A Blog by Jonathan Low

 

Jan 29, 2018

How To Launder $530 Million In Hacked Crytocurrency

It's not all that hard to do. The volume of stolen cryptocurrency in last week's heist could be an issue but given the amounts of digital currencies that have already been stolen and will likely continue to be, it is prudent to assume that models for processing the illicit take are already available to the cognoscenti.

The irony is that the best safeguard for protecting cryptos may be the one they were established to evade - regulation. JL


Pavel Alpeyev, Andrea Tan and Yuji Nakamura report in Bloomberg:

Because transactions for Bitcoin and the like are all public, it’s easy to see where the NEM coins are -- even though they’re stolen. Coincheck has identified and published 11 addresses where all 523 million of the stolen coins ended up. Trouble is, no one knows who owns the accounts. The thief may be able to shake surveillance by going through a service that offers cryptocurrency trading without collecting personal data. Converting coins into a more anonymized currency, like Monero, could conceivably launder them.
Early Friday morning in Tokyo, hackers broke into a cryptocurrency exchange called Coincheck Inc. and made off with nearly $500 million in digital tokens. It’s one of the biggest heists in history, with the exchange losing more than 500 million of the somewhat obscure NEM coins. The hack has raised questions about security of cryptocurrencies around the world.

1. How did the hackers pull it off?

Coincheck hasn’t disclosed how their system was breached beyond saying that it wasn’t an inside job. The company did own up to a security lapse that allowed the thief to seize such a large sum: It kept customer assets in what’s known as a hot wallet, which is connected to external networks. Exchanges generally try to keep a majority of customer deposits in cold wallets, which aren’t connected to the outside world and thus are less vulnerable to hacks. Coincheck also lacked multi-signature security, a measure requiring multiple sign-offs before funds can be moved.

2. Where did the stolen coins go?

That’s one of the stranger aspects of these heists. Because transactions for Bitcoin and the like are all public, it’s easy to see where the NEM coins are -- even though they’re stolen. Coincheck has identified and published 11 addresses where all 523 million of the stolen coins ended up. You can see for yourself online. Trouble is, no one knows who owns the accounts. Each one has been labeled with a tag that reads "coincheck_stolen_funds_do_not_accept_trades : owner_of_this_account_is_hacker." NEM developers created a tracking tool that would allow exchanges to automatically reject stolen funds.

3. Does that mean the hackers won’t be able to cash in?

Not necessarily. The thief may be able to shake off surveillance by going through a “tumbler,” a service like ShapeShift that offers cryptocurrency trading without collecting personal data. Converting NEM coins into a more anonymized currency, like Monero, could conceivably launder them. But the huge total amount of money stolen presents a challenge. NEM trading was disabled on ShapeShift as of Monday.

4. What else can NEM developers do to fix this?

They could change the NEM blockchain by rolling back the record to a point before the attack. The so-called hard fork would create two versions of NEM, one that has never been hacked and another containing the stolen funds. While this approach worked for Ethereum in 2015, NEM Foundation Vice President Jeff McDonald said a fork is not an option.

5. Aren’t these exchanges being hacked a lot?

Yes, there’s a long history of thefts at cryptocurrency exchanges and wallets, dating back to the infamous robbery of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become increasingly juicy targets for hackers. North Korean leader Kim Jong Un has allegedly sent his hackers out to swipe digital coins as his country faces tightening trade sanctions. One researcher estimates that more than 14 percent of Bitcoin and rival currency Ether has been stolen.
thefts in the lightly regulated world of cryptocurrencies are woefully frequent.
In less than a decade, hackers have stolen $1.2 billion worth of Bitcoin and Ether, two of the most popular digital currencies, according to Lex Sokolin, global director of fintech strategy at Autonomous Research LLP. If measured at today’s elevated prices, the figure would be much higher.
Here’s a look at some of the biggest thefts since 2012.

December 2017

  • NiceHash, a crypto-mining marketplace based in Slovenia, said on its Facebook page that its payment system was compromised and as much as $63 million worth of Bitcoin was stolen. The firm added extra security measures and sought the community’s help to analyze the breach.
  • Youbit said it would file for bankruptcy hours after losing 17 percent of its assets in a cyberattack. The South Korean exchange had suffered what it called an “accident” in April and its owner encouraged clients to keep their tokens in a safer form. South Korean investigators are looking into North Korea’s possible involvement in the hack.

November 2017

  • A security hole in the Parity Wallet resulted in losses of about $155 million, including in Ether and other tokens.
  • The company behind Tether said a “malicious” attacker stole $31 million worth of the cryptocurrency and sent them to an unauthorized Bitcoin address.

July 2017

  • A group calling itself the White Hat Group exploited a bug in the Parity Wallet software and attempted to launder stolen Ether, valued at about $30 million according to Security Week, through exchanges.
  • Just minutes after CoinDash’s launch of an initial coin offering, hackers made off with as much as $6.6 million worth of Ether. The Israel-based firm terminated its token sale. 

April 2017

  • A Bithumb contract worker’s personal computer that stored customers’ data files was hacked, resulting in the leak of personal and trading information of more than 30,000 users. The South Korean crypto-exchange was fined 58.5 million won ($55,000) by the local regulator for the breach.

August 2016

  • Bitfinex said hackers took 119,756 Bitcoin, valued at about $65 million. In April 2017, the exchange said it had repaid all customers.

June 2016

  • Decentralized Autonomous Organization, a leaderless venture-capital fund and what was then the highest-profile project using Ethereum, was hacked. About $50 million of members’ contributions to the fund were siphoned off.

May 2016

  • Hong Kong-based Gatecoin had about $2 million in Bitcoin and Ether stolen following a cyberattack.

March 2015

  • Two former U.S. federal agents who helped probe the illegal Silk Road Internet drug emporium were charged with wrongfully pocketing hundreds of thousands of dollars in Bitcoin.

January 2015

  • Bitstamp’s Chief Executive Officer reassured customers that the bulk of their Bitcoins were safe after $5 million the coins were stolen, according to a Fortune report.

February 2014

  • Mt. Gox, once the world’s biggest Bitcoin exchange, reported that tokens valued at about $480 million had gone missing. The firm filed for bankruptcy in Japan and the U.S., and said the disappearance was probably the result of a “massive theft.”

September 2012

  • BitFloor, based in New York, lost about $250,000 in Bitcoin after it was hacked. Months later in April 2013, the exchange announced it would shut and refund customer deposits, Bitcoin Magazine reported.

6. So what can you do to keep crypto-assets safe?

The lesson for crypto-enthusiasts is that exchanges are prime targets for hackers and no place to store your coins. One alternative is to keep the assets in software wallets, which come in online, mobile and desktop varieties. Hardware wallets are dedicated devices that offer an additional layer of security. For the extra paranoid, there is always the analog option: printing out the private keys for your coins on paper.

3 comments:

Anonymous said...

Please don't recommend online wallets as a safe alternative.

Unknown said...
This comment has been removed by the author.
Unknown said...

Well... why should they be a problem if they are official, with a valid https cert, and you make sure you are on the right domain?

Right, dns poisoning, mitm, phising... but those are also present dangers when working with your online bank..

Not saying that hardware wallets arent the safest choice, but we cant rule out official online wallets aswell.

https://neotracker.io/wallet
https://raiwallet.com

to name a few

Post a Comment