Bitcoin and altcoin security incidents from the year 2016.

Gatecoin

In May 2016 an attack on Gatecoin’s hot wallets cost them U$ 2 million in damages.

As much as 185,000 ETH and 250 BTC were stolen in the heist.

Interestingly, The DAO ICO was at full speed during this hack. Gatecoin’s own DAO (decentralized autonomous organization) project thus got a lot of attention and received massive funding stemming from the hype around The DAO.

The DAO was notably hacked soon after as well, in what became one of the most famous cryptocurrency thefts of all time (see below).

Monero

A white hat hacker discovered a major flaw in Monero and disclosed it privately to the developers before making it public.

This particular story has a happy ending as the ethical hacker warned the cryptocurrency devs before exploiting it to his own profit.

Monero being 100% anonymous and untraceable, this hacker could’ve stolen millions of U$ and gotten away with it.

Shapeshift

In April 2016 an inside job cost Shapeshift U$ 230,000.

An employee had stolen U$ 130,000 one month earlier. After he was finally discovered and fired, he sold internal details to a hacker who later stole an additional U$ 100,000 from the popular cryptocurrency exchange.

There was little technical complexity to the hack as it was straight up old school theft.

Apparently a lawsuit was filed against the employee but Shapeshift declined to give details about it.

The DAO

The DAO hack was one of the most technically impressive ever devised.

Whoever crafted this exploit had a deep understanding of Ethereum's smart contract language, Solidity, and of the semantics of smart contracts.

The hacker exploited a badly coded section of the DAO smart contract. There was a function that paid out funds before it updated the caller's balance. The attacker found a way to make this function call itself recursively several times before the balance was updated. As a result, over 36 million Ethereum were funneled out of The DAO ICO funds and into the hacker's address.

The DAO had a significant impact in the history of Ethereum.

After the hack, there was enormous controversy as to whether Ethereum should fork the chain and reverse the hacked transactions. Long story short, those who believed the hack should be reverted remained in Ethereum and those who thought no transactions should ever be reverted due to badly coded contracts then founded Ethereum Classic.

So the original, unforked Ethereum blockchain, which still includes the DAO hack, is now called Ethereum Classic, whereas the chain called Ethereum is the forked version with the DAO hack transactions rolled back.

The DAO is often cited in smart contract security guides due to the highly specialized nature of the hack. Since The DAO, contracts are routinely checked for the reentrancy bug that led this otherwise highly successful ICO to its demise.

Interestingly, the attack author argued for the full legality of his actions, saying he only used a feature that DAO published voluntarily.

Bitfinex

This was one of the biggest BTC thefts of all time. Over 119,000 BTC were stolen, the equivalent of U$ 1.14 billion in today's values.

It was a highly sophisticated hack that was able to piece together several very complex requirements in order to make such large withdrawals.

One of the most intriguing aspects of this hack is it involved multi-signature wallets. In this specific case, in order to move the funds, at least 3 people had to sign the transactions. How the hackers were able to obtain the 3 private keys necessary for this remains a mystery. Wild theories have circulated about it being an inside job.

In 2019 the US Government returned 27 BTC to Bitfinex. According to authorities they were able to trace these coins back to the 2016 hack.

Bo Shen

Cryptocurrency investor Bo Shen, head of Fenbushi Capital, had U$ 300,000 worth of Augur and ETH stolen from him in December, 2016.

The stolen coins were immediately dumped on the market, causing a big price drop, which Augur founder Jack Peterson explained as such:

SIM-swap SMS Hackfest

Numerous individual investors had their SIM cards swapped during the year 2016. Using social engineering against local telcos, attackers could impersonate the customer and get the phone number moved to a different SIM card.

With the new SIM card they could receive the SMS 2FA codes sent during cryptocurrency exchange login processes.

Several SIM swapping busts were made in 2016 which, for some reason, became the year of the SIM-swap hacks.
