Crypto Heist: Revisiting the Most Infamous Hacks in Crypto History

2020 is finally drawing to a close, and the whole of humanity is now drawing the curtains on what has been an eventful year. It’s safe to say the coronavirus outbreak was the major highlight of the year, with millions of lives and livelihoods affected globally.

Although the year itself threw the larger human collective in the throes of a global health crisis and a resulting economic crisis, it was an excellent year for the crypto space. More accurately, it was a year filled with memorable — and equally, infamous — events like the DeFi ‘boom’, Bitcoin’s record-smashing bull run, several flash loan attacks on DeFi protocols, PayPal’s dalliance with crypto, and many more.

Perhaps most notably, however, we’ve seen firsthand how the criminal underbelly of the crypto space has advanced faster than expected. Hackers, scammers, and just about every bad guy in crypto have all become savvier and annoyingly persistent in their dealings. For instance, blockchain analytics company CipherTrace earlier reported criminals stole a whopping $1.36 billion in cryptocurrency from January to May 2020 alone.

In this article, we’ll take a closer look at some of the most high-profile hacks and exchange thefts in the history of cryptocurrency. We’ll examine in detail how each heist happened, what action(s) the affected parties took, and the aftermath of the heist.

Side note: This article doesn’t simply rank the hacks based on how much the criminals made off with in total. On the contrary, it goes further to closely examine which of the events left a lasting mark on the crypto space to date.

That said, here are the three most high-profile hacks and cryptocurrency exchange thefts, in no particular order.

1. Mt. Gox (2011-2014)

Now-defunct crypto exchange Mt. Gox was hit by a series of thefts spanning several years (2011 to 2014), in what can be safely termed the most “talked-about” exchange heist in the crypto space.

Now, you might wonder how exactly it happened. We’ll get to that, but first, some context…

Background

Mt. Gox (sometimes MtGox or Mt Gox) was a Bitcoin exchange based in Tokyo, Japan. It was founded by programmer Jed McCaleb in 2010.

Fun fact: Mt. Gox is an acronym for “Magic: The Gathering — Online eXchange”. McCaleb had initially created the website in 2006 for players of the online version of strategy card game Magic: The Gathering Online to trade cards. However, McCaleb eventually abandoned the project and repurposed the domain to develop the world’s biggest Bitcoin exchange.

The exchange operated between 2010 and 2014 and controlled over 70% of all Bitcoin trades at its peak. This popularity most likely made Mt. Gox a prime target for hackers, as it suffered several security breaches throughout its period of operation.

How It Happened

The first attack happened in 2011 when hackers used stolen wallet credentials to transfer about 80,000 BTC to another wallet. McCaleb later sold the exchange to Mark Karpelès, who became the CEO and largest shareholder. The former owner retained admin rights to audit transactions and was entitled to Mt. Gox’s profits for six months.

Some months later, another attack took place, which saw about 2,600 BTC moved using McCaleb’s auditor account. Given the influence of Mt. Gox on the Bitcoin market at the time, the second hack crashed the price of Bitcoin from $17 to one cent.

The final blow came in February 2014, when the exchange suspended Bitcoin withdrawals and announced they’d lost over 850,000 BTC (around 6% of Bitcoin’s circulating supply at the time). According to Mt. Gox, hackers stole 744,408 BTC from customer wallets and 100,000 BTC along with $27 million cash from Mt. Gox between 2011 and 2014. The news sent Bitcoin’s price crashing by 20%.

To answer the earlier question, many people have put the hacks down to poor management and pure negligence on the exchange’s part. The exchange was aware of the security risks of storing users’ cryptocurrencies in a hot wallet, yet it did so anyway.

Blockonomi, in an article, explained that the private key could have been stolen as far back as the June 2011 attack when the hackers accessed the exchange’s wallet.dat file. With the file, the hackers had all they needed to steal as much Bitcoin as they wanted undetected.

(As you probably know, the wallet.dat file contains sensitive wallet information that allows you to access your crypto. Interestingly, the information in this file isn’t encrypted by default, meaning you’re at risk of losing your crypto holdings if someone gains access to your computer.)

The Aftermath

The stolen Bitcoins were valued at nearly half a million dollars when the theft was discovered. Even worse, the missing 650,000 BTC are worth more than $12.5 billion today.

The loss pushed the exchange into financial ruin, and it shut down in February 2014 after weeks of DDoS attacks and increasing customer frustration with withdrawals — the latter was attributed to ‘transaction malleability’ issues. The Tokyo-based exchange applied for bankruptcy protection in the Tokyo District Court and was liquidated in April 2014.

In March 2014, a month after it had filed for bankruptcy, Mt. Gox said it had discovered 200,000 BTC sitting in a forgotten wallet used during McCaleb’s tenure. The announcement was made by Karpelès, who admitted ‘finding’ the Bitcoin himself.

The former Mt. Gox CEO has been found guilty of deliberately manipulating the exchange’s financial records. He sometimes mixed his personal accounts with the exchange’s to falsify records and hide the thefts from both customers and the public.

Six years after the events of the Mt. Gox hack, the whole debacle remains far from over. At the time of writing, the future of Mt. Gox remains a matter of speculation. Most Mt. Gox customers from all around the world are still waiting to reclaim their funds, and it’s not yet certain if they ever will.

2. Coincheck (January 2018)

The unwanted honor of the largest (i.e., in terms of value) crypto exchange hack in history should probably go to Japan-based exchange Coincheck. Although Mt. Gox was the biggest Bitcoin theft ever, Coincheck’s hack remains the biggest in the history of cryptocurrency. Fortunately, the exchange managed to survive the attack, although this was credited to the relative stability of the crypto market back then.

Background

Coincheck is a cryptocurrency exchange and wallet provider based in Tokyo, Japan. Coincheck was created by Koichiro Wada and Yusuke Otsuka in the summer of 2014 (although some sources cite 2012). It remains one of the largest cryptocurrency exchanges in Asia. In 2017, it reportedly handled the highest trading volume in Asia.

How It Happened

In January 2018, the Tokyo-based exchange was the target of an attack that saw over 523 million coins of the obscure cryptocurrency NEM stolen from customer accounts. At the time, the stolen coins were worth about $534 million.

Again, just like the Mt. Gox hack, a hot wallet was responsible for the theft. Coincheck stored all customers’ NEM tokens in a single hot wallet instead of using cold storage. The exchange later revealed how the hackers exposed security flaws in its system. This was after it had failed to implement NEM’s multi-signature contract, as recommended by NEM developers.

The Coincheck heist was the biggest ever, surpassing the infamous Mt. Gox hack in terms of the total value stolen. According to Lon Wong, president of NEM Foundation, the hack was "the biggest theft in the history of the world." Due to Coincheck’s weak security, the hackers had no difficulty in accessing the funds and transferring them. 

Of course, NEM developers could have helped recover the funds by hard-forking the blockchain to roll back the transaction records to an earlier time. However, the company opted against doing this (since they were under no obligation to do so), with NEM Foundation VP Jeff McDonald famously stating a fork is not an option.

The Aftermath

Coincheck would have gone under in no time had the hack happened at an earlier time (say, 2011). However, the crypto space was at the height of the ICO boom in 2018, so the market was large enough to cushion the effects of such an event.

That said, Coincheck is still in ‘active service’ after surviving the hack, although it was bought in April 2018 by Monex Group, a Japanese financial services company operating mainly as an online brokerage.

At the time of writing this article, all the 260,000 customers affected by the hack have been reimbursed. The hack set new security standards for crypto exchanges.

3. ‘The DAO’ (June 2016)

The DAO was the Ethereum community’s brainchild. It was the first attempt at creating a decentralized autonomous organization on the Ethereum network, and it garnered immense popularity. For reference, the Mt. Gox hack was the biggest attack on Bitcoin, while The DAO hack was the biggest attack to rock the Ethereum network to date.

Background

The term “decentralized autonomous organization” (DAO) refers to an entity that operates based on transparent rules enforced and maintained through smart contracts on a blockchain network. DAOs achieve decentralized governance by automating the decision-making process, thereby removing the need for a trusted central authority.

The DAO was funded via a 28-day token sale in May 2016 which attracted over 18,000 investors. The DAO crowdfunding campaign was one of the biggest in history, raising over 11.5 million ether valued at about $163 million (again, another source cites the total investment as 12.7 million ETH, worth around $250 million). Investments were nearly 14% of all ether tokens in circulating supply, as of the time of the crowd sale.

To enable investors to opt out of The DAO, an exit door called the splitDAO function was created in the smart contract. As an investor, invoking the function would allow you to withdraw your ETH and, if you wanted, create your own “child” DAO by inviting other DAO token holders.

There was one drawback, however: after splitting off from The DAO contract, you’d have no access to your ether for the standard holding period — i.e., 28 days — before launch.

So far, so good, right?

Far from it… 

How It Happened

A paper published in May 2016 pointed out several security loopholes in The DAO’s design. The paper called for investors to hold off on major investments through The DAO until the holes were plugged, so to speak. According to the paper, authored by computer scientists Dino Mark, Vlad Zamfir and Emin Gün Sirer, “The current [DAO] implementation can enable attacks with severe consequences.”

A notable issue raised several times was the “recursive call” vulnerability (aka race to empty), a bug that would allow an attacker to recursively call a function from inside the function itself, thereby 'looping' the result of the function. This exploit was publicized by several articles in the crypto space, and even the DAO creators themselves acknowledged the bug and claimed they’d issued a fix immediately.

On June 17, 2016, the DAO was hit by an attack exploiting numerous vulnerabilities, particularly the recursive call bug. In this case, the attacker could “split” from The DAO smart contract recursively, thereby withdrawing their funds multiple times before the smart contract balance was updated. By the next day, the attacker had transferred 3.6 million ether — one-third of the total investment — into the newly created child DAO, valued at around $70 million at the time.
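
The ordering problem described above, paying out before the balance is updated, can be modelled in a few lines. This is an added example in Python, not The DAO's contract code; the `Vault` class, account names and amounts are constructed for illustration, and it contrasts the late balance update with the corrected order (update first, external call last).

```python
# Toy model of the "recursive call" ordering bug; not The DAO's Solidity code.
# Class, method and account names are hypothetical; amounts are constructed.

class Vault:
    """Holds pooled funds plus a per-account ledger, like contract storage."""

    def __init__(self, safe):
        self.safe = safe      # True: update the ledger before paying out
        self.ledger = {}      # account name -> credited balance
        self.pool = 0         # funds actually held by the vault

    def deposit(self, who, amount):
        self.ledger[who] = self.ledger.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, receiver):
        amount = self.ledger.get(who, 0)
        if amount == 0 or amount > self.pool:
            return                     # nothing credited, or pool exhausted
        if self.safe:
            self.ledger[who] = 0       # effect first ...
            self.pool -= amount
            receiver(amount)           # ... external call last
        else:
            self.pool -= amount        # funds leave with the call
            receiver(amount)           # external call runs untrusted code
            self.ledger[who] = 0       # ledger zeroed too late


def run(safe):
    """Return (total paid to the re-entering account, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("honest", 90)
    vault.deposit("reentrant", 10)
    paid = []

    def receiver(amount):
        paid.append(amount)
        vault.withdraw("reentrant", receiver)   # calls back in before returning

    vault.withdraw("reentrant", receiver)
    return sum(paid), vault.pool


if __name__ == "__main__":
    print("late ledger update:", run(safe=False))
    print("ledger updated first:", run(safe=True))
```

With the late update, the account credited with 10 is paid repeatedly until the pool is empty; with the ledger zeroed before the external call, the nested call sees a zero balance and stops.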

The Aftermath

According to the contract terms, the attacker couldn’t access the funds for 28 days. Since the funds were still technically present, members of The DAO and the broader Ethereum community were divided on what to do next.

Some members called for the stolen ETH to be recovered, and others branded the attack an unethical yet valid move, stating The DAO’s integrity was compromised and not the Ethereum blockchain. Some called for The DAO to be shut down — and their wish came true.

Eventually, the Ethereum network underwent a hard fork, allowing the funds in The DAO to be moved to a separate address where the original investors could recover their funds. However, members who weren’t in favor of the fork stuck with the original Ethereum blockchain, which is called Ethereum Classic today.

In September 2016, the DAO trading pairs were delisted from Poloniex, while Kraken delisted the DAO token later in December.

Key Takeaways

The crypto space continues to experience explosive growth, particularly in 2020 with a lot of milestones reached. However, high-profile hacking attacks and scams remain an ever-growing danger. Here are some important points you should note to safeguard your crypto.

  1. Exchanges are a hard target for hackers; they’re no place to let your coins “sleep peacefully”, not to mention HODL.

  2. Opt for cold storage over a hot wallet. You may argue hardware wallets are expensive, but is it really worth losing your crypto over less than a hundred bucks?

  3. “Not your keys, not your crypto.” Again, as this popular saying goes, ensure you use your personal wallet for storing your funds.

  4. These three infamous crypto hacks are either the result of negligence or the absence of proper security measures. Be a smart investor: don’t brag about your holdings online, and watch out for potentially unsafe files/software and suspicious emails.

About Us

Shrimpy is an account aggregating platform for cryptocurrency. It is designed for both professional and novice traders to come and learn about the growing crypto industry. Trade with ease, track your performance, and analyze the market. Shrimpy is the trusted platform for trading over $13B in digital assets.
