Why Cryptocurrency Exchange Hacks Keep Happening

A Bithumb exchange office in Seoul. Last month, Bithumb said it lost over $30 million worth of bitcoin and other cryptocurrencies in a cyberattack.


Photo: Jean Chung/Bloomberg News

Executives at Bithumb, a popular cryptocurrency exchange in South Korea, sensed something awry last month.

After a rival was hacked earlier in June, Bithumb experienced a rise in failed user logins and unauthorized access attempts, according to an exchange official who asked not to be named. Bithumb added more online security personnel to conduct extensive checks and moved more of its digital currency reserves into offline storage.

It wasn’t enough. On June 19, Seoul-based Bithumb said it lost over $30 million worth of bitcoin and other cryptocurrencies in a cyberattack. It has since recovered some, lowering its loss estimate to $17 million.


Swiped

Some of the biggest hacks on cryptocurrency exchanges and platforms


Exchange/platform, origin, date of hack and value of coin loss in millions of dollars

Coincheck (Japan, January 2018): $535
Mt. Gox (Japan, January 2014): $450
BitGrail (Italy, February 2018): $170
Bitfinex (Hong Kong, August 2016): $77
NiceHash (Slovenia, December 2017): $70
DAO (Germany, April 2016): $55
Coinrail (South Korea, June 2018): $40
Youbit (South Korea, April 2017): $35
Parity (U.K., July 2017): $32
Bithumb (South Korea, June 2018): $32
Bancor (Israel, July 2018): $24

Note: DAO was created by German-based Slock.it.

Sources: Autonomous Research, staff reports

Since 2011, there have been 56 cyberattacks directed at cryptocurrency exchanges, initial coin offerings and other digital-currency platforms around the world, according to an analysis by Autonomous Research, a London-based financial-services research firm, bringing the total of hacking-related losses to $1.63 billion. Some of the biggest hacks occurred at Japanese exchanges Mt. Gox in 2014 and Coincheck this past January. The most recent hack took place on July 9, when hackers swiped $23.5 million worth of cryptocurrencies from an Israeli platform called Bancor.

The increasing frequency of hacks points to the vulnerabilities of cryptocurrencies and the platforms people use to trade them, adding to broader investor worries about fraud and lax regulation of the industry.

Many attacks have centered around Asia, a hotbed for cryptocurrency trading. Four of the seven hacks so far this year have been in the region, with over $800 million worth of cryptocurrencies stolen—already more than any other calendar year. Cyberthieves could be targeting more popular trading venues, a potential risk for investors in the U.S. and elsewhere.

Unlike stock exchanges, which facilitate trading but don’t actually hold securities on behalf of investors, many cryptocurrency exchanges charge fees for trading and also store currencies for their customers. Analysts say that makes cryptocurrency exchanges sitting ducks. Thieves who manage to break in can do something akin to robbing a bank—getting hold of valuable cryptocurrencies that they can cash out.

Cryptocurrency exchanges are “easy to breach, with minimum effort and expense from attackers and with maximum return on investment,” said Robert Statica, president of BLAKFX, a cybersecurity firm in New York.

Recent cyberattacks have hurt market sentiment. After a steep slide this year, bitcoin dropped further after the Bithumb incident in June. Currently sitting at around $6,300, bitcoin trades near its low for the year and well off its record high near $20,000 established in December.

The hacks are “bad for users, bad for exchanges and terrible for confidence,” said John Sedunov, an assistant professor of finance at Villanova University. “If I don’t have confidence in where I’m storing my crypto assets or where I’m investing, how can I really trust any of this?”

Not all investors are ruffled by the hacks. Lee Gui-im, a retiree in Seoul, hasn’t been able to access her cryptocurrency assets for a month after Coinrail, the other South Korean exchange breached last month, temporarily shut down all services. That hasn’t discouraged the 61-year-old from continuing to attend meetups to identify her next cryptocurrency investment.

“Every exchange is in danger of hacks. This isn’t just Coinrail’s problem,” said Ms. Lee as she was leaving a blockchain company info session this past week. “I haven’t lost faith in [crypto] coins—just exchanges.”

There are currently 205 cryptocurrency exchanges in operation, many of which are based in Asia, according to research firm CoinMarketCap.

Chainalysis, a New York-based blockchain-analytics firm, said South Korea has been a ripe area for hackers because of the market’s rapid growth in a short amount of time. The South Korean won is one of the most commonly used fiat currencies for trading cryptocurrencies.

“There simply are many targets there,” said Kim Grauer, senior economist at Chainalysis, adding that “some exchanges have not been able to maintain the proper level of defense as they have grown.”

Regulatory gaps in South Korea also make it less compelling for exchanges to step up security efforts, said Stacy Scott, managing director at cybersecurity and investigations firm Kroll.

A government inspection of 21 cryptocurrency exchanges in South Korea earlier this year found that no firm met all 85 inspection standards established by authorities, but there is no law to penalize exchanges that fall short.

Bithumb said late June it is working with other exchanges around the world to track down and recover stolen digital coins that may have been moved to other trading venues. Coinrail is planning to resume services on July 15 after a monthlong operating hiatus. The exchange said it has so far recovered three types of virtual currencies that were stolen, but hasn’t disclosed how much it lost. An earlier Wall Street Journal article estimated that $40 million worth of digital coins were taken.

“These are incredibly fragile technologies that are highly vulnerable to attacks,” said Alan Curtis, chief executive at a cryptocurrency startup called Radar Relay.

Mr. Curtis’s firm operates a newer type of cryptocurrency trading venue called a decentralized exchange. Launched less than a year ago, Radar Relay operates a peer-to-peer platform that allows people to trade cryptocurrencies with each other directly, similar to how people connect with each other via a site like Craigslist to buy and sell goods and services.

Decentralized exchanges, however, tend to lack liquidity and make up a small percentage of the market’s overall trading volumes, said Lex Sokolin, global director of fintech strategy at Autonomous Research.

“I don’t know if there’s a silver bullet that will stop the hacking other than investing significantly in infrastructure and cybersecurity,” he said.

Write to Steven Russolillo at steven.russolillo@wsj.com and Eun-Young Jeong at Eun-Young.Jeong@wsj.com
