Blockchain was developed as an unhackable technology, and Bitcoin indeed withstood cyber attacks for a long time. However, hackers have finally found weak spots in this technology that seems to be bulletproof to its users and developers.
When investing in cryptocurrency, people tend to rely too much on the security of the blockchain. Unfortunately, this overconfidence leaves various attack vectors open, such as bugs in software code, insecure user credentials, or fraudulent ICOs. Hackers successfully exploit all of these vulnerabilities and can steal a million dollars from user wallets at a time.
In this article, our goal is not to scare you. On the contrary, we want to give you the weapon of knowledge and explain how five of the most unexpected and devastating blockchain hacks in 2019 happened and whether these attacks were mitigated. Let’s get started.
1. The IOTA phishing attack
$4 million worth of IOTA coins was stolen from user wallets after their owners generated seeds on iotaseed.io (now offline). IOTA customers fell into the trap of this phishing website because it was advertised at the top of Google search as an official IOTA seed generator.
The website visitors provided hackers with their private keys in order to obtain a unique seed. Cybercriminals had been collecting passwords and seeds for an unknown period of time, and finally cleaned out the wallets of unsuspecting IOTA users on January 19. At the same time, some of the IOTA network full nodes also suffered from a DDoS attack, which made them unable to protect their assets. However, the IOTA founders claim they didn’t find any connection between the DDoS attack and the fake seed generator.
Unfortunately, due to the decentralized nature of blockchain, the IOTA foundation can’t control the distributed ledger. Moreover, the hackers abused valid user credentials, so all the transactions were legitimate from the point of view of blockchain security.
2. The Coincheck hack
On January 26, hackers compromised user accounts of Coincheck, a Japanese crypto exchange, and stole 560 million NEM tokens worth around $420 million. This theft, the biggest cryptocurrency theft to date, revealed many problems at Coincheck.
Later, the internal investigation at Coincheck showed that one of their internal computer systems was infected with malware that led to a data breach. The virus allowed attackers to collect a large number of private keys many weeks before the blockchain hack.
The hack was successful because the exchange kept node assets in hot wallets, which are more vulnerable to hacks than cold ones because of their connection to external networks. In addition, there was no multi-signature security, which requires each transaction to be confirmed with multiple sign-offs before funds are sent.
Fortunately, the NEM developers quickly responded to the attack and returned almost all funds to victims.
3. The POWH Coin hack
Proof of Weak Hands Coin was advertised as a legitimate pyramid scheme that rewarded early users with 10% of dividends. Despite multiple warnings telling people not to invest money in this self-sustaining pyramid, the value of POWH Coin quickly grew to over two million dollars.
However, on January 28, a white hat hacker managed to drain user wallets by exploiting a common blockchain vulnerability, an unsigned integer underflow.
A malicious user can have two wallets: the first one with a zero balance and the second one with a positive balance. Then, they authorize the first wallet to make transactions from the second wallet. When they transfer tokens from the first wallet using this authority, the software ignores the fact that the transaction is cashing out the second wallet and instead subtracts tokens from the wallet with a zero balance. Since there can’t be a balance with negative numbers, the software wraps around to the highest possible number. As a result, the first wallet gets a huge number of coins on its balance that can be easily transferred to any account or cashed out.
This bug in the contract code let the attacker withdraw nearly 2000 Ethers or $2.3 million collected from crowdfunding efforts.
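The underflow described above can be reproduced with 256-bit unsigned arithmetic. The following is an added example, not the POWH contract's code: it models the flawed delegated transfer next to a corrected one, and the `Ledger` class, wallet names and balances are constructed for illustration.

```python
# Added example, not POWH's contract: wallet names and balances are constructed.
UINT256_MAX = 2**256 - 1

def wrapping_sub(a, b):
    """Unchecked unsigned 256-bit subtraction: wraps modulo 2**256."""
    return (a - b) & UINT256_MAX

def checked_sub(a, b):
    """Subtraction that fails instead of wrapping below zero."""
    if b > a:
        raise ValueError("insufficient balance")
    return a - b

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowed[(owner, spender)] = amount

    def _spend_allowance(self, owner, spender, amount):
        remaining = self.allowed.get((owner, spender), 0)
        if amount < 0 or remaining < amount:
            raise PermissionError("allowance exceeded")
        self.allowed[(owner, spender)] = remaining - amount

    def transfer_from_vulnerable(self, spender, owner, to, amount):
        self._spend_allowance(owner, spender, amount)
        # Bug from the text: the spender's balance is debited instead of the
        # owner's, and the unchecked subtraction wraps a zero balance around.
        self.balances[spender] = wrapping_sub(self.balances.get(spender, 0), amount)
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from_fixed(self, spender, owner, to, amount):
        # Debit the allowance's owner and reject underflow before changing state.
        new_balance = checked_sub(self.balances.get(owner, 0), amount)
        self._spend_allowance(owner, spender, amount)
        self.balances[owner] = new_balance
        self.balances[to] = self.balances.get(to, 0) + amount

def demo():
    start = {"wallet_1": 0, "wallet_2": 100}  # constructed sample balances
    buggy, fixed = Ledger(start), Ledger(start)
    for ledger in (buggy, fixed):
        ledger.approve("wallet_2", "wallet_1", 1)
    buggy.transfer_from_vulnerable("wallet_1", "wallet_2", "wallet_3", 1)
    fixed.transfer_from_fixed("wallet_1", "wallet_2", "wallet_3", 1)
    return buggy.balances, fixed.balances
```

In the flawed ledger the zero-balance wallet ends up holding 2**256 - 1 tokens while the authorizing wallet is untouched; in the corrected ledger the same call simply moves one token out of the authorizing wallet.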
4. The Verge hack
The Verge network hack was initially aimed not at stealing but at generating cryptocurrency. From April 4 to May 22, attackers exploited several blockchain security vulnerabilities, such as manipulating the difficulty, faking timestamps, and gaining dominance over the network. These actions allowed cybercriminals to mine new coins at a higher rate and finally counterfeit cryptocurrency with a total value of $1 million.
Hackers managed to dominate the network three times for intervals of several hours at once and disabled payments from other users. During these intervals, they mined new cryptocurrency at a rate of 1,560 Verge coins per second. In addition, attackers reduced the difficulty of mining by using fake timestamps and then abused only a single algorithm to generate new blocks faster.
To mitigate the attack, the Verge developers set limits on consecutive blocks created with one algorithm. However, the hackers successfully repeated their hack by exploiting two algorithms at once. The final solution from the blockchain developers was to reduce the block drift window to 10 minutes, which made the timestamp fraud impossible.
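The two mitigations described above can be expressed as block acceptance rules. This is an added sketch, not Verge's code: the 10-minute window comes from the text, while the consecutive-block limit, the algorithm labels, and the reading of the drift window as a maximum deviation from the validator's clock are assumptions.

```python
# Added example, not Verge's code. The 10-minute window is from the text;
# the consecutive-block limit and the algorithm labels are assumed values.
from collections import namedtuple

MAX_DRIFT_SECONDS = 10 * 60
MAX_CONSECUTIVE_SAME_ALGO = 5  # assumption: the article gives no number

# timestamp: seconds since epoch as claimed by the miner; algo: mining algorithm
Block = namedtuple("Block", "height timestamp algo")

def check_block(chain, block, now):
    """Return the rule violations for `block` proposed on top of `chain`."""
    problems = []
    # Rule 1: the claimed timestamp must be close to the validator's clock,
    # so a miner cannot fake block spacing to pull the difficulty down.
    if abs(block.timestamp - now) > MAX_DRIFT_SECONDS:
        problems.append("timestamp outside drift window")
    # Rule 2: cap the run of blocks mined with one algorithm.
    run = 1
    for prev in reversed(chain):
        if prev.algo != block.algo:
            break
        run += 1
    if run > MAX_CONSECUTIVE_SAME_ALGO:
        problems.append("too many consecutive blocks from one algorithm")
    return problems

def demo():
    now = 1_000_000  # constructed validator clock
    chain = [Block(h, now - 300 + 30 * h, "algo_a") for h in range(5)]
    honest = Block(5, now - 100, "algo_b")
    # Switching algorithm satisfies rule 2, so only rule 1 catches this block.
    skewed = Block(5, now - 7200, "algo_b")
    same_algo = Block(5, now - 100, "algo_a")
    return [check_block(chain, b, now) for b in (honest, skewed, same_algo)]
```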
5. The Bancor exchange hack
On July 9, cybercriminals hacked the Bancor exchange and enriched themselves with $23.5 million of cryptocurrency tokens. The unknown hackers compromised a wallet that was created to upgrade some smart contracts. Having credentials from this wallet, the attackers stole $23.5 million in cryptocurrency, $10 million of which was in Bancor coins.
It still remains unknown how the attackers obtained credentials to one of the key accounts on Bancor. Perhaps there was a data breach from one of the Bancor developers’ computers, initiated either internally or by phishing. After getting access to the account, hackers invoked the withdraw function and transferred funds to their account.
The exchange developers conducted an investigation and managed to freeze $10 million in BNT, while the rest of the stolen coins were in other cryptocurrencies. Bancor also transferred the smart contract ownership from the compromised account to other accounts. In order to prevent future attacks, the Bancor developers introduced a multi-signature confirmation to their smart contracts, so each transaction would require a confirmation from at least two trusted accounts out of four.
Hacking blockchain is becoming a highly rewarding activity for cybercriminals, as these attacks can bring them millions of dollars. In addition, the user anonymity supported by the majority of blockchain networks prevents hackers from being identified. As a result, none of the attackers involved in the five blockchain hacks listed above has been caught as of today.
The good news is that in most cases, blockchain developers reacted fast enough to stop the attack and return stolen funds to their rightful owners.