The 5 biggest crypto heists of 2017

Blockchain companies and new cryptocurrencies have been flourishing this year. Their total market cap exceeded $177 billion in 2017, and hackers' interest grew proportionately. In 2017 we witnessed quite a few large hacks that cost these companies millions of dollars.

Even though blockchain technology is fundamentally more secure when it comes to keeping your money safe, the ecosystem around it is filled with flaws that hackers are racing to exploit.

In this article I will analyse the biggest hacks of 2017.

First, you need to understand what an ICO is, as ICOs were a key factor in a lot of this year's hacks.

An ICO (Initial Coin Offering) is a way for blockchain companies to issue a token (a “coin” or “cryptocurrency”) in order to raise funds. It is comparable to an IPO (Initial Public Offering), except that these companies usually run the ICO before having any working product (while IPOs are usually done to raise further capital for a company that already exists).

The way this works is pretty simple. The company opens the ICO and publishes its Ethereum (or other blockchain) address, and the public starts sending money to that address. A smart contract running behind the address takes responsibility for exchanging the Ether for the company’s token.

1. The Enigma ICO

The Enigma hack is one of the “funniest” ever. The hacker didn’t have to use any technical skills to steal millions of dollars from users.

Earlier this year the Ashley Madison website got hacked and its database was leaked online. The hacker simply found out that the CEO of Enigma had his password leaked in the Ashley Madison breach. Luckily for the hacker, the CEO had reused that password on several accounts, including his email and Slack accounts.

From there, the hacker proceeded to start the ICO with one difference: he changed the Ethereum address to his own, and there was no smart contract issuing tokens behind it. As a result users sent millions of dollars to the hacker, thinking they were sending their money to Enigma.

2. The Parity hack

According to its GitHub page, Parity aims to be “the fastest, lightest and most secure Ethereum client”.

In this case the hacker took advantage of a bug in the contract behind Parity's MultiSig wallet (a kind of wallet that is supposed to add a layer of security by requiring several users to sign a transaction before it is broadcast on the blockchain). The bug let him take ownership of a wallet by sending a crafted transaction that reassigned ownership to him; from there he moved all the funds to his own wallet. Learn more about the technical details here.

The hacker was able to steal 153,000 Ether. Following the hack, a group of white hat hackers proceeded to drain other vulnerable MultiSig wallets into their own wallets in order to prevent the black hat hacker from stealing more funds from users. After the vulnerability was fixed they refunded the users.

3. Coindash

Another ICO hijack. Similarly to the Enigma hack, the hacker was able to compromise the Coindash website. Just 13 minutes after the ICO started, the hacker managed to swap in his own Ethereum address and then calmly waited as users sent him $7 million worth of Ether.

4. Veritaseum

Veritaseum is a project that “allows individuals and corporations to trade without brokers, loan without banks and contract without lawyers”.

This is how Reggie Middleton, CEO of Veritaseum, described the hack:

“The hackers thwarted 2FA, on two different accounts, and finagled third party security among several other things. They went through quite a bit of effort; alas going through that much effort caused them to leave a breadcrumb trail as well. I hate thieves”.

Middleton refused to give more details about the hack, arguing that it would only incite others to replicate it.

The loss was estimated at $8.4 million worth of Ether.

5. Zerocoin

Zerocoin is a project that aims to bring anonymity to Bitcoin transactions. In February a hacker exploited a flaw in the code that allowed him to create tokens out of thin air. He then sold them on cryptocurrency exchanges, resulting in an increase in price and market cap. The hacker was able to create 370,000 tokens worth 400 Bitcoins (a whopping $444,000 at the time).

 

These hacks are only the tip of the iceberg. Every day attackers are trying to hack and/or scam users by any means possible.

Here are some other hacking tricks that have been heavily used this year:

  • Typosquatting: Bittrex.com is one of the biggest cryptocurrency exchanges. A hacker bought domain names such as Blttrex.com (with an ‘l’ in place of the ‘i’), Bitrex.com, etc. Once users entered their password and 2FA code on the fake site, the hacker would immediately log in to the real Bittrex.com website and steal all of their funds.
  • Slack Scams: Almost every project has an open Slack team. It’s a great way to communicate openly but it also opens the door to scammers.

This one is pretty clever. A user would think this message is for his own good, and if you only read the domain as displayed on Slack it looks completely legitimate, even though it redirects to a fake website.

Another very popular scam consists of telling users about an “airdrop” for holders of coin X. An airdrop is when a company decides to offer free coins to users who have been holding a given coin (let’s say Ethereum, for example) for some time. The hackers usually spread these links on Slack, and the linked websites ask for your private key.
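Both tricks above (look-alike domains such as Blttrex.com, and Slack links whose visible label hides a different destination) can be caught by a small message checker. The Python below is an added example, not code from the article: it assumes a watchlist of legitimate domains, uses Slack's `<url|label>` link markup, folds common look-alike characters, and flags labels that disagree with the real host as well as hosts within one edit of a watched domain; the sample message is constructed.

```python
import re
from urllib.parse import urlparse

# Assumed watchlist: the legitimate domains this article names (extend for your own use).
KNOWN_GOOD = {"bittrex.com", "myetherwallet.com"}
# Slack renders links written as <url|label>, so only the label is visible to the reader.
LINK_RE = re.compile(r"<(https?://[^|>]+)(?:\|([^>]+))?>")

def normalize(domain: str) -> str:
    """Fold common look-alike characters so 'blttrex' compares equal to 'bittrex'."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("l10", "iio"))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, which catches a dropped letter such as 'bitrex'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str):
    """Return the legitimate domain `host` imitates, or None if it is legitimate or unrelated."""
    if host in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if edit_distance(normalize(host), normalize(good)) <= 1:
            return good
    return None

def check_slack_message(text: str) -> list:
    """Flag labels that hide a different host, and hosts that imitate a watched domain."""
    findings = []
    for url, label in LINK_RE.findall(text):
        host = urlparse(url).hostname or ""
        if label and "." in label and " " not in label:  # the label itself looks like a domain
            shown = urlparse(label if "://" in label else "http://" + label).hostname
            if shown != host:
                findings.append(("label-mismatch", label, host))
        imitated = lookalike_of(host)
        if imitated:
            findings.append(("lookalike", host, imitated))
    return findings

# Constructed sample message in the style of the Slack scams described above.
SAMPLE = "Admin: verify at <https://myetherwa11et.com/login|myetherwallet.com> now"
FINDINGS = check_slack_message(SAMPLE)  # what a moderation bot would report for SAMPLE
```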

  • Social engineering: Recently Jessica Versteeg, CEO of Paragon Coin, was hacked and lost access to her Gmail and other accounts. The hackers simply used an old trick: they got the phone company to hand them control of the CEO’s phone number.
Jessica VerSteeg (@JessVerSteeg) on Twitter, September 21, 2017 (https://twitter.com/JessVerSteeg/status/910704808704667648):

“I need a contact at gmail 🙏🏼 @sundarpichai @gmail @Google my email has been hacked & for some reason no one has been able to help me. pic.twitter.com/EnTZ94q8mu”

 

Tips to stay safe:

  • NEVER give your private key, to anyone.
  • NEVER give your private key, to anyone, ever.
  • If you need to give somebody your private key, DON’T DO IT. Your private key is private for a reason. Anyone who can access your private key can steal your precious coins.
  • Keep your coins out of exchange websites.
    This year we saw several cryptocurrency exchanges get hacked, such as BTC-e and Bithumb. They were not the first and they won’t be the last. I myself reported security vulnerabilities to some cryptocurrency exchanges and can tell you they’re not always the most secure. Ideally you should keep your coins in cold storage, using a paper wallet or a hardware wallet such as a Trezor. These wallets don’t support every cryptocurrency, but every cryptocurrency has its own desktop wallet that you can use, and they all offer encryption and backup options.
  • Don’t trust anyone, especially on Slack.
    Nobody wants to give you free coins, and there’s no 2FA on myetherwallet.com. If in doubt, always check with official sources, but even then be careful: Twitter accounts can be hacked too. Be extra careful on Slack, as there is no identity verification there and anyone can pose as “Vitalik Buterin”.
  • Have your smart contracts, and every other piece of code, reviewed by professionals.
    If your company created a token or you’re raising funds via an ICO, you should be extra careful with every piece of code. History has shown that even code audited by the Ethereum Foundation has turned out to be vulnerable. So if you’re a developer who just learned Solidity (Ethereum’s main smart contract programming language) and you’re using that as the basis for a smart contract that raises funds, without having it reviewed, you’re heading for disaster.
  • Passwords & 2FA
    It may seem obvious, but you should use 2FA whenever you can and never reuse passwords. If you reuse a password that was leaked in a previous breach (LinkedIn, Yahoo, etc.), it’s just a matter of time before you lose your coins.
  • Don’t use your phone number as a recovery option for your email address.
    Otherwise you might end up locked out of your email address like the Paragon Coin CEO. I would suggest creating an email address that you use only for these kinds of websites, creating several secure backups of your credentials, and using 2FA.
  • Keep your identity private
    I’ve seen people on Twitter posting pictures of themselves holding their ID card with a timestamp and directly asking @Bittrex to get verified… If you do that, it’s only a matter of time before someone uses that picture on another exchange and potentially gets you into a lot of trouble.
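The password-reuse tip above (and the Enigma story, where one leaked password opened the CEO’s email and Slack) can be checked without ever sending the password anywhere: hash it, send only the first five hex characters of the SHA-1 to a breach-lookup “range” API, and match the remaining suffix locally. This Python is an added example, not code from the article: it implements that k-anonymity matching as used by the pwnedpasswords.com range endpoint, with the HTTP fetch replaced by an offline stub serving a constructed response (the suffix for “password” is its real SHA-1, the count is made up).

```python
import hashlib

# Constructed excerpt shaped like a pwnedpasswords.com "range" response for prefix 5BAA6:
# one "<35-hex-char suffix>:<count>" line per leaked hash that shares the prefix.
# Only the suffix of SHA-1("password") is real; the counts are made up for this example.
SAMPLE_RANGE_BODIES = {
    "5BAA6": "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n",
}

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally; return the breach count for our suffix, or 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; serves the sample above."""
    return SAMPLE_RANGE_BODIES.get(prefix, "")

def password_breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus; the API only ever sees the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))
```

Swap `offline_fetch_range` for a real HTTPS GET of the same URL to query the live service; the password and its full hash still never leave the machine.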

Best of luck out there!
