It’s not just happy investors who get rich with crypto.
Hackers made off with billions of dollars in virtual assets over the past year by compromising some of the cryptocurrency exchanges that emerged during the Bitcoin boom.
This year there have been more than 20 hacks in which a digital robber stole at least $10 million in digital currencies from a crypto exchange or project. In at least six cases, hackers stole more than $100 million, according to NBC News. By comparison, according to the FBI’s annual crime statistics, bank robberies earned perpetrators an average of less than $5,000 per robbery last year.
Despite the large dollar amounts associated with these thefts, they often lack the drama or attention of traditional bank robberies. But cryptocurrency experts say they are warning budding crypto investors: Exchanges are now lucrative targets for hackers.
“If you hack a Fortune 500 company today, you could steal some usernames and passwords,” said Esteban Castaño, CEO and co-founder of TRM Labs, a company that creates tools for businesses to track digital assets. “If you hack a cryptocurrency exchange, you may have millions of dollars in cryptocurrencies.”
Once a curiosity on the internet that required a certain amount of technical know-how to purchase, cryptocurrencies have become a more established investment and speculative tool. In recent years that has spurred more than 300 companies to set up shop, giving people an easy way to buy and sell anything from bitcoin to fringe coins like the dog-inspired Dogecoin.
Crypto exchanges work like traditional exchanges, setting prices for various currencies and charging users a small fee to trade. But while a handful of countries have strict regulations, it’s relatively easy for tech entrepreneurs to set up an exchange almost anywhere in the world and run it however they want.
Cryptocurrencies generally offer a certain level of security – they get their name in part from “encryption”. But the exchanges that manage them, especially new ones that build their businesses from scratch, often start out with tiny staffs, meaning there are few full-time cybersecurity professionals. Their developers may be frantic to get the code up and running and sometimes inadvertently leave bugs that let hackers in. Combined with the fact that they often suddenly hold a fortune due to a volatile market, exchanges are an especially ripe target for criminal hackers.
Exchanges often retain access to some of their cryptocurrencies in so-called cold wallets, which live securely offline. The rest is in “hot wallets”, which are liquid and can be sent to users. That means that if a hacker gets access to a certain employee account – a common Internet security breach – they can carry out a major robbery, said Dave Jevans, founder of CipherTrace, a company that tracks theft and fraud in cryptocurrencies.
“Stealing the private keys to a hot wallet is not like stealing a database of people’s names and social security numbers,” Jevans said. “They basically stole all of their money.”
If an exchange is wealthy enough and plans an emergency fund, it can compensate its clients if its operation is hacked, Jevans said. If not, they often go out of business.
“Not every stock exchange is so rich or has so much foresight. It just goes, Pop, ‘We’re out of business. I’m sorry, you’re all screwed,’” he said.
One of the biggest heists came in early December when crypto trading platform Bitmart announced that hackers had broken into a company account and stolen nearly $200 million. The company froze all customer transactions for three days before allowing them to trade their money again.
The problem is made worse because many cryptocurrency projects aimed at circumventing government regulations are based in countries whose law enforcement agencies don’t have much power to track down transnational hackers. Or if they’re hacked, they’re less likely to seek government aid for ideological reasons, said Beth Bisbee, director of US investigations at Chainalysis, a company that tracks cryptocurrency transactions for both private companies and government agencies.
“The ecosystem in general wants to be against banks and regulators,” said Bisbee. “When something like this happens, they don’t necessarily want to cooperate with law enforcement, even though they would be viewed as victims and it would be valuable to them.”
Exchange hacks, while sharing some similarities with old-fashioned bank robberies, lack the hallmarks that once made headlines. Public scrutiny of these hacks may be lacking despite the large dollar amounts. Most exchange hackers don’t get caught, which leaves consumers with little closure. And there is seldom physical evidence or real-world consequences: no traumatized bank employees or perp walks.
But some hacks have happy endings. In one bizarre public case, a hacker stole $600 million from the Poly Network cryptocurrency platform. Instead of blaming the thief, the company decided to appeal to his better nature, calling him “Mr. White Hat,” which is a cybersecurity term for a researcher working to make things safer. Poly Network thanked him for exposing a bug in its code and asked for the money back. The hacker finally gave in and gave everything back.
But these cases are rare. When major law enforcement agencies tackle a major cryptocurrency hack, they usually try to follow every lead, a grueling process that moves much more slowly than the criminals they are tracking.
Claire Georges, deputy spokeswoman for Europol, the European Union’s international law enforcement agency, said the agency was aware of a number of cases against hackers stealing digital assets. But she said building a solid case is a long, slow process that can’t keep up with the pace of attacks.
“We have a number of investigations ongoing as we speak,” said Georges. “They take a long time because we also want to shut down the whole criminal network,” she said. “These cases often flow into other cases.”
“You could go on like this forever,” she said. “These examinations usually take time.”