Topic: Does anyone else find it suspicious that crypto exchanges keep getting hacked?

ChpBstrd

Quote
As of today, there are a total of 54 hacking events, with lost funds amounting to a total of approximately $2.4 billion at the time of these hacks, with the Mt.Gox hack of 2014 being the biggest casualty yet with $661,348,000 of stolen funds. The total amount does not include stolen user data and undisclosed amounts of stolen funds.
Note: This list doesn’t include exploits concerning DeFi platforms.
Source: https://cryptosec.info/exchange-hacks/

OK, just putting 2 and 2 together here. Why are so many cryptocurrency exchanges getting routinely hacked? It's not like you hear about daily bank collapses in the fiat banking world, or large corporations routinely getting hundreds of millions of dollars cleaned out of their treasuries due to some buggy code. Your broker has never lost your shares of stock. Imagine if large regional banks were disappearing every other month and boarding up their branches, if E-trade revealed half its customers lost all their stocks, or if General Motors suddenly closed their factories because a password was compromised. We'd be back to paper-based record keeping systems in no time!

Why crypto-exchanges in particular? The technology is available to have secure online banking and brokerages, so are we supposed to believe crypto-exchange operators are incompetent?

I suggest that most of these were insider attacks. People running these mysterious exchange businesses are accumulating people's assets, "hacking" their own sites, and collecting the crypto. They issue a sincere apology and erase everything about their involvement. The exchange shuts down and the operators move on to set up the next exchange, or maybe they repeat the process with their current brand. Looks like most of the previously "hacked" sites are still in business, some with "most trusted platform" written on their sites. I'll boldly predict they get hacked again a couple of years later.

This is how the crypto exchange economy works. The ability to rob your own bank is the incentive to set up such a business in the regulation-free Wild West, where the SEC, FDIC, and IRS are confused about their jurisdiction because the law hasn't caught up with this type of scam, it's often unclear where these businesses are located, and the people running these businesses tend to not put their real names and pictures on an "about us" page. Even if the people starting the business were honest, any one employee can hack their own exchange with impunity, so it happens.

These websites offering to pay high rates of interest on your crypto are particularly suspicious. Aggregate. Hack. Apologize. Repeat.

MustacheAndaHalf

First, I'm happy my $2.5 billion estimate is so close to the article you reference.  And second, I think my reply in the other thread could be relevant here:

Actually 2022 q1 overshadows those figures, with an 8x increase in hacking that has brought losses in the past 3 months to $1.2 billion.
https://techcrunch.com/2022/04/04/q1-crypto-losses-spike-695-on-year-following-massive-hacks/

Because of the +700% increase, it's safe to assume prior hacks were a fraction of the prior quarter, but call it $2.5 billion total.  The market caps of BTC and ETH are $1.25 trillion, or 500x greater.  Using these rough numbers, is it fair to estimate 99.8% of crypto has been safe from hacks?

Askel


Quote
The technology is available to have secure online banking and brokerages, so are we supposed to believe crypto-exchange operators are incompetent?

Yes.

Hanlon's Razor- Never attribute to malice what is adequately explained by stupidity. 

I know a fair number of programmers, many of them quite good. They and even the not quite so good programmers want nothing to do with crypto. 

Also, there are very, very extensive security policies and procedures surrounding traditional banking that I'm guessing don't extend to crypto.

Although, many security breaches do involve people on the inside of an organization so you might be partly right. 

bacchi

It's incompetence bordering on negligence.

There are a LOT of sites and systems out there that have security holes. The holes are even known internally but they're obscure and the fix keeps getting pushed to the bottom of the to-do list. Add in an attractive target and the exchanges will be hit again and again.

Why don't banks get hacked as often? They have cyber security audits. Crypto exchanges don't have the time/inclination/money to hire an outside auditor for penetration testing.

GuitarStv

Suspicious?  Nope.

It's crypto - where you have relatively safe/anonymous stuff that can't really be used without working with an unsafe non-anonymous exchange.  No consumer protections and no recourse for theft . . . with self-regulated private companies running things?  Of course it's going to be hacked.  You would have to be delusional to believe that wouldn't be common.

ChpBstrd

Quote
Hanlon's Razor- Never attribute to malice what is adequately explained by stupidity.

Quote
It's incompetence bordering on negligence.

But what if you could "hack" Hanlon's Razor to commit the perfect crime?

Set up an exchange. "Ooops, we got hacked, everybody's coins have been transferred to some wallets that we can't trace to real people. Guess I must have written a hole in the code that somebody could exploit, because I'm just not that good at this. Too bad the hackers deleted all logs and other records so there's no evidence. Guess the logs should have been set up to transfer their data minute by minute to a separate secure system, but that's water under the bridge now. Really I shouldn't have clicked on that spearphishing email, but I just don't know any better despite being competent enough to set up a cryptocurrency exchange. Too bad I was stupid. Might as well just accept your losses because you made the mistake of using an exchange run by stupid people. Nothing to see here. Try again next time."


ChickenStash

I would imagine a lot of that is due to crypto exchanges being new-fangled tech built as rapidly as possible (ie. piss-poor testing) on the latest coding frameworks while a lot of the financial (and healthcare, legal, and other "older" industries) are still running core processing on decades old code on comparatively ancient tech that is less vulnerable simply because it's less advanced and has had more time to bake.

Like trying to remotely hack a Tesla versus a 1970 Chevelle. Get the exchanges built on Cobol running on an IBM mainframe or an AS400 and see what happens.

ChpBstrd

Quote
I would imagine a lot of that is due to crypto exchanges being new-fangled tech built as rapidly as possible (ie. piss-poor testing) on the latest coding frameworks while a lot of the financial (and healthcare, legal, and other "older" industries) are still running core processing on decades old code on comparatively ancient tech that is less vulnerable simply because it's less advanced and has had more time to bake.
Like trying to remotely hack a Tesla versus a 1970 Chevelle. Get the exchanges built on Cobol running on an IBM mainframe or an AS400 and see what happens.

Interesting theory, but I wonder what is really so different about setting up a crypto exchange rather than a stock brokerage? The different part - where you're editing a blockchain rather than sending a signal to a clearing house - doesn't sound like the core security-related part.

If that part was the root cause of the security breaches, it would suggest a fundamental flaw with the concept of blockchain, and an advantage for traditional banking record-keeping. E.g. in traditional banking, an attacker must get into an account before they can create transaction records, and the rights to create transaction records are limited by account permissions to the assets in that particular account. Thus, individual account breaches do not affect the accounts of everyone at the bank. In a crypto exchange, OTOH, maybe there's a database with everyone's keys in it, and if you can get to that database you can steal all the keys in the entire exchange. I may be way off with all this conjecture, but it reminds me of conversations I've had with computer science nerds professionals about the fundamental reason Linux and Apple operating systems using account-based permissions are fundamentally more secure than Windows-based systems running off of a centralized registry. Most Windows malware has historically found a way to modify the registry.

The local bank I used for my checking account has a total of 5 branches and uses a commercial off-the-shelf online banking product loaded with features. Perhaps the difference is that if such a product wasn't available (or back in the day when it wasn't available) they just wouldn't offer online banking, whereas with crypto, somebody would cobble together their own buggy and insecure proprietary solution because if that's the only way an exchange could exist, then those are the only exchanges in existence. Maybe generic software for setting up exchanges will appear in the future, but we're ... how many years into the crypto trading economy? Perhaps a lack of demand for better software explains the crypto economy better than incompetence by hundreds of very smart programmers.

ChickenStash

My comment was mostly a tongue-in-cheek remark about how far behind the times many of the older industries are and how bad companies are at building things (particularly bleeding edge tech) in a rush. I work in IT in some of those older industries so I get to watch a lot of the shenanigans up close.

I wasn't really thinking of the blockchain code, itself, but more about the other systems being used to manage and store the rest of the info needed to make it work - user info, passphrases, etc.

GuitarStv

Quote
My comment was mostly a tongue-in-cheek remark about how far behind the times many of the older industries are and how bad companies are at building things (particularly bleeding edge tech) in a rush. I work in IT in some of those older industries so I get to watch a lot of the shenanigans up close.
I wasn't really thinking of the blockchain code, itself, but more about the other systems being used to manage and store the rest of the info needed to make it work - user info, passphrases, etc.

If you really don't want something to fail you really don't want new code.

I did an interview at Bruce Nuclear a few years back, and the majority of their reactor control code was written in Fortran.  :P

simonsez

Quote
First, I'm happy my $2.5 billion estimate is so close to the article you reference.  And second, I think my reply in the other thread could be relevant here:
Actually 2022 q1 overshadows those figures, with an 8x increase in hacking that has brought losses in the past 3 months to $1.2 billion.
https://techcrunch.com/2022/04/04/q1-crypto-losses-spike-695-on-year-following-massive-hacks/
Because of the +700% increase, it's safe to assume prior hacks were a fraction of the prior quarter, but call it $2.5 billion total.  The market caps of BTC and ETH are $1.25 trillion, or 500x greater.  Using these rough numbers, is it fair to estimate 99.8% of crypto has been safe from hacks?

Are you saying 99.8% is good or bad?

If I walked into a bank and they told me the money I deposit/invest with them would be hacked on average 1 in 500 times (ignoring FDIC or SIPC), I don't think I'm making a deposit.

ChpBstrd

Quote
First, I'm happy my $2.5 billion estimate is so close to the article you reference.  And second, I think my reply in the other thread could be relevant here:
Actually 2022 q1 overshadows those figures, with an 8x increase in hacking that has brought losses in the past 3 months to $1.2 billion.
https://techcrunch.com/2022/04/04/q1-crypto-losses-spike-695-on-year-following-massive-hacks/
Because of the +700% increase, it's safe to assume prior hacks were a fraction of the prior quarter, but call it $2.5 billion total.  The market caps of BTC and ETH are $1.25 trillion, or 500x greater.  Using these rough numbers, is it fair to estimate 99.8% of crypto has been safe from hacks?

Quote
Are you saying 99.8% is good or bad?
If I walked into a bank and they told me the money I deposit/invest with them would be hacked on average 1 in 500 times (ignoring FDIC or SIPC), I don't think I'm making a deposit.

The numbers also do not include any hacks where the amounts were undisclosed - which appears to be at least half the time. Presumably it would also be easy to miss hacks occurring on sites operating outside the US-centric primarily English language world, or in any case where a coverup occurred and the exchange is operating as a Ponzi. So it's a decent amount larger, and that's before we even get into non-hacks such as government bans on crypto ownership, government seizures, and ransoms.

Also, I assume the USD value of each hack is calculated as the price at the time of the hack. Thus we cannot add up all the hacks over the last few years, divide by today's price, and say X% of coins were lost or safe. The number of coins represented by the dollar amount has changed over time, in both the numerator and denominator.

Heckler



Quote
Also, there are very, very extensive security policies and procedures surrounding traditional banking that I'm guessing don't extend to crypto.


LOL, ROLF.   Literally this morning, my bank asked their security question for telephone banking - who is the co-owner of my account?  I'll bet any one of you could guess their relationship, and if you knew my name find out their name.  Thank goodness for two-factor identification and rolling passwords.

Michael in ABQ

Why do you rob banks? Because that's where the money is.


Given the choice between robbing a bank with security guards, a vault, etc. or robbing a business with lots of cash and minimal security and no vault - which would you choose?



Incidentally I was in a bank a couple of weeks ago when it was robbed. The guy walked in (with a mask on of course) handed the teller a note saying he had a gun and walked out 30 seconds later with a few thousand bucks. I was the only other customer in the bank, and I thought something was up from the other teller's body language but by the time I thought to myself "am I seeing a bank robbery?" the guy was walking back outside. He was in and out in less than a minute. It was the 9th bank he had robbed in 6 months. His total take was only about $25k and now he's looking at probably 20 years in federal prison as the FBI and local police had an eye on him and were following him as soon as he left the bank and arrested him at home a few hours later.

nalor511

Quote
First, I'm happy my $2.5 billion estimate is so close to the article you reference.  And second, I think my reply in the other thread could be relevant here:
Actually 2022 q1 overshadows those figures, with an 8x increase in hacking that has brought losses in the past 3 months to $1.2 billion.
https://techcrunch.com/2022/04/04/q1-crypto-losses-spike-695-on-year-following-massive-hacks/
Because of the +700% increase, it's safe to assume prior hacks were a fraction of the prior quarter, but call it $2.5 billion total.  The market caps of BTC and ETH are $1.25 trillion, or 500x greater.  Using these rough numbers, is it fair to estimate 99.8% of crypto has been safe from hacks?

Quote
Are you saying 99.8% is good or bad?
If I walked into a bank and they told me the money I deposit/invest with them would be hacked on average 1 in 500 times (ignoring FDIC or SIPC), I don't think I'm making a deposit.

But that's the major difference. Your bank has FDIC, your credit union has NCUA, your brokerage has SIPC, and your crypto has... No insurance

GuitarStv

Quote
Incidentally I was in a bank a couple of weeks ago when it was robbed. The guy walked in (with a mask on of course) handed the teller a note saying he had a gun and walked out 30 seconds later with a few thousand bucks. I was the only other customer in the bank, and I thought something was up from the other teller's body language but by the time I thought to myself "am I seeing a bank robbery?" the guy was walking back outside. He was in and out in less than a minute. It was the 9th bank he had robbed in 6 months. His total take was only about $25k and now he's looking at probably 20 years in federal prison as the FBI and local police had an eye on him and were following him as soon as he left the bank and arrested him at home a few hours later.

Moral of the story is  . . .  always stop at 8 banks.  :P

waltworks

Hacks are a feature, not a bug. Duh.

-W

ice_beard

A sketchy new financial "product" whose primary agenda item is to take advantage of the financially desperate and underbanked people is getting hacked?  Would have NEVER crossed my mind!  /s
Crypto is such an awful, no legal problem solving scam.  I can't wait until the mess comes crashing down and we can get past this ridiculous mania.  I only hope the chaos doesn't bleed over into other markets too much.   

MustacheAndaHalf

Quote
Why do you rob banks? Because that's where the money is.
Incidentally I was in a bank a couple of weeks ago when it was robbed ... His total take was only about $25k and now he's looking at probably 20 years in federal prison as the FBI and local police had an eye on him and were following him as soon as he left the bank and arrested him at home a few hours later.

There's a very entertaining book "Where the Money Is" by a veteran FBI agent who specialized in catching bank robbers.  That this guy was in and out of the bank in under a minute is not an accident... all bank robbers try to be faster and more efficient over time.  Well, except a pair of bank robbers who were obsessed with the movie Heat, which is one of the crazier stories.
https://www.amazon.com/Where-Money-Tales-Robbery-Capital-ebook/dp/B00KIDR50C/

gooki

Quote
Why crypto-exchanges in particular?

Russia. They're easy targets for state sponsored theft.


MustacheAndaHalf

Quote
Why crypto-exchanges in particular?

Quote
Russia. They're easy targets for state sponsored theft.

I think North Korea is more active, especially for its size.  Russia makes huge profits from oil & gas sales, while North Korea's only export is hostility.

Gatzbie

This guy hacked $600m worth of Ethereum recently.

Looks like he is sending $300k or $3mil at a time into Tornado Cash to break it up into smaller amounts to sell it off most likely. Weird watching it "live" so to speak.

https://etherscan.io/address/0xbc25d57412a04956cdd95af07825c5c1f34d29eb
« Last Edit: April 07, 2022, 11:39:48 PM by Gatzbie »

Travis

Quote
Hanlon's Razor- Never attribute to malice what is adequately explained by stupidity.

Quote
It's incompetence bordering on negligence.

Quote
But what if you could "hack" Hanlon's Razor to commit the perfect crime?
Set up an exchange. "Ooops, we got hacked, everybody's coins have been transferred to some wallets that we can't trace to real people. Guess I must have written a hole in the code that somebody could exploit, because I'm just not that good at this. Too bad the hackers deleted all logs and other records so there's no evidence. Guess the logs should have been set up to transfer their data minute by minute to a separate secure system, but that's water under the bridge now. Really I shouldn't have clicked on that spearphishing email, but I just don't know any better despite being competent enough to set up a cryptocurrency exchange. Too bad I was stupid. Might as well just accept your losses because you made the mistake of using an exchange run by stupid people. Nothing to see here. Try again next time."

This has probably happened at least once. The Canadian exchange where the owner just disappeared/died/faked his death and took all the passwords with him is certainly a candidate. A surface level audit of that exchange's cyber security would have produced a list of vulnerabilities within minutes. It was a bank where the owner had the keys to everyone's safe boxes and the boxes were in his office.

To answer OP's question, it's not suspicious. If you have an environment with almost no controls and all the incentives to not play by any rules, this outcome is expected and every single hack is usually followed up by a litany of "I told you so's."

ChpBstrd

The link in the OP must have been old/partial information, and there's no guarantee this one isn't too, but it looks like well over $3B worth of crypto was stolen just in 2021 and just in publicized attacks. The true amount is probably 2x or 3x that. The Coinbase hack was probably the biggest and its amounts were undisclosed.

https://crypto-corner.com/2021/04/20/hacked-crypto-exchanges/

Quote
With more than 40 hacks and breaches reported in 2021 alone, we are witnessing a continuous rise in crypto fraud-related incidents each year.
Over $3 billion in total losses have been recorded in 2021 and on average, the number of offenses grows 41% every year

Here are some selected excerpts. Ask yourself: how hard would it have been to do these as insider attacks?

Quote
The network revealed that the attacker installed a bug on the Binance Blockchain codebase of pNetwork.

You know who else could install a bug?

Quote
At least 6000 customers have been victims of unauthorized third parties exploiting a flaw in the company’s SMS account recovery process to gain access to multiple accounts, and transfer funds to crypto wallets not associated with Coinbase.

Huuuuh? Who designed that process, and why didn't they just use the standard techniques banks use for pw recovery? Oh, I get it...

Quote
Even as it is being liquidated following a previous breach that stole NZ$24 million (US$15.5 million), this exchange gets hacked again.

When people already think you write buggy code, that's the best time to steal what's left.

Quote
The attacker may have implanted malware into one of the exchange’s computers. As an employee accessed the affected machine to make two transfers, the attack was launched.

"Gosh, I have no idea why 'the attack was launched' from a script on my computer." What were you running, Windows XP?

Quote
In an official statement, the Tokyo-based organization shared that attackers hijacked one of Coincheck’s domains to carry out spear-phishing attacks on customers.

I suppose the password was "password123"? When's the last time something like this happened to Bank of America or Citigroup?

Quote
The largest bitcoin exchange in Canada lost $190 million in crypto following the death of its founder and CEO Gerald Cotten, the sole controller of the exchange’s cold storage wallets.

This is the most honest way to lose everyone's money: die with a passcode stuck in your brain wetware. But then again, why did one person control access to all the coins in an entire exchange? What was he planning? Banks and brokerages don't run this way.

And at least some insider attacks were publicized:
Quote
Allegedly, the founder took off with $2 billion USD of customers money and fled to Albania.

I can only conclude that:

1) Trading crypto is nothing more than putting one's wealth into the hands of a random stranger on the internet, or a bunch of random strangers on the internet. It is the exact opposite of a "trustless" transaction. There is no recourse if these people decide to run off with your "coins". All you know about them is that they're the type of person who sets up one of these crypto exchanges that keep "losing" customers' funds.

2) If most hacks were not insider attacks, it would be a missed opportunity on the part of the insiders, who can commit the perfect crime and always get away with it after some technical details hand-waving. There's minimal law enforcement, and 100% of digital evidence can be covered up or fabricated. It's not hard convincing oneself that the victims deserve it.

3) There is nothing to stop an exchange / wallet service from pulling a Bernie Madoff / classic Ponzi and displaying non-existent assets on customers' screens. Customers would believe they own X coins because their screen says so. They could also display fake audit information (IDK if exchange auditors are even a thing that exists). As long as there's not a run on the bank, so to speak, the organization could keep up this ruse for years with a minimal base of liquidity to handle the occasional sale request. Thus, it's a near certainty some unknown number of exchanges/wallet services are empty shells and their customers don't know it because they think they are HODL'ing.

4) Some percentage of the "liquidity" and "trading volume" in crypto is to facilitate these frauds or launder assets stolen out of exchanges. A lot of the "demand" for crypto is manufactured by the fraud itself.
« Last Edit: April 08, 2022, 01:47:54 PM by ChpBstrd »

Travis


Quote
3) There is nothing to stop an exchange / wallet service from pulling a Bernie Madoff / classic Ponzi and displaying non-existent assets on customers' screens. Customers would believe they own X coins because their screen says so. They could also display fake audit information (IDK if exchange auditors are even a thing that exists). As long as there's not a run on the bank, so to speak, the organization could keep up this ruse for years with a minimal base of liquidity to handle the occasional sale request. Thus, it's a near certainty some unknown number of exchanges/wallet services are empty shells and their customers don't know it because they think they are HODL'ing.
4) Some percentage of the "liquidity" and "trading volume" in crypto is to facilitate these frauds or launder assets stolen out of exchanges. A lot of the "demand" for crypto is manufactured by the fraud itself.

This right here was how Bitconnect operated until it received enough bad press to shrink the inflow of new blood to its Ponzi Scheme. It collapsed within days. As it started to face tough questions and legal trouble, somebody took a peek behind the curtain and discovered that 75% of all trading done between the Bitconnect coin and the Bitcoin investors were loaning was by assets owned by Bitconnect itself. In that regard it also pulled an Enron.