The Long Forgotten $1 Billion Cryptocurrency Heists

You might want to reconsider how you store your cryptocurrencies. The history of cryptocurrency contains a litany of virtual robberies. Cryptocurrency heists are like the bank robberies of the wild west. Perhaps this list of the largest cryptocurrency heists will remind you why it is important to secure your cryptocurrency funds.

The history of cryptocurrency contains a litany of virtual robberies. Cryptocurrency heists are like the bank robberies of the wild west. In just 5 years, the industry has suffered dozens of losses to the tune of $ 1 billion.

Unlike bank robberies, however, malicious hacks are not covered by deposit insurance. You ought to take all the necessary security precautions when storing your cryptocurrencies. Leaving your funds on exchanges is a risk you cannot afford.

Perhaps this list of the largest cryptocurrency heists will remind you why it is important to secure your cryptocurrency funds.

  • Mt. Gox, 2014: 744,408 Bitcoins Lost

Mt. Gox, an exchange based out of Japan, set the record for the industry’s largest heist. In 2014, the exchange was one of few that allowed trading dollars for bitcoin. It quickly became popular, attracting clients from all around the world. At its peak, Mt. Gox handled 70% of all bitcoin transactions in the world.

But the exchange bit off more than it could chew. As a custodian of millions of customers' bitcoin funds, it turned into a lucrative honeypot for malicious hackers. Trouble began on February 14 when customers complained of late withdrawals. The company, headed by Mark Karpeles was unable to explain the delays in withdrawals.

The truth was, Mt. Gox had been compromised, and had been leaking funds to hacker's bitcoin address. While the management made every effort to cover up for the losses, the damage was irreparable. A leaked internal crisis management document revealed Mt. Gox was insolvent and had been covering up losses for close to 2 years.

Mt. Gox dented the reputation of cryptocurrencies and set back the industry by two years. A bankruptcy case continues to date. 200,000 bitcoins recovered from the hack have since been refunded to customers out of the 744,408 total.

  • BitFinex, 2016: 119,756 Bitcoins Lost

The BitFinex hack was the second largest in the history of exchange heists. In August of 2016, Bitfinex, based out of Hong Kong, lost nearly 120,000 bitcoins valued at $75 million.

Bitfinex had switched to an alternative storage system that separated clients funds into segregated wallets. The change in policy was necessary to comply with the CFTC, a commodities regulators. BitGo was the official security partner and provided an additional security layer for customer funds. The exchange moved from a cold storage vault system to individually labeled customer wallets. 

In this setup, BitGo transferred customer funds only at the request of Bitfinex. There was no limit as long as BitFinex presented the necessary private keys. BitFinex held 2 of 3 keys required, while BitGo used the third to authorize transactions. 

Hackers made their way into BitFinex's servers, stealing BitGo's API keys and using them to authorize BitGo's system to release 119, 756 bitcoins to their address.

To date, Bitfinex is yet to compensate customers for their lost funds. The exchange also suffered a massive reputation loss.  

  • Bitstamp, 2015: 19,000 Bitcoins Hacked

Bitstamp has clawed its way back to a reputable exchange after losing 19,000 bitcoins to a hacker in July 2015.

Bitstamp's hackers launched persistent phishing attacks for 6 weeks on 6 of Bitstamp's employees. They contacted employees via skype after conducting a background search on each of them. Luka Kodric, a systems administrator, was contacted via skype and email on December 11th, 2014. Under the pretense of seeking membership, the hackers sent documents which Luka consequently downloaded. 

Luka's computer was infiltrated and provided a route for hackers to fetch wallet.dat files and password phrases. A malicious VBA script was wrapped together with an application word document. The script was programmed to run automatically and pull files from the host machine. 

A week later on January 4th, the hackers siphoned 18,866 bitcoins from Bitstamp’s hot wallet including incoming customer deposits valued at $5.2 million. Bitstamp lost an additional $ 2 million from reputational damage and loss of customers.

Since the attack, Bitstamp switched to cold storage wallets using Xapo's vault service and added a multi-signature wallet access feature to its systems.

  • The DAO, 2016: 36,000,000 Ether

The DAO was a decentralized autonomous organization whose governance structure was a smart contract code. A malicious attacker took advantage of a bug feature to siphon off 33% of the total funds raised by the DAO.

The DAO was the largest crowdfunding project in history, contrived as an investment vehicle for its 11,000 members. Just like corporations, the DAO raised money from investors, about 11 million ETH valued at $150 million. Members were entitled to vote on suitable investment proposals. Unlike a corporation, however, no human beings were in charge of running it. It purely resided on the Ethereum blockchain and managed by code.

On 18th June, a hacker exploited a bug in the DAO and funneled out 3.6 million Ether valued at $50 million. Because smart contracts are designed as stand alone agreements, the creators were unable to roll back the losses.

  • Cryptsy Exchange, 2016: 13,000 Bitcoins, 300,000 Litecoins

Cryptsy exchange got hacked in July 2014, but the management only came out clean 18 months later. For over one and a half years, the exchange tried to make amends by channeling their revenues back into clients wallets. This strategy failed miserably forcing the company to file for bankruptcy.

Lucky7 - the pseudonym of the attacker, found his way into Cryptsy’s code and installed a Trojan malware. The trojan malware enabled him to access private information including wallet passphrases. Lucky7 went on to transfer 13,000 bitcoins and 300,000 litecoins valued at $6 million from Cryptsy’s safe.

Cryptsy's management, led by Paul Vernon, made efforts to restore customer funds while keeping mum about the hack. Over 12 months went by without a public statement. Soon, however, customer complaints of late withdrawals piled up. Blaming technical difficulties for suspended trading and delayed withdrawals only worked for so long.

Cryptsy finally came clean in January 2016, admitting the $6 million hack and filing for bankruptcy. 

In conclusion

The cryptocurrency industry is fraught with many more incidences of hacks. As a cryptocurrency investor, always secure your funds in a wallet that you control. If you need to have any funds on an exchange, have a bare minimum.

Fortunately, the industry has taken lessons from these past failures. Cryptocurrency exchanges today are far more mature and professional in handling customer funds.