2018 could be the year of cryptocurrency hacks.
With bitcoin recently pushing past the $19,000 level (despite crashing hard on Friday) and a slew of other cryptocurrencies like ethereum, litecoin and Ripple making rapid price gains in its wake, it’s never been a more bullish time for digital currency investors. But there is always a price to be paid for such success and in this case cryptocurrency’s massive surge in popularity is likely to trigger an epic wave of crime.
Already on December 4th, the SEC announced it shut down an initial coin offering (ICO) for allegedly defrauding investors of $15 million. However, while fraud is an inherent risk of cryptocurrency, as wallets, exchanges and ICOs all take place with little to no legal or regulatory oversight, it is hacking which presents a far more serious threat for investors because it is so widespread and so difficult for the average person to avoid.
Hacking has been a recurring problem for this industry from the very beginning. In fact, a report last year from the US Department of Homeland Security found that 33% of bitcoin exchanges were hacked between 2009 and 2015, and one-off scams and attacks on individual investors have been occurring throughout that time as well.
But if prices continue to rise, it will incentivize many more attacks. After all, cryptocurrency cyber heists are now extremely lucrative, with the opportunity to make tens of millions of dollars from a single attack. This will likely entice more hacking groups to expand their operations beyond traditional revenue streams – “banking Trojans,” “ransomware,” “carding,” etc. – to take on cryptocurrency investors as well. Cybercriminals go where the money is and right now the money is definitely in bitcoin.
The problem for investors is that there are so many ways a criminal can attack their cryptocurrency savings, and very little they can do to stop them. To make matters worse, there is no FDIC insurance for cryptocurrency – which means losses due to theft or fraud are unlikely to ever be recovered or reimbursed.
Over the years, hackers have targeted the cryptocurrency exchanges, digital wallets, ICOs, DAOs (Decentralized Autonomous Organization), mining companies, virtual private servers and hosting services, and more. In fact, on December 7th, a bitcoin mining company called NiceHash was hacked, leading to more than $60 million in losses for its customers.
Here are a few other examples:
2017: Tether hacked for $31 million
2016: Bitfinex hacked for $77 million; The DAO hacked for $50 million
2014: Mt. Gox hacked for $450 million
2012: Linode hacked for $200,000; Bitfloor hacked for $250,000
What these attacks demonstrate is how insecure many of the organizations are that play a key role in the cryptocurrency market (in addition to its 2016 hack, Bitfinex was also briefly shut down on December 12th by a distributed denial-of-service, or DDoS, cyber attack), but it also shows just how difficult it is for any company to protect the integrity of digital currency accounts.
However, the attacks on cryptocurrency institutions only tell half of the story. At the same time cybercriminals are trying to backdoor digital wallets and steal from exchanges, they are also targeting investors directly.
A recent report by Chainalysis estimates that as much as $225 million had been stolen from cryptocurrency investors in 2017, taken through phishing attacks that targeted initial coin offerings. As of now, there is a 10% chance that investors who participate in an ICO will be scammed — not by a phony ICO (as has been alleged in the PlexCorps case), but by hackers impersonating an official ICO and tricking people into submitting their payment credentials to them instead.
Recent news reports have also highlighted the threat of “phone-porting,” in which a hacker is able to hijack a person’s bitcoin account by first stealing their phone number. There has also been a substantial rise in a new type of malware that targets cryptocurrency. Dell SecureWorks estimates this type of malware, referred to as “cryptocurrency-stealing malware,” or CCSM, increased by 1,123% between 2012 and 2014. One specific malware strain, called CryptoShuffler, is believed to have stolen over $160,000 in bitcoin from individual investors this year.
Investors need to understand these risks. When it comes to the security to their cryptocurrency accounts, they are largely on their own. If they fall for a phishing email or their computer is infected with CCSM, they could lose everything. There are no guarantees, no backups. The same is true if an exchange, a digital wallet or a mining company are breached by hackers.
There are a few security measures individuals can take to better protect their accounts, like installing antivirus with anti-phishing support, setting up a firewall, protecting Internet connections with a VPN, adding two-factor authentication and password managers to safeguard logins, and using hardware wallets to store the cryptocurrency. However, in an age when even well-resourced corporations and government agencies struggle to contain the hacker threat, no one will ever be 100% safe. Those who invest in cryptocurrency need to be prepared for losses.
While cryptocurrency fraud has been happening for years, the rise in prices virtually guarantees that we will see more sophisticated cybercrime groups get into this market within the next year. Investors need to be more aware of these threats and take the proper security precautions to lower their risk.
Jason Glassberg is co-founder of Casaba Security (casaba.com), a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.