The complete guide to Bitcoin and altcoin hacks

Perhaps you’d be surprised to find out that Bitcoin has been hacked in the past? Millions of fake Bitcoins were minted out of thin air and injected into the blockchain.

Even the king of all cryptos has had its own security issues. But in 10 years, with an uptime that no SLA could ever hope to match, Bitcoin has proven to be one of the most resilient technologies ever developed.

In this article we’ll revisit the most notorious Bitcoin and altcoin hacks that we’re aware of.

Billions of dollars in price fluctuations, speculation, fear, uncertainty and doubt. Those who lived through the first 10 years of cryptocurrencies sure have stories of sleepless nights to tell.

So let’s get started with what was arguably Bitcoin’s worst technical moment yet. The year was 2010 and Bitcoin was just over 1 year old.

This was to become the most serious Bitcoin hack, ever, so read on!

 2009

Well there was only one real Bitcoin hack in 2009 and it was when Hal Finney, Satoshi Nakamoto, Nick Szabo et al got together to give us the greatest and most fun technological development since the WWW itself.

Here’s arguably the greatest hack of 2009:

The Bitcoin Hack

Bitcoin isn’t just the handsome looking graphical window you see when you run Bitcoin Core (or your favorite alternative wallet).

In the background, a daemon, which is a spooky name given by Unix hackers to processes that run all the time behind the scenes, listens for new network data, verifies the data and commits it to your local copy of the blockchain.

This background process can run either through the graphical interface you see or on its own, by running a program called bitcoind (the “d” stands for daemon).

On August 15th, 2010, Jeff Garzik, one of the early Bitcoin Core developers, noticed something strange going on with block 74638.

Several 92233720368.54277039 BTC transfers were mined in this block. This number is far beyond the maximum number of Bitcoins allowed by the system (21 million).

Something was seriously broken.

Versions of bitcoind before 0.3.11 would not check for certain conditions in transactions and would commit invalid TX’s into the blockchain.

In modern computers when a number is negative, it is marked by a single bit being turned on, usually at the leftmost position. If the computer interprets this bit as being part of the number and not a sign, it doubles the number value. But if it’s interpreted to mean “negative number” then it plays no part in the magnitude of the number, it just means that everything to the right of it is a negative number.

So if you mix signed and unsigned numbers in clever ways, you end up with serious problems.

Imagine if I made a Bitcoin transaction so big that the amounts added up to a number the computer cannot handle. In this case we get something called an overflow. When a number overflows in a computer program, its sign flips: if the operands were positive, the result comes out negative. In fact, checking for sign inversion is one way to detect integer overflows.

It just so happened that bitcoind did not check for overflows in versions < 0.3.11. So someone crafted transactions containing 92233720368.54277039 Bitcoins, which, when added up, resulted in a negative number. This negative number was interpreted as an unsigned value, which would consider the leftmost 1 bit to be part of the number. As you can imagine, this results in an astronomical value. So, out of nowhere, over 180 billion BTC were minted.
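The overflow and the sign-inversion check described above, as an added example that is not bitcoind's code: Python integers never overflow, so `wrap_int64` models a signed 64-bit register. The 0.5 BTC input, the two-output transaction and all function names are assumptions made for the illustration.

```python
from decimal import Decimal

COIN = 100_000_000               # satoshis per BTC
MAX_MONEY = 21_000_000 * COIN    # the 21 million BTC cap, in satoshis


def btc_to_satoshis(text):
    """Convert a decimal BTC string to an exact integer number of satoshis."""
    return int(Decimal(text) * COIN)


def wrap_int64(value):
    """Reduce a Python int the way a two's-complement 64-bit register would."""
    return (value + 2**63) % 2**64 - 2**63


def sum_wraps(a, b):
    """Sign-inversion test from the text: non-negative addends, negative sum."""
    return a >= 0 and b >= 0 and wrap_int64(a + b) < 0


def naive_check(input_total, outputs):
    """Unchecked logic (modelled): add outputs in an int64, compare to inputs."""
    total = 0
    for value in outputs:
        total = wrap_int64(total + value)    # wraps silently, no error raised
    return total <= input_total, total


def hardened_check(input_total, outputs):
    """Range-check each output and each running total before the comparison."""
    total = 0
    for value in outputs:
        if not 0 <= value <= MAX_MONEY:
            return False, "output value out of range"
        total += value
        if total > MAX_MONEY:
            return False, "output total out of range"
    if total > input_total:
        return False, "outputs exceed inputs"
    return True, "ok"


# Constructed sample: two outputs of the amount quoted in the article, funded
# by a 0.5 BTC input (the input amount is an assumption for the example).
HUGE = btc_to_satoshis("92233720368.54277039")
SAMPLE_INPUT = btc_to_satoshis("0.5")
SAMPLE_OUTPUTS = [HUGE, HUGE]

if __name__ == "__main__":
    print("sum wraps:", sum_wraps(HUGE, HUGE))
    print("naive:    ", naive_check(SAMPLE_INPUT, SAMPLE_OUTPUTS))
    print("hardened: ", hardened_check(SAMPLE_INPUT, SAMPLE_OUTPUTS))
```

The hardened version also rejects a set of individually valid outputs whose running total passes the cap, which is the quieter variant a per-output check alone would miss.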

Here’s where Bitcoin’s amazing core dev team showed their prowess.

Just a couple of hours after the detection of this flaw, the Bitcoin Core code had been patched and distributed to users. This kind of agility is rare in large and popular projects.

The Bitcoin blockchain was forked, the one containing the malicious coins was made deliberately invalid and a new chain grew from the valid end.

Had the attacker been more subtle about the exploit, finding ways to exploit the overflow by crafting smaller amounts, it might have taken longer to detect the security flaw.

This was the only time Bitcoin itself was hacked and the only time Bitcoin ever reversed a transaction. There was no other option. Leaving the invalid transaction in the chain would break Bitcoin forever by recognizing hundreds of billions of coins when the software-coded maximum is 21 million BTC.

It was a tense moment. For a few hours in August 2010 it seemed like Bitcoin was doomed.

If anything of the sort happened today, the BTC price would likely drop to zero instantly and it would cost hundreds of billions of U$ in damages.

Fortunately, things were simpler back in 2010.

 2011

MyBitcoin

MyBitcoin was one of the earliest Bitcoin wallet services available.

Users could take their BTC with them anywhere by accessing the online wallet instead of a heavy full node that needed to sync every time you moved.

This doesn’t sound like much of an innovative idea today, but in 2011 Bitcoin was still considered the stuff of mad geniuses who blew stuff up in their basement.

The idea behind MyBitcoin was great and it had the potential to become one of the major cryptocurrency services just a few years later, unless….

In mid August of 2011 a cold shower hit all MyBitcoin customers. A letter from the admins said the service was suddenly bankrupt.

Users were mystified about this notice and could not believe they’d lost all their BTC.

There was ample skepticism about it, in fact, and questions began to be asked.

What happened at MyBitcoin was a quite clever hack.

Deposits were acknowledged before multiple confirmations. So hackers would broadcast a deposit that would bounce due to lack of funds and make withdrawals before the first confirmation.

When MyBitcoin took notice, their withdrawal wallets had already been drained.

Bitcoin7

Shortly after the MyBitcoin hack, 2 months later in fact, in October of 2011, Bitcoin7 customers received an announcement from the admins that wallets had been stolen and user IDs compromised.

The website went down with no public notice on its pages. Users simply could not access the exchange.

With a tiny office in Sofia, Bulgaria, Bitcoin7 didn’t execute a large volume of trades per day. It was a small exchange that came and went.

Back in 2011 there were very few exchanges and wallet services, so the Bitcoin7 hack ended up causing a stir in the online forums.

Their domain is still registered, though as expected it has privacy enabled so we don’t know who’s behind it today.

Domain Name: BITCOIN7.COM
Registry Domain ID: 1660517880_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-06-09T05:53:18Z
Creation Date: 2011-06-08T13:27:40Z

MtGox

MtGox was hacked twice in 2011.

In June, someone hacked into the exchange’s order book and set all of MtGox’s cold wallet Bitcoins for sale. There was a flash crash and the thief ran off with millions of U$ (billions in today’s price).

Later in October someone hacked into MtGox and sent thousands of BTC to invalid addresses. Those BTC are lost forever because no one can ever generate those addresses from private keys.

allinvain Individual Hack

In June 2011, Bitcointalk.org user allinvain announced that he’d been hacked out of 25,000 BTC.

Not only is this hack considered one of the very first Bitcoin thefts, it’s also one of the most dramatic due to the way the user reported it. Initially, he’d said that he wanted to kill himself, which caused the community to look after him and offer support.

It’s not clear how the bitcoins were stolen.

allinvain claimed he made backups of his wallet.dat on several cloud based storage services. There was speculation that an employee of such services could be monitoring upload of files named wallet.dat.

Another possibility, raised by allinvain himself, is that he later found a program called bitcoin-miner.exe that was detected as a trojan horse by his anti-virus software.

At the time of the heist the 25,000 BTC were worth U$ 500,000. Today they’d be worth U$ 240 million.

 2012

Bitcoinica / Linode Hack

Bitcoinica was hacked twice in 2012, which led them to shut down shortly after the 2nd heist.

In March 2012 Bitcoinica reported that 18,547 BTC had been stolen from its reserves. It was apparently a problem in the platform, because their founder, Zhou Tong, mentioned they’d have to rewrite the platform completely. There were rumours that SQL injection had been used to gain access to user funds.

Later that year the Bitcoinica hosting provider was targeted. Linode was hacked and over 40,000 BTC were stolen off Bitcoinica’s servers.

This hack is known as the Linode hack, despite Bitcoinica being hurt the most.

The exchange shut down shortly after, claiming insolvency.

Zhou Tong made an effort to pay customers back. He donated 5000 of his own BTC and asked for help with donations on Bitcointalk.org.

Later in July, a post made to Bitcointalk by MtGox operators, including Mark Karpeles (MagicalTux), revealed that the whole Bitcoinica ordeal had been a big scam.

Zhou Tong’s email account had been used in an account at MtGox where stolen Bitcoinica funds had been deposited. He tried to claim that his Gmail was hacked, which didn’t succeed with the community.

By mid 2014 users were still seeking answers from Tong but it is understood that less than 2% of Bitcoinica’s customers received some form of compensation for the theft.

BitMarket

BitMarket.eu was a popular Bitcoin exchange running in Poland. If you visit their current site all you’ll find is a cryptocurrency blog.

What happened?

It turns out that in 2012 over 20,000 BTC were stolen from the exchange and they were forced to shut down.

Interestingly, an arrest made in 2016 in connection with the BitMarket investigation could be a link to many other hacks, including the already mentioned Bitcoinica case.

A different theory accuses the BitMarket hack of being an inside job.

Although there are claims that many clients received their funds back, this is not confirmed by a large number of BitMarket customers.

BitFloor

In September of 2012, Vitalik Buterin reported for Bitcoin Magazine that 24,000 BTC went missing from the Bitfloor exchange.

The attack was blamed on poor handling of private keys by the exchange operators.

A key backup was made to one of the server’s hard drives. The key was unencrypted and the hackers obtained easy access to them.

Here the former BitFloor owner explains what happened and offers a few more technical details.

Bitcoin Savings and Trust

Bitcoin Savings and Trust (BST) wasn’t exactly a hack in the technological sense.

Instead, it was one of the first large scale Ponzi schemes operated using cryptocurrencies with over 500,000 BTC managed at a point in time.

As with all Ponzi schemes, customers started mass withdrawing funds, which BST couldn’t honor, so the system collapsed.

The main BST operator, Trendon Shavers, received a sentence of 1.5 years in a Texas prison for the scheme.

The relatively short sentence was a result of a plea deal where Shavers agreed to pay creditors U$ 40.7 million in damages to 48 investors.

 2013

Dogewallet

Such hack. Many coin. Very disappear.

Christmas of 2013 wasn’t a good time for Dogecoin investors.

The recently created half-joke-half-serious cryptocurrency had just suffered its first major heist.

Although it was a low value hack at just around U$ 13,000, it was relevant because most DOGE users were social media savvy and got the word out to thousands of readers.

A lot of social media users were first introduced to cryptocurrencies through the viral Dogecoin phenomenon.

DOGE users were also usually just having fun with the coins, tipping others, giving them away and such. So discovering that it could be the target of thieves was a shock for many Shibes (as DOGE enthusiasts call each other on social media).

GBL

GBL was a virtual cryptocurrency exchange based in China which operated at the btc-glb.com domain.

In October of 2013 the exchange simply vanished and was never heard of again.

When the exchange ran off with users’ funds, a major investigation began which led to Hong Kong. Checking the alleged HK address it was discovered that it’d been a fake address and no such business ever existed there. Further investigation led sleuths to China where it really operated.

The Chinese operation was also illegal as the exchange had none of the required permits.

There were many signs that things weren’t going well at GBL, including problems during withdrawals, hard withdrawal limits imposed in ad-hoc fashion, among others.

As far as I know, no one was ever brought to justice for the GBL hack. Over 1000 customers were scammed in the process.

Silk Road

Silk Road was raided by the FBI in 2013 and 172,000 BTC were seized.

At today’s prices this represents a U$ 1.8 billion value which is quite impressive.

The real hack in this case was how the authorities were able to track down Silk Road operator Ross Ulbricht.

Ulbricht left several footprints and made some really trivial opsec mistakes.

On one occasion, Ulbricht was attempting to recruit virtual assistants for his darknet marketplace and gave his personal Gmail address for contact.

Several such clues led the FBI to his name.

It is truly unfortunate that such a young and talented person must serve prison time for the rest of his life with no possibility of redemption.

The details of the Silk Road raid are beyond the scope of this article, but you can read more about it on Wikipedia.

 2014

MintPal

In July 2014 MintPal, a popular altcoin exchange at the time, got hacked and over 10,000 BTC worth of VeriCoin was stolen.

Later that year over 3,700 BTC also vanished from MintPal.

In a stunning turn of events, it was discovered that a former security consultant who later purchased MintPal may have been behind it all.

Moolah founder Ryan Kennedy, aka Alex Green, became a suspect in stealing coins, claiming they were hacked and later selling them at LocalBitcoins.com.

In another even crazier development, Kennedy was convicted of rape in 2016.

The list of Kennedy’s exploits also includes running off with funds from Dogebot (a Dogecoin robot on Reddit).

Ryan Kennedy is serving an 11 year sentence for 3 counts of rape. He was acquitted of 8 other rape charges.

He’s still being tried for the MintPal hack.

BitPay

A successful phishing attack against BitPay’s CFO Bryan Krohn was the intrusion vector for the BitPay heist.

Over 5000 BTC were stolen from the payment services company after the hacker used social engineering tactics to learn about Krohn’s habits and workflow, presumably by reading his email history.

The hacker impersonated an influential client of BitPay to request large sums of Bitcoin in 1000 BTC chunks. 5000 BTC were stolen before the company decided to check with the client if the requests were legit, to which they received a negative reply. But it was too late by then, the funds were already in the hacker’s possession.

BitPay’s troubles were only beginning. The insurer refused to cover the losses, claiming it was BitPay’s negligence that led to the heist. BitPay later sued the insurance company over the ordeal.

Cryptsy

This was perhaps the second highest profile cryptocurrency scandal of 2014.

The Cryptsy heist hit Bitcoin very hard in the same year as the MtGox scandal and was also largely responsible for that year’s bear market.

This is a controversial hack which has many internal details that weren’t fully revealed to the public.

Sometime during 2013 over 13,000 BTC and 300,000 LTC disappeared from Cryptsy. The exchange kept working like nothing had happened until a year later the story of the 2013 hack was revealed.

The story came out because Cryptsy customers sued the company in the USA. Due to the earlier hack, Cryptsy was making it difficult for users to withdraw so as to gain enough time to cover the losses. The plan didn’t work out and everything was revealed in 2014.

Later it was discovered that the person behind the 2013 hack was the same guy behind the Lucky7Coin.

Cryptsy’s CEO was later convicted and ordered to pay U$ 8 million in damages.

Poloniex

In March 2014 yet another high profile hack took place.

This time Poloniex, one of the top exchanges at the time, was the target.

The attack was quite clever and resembled the MyBitcoin wallet hack: it exploited the timing of transactions.

As it turns out, if you placed several withdrawal orders at exactly the same time, the system did not synchronize them, attempting to process as many as possible in parallel. A classic blunder in banking systems: before one transaction completes, the balance has been changed by another transaction but, by then, this transaction had already started with a positive balance.

When all the requests were done the balance was negative but it was too late – blockchain transactions are irreversible.

This hack also exploits a very common mismatch between credit cards, checks and cryptocurrencies. The former are reversible, the latter is not. So you can buy cryptocurrency, void the check and run off with the crypto. After the Poloniex withdrawals were processed, there was no way to roll them back on the blockchain, even though it would be possible to revert them within the system.

When the attack was finally identified, Poloniex had lost over 12% of its Bitcoin reserves.
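The unsynchronized withdrawal race described above, beside a serialized version, as an added example that is not Poloniex's code. The `Ledger` class, the amounts and the use of `asyncio` to interleave requests are assumptions for the illustration.

```python
import asyncio


class Ledger:
    """One customer's balance plus a running total of what was paid out."""

    def __init__(self, balance):
        self.balance = balance
        self.paid_out = 0
        self._lock = asyncio.Lock()

    async def _send_on_chain(self, amount):
        # Stand-in for broadcasting the payout. It yields control, as a real
        # network or database call would, so other requests run meanwhile.
        await asyncio.sleep(0)
        self.paid_out += amount          # irreversible once broadcast

    async def withdraw_racy(self, amount):
        if self.balance < amount:        # check ...
            return False
        await self._send_on_chain(amount)
        self.balance -= amount           # ... act, after others already checked
        return True

    async def withdraw_serialized(self, amount):
        # One request at a time per account, and the balance is reserved
        # before anything irreversible happens.
        async with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            await self._send_on_chain(amount)
            return True


def run_burst(method_name, balance, amount, requests):
    """Fire `requests` simultaneous withdrawals; return (accepted, balance, paid)."""
    async def burst():
        ledger = Ledger(balance)
        method = getattr(ledger, method_name)
        results = await asyncio.gather(*(method(amount) for _ in range(requests)))
        return sum(results), ledger.balance, ledger.paid_out
    return asyncio.run(burst())


if __name__ == "__main__":
    # Constructed scenario: balance of 100, five simultaneous requests for 80.
    print("racy:      ", run_burst("withdraw_racy", 100, 80, 5))
    print("serialized:", run_burst("withdraw_serialized", 100, 80, 5))
```

In a multi-process service the same guarantee has to come from the datastore, for example a conditional update that debits only if the balance is still sufficient, because an in-process lock does not span workers.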

Mt Gox

Magic The Gathering X-change.

That was the initial idea behind the mtgox.com domain name early in 2006, three years before Bitcoin processed its first transaction between Satoshi and Hal Finney.

Jed McCaleb was an RPG gaming enthusiast who bought the domain name in order to promote game item trade. But soon he got interested in Bitcoin and used the domain name for cryptocurrency trade instead.

Five years later, in 2011, McCaleb sold the domain to someone who has now become infamous in the world of cryptocurrencies: Mark Karpeles.

Karpeles was at the right place, at the right time.

During MtGox’s reign as the leading Bitcoin exchange in 2011, BTC went from just under a dollar to over U$ 31 in June of that same year. A spectacular 3100+% run that drew worldwide attention to Bitcoin for the first time. Bitcoin had become a high risk investor’s dream and MtGox was the tool that made most of it happen.

From June 2011 to December, Bitcoin also burst its first bubble. Prices dropped back to U$ 1 just as quickly as they’d multiplied tens of times. It was a crazy year.

In 2013 everything seemed back on track. Bitcoin peaked at U$ 1000 by the end of that year. It was an amazing run, multiplying over 1000x from just over a year earlier. This is when Bitcoin started to become a household name and high risk investors from all over the world jumped aboard.

I began mining at the end of 2013. In early 2014 my house had become a mess of wires and funny expensive heaters hooked up to motherboards everywhere.

This is when trading Bitcoin got on my radar. I opened an account with MtGox and verified my identity using my driver’s license. Everything was going great. Not knowing that it wasn’t a good practice, I pointed my miners to the MtGox deposit address. This seemed great, I was buying and selling BTC, riding the wave.

Suddenly withdrawals were frozen. I couldn’t get my Bitcoins out of MtGox. For a few seconds that felt like an eternity, I simply froze.

I knew it was bad.

MtGox had become a blank screen staring back at me. I stared blankly at my miners still pumping BTC over to MtGox. The electricity bill sitting on my desk in front of me, under the computer monitor. Karpeles and his MtGox had destroyed my finances in an instant.

Switching off the mining operation and selling the hardware wasn’t the hardest part.

I’d gotten family members to invest in this with me. I owed each of them a bunch of money. The light bill was astronomical and I was broke. The MtGox coins were gone.

Watching the collapse of Bitcoin price throughout 2014 only made things worse. There was still some Bitcoin in my cold wallet but it was worth a tiny fraction of my debt.

MtGox and Mark Karpeles were responsible for unspeakable pain around the world. Thousands of honest investors had been hoodwinked and were left on their own. No support, no way to get the coins back, just a blank page.

But, in the end, investing in MtGox was entirely my fault for not performing due diligence. I learned the hard way that when you don’t hold the private keys, then you don’t own the coins. That’s the most important law of crypto.

MtGox had been hacked twice already in years before. I didn’t care to do any research, in fact I only found out about the earlier hacks much later.

Mark Karpeles had very limited security and computer programming knowledge and he made that public. It should’ve been a major red flag before investing in his platform.

His own accounts were hacked and internal MtGox accounting information leaked online.

The MtGox source code that was leaked was a disaster. Users immediately found tens of bugs upon first sight.

The warning signs were everywhere but unfortunately many miners, investors and cryptocurrency enthusiasts like myself did not heed them.

It’s important to mention that, unlike the 2010 hack, the MtGox heist was completely unrelated to Bitcoin. It was due to bad implementation, bad security or perhaps a dose of foul play.

 2015

Bitstamp

In January of 2015 six Bitstamp employees were the target of a carefully planned phishing attack that cost the exchange 19,000 BTC.

This was one of the most clever hacks I’ve seen in crypto. A mix of social engineering and clever tactics led to a major heist.

Like most exchanges, the Slovenian company required KYC verification in order to lift limits for its customers.

During Skype chats with the verification team, the hacker was able to convince a Bitstamp employee to download a Microsoft Office document.

What Bitstamp didn’t know is that this document was a carefully coded trojan horse.

When opened, the DOC ran a VB script that downloaded malware from the Internet. The malware ran and started to scrape the internal network for wallet.dat files.

The malware found several wallets and sent them to the hackers.

Fortunately, though, the cold wallets were offline and air gapped, which prevented further damage.

BTER

Just one month after the Bitstamp hack, BTER became the target of a different kind of attack.

A total of 7170 BTC were stolen in a rather unusual way: the cold wallets were targeted.

The amount was split mostly into 15 BTC chunks within the same transaction, which is unusual because they could’ve just sent the whole lot at once and paid less in per-byte fees. Splitting stolen BTC into smaller chunks is usually done to avoid large transaction monitoring bots like @whale_alert on Twitter.

The exchange offered a bounty of over 700 BTC for the recovery of the BTC.

A year later users still complained that their BTC had not been returned.

Not too long before, BTER had already been victim of another hack, this time against NXT coins.

796Exchange

Chinese 796 lost 1000 BTC in a well crafted attack against its order processing system.

During the transfer of funds, hackers were able to intercept transactions and divert them from the intended address.

796 CEO, Nelson Yu, promised all account holders that the financial backers would cover the losses and repay all customers.

Shareholders waived their dividends for that year in order to cover for the 1000 BTC.

 2016

Gatecoin

In May 2016 an attack on Gatecoin’s hot wallets cost them U$ 2 million in damages.

As much as 185,000 ETH and 250 BTC were stolen in the heist.

Interestingly, The DAO ICO was at full speed during this hack. Gatecoin’s own DAO (decentralized autonomous organization) project thus got a lot of attention and received massive funding stemming from the hype around The DAO.

The DAO was notably hacked soon after as well, in what became one of the most famous cryptocurrency thefts of all time (see below).

Monero

A white hat hacker discovered a major flaw in Monero and disclosed it privately to the developers before making it public.

This particular story has a happy ending as the ethical hacker warned the cryptocurrency devs before exploiting it to his own profit.

Monero being 100% anonymous and untraceable, this hacker could’ve stolen millions of U$ and gotten away with it.

Shapeshift

In April 2016 an inside job cost Shapeshift U$ 230,000.

An employee had stolen U$ 130,000 one month earlier. After he was finally discovered and fired, he sold internal details to a hacker who later stole an additional U$ 100,000 from the popular cryptocurrency exchange.

There was little technical complexity to the hack as it was straight up old school theft.

Apparently a lawsuit was filed against the employee but Shapeshift declined to give details about it.

The DAO

The DAO hack was one of the most technically impressive ever devised.

Whoever crafted this exploit had a deep understanding of Solidity, the Ethereum smart contract language, and of the semantics of smart contracts.

The hacker exploited a badly coded section of the DAO smart contract. There was a function that performed a certain action before it updated the balance. The attacker found a way to make this function call itself several times recursively before updating the balance. As a result, over 36 million Ethereum were funneled out of The DAO ICO funds and into the hacker’s address.
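The pay-before-update ordering described above, beside the corrected ordering, as an added example. This is a Python model rather than Solidity and is not The DAO's contract code; the `Vault` class, the recipient classes and the amounts are assumptions for the illustration.

```python
class Account:
    """A passive recipient: it only records what it receives."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def on_receive(self, vault, amount):
        self.received += amount


class ReenteringRecipient(Account):
    """A recipient whose receive hook calls back into the vault (constructed)."""

    def __init__(self, name, withdraw_method, max_reentries):
        super().__init__(name)
        self.withdraw_method = withdraw_method
        self.max_reentries = max_reentries
        self.reentries = 0

    def on_receive(self, vault, amount):
        self.received += amount
        if self.reentries < self.max_reentries:
            self.reentries += 1
            getattr(vault, self.withdraw_method)(self)   # re-enter mid-payment


class Vault:
    def __init__(self):
        self.credit = {}    # bookkeeping: what each depositor is owed
        self.funds = 0      # what the contract actually holds

    def deposit(self, who, amount):
        self.credit[who.name] = self.credit.get(who.name, 0) + amount
        self.funds += amount

    def _send(self, who, amount):
        if amount > self.funds:
            raise RuntimeError("vault has insufficient funds")
        self.funds -= amount
        who.on_receive(self, amount)    # external call: recipient code runs here

    def withdraw_vulnerable(self, who):
        amount = self.credit.get(who.name, 0)
        if amount == 0:
            return
        self._send(who, amount)         # interaction first ...
        self.credit[who.name] = 0       # ... bookkeeping updated last

    def withdraw_safe(self, who):
        amount = self.credit.get(who.name, 0)
        if amount == 0:
            return
        self.credit[who.name] = 0       # bookkeeping first
        self._send(who, amount)         # interaction last: re-entry sees zero


def simulate(withdraw_method, reentries=4):
    """Return (paid to the re-entering recipient, funds left, vault solvent?)."""
    vault = Vault()
    honest = Account("honest")
    hooked = ReenteringRecipient("hooked", withdraw_method, reentries)
    vault.deposit(honest, 90)           # constructed amounts
    vault.deposit(hooked, 10)
    getattr(vault, withdraw_method)(hooked)
    solvent = vault.funds >= sum(vault.credit.values())
    return hooked.received, vault.funds, solvent


if __name__ == "__main__":
    print("vulnerable:", simulate("withdraw_vulnerable"))
    print("safe:      ", simulate("withdraw_safe"))
```

The solvency check at the end of `simulate` (funds held must cover credit owed) is the invariant an audit or monitoring job would assert.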

The DAO had a significant impact in the history of Ethereum.

After the hack, there was enormous controversy as to whether Ethereum should fork the chain and reverse the hacked transactions. Long story short, those who believed the hack should be reverted remained in Ethereum and those who thought no transactions should ever be reverted due to badly coded contracts then founded Ethereum Classic.

So the original Ethereum blockchain, including the DAO hack is now called Ethereum Classic, whereas Ethereum (which was the original once) is the forked version with the DAO hack transactions rolled back.

The DAO is often cited in smart contract security guides due to the highly specialized nature of the hack. After DAO, all contracts are verified for the bug that led this otherwise highly successful ICO to its demise.

Interestingly, the attack author argued for the full legality of his actions, saying he only used a feature that DAO published voluntarily.

Bitfinex

This was one of the biggest BTC thefts of all time. Over 119,000 BTC were stolen, the equivalent of U$ 1.14 billion in today’s values.

It was a highly sophisticated hack that was able to piece together several very complex requirements in order to make such large withdrawals.

One of the most intriguing aspects of this hack is it involved multi-signature wallets. In this specific case, in order to move the funds, at least 3 people had to sign the transactions. How the hackers were able to obtain the 3 private keys necessary for this remains a mystery. Wild theories have circulated about it being an inside job.

In 2019 the US Government returned 27 BTC to Bitfinex. According to authorities they were able to trace these coins back to the 2016 hack.

Bo Shen

Cryptocurrency investor Bo Shen, head of Fenbushi Capital, had U$ 300,000 worth of Augur and ETH stolen from him in December, 2016.

The stolen coins were immediately dumped in the market, causing a big price drop which Augur founder Jack Peterson explained as such:

SIM-swap SMS Hackfest

Numerous individual investors had their SIM cards swapped during the year 2016. Using social engineering at local telecoms, attackers could impersonate the client and get the phone number changed to a different SIM card.

With the new SIM card they could receive 2FA codes from cryptocurrency exchange logon processes.

Several SIM swapping busts were made in 2016 which, for some reason, became the year of the SIM spoofing hacks.

 2017

BitGrail

In late 2017, Italian cryptocurrency exchange BitGrail was hacked and 2.5 million NANO were stolen.

Initially, the exchange reported the issue as a “maintenance”:

All investors had to do was scan BitGrail’s Twitter feed and see that it had been embattled for months, with tens of tweets apologizing and explaining technical issues.

After stressful exchanges between BitGrail and NANO developers, with mutual accusations, BitGrail shut down in 2018 and hasn’t been active on social networks since.

One year later, the former BitGrail CEO was sentenced to pay all investors back for the lost funds.

dogetipbot

In May 2017 dogetipbot creator Josh Mohland posted a notice to Reddit users saying he was broke and he had spent all the dogetipbot DOGE coins to pay for his own expenses.

The bot was taken down, the coins were all wiped out and the only thing users could do was protest.

Mohland had filed for Chapter 7 bankruptcy for his business, which was aptly named Wow Such Business Inc (a reference to the Doge meme).

About U$ 150,000 of Reddit users’ DOGE coins were gone just like that.

Nicehash

Nicehash isn’t a traditional exchange. Instead of buying and selling cryptocurrencies, they deal in hashpower.

You download a mining application which uses your computing power to produce the most profitable coin at the moment. It then converts the mined coin into Bitcoin and pays you BTC shares every hour.

In December 2017, just as Bitcoin hit the highest valuation ever, Nicehash fell victim to a hack that cost them U$ 60 million at the time.

The Bitcoin hot wallet where Nicehash kept miner funds was stolen – a 100% loss of funds.

Despite the worst predictions, though, Nicehash was able to return to business a few days later.

Tether

In November 2017, near Bitcoin’s all time high price, Tether announced that they’d lost 30.95 million USDT tokens.

Users then quickly noticed that the target Omni address had been frozen:

Questions were immediately raised about Tether’s power to fork the system and freeze addresses:

Tether’s history has no shortage of controversy.

Whether it’s their ties to Bitfinex or investigations by the New York Attorney General, Tether seems to find comfort in chaos. Over 90% of all daily Bitcoin volume is traded in Tether. Regardless of my opinion about this crypto asset, it’s still very relevant to the Bitcoin ecosystem.

Parity Wallet

Parity is a multi-signature Ethereum wallet. In July 2017 its source code was cleverly exploited and it fell victim to one of the largest Ethereum thefts of all time.

Over 150,000 ETH were stolen in a single attack.

The way the funds were stolen is a masterclass for cryptocurrency developers.

The wallet included code that allowed it to abstract some functions. This code had a bug in it that allowed regular, non-privileged, users to run administrator-level functions. The attackers simply called the function which changes the contract owners. This function is usually reserved for a single ETH address and is set when the smart contract is deployed.

Parity, on the other hand, allowed the owner to be changed. After changing the contract owner, all funds deposited at the contract address were withdrawn.
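The missing access control described above, beside a guarded version, as an added example. It is a Python model and not Parity's contract code; the class names, function names, the caller names and the call-forwarding design are assumptions for the illustration.

```python
class WalletLibrary:
    """Shared logic that wallets forward calls to; it acts on the wallet's state."""

    @staticmethod
    def init_owners(wallet, caller, owners):
        wallet.owners = set(owners)          # no check on who calls, or when

    @staticmethod
    def init_owners_once(wallet, caller, owners):
        if wallet.initialized:               # hardened: set-up runs one time only
            raise PermissionError("wallet already initialised")
        wallet.owners = set(owners)
        wallet.initialized = True

    @staticmethod
    def execute(wallet, caller, to, amount):
        if caller not in wallet.owners:
            raise PermissionError("caller is not an owner")
        if amount > wallet.balance:
            raise ValueError("insufficient balance")
        wallet.balance -= amount
        return to, amount


class Wallet:
    """Thin wallet that forwards named calls to the shared library."""

    def __init__(self, owners, balance, init_fn, exposed=None):
        self.owners = set()
        self.initialized = False
        self.balance = balance
        self.exposed = exposed               # None: forward any name (the flaw)
        getattr(WalletLibrary, init_fn)(self, "deployer", owners)

    def call(self, caller, fn_name, *args):
        if self.exposed is not None and fn_name not in self.exposed:
            raise PermissionError(f"{fn_name} is not externally callable")
        return getattr(WalletLibrary, fn_name)(self, caller, *args)


def outsider_can_take_over(wallet, init_fn):
    """Replay the call sequence from the text as 'mallory', a non-owner."""
    try:
        wallet.call("mallory", init_fn, ["mallory"])
        wallet.call("mallory", "execute", "mallory", wallet.balance)
    except PermissionError as err:
        return False, str(err)
    return True, "owners replaced and funds moved"


def build_wallets():
    """Constructed wallets: the flawed one and two hardened variants."""
    owners = ["alice", "bob"]
    weak = Wallet(owners, 1000, "init_owners")
    guarded = Wallet(owners, 1000, "init_owners_once")
    allowlisted = Wallet(owners, 1000, "init_owners_once", exposed={"execute"})
    return weak, guarded, allowlisted


if __name__ == "__main__":
    weak, guarded, allowlisted = build_wallets()
    print(outsider_can_take_over(weak, "init_owners"), weak.balance)
    print(outsider_can_take_over(guarded, "init_owners_once"), guarded.balance)
    print(outsider_can_take_over(allowlisted, "init_owners_once"), allowlisted.balance)
```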

Youbit / Yapizon

2017 was a bad year for Youbit. Within less than 9 months it was hacked twice and was forced to shut down when cryptocurrencies were at or near their all time high prices.

First, in April 2017, Youbit (then called Yapizon) was robbed of 4,000 BTC.

Then, in November, the exchange lost 17% of their total cryptocurrency balances in a second and more damaging hack.

North Korea was accused, by more than one research firm, of being behind the attack. But, as is often the case with cryptocurrency hacks, tracing the true origin can be very difficult.

Youbit reappeared briefly in early 2018, before fading again into oblivion.

EtherDelta

A serious vulnerability was discovered in the EtherDelta smart contract code which, combined with traditional Internet exploits (DNS, specifically), allowed hackers to steal funds from the DEX.

The security researcher who found this reported the flaw to EtherDelta before he made it public, allowing them to launch a new smart contract with the flaw corrected.

Unfortunately, a malicious hacker had already used the flaw to siphon out large sums of Ethereum.

The problem here was mixing a Dapp with traditional centralized app strategies.

Session data was collected using simple PHP scripts that anyone can write and host even for free in some cases. The scripts were accessed by users who fell victim to a poisoned DNS system which detoured traffic from its intended target to these PHP scripts. The bigger issue was EtherDelta accepting this session data as parameters on their decentralized exchange. Combining the old school hack with newly discovered flaws in the DEX’s smart contract allowed the hackers to get away with a major ETH heist.

The hunt for the EtherDelta hacker has been ongoing for years as we write this.

 2018

Monacoin and Monappy

In May 2018 Monacoin was hit with a selfish mining attack.

As you may know from Satoshi’s original whitepaper, the longest chain is always considered the official blockchain. If someone is able to craft a valid longer chain, they then lead the mining. In short, in a selfish mining attack, a miner solves a block but does not tell anyone. They must then solve the next block very quickly and then broadcast that next block. They then have the longest chain which only they have started to mine, before everyone else. If this advantage is maintained long enough, several blocks can be mined all by themselves before anyone else is able to catch up.
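To see when withholding blocks actually pays, here is an added simulation (not from the original article) of the strategy described above, in the general form given in Eyal and Sirer's selfish mining paper. The hashrate shares and the gamma parameter are constructed inputs, not figures from the Monacoin incident.

```python
import random


def selfish_mining_share(alpha, gamma=0.0, blocks=200_000, seed=1):
    """Fraction of main-chain blocks won by a selfish miner with hashrate share alpha.

    gamma is the fraction of honest miners that build on the attacker's block
    when two competing blocks of equal height are announced.
    """
    rng = random.Random(seed)      # fixed seed: constructed, repeatable run
    lead = 0                       # withheld blocks ahead of the public chain
    racing = False                 # True while two equal-length branches compete
    attacker = honest = 0          # blocks that end up on the main chain
    for _ in range(blocks):
        attacker_found = rng.random() < alpha
        if racing:
            if attacker_found:             # attacker extends own branch, wins both
                attacker += 2
            elif rng.random() < gamma:     # honest miner built on attacker's block
                attacker += 1
                honest += 1
            else:                          # honest branch wins both blocks
                honest += 2
            racing = False
        elif attacker_found:
            lead += 1                      # keep the new block private
        elif lead == 0:
            honest += 1                    # nothing withheld: ordinary honest block
        elif lead == 1:
            racing, lead = True, 0         # publish the withheld block: 1-vs-1 race
        elif lead == 2:
            attacker += 2                  # publish both, orphaning the honest block
            lead = 0
        else:
            attacker += 1                  # release one block, stay ahead
            lead -= 1
    return attacker / (attacker + honest)
```

With gamma = 0 the strategy only beats honest mining once the miner holds more than a third of the hashrate; below that, withholding loses blocks instead of gaining them.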

Perhaps one of the most harmless (and least valuable) hacks in this article, the total advantage obtained by the hacker was around U$ 90 thousand. Still not bad for a few moments of cleverness.

Bancor

In July 2018 one of Bancor’s wallets was hacked and U$ 12.5 million in ETH were stolen, along with NPXS and Bancor’s own BNT token.


The Bancor hack generated an intense debate about decentralization.

Some claimed that if Bancor was truly decentralized, then it couldn’t operate a centralized wallet out of which users’ funds could be hacked. A really decentralized exchange also could not control accounts in any way, such as freezing funds.

Coincheck

One of Japan’s largest exchanges, Coincheck made history in early 2018.

Just as Bitcoin was coasting from its recent all-time high record, Coincheck was hit with one of the greatest thefts in history when U$ 530 million were stolen in a single attack.

Contrast this with “The Great Train Robbery” where approximately U$ 63 million in today’s values were taken. While movies were made about the railway exploit and its perpetrators became as famous as Bonnie and Clyde, the Coincheck thieves remain completely anonymous and nobody ever mentions a heist almost 10x as big.

Details eventually emerged, showing several bad security practices by Coincheck.

All of their NEM was kept in a single hot wallet, which allowed the hackers to gain access to 100% of their funds as soon as they accessed the wallet.

Secondly, they did not employ multisig, which requires more than one person to sign large transfers. A single private key would do.

Coincheck being in Japan raised immediate comparisons to the scandal at MtGox, which was based in Tokyo. Japan took several regulatory measures as a response to MtGox, and Coincheck would also usher in several new requirements for crypto exchanges.

And, of course, North Korea was also accused of being behind this attack.

Zaif

2018 was a difficult year for Japanese cryptocurrency exchanges. Just as the dust had begun to settle after the Coincheck hack, in September 2018, Osaka-based exchange Zaif woke up to a terrible surprise.

Hackers had siphoned off about U$ 60 million (billions of Yen) in Bitcoin, Bitcoin Cash and Monacoin. Its hot wallets had been compromised and funds were sent away in minutes.

The company had to get a loan to pay creditors and entered a period of financial distress. Soon after it was sold and the new management relaunched the exchange.

IOTA

It was January 2018 when 85 IOTA investors found their wallets completely empty. In total, EUR 11 million had vanished.

Several police reports filed in Europe sent Europol after the thief. After initial investigations, Germany became the focus of the high tech pursuit.

The IOTA hack was unique in that it employed the wallet recovery seed to steal from users.

As reported by Reuters, a website called IOTASeed.io was being used by IOTA users to generate wallet recovery seeds. What these investors didn’t suspect is that a seed is effectively an encoded version of the private key! Each character in the seed maps to a numeric value in a table, which is then put together to form the 81 character seed used by IOTA.

Investors then generated seeds on iotaseed.io and went on with their lives, not minding the fact that the people behind iotaseed had several perfectly valid private keys at their disposal!

The hackers monitored the blockchain for deposits. Once investors funded their IOTA wallets, all the hackers had to do was open their own IOTA wallet using the seed and transfer the funds out as if they owned the wallet themselves.

This reinforces the motto “if you don’t own the private keys, you don’t own the coins”.

Seed generators should never be used!

The same tactic was used by corrupt Nano Ledger sellers who were pre-configuring the wallets with a seed which came printed on a piece of paper inside the box. The sellers kept a copy of each seed. If you funded one of those Nano Ledgers with any significant amounts, the funds would mysteriously disappear!
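An added example (not code from IOTA or from the original article) of the safer route: build the 81-character seed on your own machine from the operating system's CSPRNG and validate it locally. The numeric value used for each character is simply its index in the 27-symbol seed alphabet, and third_party_generator is a hypothetical model of a generator run by someone else.

```python
import math
import random
import secrets

TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the 27 symbols an IOTA seed may use
SEED_LENGTH = 81


def seed_to_values(seed):
    """Map each seed character to its index (0..26) in the alphabet.

    The index stands in for the article's lookup table (an assumption of this
    example). Malformed seeds are rejected.
    """
    if len(seed) != SEED_LENGTH:
        raise ValueError(f"seed must be {SEED_LENGTH} characters, got {len(seed)}")
    bad = sorted(set(seed) - set(TRYTE_ALPHABET))
    if bad:
        raise ValueError(f"characters outside the alphabet: {bad}")
    return [TRYTE_ALPHABET.index(ch) for ch in seed]


def generate_seed_locally():
    """Draw every character from the operating system's CSPRNG, on your own machine."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def seed_entropy_bits():
    """Entropy of a uniformly random seed: 81 * log2(27), about 385 bits."""
    return SEED_LENGTH * math.log2(len(TRYTE_ALPHABET))


def third_party_generator(operator_state):
    """Hypothetical model of a generator someone else runs.

    The output is a pure function of state the operator holds, so the operator
    can reproduce every seed it has handed out.
    """
    rng = random.Random(operator_state)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))
```

All that entropy protects nothing if another party saw the seed being made: the two calls to third_party_generator with the same state return the same "secret".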

VERGE Hack

In April 2018 a Bitcointalk user called ocminer posted a warning to the community about a possible 51% attack on the Verge cryptocurrency.

A highly sophisticated timing attack exploited one of Verge’s most interesting features: the timing of the rotating cryptographic algorithm. The attacker was able to fool the Verge algorithm by setting blocks with a date in the past, offsetting the system’s reference time for newer blocks.
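One way to spot blocks stamped with a date in the past, as an added example that is not Verge's code or part of the original article: flag any block whose timestamp is not later than the median of the blocks before it. The 11-block window is Bitcoin's median-time-past rule, borrowed here as an assumption, and the sample headers are constructed.

```python
from statistics import median

MTP_WINDOW = 11   # Bitcoin's median-time-past window (assumption, not Verge's rule)


def backdated_blocks(headers, window=MTP_WINDOW):
    """Return (height, seconds_behind_median) for every backdated block.

    headers: list of (height, unix_timestamp) tuples in chain order.
    A block is flagged when its timestamp is not later than the median
    timestamp of the preceding `window` blocks.
    """
    flagged = []
    for i, (height, timestamp) in enumerate(headers):
        previous = [t for _, t in headers[max(0, i - window):i]]
        if not previous:
            continue                      # first block: nothing to compare against
        mtp = median(previous)
        if timestamp <= mtp:
            flagged.append((height, mtp - timestamp))
    return flagged


# Constructed sample chain: 60-second blocks, two of them stamped in the past.
BASE = 1_700_000_000
SAMPLE_HEADERS = [(1000 + n, BASE + 60 * n) for n in range(20)]
SAMPLE_HEADERS[14] = (1014, BASE + 60 * 2)
SAMPLE_HEADERS[15] = (1015, BASE + 60 * 3)
```
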

From block 2007365 onwards, the attacker was able to dominate XVG mining and produce over 250,000 coins. Reports of the total hacked vary from U$ 15,000 to 250,000 or more (possibly undetected before).

A relatively small attack financially, but technically very relevant due to the unprecedented exploit.

Verge price collapsed after the attack and has never recovered.

Verge price decline after 51% attack. Chart: CoinMarketCap.com

POWH

Proof of Weak Hands – that’s the concept behind POWH. It was a deliberate Ponzi scheme! There was no secret about this – the original plan was to produce a semi-serious ERC-20 token which would behave in unusual ways by default. Source code was published and everyone who got involved knew what they were getting into (which is striking because POWH received over U$ 1 million in funds).

POWH was exploited using something similar to the 2010 Bitcoin Hack we discussed earlier in this article: negative integer overflows. As explained before, when computers treat signed integers as unsigned, weird things happen. Like, for example, a number flipping from negative to positive with a very high value in it (when the interpreter/computer treats the high end sign bit as a value and not a flag).

Someone was able to generate a negative balance for POWH holders by exploiting a flaw in the smart contract. They were able to withdraw more than the funds available and the negative balance was treated as a very large positive number. The resulting balance was then an astronomically large amount of POWH tokens.
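The wrap-around described above, as an added Python model that is not the POWH contract's code: an unsigned 256-bit balance debited without a check, next to the checked version, plus a supply invariant that catches the result. Account names and amounts are constructed.

```python
UINT256_MAX = 2**256 - 1


def sub_wrapping(a, b):
    """uint256 subtraction as Solidity performed it before version 0.8: wraps silently."""
    return (a - b) & UINT256_MAX


def sub_checked(a, b):
    """Subtraction that refuses to go below zero (the SafeMath-style fix)."""
    if b > a:
        raise ArithmeticError("underflow: debit exceeds balance")
    return a - b


class TokenLedger:
    """Simplified token balances; `sub` selects wrapping or checked arithmetic."""

    def __init__(self, balances, sub):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.sub = sub

    def transfer(self, sender, recipient, amount):
        # Debit first, then credit; the debit is where the wrap happens.
        debited = self.sub(self.balances.get(sender, 0), amount)
        self.balances[sender] = debited
        credited = self.balances.get(recipient, 0) + amount
        self.balances[recipient] = credited & UINT256_MAX

    def supply_invariant_holds(self):
        """Detection: no balance may exceed the supply, and balances must sum to it."""
        values = self.balances.values()
        return (all(b <= self.total_supply for b in values)
                and sum(values) == self.total_supply)


def overdraw(sub):
    """Constructed scenario: an account holding 1 token tries to send 2."""
    ledger = TokenLedger({"holder": 1, "other": 100}, sub)
    try:
        ledger.transfer("holder", "other", 2)
    except ArithmeticError:
        pass                      # checked arithmetic rejected the transfer
    return ledger
```
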

POWH disintegrated and so did its market value. The crowd’s U$ 1 million burned like kerosene in an instant.

Coinrail

It’d already been a few rough seasons for South Korean cryptocurrency exchanges when Coinrail was hit with a U$ 40 million heist in mid 2018.

Interestingly, relatively unknown ICOs were targeted in this hack: Pundi X’s NPXS tokens, Dent (dental coin) and Aston X. TRON was the more notable token, having about U$ 1 million stolen from Coinrail customers.

The NPXS tokens were dumped at IDEX and mixed minutes later, making it impossible to get them back.

The Coinrail hack contributed to 2018’s massive cryptocurrency rout, further accelerating the losses that began in late 2017.

Bithumb

Bithumb’s working wallets were hacked and approximately U$ 30 million were stolen in mid 2018, further intensifying the hard hitting bear market.

About U$ 14 million were later recovered but U$ 17 million were gone forever.

Bithumb has since deleted tweets related to the attack (such as https://twitter.com/BithumbOfficial/status/1009239883645243392).

But the thread which stemmed from the above deleted tweet is still published.

Coinsecure

India’s largest cryptoasset exchange Coinsecure was hacked in April 2018. Founded in 2014 by Mohit Kalra and Benson Samuel, Coinsecure grew at impressive speed until India’s government started to regulate and prohibit several activities related to cryptocurrencies.

Apparently, Coinsecure was using a single signature wallet to hold its funds. Unlike the 2016 Bitfinex hack, where the attackers were able to compromise a multi-sig system, here all the hacker had to do was gain access to one private key.

Coinsecure was able to refund the majority of its customers but it was forced to shut down soon after.


 2019

Binance

Binance’s impressive growth and dominance did not come without hurdles.

In 2019 the exchange faced some of its biggest challenges yet with alleged KYC leaks, blackmail and finally a hack that shook the cryptocurrency world.

For once, the funds were not SAFU. Or were they?

In May 2019, hackers used the Binance API to move U$ 40 million. The company did not publicize how many customers were affected. Binance CEO Changpeng Zhao (CZ) mentioned that the hackers were “very patient” and that they had taken extreme care not to trip the system’s alarms, indicating that the hackers had high technical skill and knew the innards of the system.

Bitcoin Reorg Controversy

This particular hack generated an enormous controversy when CZ implied that he could convince certain large players in Bitcoin to reverse the transactions.

It’s been long speculated that this is possible, since over 51% of the hashrate is concentrated in China. CZ allegedly made a few phone calls and was able to convince over 51% of Bitcoin hashrate to reorganize the Bitcoin blockchain.

After immense backlash, CZ came out and said he’d “decided” not to “pursue” the idea.

For anyone who can put 2 and 2 together it became obvious that the > 51% hashrate concentration in China remains a major problem.

But most of the Bitcoin community was happy with the convincing apologies that followed.

The point is: Bitcoin can be reorganized if enough of the hashrate colludes. This isn’t new; it’s right there in Satoshi’s original whitepaper from 2008.

Satoshi Nakamoto assumed that the high cost for performing a 51% attack would be an incentive to mine BTC and earn honest coins instead of hacking the chain.

But the reorg can be done – and with the Binance hack now we know it’s been considered as recently as May 2019.

Bithumb

Just months after the 2018 hack, Bithumb falls again.

3 million EOS and 20 million Ripple (XRP) got stolen by Bithumb insiders.

According to a post on the Bithumb blog, the main cold wallets containing customer funds were safe. The hacked wallets were from Bithumb’s operational sector.

As of August 2019, Bithumb continues in normal operation.

Cryptopia

Just two weeks into 2019 Cryptopia was hacked and over 20,000 ETH were reportedly stolen. The exchange kept a low profile about the hack several hours into the incident, having given users a brief notice of technical issues.


There were initial suspicions that the EtherDelta hacker could’ve been behind the Cryptopia attack, but this was later denied by several experts.

CoinBene

CoinBene customers woke up to a surprise in March 2019. The system was “under maintenance” and would be inaccessible for a while.

There was a problem, though: tons of funds were being illegally siphoned out of CoinBene’s wallet just as customers stared at a regular downtime notice.

The stolen tokens were quickly exchanged for the more valuable Ethereum using decentralized exchanges such as EtherDelta.

Estimates of the total worth of stolen cryptoassets range from U$ 100 to over 200 million.

Some strange transactions involving tokens hosted in the platform led some users to suspect foul play.

As of September 2019, Coinbene is operating normally.

DragonEx

Singapore crypto enthusiasts faced an unexpected maintenance notice on DragonEx’s interface early March 24, 2019.

The seven year old exchange had a good track record and users didn’t suspect anything beyond the system upgrade notice. But there was more to it in this case.

A Telegram message posted by Joanne of the DragonEx staff publicized all addresses involved in the hack.

Investigations into the theft are still ongoing.

Bitpoint

Tokyo based Bitpoint was hacked in July 2019. U$ 32 million are reported lost.

Large sums of Bitcoin, XRP and ETH were stolen in yet another Japanese cryptocurrency exchange heist.

The hack involved old school wallet theft. The private keys were obtained by hackers who simply signed transactions, emptying the compromised hot wallets.

Bitpoint is fully licensed in Japan and abides by the Japanese Financial Services Agency’s stringent compliance requirements for financial institutions.

Per the Japanese regulations the exchange must refund its customers, which it did soon after the hack was detected.

Unfortunately decentralized cryptocurrencies completely ignore regulations and only obey the laws of security and cryptography.

Some of the funds have been recovered, but investigations are still ongoing.

Conclusion

As you can see, the number of hacks is increasing with time.

2019 was an especially active year for cyber thieves. As more and more cryptocurrency services are launched we can expect related crime to rise with it.

Most hacks have several things in common: poor handling of user input, mixing decentralized and centralized software paradigms (passing session variables and keys between centralized apps and Dapps for example) as well as structural problems, such as adopting single signature wallets for exchange hot and cold wallets.

As we can see, there is no specific target for hackers. Centralized, decentralized, hot wallets, cold wallets all have been compromised in both sophisticated and trivial hacks.

The cryptocurrency culture has introduced millions of average computer users to good security practices. Cryptography is no longer confined to banks and top secret operations; regular users have learned to encrypt their wallets, their hard drives and even their online communications.

Cryptocurrency has revolutionized the world of security. Never has so much value been stored in such tiny little codes we know as private keys.

Still, with all this development in information security, we can see that there’s still a lot more to be learned and done.

We’ll update this article with newer hacks as they happen so we invite you to bookmark it and return for future updates!