2018 Bitcoin and Altcoin Hacks [Part 10]

This article is part of our complete guide to Bitcoin and altcoin hacks. Here we cover Bitcoin and altcoin security incidents from the year 2018.

Monacoin and Monappy

In May 2018 Monacoin was hit with a selfish mining attack.

As you may know from Satoshi’s original whitepaper, the longest chain is always considered the official blockchain. If someone is able to craft a valid longer chain, they then lead the mining. In short, in a selfish mining attack, a miner solves a block but does not tell anyone. They must then solve the next block very quickly and then broadcast that next block. They then have the longest chain which only they have started to mine, before everyone else. If this advantage is maintained long enough, several blocks can be mined all by themselves before anyone else is able to catch up.

Perhaps one of the most harmless (and least valuable) hacks in this article, the total advantage obtained by the hacker was around U$ 90 thousand. Still not bad for a few moments of cleverness.

Bancor

In July 2018 one of Bancor’s wallets was hacked and U$ 12.5 million ETH were stolen along with NPXS and Bancor’s own BNT token.

Here’s a summary of the hack, from Bancor’s official Twitter

The Bancor hack generated an intense debate about decentralization.

Some claimed that if Bancor was truly decentralized, then it couldn’t operate a centralized wallet out of which users’ funds could be hacked. A really decentralized exchange also could not control accounts in any way, such as freezing funds.

Coincheck

One of Japan’s largest exchanges, Coincheck made history in early 2018.

Just as Bitcoin was coasting from its recent all time high record, Coincheck was hit with one of the greatest thefts in history when U$ 530 million were stolen in a single attack.

Contrast this with “The Great Train Robbery” where approximately U$ 63 million in today’s values were taken. While movies were made about the railway exploit and its perpetrators became as famous as Bonnie and Clyde, the Coincheck thieves remain completely anonymous and nobody ever mentions a heist almost 10x as big.

Details eventually emerged, showing several bad security practices by Coincheck.

All of their NEM was kept in a single hot wallet, which allowed the hackers to gain access to 100% of their funds as soon as they accessed the wallet.

Secondly, they did not employ multisig, which would have required more than one person to sign large transfers. A single private key would do.

Being in Japan raised immediate comparisons to the MtGox scandal, which was based in Tokyo. Japan took several regulatory measures as a response to MtGox and Coincheck would also usher in several new requirements for crypto exchanges.

And, of course, North Korea was also accused of being behind this attack.

Zaif

2018 was a difficult year for Japanese cryptocurrency exchanges. Just as the dust had begun to settle after the Coincheck hack, in September 2018, Osaka-based exchange Zaif woke up to a terrible surprise.

Hackers had siphoned off about U$ 60 million (billions of Yen) in Bitcoin, Bitcoin Cash and Monacoin. Its hot wallets had been compromised and funds were sent away in minutes.

The company had to get a loan to pay creditors and entered a period of financial distress. Soon after it was sold and the new management relaunched the exchange.

IOTA

It was January 2018 when 85 IOTA investors found their wallets completely empty. In total, EUR 11 million had vanished.

Several police reports filed in Europe sent Europol after the thief. After initial investigations, Germany became the focus of the high tech pursuit.

The IOTA hack was unique in that it employed the wallet recovery seed to steal from users.

As reported by Reuters, a website called IOTASeed.io was being used by IOTA users to generate wallet recovery seeds. What these investors didn’t suspect is that a seed is effectively an encoded version of the private key! Each character in the seed maps to a numeric value in a table, which is then put together to form the 81 character seed used by IOTA.

Investors then generated seeds on iotaseed.io and went on with their lives, not minding the fact that the people behind iotaseed had several perfectly valid private keys at their disposal!

Once investors funded their IOTA wallets, while the hackers monitored the blockchain for deposits, all they had to do was open their own IOTA wallet using the seed and transfer the funds out as if they owned the wallet themselves.

This reinforces the motto “if you don’t own the private keys, you don’t own the coins”.

Seed generators should never be used!

The same tactic was used by corrupt Nano Ledger sellers who were pre-configuring the wallets with a seed which came printed on a piece of paper inside the box. The sellers kept a copy of each seed. If you funded one of those Nano Ledgers with any significant amounts, they’d mysteriously disappear!

VERGE Hack

In April 2018 a Bitcointalk user called ocminer posted a warning to the community about a possible 51% attack on the Verge cryptocurrency.

A highly sophisticated timing attack exploited one of Verge’s most interesting features: the timing of the rotating cryptographic algorithm. The attacker was able to fool the Verge algorithm by setting blocks with a date in the past, offsetting the system’s reference time for newer blocks.

From block 2007365 onwards, the attacker was able to dominate XVG mining and produce over 250,000 coins. Reports of the total hacked vary from U$ 15,000 to 250,000 or more (possibly undetected before).

A relatively small attack financially, but technically very relevant due to the unprecedented exploit.

Verge price collapsed after the attack and has never recovered.

Verge price decline after 51% attack. Chart: CoinMarketCap.com
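To illustrate how a node can bound backdated timestamps like those described above, here is an added example (not Verge's code and not part of the original article). It assumes Bitcoin-style rules: a block's timestamp must be later than the median of the previous 11 blocks and at most 2 hours ahead of local time. The sample timestamps are constructed.

```python
from statistics import median

MTP_WINDOW = 11          # blocks used for median-time-past (Bitcoin's value; an assumption here)
MAX_FUTURE_DRIFT = 7200  # seconds a timestamp may run ahead of local time (Bitcoin's value)


def median_time_past(timestamps):
    """Median of the most recent MTP_WINDOW accepted block timestamps."""
    return int(median(timestamps[-MTP_WINDOW:]))


def check_timestamp(accepted, candidate, now):
    """Return None if the candidate timestamp is acceptable, else a reason string."""
    if accepted and candidate <= median_time_past(accepted):
        return "backdated: not later than median-time-past"
    if candidate > now + MAX_FUTURE_DRIFT:
        return "too far in the future"
    return None


def audit_chain(timestamps, now):
    """Replay block timestamps in order; return (index, reason) for each rejected block."""
    accepted, rejected = [], []
    for i, ts in enumerate(timestamps):
        reason = check_timestamp(accepted, ts, now)
        if reason:
            rejected.append((i, reason))
        else:
            accepted.append(ts)
    return rejected


# Constructed sample: 12 blocks 30 s apart, then two backdated blocks
# (indexes 12 and 14), one honest block, and one far-future block (index 15).
BASE = 1_522_800_000
SAMPLE = [BASE + 30 * i for i in range(12)]
SAMPLE += [BASE - 3600, BASE + 30 * 12, BASE + 60, BASE + 10 * 86400]
NOW = BASE + 600

if __name__ == "__main__":
    for index, reason in audit_chain(SAMPLE, NOW):
        print(index, reason)
```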

POWH

Proof of Weak Hands – that’s the concept behind POWH. It was a deliberate Ponzi scheme! There was no secret about this – the original plan was to produce a semi-serious ERC-20 token which would behave in unusual ways by default. Source code was published and everyone who got involved knew what they were getting in to (which is striking because POWH received over U$ 1 million in funds).

POWH was exploited using something similar to the 2010 Bitcoin Hack we discussed early in this article: negative integer overflows. As explained before, when computers treat signed integers as unsigned, weird things happen. For example, a number can flip from negative to positive with a very high value in it (when the interpreter/computer treats the high-end sign bit as a value and not a flag).

Someone was able to generate a negative balance for POWH holders by exploiting a flaw in the smart contract. They were able to withdraw more than the funds available and the negative balance was treated as a very large positive number. The resulting balance was then an astronomically large amount of POWH tokens.

POWH disintegrated and so did its market value. The crowd’s U$ 1 million burned like kerosene in an instant.
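The wrap-around described above can be reproduced with a small model. This is an added example, not POWH's contract and not part of the original article: a constructed ledger with 256-bit unsigned balances, shown once with an unchecked debit and once with a bounds check, plus a supply invariant that flags the corrupted state. The account names and amounts are made up.

```python
UINT256_MOD = 2 ** 256  # balances are 256-bit unsigned words, as on the EVM


class Underflow(Exception):
    """Raised by the checked ledger when a debit exceeds the balance."""


class Ledger:
    """Toy token ledger (constructed model, not POWH's contract)."""

    def __init__(self, balances, checked):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.checked = checked

    def _debit(self, balance, amount):
        if self.checked and amount > balance:
            raise Underflow(f"debit {amount} exceeds balance {balance}")
        # Fixed-width unsigned subtraction: a result below zero wraps around.
        return (balance - amount) % UINT256_MOD

    def transfer(self, sender, recipient, amount):
        # Compute the debit first so a rejected transfer changes no state.
        debited = self._debit(self.balances.get(sender, 0), amount)
        self.balances[sender] = debited
        self.balances[recipient] = (self.balances.get(recipient, 0) + amount) % UINT256_MOD

    def supply_invariant_holds(self):
        """The sum of all balances must equal the supply fixed at creation."""
        return sum(self.balances.values()) == self.total_supply


def run(checked):
    """Empty account 'bob' sends 1 token; returns (bob_balance, invariant_ok, rejected)."""
    ledger = Ledger({"alice": 100, "bob": 0}, checked)
    try:
        ledger.transfer("bob", "alice", 1)
        rejected = False
    except Underflow:
        rejected = True
    return ledger.balances["bob"], ledger.supply_invariant_holds(), rejected


if __name__ == "__main__":
    print("unchecked:", run(checked=False))
    print("checked:  ", run(checked=True))
```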

Coinrail

It’d already been a few rough seasons for South Korean cryptocurrency exchanges when Coinrail was hit with a U$ 40 million heist in mid 2018.

Interestingly, relatively unknown ICOs were targeted in this hack: Pundi X’s NPXS tokens, Dent (dental coin) and Aston X. TRON was the more notable token, having about U$ 1 million stolen from Coinrail customers.

The NPXS tokens were dumped at IDEX and mixed minutes later, making it impossible to get them back.

The Coinrail hack contributed to 2018’s massive cryptocurrency rout, further accelerating the losses that began in late 2017.

Bithumb

Bithumb’s working wallets were hacked and approximately U$ 30 million were stolen in mid 2018, further intensifying the hard hitting bear market.

About U$ 14 million were later recovered but U$ 17 mln were gone forever.

Bithumb has since deleted tweets related to the attack (such as https://twitter.com/BithumbOfficial/status/1009239883645243392).

But the thread which stemmed from the above deleted tweet is still published:

Coinsecure

India’s largest cryptoasset exchange Coinsecure was hacked in April 2018. Founded in 2014 by Mohit Kalkra and Benson Samuel, Coinsecure grew at impressive speed until India’s government started to regulate and prohibit several activities related to cryptocurrencies.

Apparently, Coinsecure was using a single-signature wallet to hold its funds. Unlike the 2016 Bitfinex hack, where the attackers were able to compromise a multi-sig system, here all the hacker had to do was gain access to one private key.

Coinsecure was able to refund the majority of its customers but it was forced to shut down soon after.

Here is their latest tweet, from the same month as the attack in 2018.
