An Abridged History of Exchange Hacks
Table of Contents
- Mt. Gox – major incompetence
- QuadrigaCX – force majeure
- BTC-e – force majeure (US gov’t)
- BTER – not a cold wallet!
In this book, we’ve cautioned against holding large amounts of money in online exchanges. The reasoning behind that has a long and storied history of crime, skullduggery, and extremely poor choices.
If an institution holds a large sum of money, someone will eventually try to steal some. The cryptocurrency era has seen its fair share of would-be Bonnies and Clydes. Whether or not thieves are successful mainly relies on a combination of factors: the exchange’s competence, the hacker’s luck, and some skill.
Exchanges are extremely attractive targets holding insane amounts of money. Bitcoin and cryptocurrencies in general are attractive to criminals because the transactions are irrevocable, and the funds can be laundered. Contrary to popular belief, laundering money via crypto isn’t easy at all. As KYC and AML legislation becomes more common, hacking exchanges has become significantly more difficult. However, people are still managing, with 1.4 billion in crypto stolen in the first five months of 2020 alone.
Beyond hacks, there are many different ways to lose funds to a crypto exchange. Below are some representative examples of what has befallen exchanges.
No discussion of exchange hacks is complete without a reference to Mt. Gox, a hack so large it has become legend. The sheer incompetence of the owner leading to such catastrophic losses makes the Mt. Gox hack the Bitcoiner’s equivalent to a campfire ghost story. Mt. Gox also stands out as a two-parter, with breaches in 2011 and 2014.
Mt. Gox was founded in 2006 in order to facilitate the trading of fantasy game “Magic: The Gathering Online” cards. Founder Jed McCaleb relaunched Mt. Gox as a bitcoin exchange in 2010, selling the exchange to French developer Mark Karpeles in March 2011. In June 2011, 25,000 BTC was stolen, and Mt. Gox’s user database leaked. Famously, the price of Bitcoin dropped from $17 to one cent after a large BTC transfer.
Mt. Gox proceeded to become even more successful, at one point processing 70% of the world’s Bitcoin transactions.
In February 2014, Mt. Gox paused all bitcoin withdrawals, stating that the issue was due to a bug in the Bitcoin software. A few weeks later, the exchange wiped their Twitter feed, moved their office, and took the website offline. Leaked documents revealed that Mt. Gox was insolvent after losing 744,408 bitcoins over the span of years. The value of Bitcoin plummeted, dropping 36%, and a major liquidity crisis ensued.
At one point, QuadrigaCX was Canada’s largest Bitcoin exchange, processing nearly $2 billion in trades at a high point in 2017. Everything was going well for the exchange, up until founder Gerald Cotten died. With him went all knowledge of the private keys to cold wallets storing a fortune in Bitcoin. Cotten left behind a wife, two Chihuahuas, and 76,000 clients owed a combined $215 million in assets. Initially, the story went that Cotten had died and took all access to the exchange’s cold wallets with him to the grave. As more details came out, however, it became apparent that Cotten was running QuadrigaCX like a Ponzi scheme, and had misused client assets at will for years. Some even believe that Cotten faked his death in an elaborate exit scam. As of now, there are no solid answers.
In 2019, Coinbase was subject to a chillingly well-thought-out attack by a professional hacker group known as CRYPTO-3, or HYDSEVEN. The group spent between half a million and a million dollars to create an elaborate, multi-stage setup using the most sophisticated tools available at an incredible speed. Coinbase’s security team narrowly avoided disaster by catching and blocking the attack at the last minute. Had it succeeded, the hackers could have gained access to billions of dollars worth of customer funds. Hackers are taking the crypto space seriously, and large exchanges like Coinbase are tempting, high-profile targets.
Does the US government count as force majeure? BTC-e was a Russia-based exchange founded in 2011. Thanks to its lack of KYC requirements for users and relaxed approach to regulation, by 2016 BTC-e was the third biggest crypto exchange in the world, attracting legitimate investors as well as criminals looking to launder funds. The exchange’s owner, Alexander Vinnik, was indicted by the US Department of Justice in 2017 on 21 counts of money laundering. BTC-e was also suspected of being heavily involved with laundering some 300,000 BTC from Mt. Gox. The exchange quickly folded. Another apparently unrelated but clearly connected exchange called WEX was set up soon after. WEX resulted in another set of scandals involving the Kremlin, the FSB (or FSB impersonators), and further losses.
When is a cold wallet not a cold wallet? A cold wallet is commonly accepted to mean a cryptocurrency wallet that is not connected to the Internet. Cold wallets are conceptually much more difficult to hack. In 2015, China-based exchange BTER announced that 7,170 BTC had been stolen from cold storage. This puzzled users, leading some to believe it was an inside job. Seeing as the exchange had been hacked the previous year, and would then be hacked twice more after it rebranded to Gate.io, there may be some endemic security problems that haven’t yet been dealt with.
So, to cap that off, there are a few key principles to observe.
- Don’t put bitcoin that you aren’t transacting with in hot storage
- Don’t keep bitcoin in an exchange for longer than absolutely necessary
- Never, ever, ever share your private keys or recovery phrase. With anyone. Ever. For any reason at all. Unless you want them to steal your bitcoin, in which case go for it.