According to the Cryptocurrency Anti-Money Laundering Report from CipherTrace, some $927 million had been stolen from cryptocurrency exchanges in the first three quarters of 2018 alone. That total will almost certainly have hit, if not smashed straight through, the $1 billion mark by now. So, who were the hackers behind the heists and how did they get away with it?
The how remains sadly predictable throughout the year, truth be told: exploiting vulnerabilities in crypto wallet software and servers, social engineering and password compromise, and insider theft. The who covers equally predictable territory, with lone-wolf criminal opportunists at the lower end of the scale through to well-resourced nation-state actors at the other.
Take the 21-year-old opportunist who managed to steal $1 million from the Coinbase and Gemini accounts of San Francisco resident Robert Ross after convincing the victim's mobile network provider to assign Ross's phone number to a SIM in the attacker's own device. Once this SIM swap succeeded, every text message sent to that number, including the two-factor authentication codes the exchanges delivered by SMS, arrived on the attacker's handset, and he was able to access the crypto accounts with relative ease. SIM swapping is an increasingly common way to compromise accounts whose only second factor is a code sent over SMS: the party being deceived is the carrier's customer-service process, not the victim, so nothing the victim does on the account itself prevents it.
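The defensive lesson from the Ross case is that an SMS code should never be the only thing standing between a fresh device and a large withdrawal. The Python below is an added illustration of one such policy and is not code from Coinbase, Gemini or any other exchange: it freezes SMS as a factor for a cooling-off period after the phone number on file or the carrier-reported SIM changes (the carrier signal, the 48-hour window and the dollar limit are all assumptions), only accepts SMS from a device the account has used before, caps what SMS alone can approve, and otherwise demands an app-based OTP or a hardware security key. The two scenarios at the bottom are constructed, not taken from the real case.

```python
"""Withdrawal authorization that refuses to treat an SMS code as proof of identity
on its own.  Added illustration; policy values are assumptions, not any exchange's."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

SMS_COOLING_OFF = timedelta(hours=48)   # assumed: SMS frozen this long after a number/SIM change
SMS_MAX_USD = 1_000.0                    # assumed: SMS-only approval limited to small amounts
STRONG_FACTORS = {"totp", "webauthn"}    # authenticator-app OTP or a hardware security key


@dataclass
class Account:
    phone_changed_at: Optional[datetime]        # when the number on file was last changed
    carrier_sim_changed_at: Optional[datetime]  # last SIM change reported by the carrier (assumed signal)
    trusted_devices: Set[str] = field(default_factory=set)


@dataclass
class WithdrawalRequest:
    device_id: str
    amount_usd: float
    factors: Set[str]      # factors presented, e.g. {"password", "sms_otp"}
    now: datetime


def sms_trustworthy(acct: Account, now: datetime) -> bool:
    """SMS counts only once the cooling-off period has passed since the phone
    number or the carrier-side SIM last changed."""
    for changed in (acct.phone_changed_at, acct.carrier_sim_changed_at):
        if changed is not None and now - changed < SMS_COOLING_OFF:
            return False
    return True


def authorize_withdrawal(acct: Account, req: WithdrawalRequest) -> Tuple[bool, str]:
    if "password" not in req.factors:
        return False, "denied: password required"
    if STRONG_FACTORS & req.factors:
        return True, "approved: strong second factor"
    if "sms_otp" not in req.factors:
        return False, "denied: second factor required"
    # SMS path: each of these checks on its own would have stopped the SIM-swap case
    if not sms_trustworthy(acct, req.now):
        return False, "denied: SMS suspended after recent number/SIM change; use TOTP or a security key"
    if req.device_id not in acct.trusted_devices:
        return False, "denied: SMS code not accepted from an unrecognised device"
    if req.amount_usd > SMS_MAX_USD:
        return False, "denied: amount exceeds SMS-only limit; use TOTP or a security key"
    return True, "approved: SMS from trusted device, within limit, no recent number change"


def sim_swap_scenario() -> Tuple[bool, str]:
    """Constructed scenario: attacker ports the victim's number, logs in from his own
    phone twenty minutes later and presents password + intercepted SMS code."""
    now = datetime(2018, 10, 26, 12, 0, tzinfo=timezone.utc)
    victim = Account(phone_changed_at=None,
                     carrier_sim_changed_at=now - timedelta(minutes=20),
                     trusted_devices={"victim-laptop"})
    attacker = WithdrawalRequest(device_id="attacker-phone", amount_usd=1_000_000.0,
                                 factors={"password", "sms_otp"}, now=now)
    return authorize_withdrawal(victim, attacker)


def legitimate_scenario() -> Tuple[bool, str]:
    """Constructed scenario: the real owner, known device, small amount, no recent change."""
    now = datetime(2018, 10, 26, 12, 0, tzinfo=timezone.utc)
    owner = Account(phone_changed_at=None, carrier_sim_changed_at=None,
                    trusted_devices={"victim-laptop"})
    small = WithdrawalRequest(device_id="victim-laptop", amount_usd=250.0,
                              factors={"password", "sms_otp"}, now=now)
    return authorize_withdrawal(owner, small)


if __name__ == "__main__":
    print(sim_swap_scenario())
    print(legitimate_scenario())
```

Even without a carrier feed, the device and amount checks alone deny the attacker in this scenario; the cooling-off rule is the one that also covers an attacker who first changes the number on file through a hijacked e-mail account.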
Then there are the state-sponsored actors.
North Korea remains firmly in the crosshairs for anyone investigating cryptocurrency theft, especially at the bigger end of the attack scale. One group in particular, the Lazarus Group, is thought to have been involved in a number of attacks. Often launching their attacks out of China, possibly in order to obfuscate geopolitical attribution, the Lazarus actors are widely thought to be nation-state players tasked with cyber heists to help boost the beleaguered North Korean economy. In this regard, Lazarus is thought to have been spectacularly successful: more than $571 million in cryptocurrency is reported to have been stolen by the Lazarus Group since the start of 2017, and it is thought that 65% of stolen cryptocurrency ends up in North Korea.
In June 2018, $31.6 million across multiple cryptocurrencies was stolen from the South Korean Bithumb exchange. Investigators from AlienVault had earlier in the year tracked the Lazarus Group distributing malicious documents, created with the Hangul Word Processor (HWP), to cryptocurrency users in South Korea. AlienVault concluded that while it couldn't be certain the malware linked to from those HWP documents was responsible for the Bithumb heist, "it seems a likely suspect."
If you are surprised at that $1 billion figure being quoted as the total haul from cryptocurrency heists in 2018 alone, you really shouldn't be. The theft from the Japanese exchange Coincheck that was disclosed in January, for example, accounted for $532 million on its own. The methodology behind the biggest cryptocurrency hack of the year has never been made public. However, the Japan Times reported at the time that regulators had urged Coincheck "to address security concerns about the way it manages customer assets" prior to the attack. Whereas most cryptocurrency exchanges keep the bulk of customer assets in cold wallets, whose signing keys are held offline, Coincheck apparently managed all of its NEM coins in hot wallets connected to external networks to enable quick trading. That matters because a hot wallet's keys must be available to an internet-facing system so that transfers can go out on demand, which is exactly what an attacker who compromises that system gets as well; cold-wallet funds, by contrast, are routinely protected by multiple sign-offs before anything moves. Keeping an entire holding online means the whole holding is exposed to a single compromise.
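To make the hot-versus-cold difference concrete, the Python below is an added toy model of exchange custody and is not Coincheck's or any exchange's code. It compares an "everything online" configuration with one that caps the hot wallet at a small fraction of total assets and refills it from cold storage only after M-of-N approvers sign off. The 5% cap, the 2-of-3 quorum and the balances are assumptions chosen for the illustration; the only thing the model takes from the article is that a hot-key compromise costs whatever is online.

```python
"""Toy custody model: all-hot exchange versus capped hot wallet refilled from cold
storage under M-of-N approval.  Added illustration; cap, quorum and balances are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Refill:
    amount: float
    approvals: Set[str] = field(default_factory=set)  # a set, so one person cannot count twice
    executed: bool = False


class Custody:
    def __init__(self, total: float, hot_fraction: float, quorum: int, approvers: List[str]):
        if not 0 < quorum <= len(approvers):
            raise ValueError("quorum must be between 1 and the number of approvers")
        self.cold = total
        self.hot = 0.0
        self.hot_cap = total * hot_fraction   # online float permitted for day-to-day trading
        self.quorum = quorum
        self.approvers = set(approvers)
        self.pending: List[Refill] = []
        self._move_to_hot(min(self.hot_cap, total))   # initial float

    def _move_to_hot(self, amount: float) -> None:
        self.cold -= amount
        self.hot += amount

    def withdraw(self, amount: float) -> None:
        """Customer withdrawal: signed by the online key, so served only from the hot balance."""
        if amount > self.hot:
            raise ValueError("hot balance insufficient; customer must wait for a refill")
        self.hot -= amount

    def attacker_drains_hot_wallet(self) -> float:
        """Model of a hot-key compromise: everything online is lost, cold funds are untouched."""
        stolen = self.hot
        self.hot = 0.0
        return stolen

    def propose_refill(self, amount: float) -> Refill:
        if amount <= 0 or amount > self.cold:
            raise ValueError("invalid refill amount")
        if self.hot + amount > self.hot_cap:
            raise ValueError("refill would push the hot balance over its cap")
        r = Refill(amount)
        self.pending.append(r)
        return r

    def approve_refill(self, refill: Refill, approver: str) -> bool:
        """Record one approval; the transfer executes only when the quorum is reached."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        if refill.executed:
            return True
        refill.approvals.add(approver)
        if len(refill.approvals) >= self.quorum:
            self._move_to_hot(refill.amount)
            refill.executed = True
            self.pending.remove(refill)
        return refill.executed


def exposure_all_hot(total: float = 100.0) -> float:
    """Everything online, as the article describes Coincheck's NEM holding: total loss."""
    return Custody(total, hot_fraction=1.0, quorum=1, approvers=["ops"]).attacker_drains_hot_wallet()


def exposure_capped(total: float = 100.0) -> float:
    """Same compromise against a 5% hot float: loss bounded by the cap."""
    return Custody(total, hot_fraction=0.05, quorum=2,
                   approvers=["alice", "bob", "carol"]).attacker_drains_hot_wallet()


def refill_demo() -> Dict[str, object]:
    """Constructed walk-through of the approval flow on the capped configuration."""
    c = Custody(100.0, hot_fraction=0.05, quorum=2, approvers=["alice", "bob", "carol"])
    c.withdraw(3.0)                          # customers draw down the float: hot 2, cold 95
    r = c.propose_refill(3.0)                # top the float back up to the cap
    first = c.approve_refill(r, "alice")     # 1 of 2: nothing moves yet
    repeat = c.approve_refill(r, "alice")    # same approver again: still 1 of 2
    second = c.approve_refill(r, "bob")      # quorum reached: funds move
    return {"after_first": first, "after_repeat": repeat, "after_second": second,
            "hot": c.hot, "cold": c.cold}


if __name__ == "__main__":
    print("all hot:", exposure_all_hot(), "capped:", exposure_capped())
    print(refill_demo())
```

The point the numbers make is that the cap, not the cleverness of the attacker, bounds the loss; in practice exchanges also add a time delay between quorum and execution so that an unexpected refill can be vetoed, which the model omits for brevity.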