In 2019, hackers stole approximately $282 million from crypto exchanges, a drop of ~66% from the $865 million taken by malicious actors the year prior. This decrease is a direct effect of cryptocurrency exchanges improving their security through the use of more secure platforms and improved monitoring. But several hundred million dollars in losses is certainly substantial enough to emphasize the ongoing security challenges facing exchanges today.
The New Zealand-based exchange Cryptopia suffered an attack on user wallets that began on January 14 and lasted nearly five days. This hack was highly concerning because after the exchange’s assets were drained from its core pair of hot wallets the hackers were able to access more than 76,000 secondary hot wallets belonging to users. This theft resulted in $16 million in losses in ether and dozens of ERC-20 tokens, according to a report from blockchain data analytics firm Elementus.
Trading on the exchange was suspended until March; after attempting a comeback, Cryptopia halted its operations in May and went into liquidation. Some of the stolen assets were frozen by Binance after the hackers moved ERC-20 tokens onto its exchange. Customers of Cryptopia are still waiting to be compensated.
Through a spoof link on LocalBitcoins’ official forum, hackers gained access to users’ information when clients attempted to log in—7.9 bitcoins were stolen from a half-dozen users in this phishing attack. This was a relatively small incursion that the Finland-based exchange addressed quickly.
Singapore’s DragonEx exchange was hit on March 24, with some $7 million across 20 cryptocurrencies—including BTC, ETH, XRP, LTC, and EOS—stolen from the firm and its users. DragonEx quickly alerted authorities in Singapore, Estonia, Thailand, and Hong Kong, and asked other exchanges for their cooperation in tracking the funds.
With the assistance of some of those exchanges, DragonEx was able to retrieve a portion of the stolen assets. The exchange planned to compensate users by replacing 10% of the stolen assets with the original currencies and the other 90% with bonds that DragonEx would buy back.
The CoinBene loss is controversial as the exchange itself has not admitted what happened, but the logs show around $105 million in coins moved during what the company claimed was “maintenance.” This gaping discrepancy combined with a lack of accountability has led industry observers to assume it was an attack.
On March 29, South Korea’s largest crypto exchange, Bithumb, was hacked for the third time in two years. The attack, which appeared to be perpetrated by insiders, took more than 3 million EOS and 20 million XRP (valued around $19 million) from the exchange—user wallets were not affected as these assets were protected in cold wallets. The thieves quickly laundered the funds, with the bulk of the assets being sent to addresses not owned by exchanges, making recovery nearly impossible.
Total Amount Sum: $282 million
In early May, one of the largest crypto exchanges, Malta-based Binance, announced that 7,000 bitcoins—worth approximately $40 million—were stolen in a single transaction.
Binance said a variety of techniques, including phishing and viruses, were used to compromise its security, and an analysis by crypto security firm CipherTrace said “hackers used a multi-pronged takeover attack to obtain API keys, two-factor authentication codes, and other personal information from a large number of users.” Binance’s losses were covered by its Secure Asset Fund for Users, an emergency insurance fund, and no customer assets were taken.
GateHub was targeted through its wallet’s API, which exposed the exchange to a $10 million attack right as the markets were high, dealing a major setback to this XRP Ledger wallet.
Singapore-based exchange Bitrue was hacked on June 27, and around $4.3 million in XRP and Cardano (ADA) were stolen from its hot wallet after a hacker exploited a vulnerability in the Risk Control team’s second review process to access the personal funds of about 90 users.
Half of the stolen assets were transferred to private wallets and half went to a handful of exchanges. Three exchanges—Huobi, Bittrex, and ChangeNOW—froze $1.35 million of the stolen funds, which Bitrue expected to recover. In late June, Bitrue resumed trading on its exchange and announced that all affected customer accounts had their assets replaced.
The response by Bitrue and other exchanges was praised as “a sign of increasing sector maturity” in a Brave New Coin op-ed.
Japanese exchange Bitpoint was hit by hackers on July 12. An estimated $28 million of BTC, XRP, ETH, BCH, and LTC were stolen—about 75% of which belonged to Bitpoint customers. The exchange said unauthorized access to the private keys of its hot wallets facilitated the theft. Affected customers were due to be repaid in cryptocurrency.
Amount Stolen Per Exchange
November brought the hack of $500,000 worth of 23 different tokens from Vietnamese exchange VinDAX—which primarily sells tokens for little-known blockchain projects. Although details were scarce about the attack on VinDAX, The Block reported that the exchange sent emails to the affected projects asking them to loan the exchange their tokens so that customers could make withdrawals.
Upbit’s hot wallet was compromised in this late November attack, and due to the lack of security controls in place hackers were able to move $342,000 of ether off the exchange. Because of this breach, Upbit performed a complete security overhaul of its wallets.
Due to the frequency of attacks (successful or not) and increased scrutiny from governing bodies, cryptocurrency exchanges have been working tirelessly to implement new security features, including multi-signature technology and insurance against losses.
Users can improve their security by using multi-factor authentication, storing long-term investments in cold wallets, and ensuring their tech is locked down.
Although all manner of digital currency was taken in 2019 hacks—using methods including phishing, viral attacks, and insider breaches—cooperation between exchanges led to stolen assets being recovered in multiple cases. However, many users’ funds were not recovered, and exchanges are dealing with how to cover the losses, if at all. In one attack, no coins were taken at all, but the hackers gained access to personal user data—throughout the year, over 510,000 pieces of information were stolen.
Although the number of exchanges successfully breached increased by five in 2019 over the year before, the amount stolen was reduced by two-thirds. Increased cooperation between exchanges and security measures like cold storage mitigated some losses, and the industry continues to focus on strengthening resistance to malicious attacks.
BitGo is focused on working with clients, partners, and regulators to deliver innovative security, custody, and liquidity solutions that can reduce risk and increase transparency in the digital asset markets. For more information on the services BitGo offers, visit here.