This article was co-written by John Lloyd, chief technology officer of Casaba Security.
It’s no secret that cryptocurrency investing comes with a lot of risks.
After all, price swings can be wild in the crypto markets. In the stock market, a 1.5-2% swing in the Dow leaves investors freaking out. In the crypto markets, this doesn’t even count as volatility. When price swings happen here, they tend to be in the double digits, with dramatic ups or downs in specific coin prices seen as normal.
Then there are the scams. Fake ICOs, digital wallet theft, and social engineering attacks aimed at stealing investor logins. These risks are widespread, but the one good thing about them is that they usually boil down to unwise decisions on the part of the individual investor. As long as the investor doesn’t fall for a phishing email or a fake ICO promotion, the investor’s money is safe from these types of threats.
But there is another risk which crypto investors may be less aware of. This is the threat of back-end cryptocurrency attacks, which they have no control over and for which there is very little (if any) visibility at all.
An ecosystem has vulnerabilities
Back-end attacks are threats to the crypto platforms and services themselves, which the individual investor has a harder time avoiding since these are beyond their control. Cryptocurrency is particularly susceptible to these attacks because the underlying codebases which run these technologies are often undeveloped and vulnerable to attack.
The crypto ecosystem is compromised of numerous parts and pieces, from the actual coins to the exchanges, digital wallets, miners, ICOs, DAOs (Decentralized Autonomous Organization), smart contracts, virtual private servers, and hosting services.
Any of these components can be (and are) attacked by criminals to exploit weaknesses and vulnerabilities in order to steal money, harm the organization or end-users of it, or disrupt the overall process.
The crypto market is growing fast and processing large numbers of transactions without fully appreciating the risks.
Here are the back-end cryptocurrency attacks that investors need to know about:
Once as mythical as the Sasquatch, the 51% attack is no longer a speculative possibility — already this year, we’ve seen it used multiple times against smaller currencies like Monacoin, bitcoin Gold, ZenCash, Verge, and Litecoin Cash.
Also known as a “majority attack” or “double-spending,” a 51% attack can defraud cryptocurrency exchanges, putting users at risk of major price declines, blocked transactions, and bankruptcy of the exchange itself. The attack occurs when a person (or group) controls the majority of the blockchain’s mining power, often through the use of crypto-mining botnets, which allows them to deny other transactions while doubling their own. In September, a denial-of-service (DoS) bug was discovered in bitcoin Core that could have been used to crash bitcoinnodes and block transactions, in addition to manipulating those transactions through a 51% attack.
Businesses have been slow to adopt blockchain and one reason for this is that a blockchain transaction takes longer than a traditional payment processing network.
To fix this problem, cryptocurrencies are working on a new way to validate transactions — instead of requiring the whole network to sign off, only a few “nodes” would be needed to do so. But this poses a new problem. In theory, it could be possible for an attacker to collude with or provide as little as 1% of validating nodes in order to create fraudulent transactions, double-spend attacks, or to take the network offline.
Developers of sharding/proof-of-stake implementations are aware of the 1% attack and are building security into their protocols that will hopefully address this threat. However, investors and users still need to be cognizant of the potential risk and add it to the list of things to review when doing due diligence on a new coin or technology.
Monero recently patched a software bug in the “stealth address” system which could have been used to commit fraud and currency devaluation.
A stealth address is used to anonymize transactions from the cryptocurrency network. By accepting payments from unique, one-time addresses, the recipient can conceal who is paying them, how much, when, and how many payers they have. The problem is that this anonymization makes it difficult to verify the legitimacy of transactions.
The “burning bug” could exploit this vulnerability in stealth addresses by allowing a malicious user to send multiple transactions to the same stealth address, without verifying their authenticity. In practical terms, that means a criminal could use one legitimate XMR as the basis for a 100 XMR transaction that would leave the recipient holding 99 duplicated (i.e., fake and thus unspendable) XMR. The recipient is defrauded while the attacker is able to quickly liquidate or spend the credit received from the vendor. If exploited on a large enough scale that it left investors holding heavily devalued cryptocurrency, bugs like this could harm the reputability of a token.
Hackers can target Internet service providers in order to hijack bitcoin mining pools and steal the proceeds from those users.
This attack was first observed in 2014, when a hacker redirected online traffic from at least 19 ISPs (including Amazon, DigitalOcean, and OVH) to steal from bitcoin users. Each time, the redirection was exceptionally brief — just 30 seconds — but carried out multiple times, resulting in $9,000 worth of stolen cryptocurrency per day.
By redirecting network traffic at the ISP level (called BGP hijacking), the hacker is able to takeover legitimate miners — and in particular mining pools — thereby tricking them into continuing to use their computer processors for cryptocurrency mining while the actual proceeds are diverted to the attacker. Victims would be completely oblivious to the attack, unless they regularly check their network setups or have security measures in place against this type of network redirect, such as DNSSec.
Smart contracts, which are based on blockchain and transact in cryptocurrency, are also vulnerable to potential bugs and security flaws which could defraud those users.
Criminals have already exploited one of these flaws multiple times, called the “reentrancy attack.” This is when an attacker makes repeated calls to the payment component of the smart contract before the contract has had time to process the other payment calls. This allows the attacker to drain the victim’s cryptocurrency before the contract realizes there is no balance left.
This attack was used in 2016 to steal about $815 million in ethereum from the DAO, which helped to put this platform out of business. In October of this year, hackers pulled off a similar attack on the adult industry cryptocurrency SpankChain, stealing over $40,000 in a single weekend.
The tip of the iceberg for cryptocurrency attacks
These vulnerabilities are just the tip of the iceberg, as there are so many participants in the cryptocurrency and blockchain ecosystems. Since they all rely on code which may contain overlooked security flaws or other bugs, there is a multitude of new cryptocurrency attacks that could emerge in the next few years.
For instance, new reports warn of ongoing attacks targeting the exchanges by sophisticated North Korean hackers. This October, Trade.io disclosed a cold storage theft of tokens worth $7.5 million. The FBI also recently busted a phone-porting ring, which targeted mobile service providers to take over their customers’ cellular accounts in order to hijack their cryptocurrency accounts. Monero also warned in September that hackers compromised a popular browser extension called MEGA to steal users’ cryptocurrency and personal information.
The list goes on and on.
Only invest what you can afford to lose
Blockchain and cryptocurrencies are exciting technologies with amazing potential. But in the early days of these technologies, there are a lot of risks to the end user.
For this reason, it is important for any investor to do her homework and proceed cautiously. For instance, stick to the more prominent cryptocurrencies, exchanges, and wallets. Check to see if these service providers have active online communities that regularly report bugs and other problems, and how responsive the companies are to these complaints. Don’t put your life savings in cryptocurrency; only invest what you can afford to lose.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.