Imagine the start to your typical day. It probably goes something like this: you wake up to an alarm and complete your morning ritual of showering, brushing your teeth (I hope!), ideally having some breakfast and, most likely, some coffee or tea. You may check your emails before heading to work, or perhaps it’s one of the first things you do once you get to work. Perhaps you also check your portfolio of stocks and cryptocurrency.
To your horror you notice that the exchange with your cryptocurrency is experiencing downtime… an email notice was sent out about a possible hack and that they are investigating… later, news comes out that over 30% of the cryptocurrency assets held on the exchange were stolen in a hack! You start to freak out. Was your cryptocurrency part of the 30% that got stolen? Or would the exchange just discount everyone’s account 30% and share the loss? It doesn’t seem to matter much because the market is crashing on the news, down 20% in 3 hours!
Unfortunately, situations like the one described above are not too uncommon in the crypto space… especially in the early cryptocurrency days. Exchanges were few, with minimal to zero regulation for consumer protection. This left people who wanted to invest early in Bitcoin and other cryptocurrencies exposed to great risk.
There is a long trail of exchanges that have gone belly-up or continue to struggle after a major hack, although some have survived and continued to thrive. All of the ones that did survive owned up to the mistake quickly, took action to fix the problem and compensated their clients.
Top 6 Cryptocurrency Exchange Hacks
Exchange/Nation: Mt. Gox, Japan
Hack Date: January 2014
Value stolen/lost: ~$470 million USD worth of BTC then (worth $5.7 billion today), ~850,000 BTC
Details: One of the most notorious exchange failures, if not the most notorious. It originated as a refurbished website by Jed McCaleb (Overnet, Ripple/XRP, Stellar) that was initially developed to trade Magic: The Gathering trading cards in 2007. In 2010 it was redeveloped to trade Bitcoin and USD. McCaleb sold the site to Mark Karpeles in March 2011. This exchange is no longer active and was rife with errors and with lost and stolen bitcoin. The whole exchange was a big mess, with hacks that created a flash drop in the BTC price to 1 cent, allowing a hacker to acquire bitcoin and then sell it at its nominal price.
Mt. Gox then lost approximately 2609 BTC when they were sent to invalid wallet addresses in October 2011. That’s 2609 BTC gone forever, which decreased Bitcoin’s limited supply.
Furthermore, over a 2-3 year period ~850,000 BTC were stolen, allegedly by Alexander Vinnik (Russian hacker). Most of the BTC was kept in a hot wallet, and a hacker was secretly stashing away bitcoin from the hot wallet to other bitcoin addresses. A hot wallet is a wallet that stores bitcoin private keys, but it is software that exists online (much like a Facebook account or a Google/YouTube account). Because the private keys are stored online, they are always susceptible to attack. Due to this series of events, Mt. Gox’s demise in 2014 resulted in the loss of $473 million USD worth of BTC (~7% of the supply) and a claim for bankruptcy protection.
I entered the crypto-sphere after the whole Mt. Gox debacle and I haven’t done extensive reading on it; however, it is well known as one of the biggest exchange disasters in Bitcoin’s history.
Exchange/Nation: Bitstamp, Slovenia
Hack Date: January 2015
Value stolen/lost: ~19,000 BTC (worth ~$5,000,000 USD at the time, ~$75,000,000,000 today, fifteen times more valuable in almost 4 years)
Details: Founded in 2011, this exchange started as an alternative to the Mt. Gox exchange. It’s always useful to have more than one option out there for the consumer. However, due to the high value of Bitcoin, it too was the target of an attack. An anonymous hacker was able to gain access to the exchange’s hot wallet through multiple phishing attempts over many weeks. Apparently, the hacker would contact Bitstamp employees via email and Skype, enticing (or “phishing”) them to open a file or link containing malware. Eventually, the hacker succeeded in getting one of the employees to open the malware. The exchange’s hot wallet was compromised and the hacker walked away with 19,000 BTC.
Fortunately, Bitstamp was able to manoeuvre effectively and mitigate the loss of both assets and reputation. They rebuilt the entire exchange using a secure backup. It now employs multi-sig wallets (meaning that no one user alone can access the hot wallets) as well as cold wallet offline storage of the majority of their cryptocurrencies.
While sustaining a loss, Bitstamp did the right thing and is still operational today, ranking 23rd by exchange volume on CoinMarketCap.
Exchange/Nation: Bitfinex, Hong Kong (registered in the British Virgin Islands)
Hack Date: August 2016
Value stolen/lost: ~120,000 BTC (worth ~$72,000,000 USD at the time, ~$485,000,000,000 today).
Details: Bitfinex took a new approach to security. With all the other hacks occurring, they certainly would not fall prey to such vulnerabilities. They employed a multi-signature hot wallet, meaning that moving bitcoin out of the wallet required multiple signatures. The exchange partnered with a company called BitGo, who supplied the multi-sig wallet. In addition, the BitGo team would act as one of the signatures/authorizers of the multi-sig wallet, while Bitfinex would handle the other two. This allowed Bitfinex to provide better security while providing high liquidity, since they felt safe leaving more bitcoin/cryptocurrency on the hot wallets rather than on cold wallets.
The fault was that Bitfinex essentially instructed BitGo to sign off on all their access to the hot wallets. So there was the facade of an extra layer of security but BitGo seems to have acted like a dumb party, complicit to poor security. The whole idea of having a multi-sig wallet is that each signature has the authority to challenge your access. Anyway… that leaves the hack in the hands of a fault on the Bitfinex team.
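A simplified model of the point above, added here as an illustration and not taken from Bitfinex or BitGo: the wallet's threshold check only counts valid signatures, so a co-signer that approves everything adds no protection, while one that enforces its own limit can challenge a drain. Signatures are simulated with HMAC rather than real Bitcoin signatures; the signer names, keys, limit and amounts are constructed, and the scenario assumes a single exchange key has been stolen.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo keys for a 2-of-3 wallet; all names here are hypothetical.
KEYS = {"exchange_hot": b"k1", "exchange_backup": b"k2", "cosigner": b"k3"}
THRESHOLD = 2

def sign(signer: str, tx: dict) -> str:
    """Stand-in for a real transaction signature: HMAC over the tx fields."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def wallet_accepts(tx: dict, sigs: dict) -> bool:
    """The wallet only counts valid signatures; it cannot see intent."""
    valid = [s for s, sig in sigs.items()
             if s in KEYS and hmac.compare_digest(sig, sign(s, tx))]
    return len(valid) >= THRESHOLD

@dataclass
class CoSigner:
    daily_limit: Optional[int]  # None models "sign off on everything"
    spent_today: int = 0

    def review(self, tx: dict) -> Optional[str]:
        """Return a signature, or None to challenge the withdrawal."""
        over = (self.daily_limit is not None
                and self.spent_today + tx["amount"] > self.daily_limit)
        if over:
            return None
        self.spent_today += tx["amount"]
        return sign("cosigner", tx)

def simulate_drain(cosigner: CoSigner, withdrawals: list) -> int:
    """Withdrawals signed with one stolen exchange key; returns BTC moved."""
    moved = 0
    for tx in withdrawals:
        sigs = {"exchange_hot": sign("exchange_hot", tx)}
        cosig = cosigner.review(tx)
        if cosig is not None:
            sigs["cosigner"] = cosig
        if wallet_accepts(tx, sigs):
            moved += tx["amount"]
    return moved

# Constructed sample: 20 withdrawals of 500 BTC each to an unknown address.
SAMPLE = [{"to": "addr-unknown", "amount": 500} for _ in range(20)]
RUBBER_STAMP = simulate_drain(CoSigner(daily_limit=None), SAMPLE)
ENFORCING = simulate_drain(CoSigner(daily_limit=1500), SAMPLE)
```

In both runs the 2-of-3 rule is satisfied for every transaction that gets co-signed; the only difference in how much leaves the wallet is whether the co-signer applies a policy of its own.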
The exact details of the hack are not (yet) known… as far as I know. We can safely guess that one of two things happened: (1) the Bitfinex team was hacked with malware, or (2) compromised by malicious insiders.
Despite this fiasco, Bitfinex is alive and well today and is one of the top exchanges by volume. They acted to reimburse their clients who lost BTC with a BFX token (an IOU) which was redeemable for USD that was paid back slowly, allowing them to fix their system and not go bankrupt. Today they are the 7th largest cryptocurrency exchange (based on 24-hour volume, as of 20 December 2018 according to CoinMarketCap).
Exchange/Nation: Bitfloor, Unknown location
Hack Date: September 2012
Value stolen/lost: ~24,000 BTC.
Details: Unknown details… all that I am aware of is that private keys were kept online unencrypted, and stolen by a hacker. I mean… that’s a pretty silly thing to do, so it’s no wonder that the exchange is no longer running.
Exchange/Nation: Bitgrail, Italy
Hack Date: February 2018
Value stolen/lost: ~$150 million USD worth of a token called Nano.
Details: Controversial details… The Bitgrail exchange claimed that there was a bug/issue in the Nano currency code and that the crypto’s developer had deployed faulty software. However, Nano denies this and points the finger back at Bitgrail, stating that the exchange was insolvent and scamming its users. But guess what? The Nano coin is sitting at spot 37 on CoinMarketCap (20th Dec 2018), valued at ~$138 million (very low for a cryptocurrency). And the Bitgrail exchange was disabled “temporarily” in May 2018… as of writing this post, new user registrations are temporarily suspended… also, it is not listed on the CoinMarketCap exchange list… but that does not 100% exclude it from being active.
Exchange/Nation: Coinrail, South Korea
Hack Date: June 2018
Value stolen/lost: ~$40 million USD, caused a market dip of somewhere between $40-$50 billion due to the news and FUD that spread.
Details: Unknown details… rumours of North Korean spies though. Still active, although trading volumes are in the tens of thousands of USD daily. Aka virtually non-existent.
These attacks on exchanges have served as a blessing in disguise. They sent a clear signal: Bitcoin, Ethereum and other cryptocurrencies are valuable and people want them badly. Moreover, it drew attention, albeit negative, to the cryptocurrency industry. This got regulators involved. Moreover, it served as a warning to exchanges that want to be considered “top notch”, safe, secure and well renowned in the cryptocurrency space that they would have to take the issue of security and insurance seriously and to work with regulators.
Perhaps owing to the many faults of the early cryptocurrency exchanges, today’s major exchanges are significantly safer. Not wanting to fail like Mt. Gox, Bitfloor, Coinrail, Bitgrail, etc., they doubled down on security, cold storage, KYC, insurance, customer service, etc.