With over a billion dollars worth of coins stolen in crypto hacks in 2018, we take a look at the top 5 cryptocurrency hacks in 2018.
The distributed architecture of blockchain technology is one of the strongest appeals for cryptocurrencies as a secure form of money. Since the creation of Bitcoin in 2008, blockchain technology has gained a credible reputation for being a secure network that is extremely hard to infiltrate.
A decentralized network is far less prone to hacks and security attacks as compared to a traditional centralized structure since the latter is vulnerable to a single-point-of-attack.
It is much easier to hack a single database as compared to a distributed network made up of many databases.
However, despite the security strength of blockchain technology, various hacks have occurred within the cryptocurrency industry. These cyber-attacks are not focused towards the blockchain itself, but towards the several institutions and entities within the ecosystem, such as cryptocurrency exchanges and digital wallets. These targets are much easier to hack as compared to the blockchain itself, and the perpetrators can get away with a tremendous amount of coins and tokens worth millions!
Let’s take a look at the top five cryptocurrency hacks in 2018.
Top 5 Cryptocurrency Hacks in 2018
1. IOTA Phishing Attack
$4 million worth of IOTA coins was stolen from user wallets after they generated seeds on a fraudulent phishing website called Iotaseed.io (not defunct). IOTA holders were caught like a rat in a trap in this phishing scheme since it was advertised at the top of Google search as an official IOTA seed generator.
Phishing is a fraudulent attempt to steal sensitive user information such as credit card details, usernames/passwords and personal information by disguising as a credible and trustworthy website.
Visitors that created their IOTA wallet on Iotaseed.io provided hackers with their private keys for their wallet, thereby compromising the digital wallets. The cybercriminals behind the phishing website had been collecting passwords and seeds for an unknown period of time, and finally cleaned out the wallets of unaware IOTA users on January 19, 2018. At the same time, some of the full nodes on the IOTA network also suffered from a Distributed Denial of Service (DDoS) attack, which compromised the ability of the network to validate and process transactions. Upon further investigations, however, the IOTA founders claimed they did not find any connection between the DDoS attack and the fake phishing website.
Unfortunately, little could be done to reverse the transactions since the blockchain was created to be immutable and tamper-free. Moreover, the hackers abused valid user credentials, so all the transactions were legitimate from the point of blockchain security.
2. Coincheck Hack
On January 26, hackers compromised user accounts of Coincheck, a Japan-based cryptocurrency exchange. A whopping 560 million NEM tokens worth around $530 million at that time was stolen, making Coincheck’s hack one of the biggest the industry has ever seen, even surpassing the hack of Mt. Gox!
Upon further investigation, it was found that Coincheck exchange suffered from a security lapse that enabled the hack. Apparently, one of Coincheck’s internal computer systems was infected with malware that led to a data breach. The virus allowed attackers to collect many private keys a couple of weeks prior to the hack. Hackers successfully ran off with the stolen coins easily since the Coincheck kept their assets in hot wallets, which are more vulnerable to hacks than cold ones due to their connection to external networks.
Hot wallets are digital wallets that are connected to the internet, such as those at your cryptocurrency exchanges or your mobile app wallets. Cold wallets, on the other hand, are those that are not connected to the internet, such as hardware wallets and paper wallets.
In addition to that, Coincheck’s processes suffered from another vulnerability. There was no multi-signature (multi-sig) security process to strengthen the security process. Multi-sig requires multiple (trusted) users to confirm and approve transactions before sending the funds.
Fortunately, the NEM developers quickly responded to the attack and returned almost all of the stolen funds to the victims.
3. POWH Coin Hack
Proof of Weak Hands (POWH) Coin was advertised as a legitimate and autonomous pyramid scheme that rewarded early users with 10% of dividends. Despite several warnings towards this scheme, many investors still participated and the value of POWH Coin quickly grew to over two million dollars within a short period of time.
The idea behind POWH was simple: a parody pyramid scheme designed to be as transparent as possible. Using Ethereum smart contracts, POWH tokens would rise in value by 0.25% whenever a unit was bought and decreased by 0.25% when a unit was sold. This was similar to a game where those with an ‘iron hand’ (someone who could withstand the volatility of the market by not selling their coins) would be rewarded. Many invested in this project as a joke to make a quick buck.
However, on January 28, a white hat hacker managed to drain user wallets by exploiting a common blockchain vulnerability, an unsigned integer underflow. Essentially, the underlying smart contracts of POWH got hacked three days after the initial coin offering (ICO) went public. A total of 866 ETH worth over $950,000 was stolen.
(See more: Guide on Identifying Scam Coins)
4. Verge Hack
The Verge network hack was a prominent hack that was designed to generate excess Verge (XVG) coins fraudulently, rather than stealing the coins from unsuspecting users. Starting from April 4 to May 22, attackers exploited several blockchain security vulnerabilities, such as manipulating the blockchain’s difficulty, faking timestamps, and dominating the hashrate of the network. These actions allowed cybercriminals to mine (create) new coins at a higher rate, with a cumulative value of counterfeited coins that were worth over $1 million.
The hackers managed to dominate the Verge network three times for intervals of several hours at a go and disabled payments from other participants. During these intervals, they mined new cryptocurrency at a rate of 1,560 Verge coins per second. Additionally, the attackers reduced the mining difficulty of the blockchain by using fake timestamps and thereafter abused a single algorithm to generate new blocks faster.
In order to mitigate the attack, the Verge developers set limits on consecutive blocks created with one algorithm. However, the hackers successfully repeated their hack by exploiting two algorithms at once. The final solution from the blockchain developers was to reduce the block creation window to 10 minutes (similar to the Bitcoin’s blockchain), so it made the timestamp fraud impossible.
5. Bancor Exchange Hack
On July 9, cyber criminals hacked the Bancor exchange and enriched themselves with $23.5 million of native tokens. The unknown hackers compromised a wallet that was created to upgrade certain smart contracts. Possessing credentials from this wallet, the attackers then stole $23.5 million worth of cryptocurrency, of which $10 million was in the native Bancor (BNT) coins.
The mystery still remains as to how the attackers obtained credentials to one of the key accounts in Bancor. A leading theory is that there was a data breach from one of the Bancor developer's computers initiated either internally or accessed through phishing attempts. After getting access to the account, hackers invoked the withdrawTo function and transferred the funds to their account.
The developers of the exchange managed to freeze $10 million in BNT from being accessed, while the rest of the stolen coins were denominated in other cryptocurrencies. Bancor also transferred the smart contract ownership from the compromised account to other accounts. In order to prevent future attacks, the Bancor developers introduced a multi-signature confirmation to their smart contracts, requiring at least two trusted accounts to confirm and verify every transaction.
Although blockchain technology is inherently secure, there are always vulnerabilities and attack vectors that criminals can exploit to their advantage. These million-dollar heists negatively affect the reputation of cryptocurrency and blockchain technology as a whole, creating an apprehensive attitude from the general public. Cryptocurrencies are already complex and hard-to-understand for an average Joe, and news of hacks or cybercriminals getting away with their fraudulent attempts would further hinder mass adoption.
With every setback, however, there are definitely lessons that we can take away. For one, the attack vectors of these hacks can be rectified by the developers’ community to ensure that future projects or iterations would not suffer from the same security issue.
(You should also read: Guide to Market Capitalization: Everything You Need to Know About Market Cap)
Beneficial Resources To Get You Started
If you're starting your journey into the complex world of cryptocurrencies, here's a list of useful resources and guides that will get you on your way:
Trading & Exchange
- Crypto Guide 101: Choosing The Best Cryptocurrency Exchange
- Guide to Bittrex Exchange: How to Trade on Bittrex
- Guide to Binance Exchange: How to Open Binance Account and What You Should Know
- Guide to Etherdelta Exchange: How to Trade on Etherdelta
- Guide To Cryptocurrency Trading Basics: Introduction to Crypto Technical Analysis
- Cryptocurrency Trading: Understanding Cryptocurrency Trading Pairs & How it Works
- Crypto Trading Guide: 4 Common Pitfalls Every Crypto Trader Will Experience
- Guide to Cryptocurrency Wallets: Why Do You Need Wallets?
- Guide to Cryptocurrency Wallets: Opening a Bitcoin Wallet
- Guide to Cryptocurrency Wallets: Opening a MyEtherWallet (MEW)
Sponsored Ad: Your dog deserves to be healthy & happy
Get our exclusive e-book which will guide you on the step-by-step process to get started with making money via Cryptocurrency investments!
You can also join our Facebook group at Master The Crypto: Advanced Cryptocurrency Knowledge to ask any questions regarding cryptocurrencies.