Despite the significant growth of Bitcoin and other cryptocurrency prices in 2020, the amount of cryptocurrency stolen through hacks was actually lower than in 2019. According to a CipherTrace report, the total stolen in 2020 came to an estimated $468 million.
Most of the attacks in 2020 targeted DeFi projects, which speaks to the immaturity of this fast-growing segment. Nevertheless, the amounts stolen from centralized services were still much higher: the KuCoin hack alone resulted in the theft of cryptocurrency worth about $275 million, while DeFi hacks made up only roughly 21% of the 2020 hack and theft volume.
Hackers attack not only cryptocurrency platforms but also their users. Every day, new stories appear about users who lost cryptocurrency because an attacker gained access to their wallet or exchange account, and many users underestimate how high that risk is.
Described in this article are the five most popular ways users can lose their crypto.
Fake phishing websites
Phishing is a social engineering attack used to steal user data: mnemonic phrases, private keys and login credentials for cryptocurrency platforms. A typical phishing campaign sends a fraudulent email that tricks the recipient into clicking a malicious link; the link leads either to a look-alike website that harvests whatever the user types into it or to a download that installs malware.
The simplest example of a successful phishing attack is the MyEtherWallet case from 2017. The criminals emailed the likely customer base of MyEtherWallet, announcing that users needed to "synchronize" their wallet to comply with an Ethereum hard fork. The link led to a phishing site that looked legitimate but whose URL differed from the real one by a single, barely noticeable character. Inattentive users entered their mnemonic phrases, private keys and wallet passwords, handing them to the attackers and losing their cryptocurrency.
A more recent example is the attack on Ledger wallet users. Phishing emails directed users to a fake version of the Ledger website whose URL substituted a homoglyph for one character, as in the MyEtherWallet case. On the fake site, unsuspecting users were fooled into downloading malware posing as a security update, after which their Ledger wallets were emptied. The lesson is that hardware wallet users are not immune to phishing: the device keeps the private key off the computer, but whoever types the recovery phrase into a website, or into an application posing as an update, gives that protection away. A genuine hardware wallet never asks for the recovery phrase anywhere except on the device itself.
Similar attacks target cryptocurrency exchange users: the victim receives an email linking to a site identical to the real exchange but with a slightly modified URL. The attackers harvest usernames and passwords and, if the account has no second factor or login restrictions, use them to withdraw cryptocurrency from the exchange wallet. Users can still limit the damage of a successful credential theft, because exchanges offer additional protections such as two-factor authentication, login IP whitelists and anti-phishing codes.
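The "one barely noticeable character" trick above can be checked mechanically before a link is clicked. The following is an added illustration, not code from the original article or from any of the platforms it names: it folds a host name to its visual skeleton (confusable characters mapped to their ASCII look-alikes, punycode decoded) and compares it against a list of trusted domains. The trusted list and the confusables table are constructed for the example (the table is a small subset of the Unicode confusables data), and the "registered domain" is approximated as the last two labels instead of using the public suffix list.

```python
"""Lookalike-domain check for links in suspicious emails (added example)."""
import unicodedata
from urllib.parse import urlsplit

TRUSTED = ("myetherwallet.com", "ledger.com", "binance.com")  # constructed list

# Characters that render like ASCII letters: Cyrillic look-alikes, dotless i,
# digits used as letters. Subset only; assumption for the demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u0261": "g", "\u0131": "i",
    "0": "o", "1": "l", "|": "l",
}


def skeleton(name):
    """Visual skeleton of a host name: lower-case, accents stripped
    (NFKD, then drop combining marks), confusables folded to ASCII."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.lower()):
        if unicodedata.combining(ch):
            continue            # the dot above in 'ṫ' disappears, leaving 't'
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    return ".".join(host.split(".")[-2:])   # assumption: no public suffix list


def check_url(url, trusted=TRUSTED):
    """Classify a URL as 'trusted', 'suspicious' or 'unknown' and say why."""
    host = urlsplit(url).hostname or ""
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")
    try:
        shown = host.encode("ascii").decode("idna")   # what the browser displays
    except UnicodeError:
        shown = host                                   # host was already Unicode
    if not shown.isascii():
        findings.append("non-ASCII characters in host")
    reg = registered_domain(shown)
    for good in trusted:
        if reg == good:
            return {"host": shown, "registered": reg, "verdict": "trusted", "findings": findings}
        brand = good.split(".")[0]
        if skeleton(reg) == skeleton(good):
            findings.append(f"homoglyph of {good}")
        elif levenshtein(skeleton(reg), good) <= 2:
            findings.append(f"lookalike of {good}")
        elif any(brand in label for label in shown.split(".")):
            findings.append(f"brand '{brand}' embedded, but registered domain is {reg}")
    verdict = "suspicious" if findings else "unknown"
    return {"host": shown, "registered": reg, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links: a real domain, a capital-I typosquat,
    # a Cyrillic-a homoglyph and a brand buried in a subdomain.
    for u in ("https://www.myetherwallet.com/", "https://myetherwaIlet.com/",
              "https://myetherw\u0430llet.com/", "https://ledger.com.security-update.net/"):
        print(check_url(u))
```

The capital-I case is caught by edit distance rather than by the confusables table because `hostname` already lower-cases it; a production filter would use the full confusables data and a real public suffix list, but the three checks (skeleton match, small edit distance, brand embedded under another registered domain) are the ones that matter.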
API key theft
Some traders use trade automation tools called "trading bots." For this kind of software, the user must create API keys on the exchange and grant the bot permissions so that it can act on their account.
When a user creates an API key, the exchange typically lets them grant the following permissions:
View – allows viewing any data related to the account, such as trading history, order history, withdrawal history, balance, certain user data, etc.
Trading – allows placing and cancelling orders.
Withdrawal – allows withdrawing funds.
IP whitelist – restricts all operations on the key to requests from the specified IP addresses.
A trading bot's API key needs the view and trading permissions. It should almost never need withdrawal permission; a bot that asks for it is a red flag, and withdrawals should be made manually from the web interface.
Hackers steal API keys in several ways. A common lure is a free "high-profit" trading bot that asks the user to paste in their API key and secret. If the key has withdrawal permission and no IP restriction, the attackers can immediately withdraw the user's entire balance.
According to Binance's official statement, the theft of 7,000 BTC from the exchange in May 2019 became possible after attackers had collected users' API keys, 2FA codes and other data.
Even without withdrawal permission, attackers can extract value from stolen keys through a pump on a thinly traded pair: they accumulate a low-liquidity coin in advance, then use the victims' keys to place buy orders that drive its price far above market while they sell into those orders. The best-known examples of such attacks are the Viacoin pump and the Syscoin pump, in both of which the attackers sold coins they had accumulated at heavily inflated prices using other users' funds.
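To make the permission and IP-whitelist checks concrete, here is an added example that models the exchange side of API-key authorization. It is not any exchange's real code. The signing scheme (HMAC-SHA256 over the request parameters with the API secret, plus a timestamp that must be fresh) follows the pattern most exchanges use, but the endpoint names, key records, secrets and IP addresses are constructed for the demonstration. It shows why a stolen key with withdrawal permission and no IP restriction is fatal, why an IP-restricted key is useless to the thief, and why a view-plus-trade key is still enough to run the pump described above.

```python
"""Model of exchange-side authorization for API-key requests (added example)."""
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed key store as the exchange would hold it: key id -> record.
KEYS = {
    "bot-key-open":   {"secret": "k1-secret", "permissions": {"view", "trade", "withdraw"},
                       "ip_whitelist": set()},                  # no IP restriction
    "bot-key-locked": {"secret": "k2-secret", "permissions": {"view", "trade"},
                       "ip_whitelist": {"203.0.113.10"}},       # the bot host only
}
REQUIRED_PERMISSION = {"balance": "view", "order": "trade", "withdraw": "withdraw"}
RECV_WINDOW_MS = 5000   # how old a signed request may be before it is rejected


def sign(secret, params):
    """HMAC-SHA256 over the URL-encoded parameters; both sides encode the same dict."""
    return hmac.new(secret.encode(), urlencode(params).encode(), hashlib.sha256).hexdigest()


def client_request(api_key, secret, action, params, now_ms):
    """What a trading bot (or whoever stole its key and secret) sends."""
    body = dict(params, action=action, timestamp=now_ms)
    return {"api_key": api_key, "params": body, "signature": sign(secret, body)}


def authorize(request, source_ip, now_ms):
    """Exchange-side checks in the order they are applied; returns (allowed, reason)."""
    record = KEYS.get(request["api_key"])
    if record is None:
        return False, "unknown key"
    expected = sign(record["secret"], request["params"])
    if not hmac.compare_digest(expected, request["signature"]):
        return False, "bad signature"           # tampered or forged request
    if abs(now_ms - request["params"]["timestamp"]) > RECV_WINDOW_MS:
        return False, "stale timestamp"         # replayed capture
    if record["ip_whitelist"] and source_ip not in record["ip_whitelist"]:
        return False, "ip not whitelisted"      # stolen key used from elsewhere
    needed = REQUIRED_PERMISSION.get(request["params"]["action"])
    if needed is None:
        return False, "unknown action"
    if needed not in record["permissions"]:
        return False, f"missing {needed} permission"
    return True, "ok"


def key_risk(api_key):
    """What a user should review before pasting a key into a third-party bot."""
    record = KEYS[api_key]
    risks = []
    if "withdraw" in record["permissions"]:
        risks.append("withdraw permission granted")
    if not record["ip_whitelist"]:
        risks.append("no IP restriction")
    return risks


if __name__ == "__main__":
    now = 1_700_000_000_000
    thief_ip = "198.51.100.7"        # constructed attacker address
    withdrawal = {"asset": "BTC", "amount": "1.0", "address": "attacker-address"}
    for key, secret in (("bot-key-open", "k1-secret"), ("bot-key-locked", "k2-secret")):
        req = client_request(key, secret, "withdraw", withdrawal, now)
        print(key, "withdraw from thief IP:", authorize(req, thief_ip, now), "risks:", key_risk(key))
    pump = client_request("bot-key-locked", "k2-secret", "order",
                          {"symbol": "VIABTC", "side": "BUY", "qty": "1000"}, now)
    print("locked key, buy order from bot host:", authorize(pump, "203.0.113.10", now))
```

The last line of the demo is the uncomfortable one: the IP-restricted, withdrawal-less key still places orders, so an attacker who has compromised the bot host itself can pump a pair with the victim's balance. The IP whitelist removes the remote-theft case; only keeping trade-only keys on a host you control removes the rest.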
Downloaded file exploits
Many zero-day and one-day exploits exist for Microsoft Word, Microsoft Excel and Adobe products. Malicious documents built on them frequently evade antivirus detection and give the attacker full access to the victim's workstation, and from there to internal infrastructure.
A zero-day is a flaw in software, hardware or firmware that is unknown to the party responsible for fixing it. The term may refer to the vulnerability itself or to an attack launched with zero days between the discovery of the vulnerability and its first exploitation. Once the vulnerability has been disclosed (and usually patched), it becomes an "n-day" or "one-day" vulnerability: a fix exists, but every system that has not applied it remains exploitable. Once a vulnerability is found, attackers develop exploit code for it and use it to infect individual computers or whole networks. The best-known example is the WannaCry ransomware worm, which extorted bitcoin in exchange for decryption. Strictly speaking, WannaCry exploited an n-day rather than a zero-day: it spread in May 2017 through the leaked EternalBlue exploit for the SMBv1 vulnerability MS17-010, which Microsoft had patched two months earlier, and it succeeded precisely on the machines that had not applied that patch.
Many other malware families reach users' cryptocurrency wallets and exchange applications through zero-day exploits. The most widely known recent case was the WhatsApp exploit, as a result of which attackers were able to collect data from users' crypto wallets.
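Most of the malicious Office documents described above announce themselves in the file structure before the document is ever opened. The following added example, which is not from the original article, triages a downloaded file without rendering it: for OOXML packages (.docx, .xlsx and relatives, which are ZIP archives) it looks for a VBA project, embedded objects, and relationships that pull content from outside the package (the remote-template trick), and it flags legacy OLE2 binaries, which are macro-capable by design. All sample files are constructed in memory; the external URL in the fixture is a placeholder.

```python
"""Pre-open triage of downloaded Office documents (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OOXML_EXTS = MACRO_EXTS | {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def _extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _external_relationships(rels_xml):
    """Relationship types that point outside the package, ignoring ordinary
    hyperlinks (those are External by design and do not trigger a download)."""
    for el in ET.fromstring(rels_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Relationship" and el.get("TargetMode") == "External":
            rtype = el.get("Type", "")
            if not rtype.endswith("/hyperlink"):
                yield rtype.rsplit("/", 1)[-1]


def triage(filename, data):
    """Return the findings for one file; only Office containers are inspected."""
    ext = _extension(filename)
    findings = []
    if data.startswith(OLE2_MAGIC):
        findings.append("legacy OLE2 binary document (macro-capable by design)")
        if ext in OOXML_EXTS:
            findings.append(f"extension .{ext} claims OOXML but content is OLE2")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    low = name.lower()
                    if low.endswith("vbaproject.bin"):
                        findings.append("contains VBA macro project")
                        if ext not in MACRO_EXTS:
                            findings.append(f"macro project hidden behind .{ext} extension")
                    elif "/embeddings/" in low:
                        findings.append(f"embedded object: {name}")
                    elif low.endswith(".rels"):
                        for rtype in _external_relationships(zf.read(name)):
                            findings.append(f"external {rtype} relationship in {name}")
        except (zipfile.BadZipFile, ET.ParseError) as exc:
            findings.append(f"malformed container: {exc}")
    return {"file": filename, "suspicious": bool(findings), "findings": findings}


# Constructed fixtures (not real Word files, just enough structure to test on).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def build_package(parts):
    """Minimal OOXML-style zip: [Content_Types].xml plus the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_DOCX = build_package({"word/document.xml": "<document/>"})
MACRO_AS_DOCX = build_package({"word/document.xml": "<document/>",
                               "word/vbaProject.bin": b"\x00" * 32})
REMOTE_TEMPLATE = build_package({
    "word/document.xml": "<document/>",
    "word/_rels/settings.xml.rels":
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        'Target="http://203.0.113.5/template.dotm" TargetMode="External"/>'   # placeholder URL
        "</Relationships>",
})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504   # header only; enough for the magic check

if __name__ == "__main__":
    for fname, blob in (("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_AS_DOCX),
                        ("statement.docx", REMOTE_TEMPLATE), ("old.doc", LEGACY_DOC)):
        print(triage(fname, blob))
```

A check like this belongs on the mail gateway or in the download directory, not in place of patching: it catches the macro and remote-template lures that make up most document-borne attacks, but a true zero-day in the parser itself will not show up in the package structure, which is why the operating-system and application updates recommended at the end of this article still matter.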
Exit scams
Taking advantage of the market's rapid growth, DeFi scammers constantly launch new projects that are near-exact clones of existing ones. Once users have deposited funds, the scammers simply transfer them to their own wallets. The biggest exit scam of this kind to date is the YFDEX case, in which the operators took $20 million of users' funds two days after the project launched. Such scams are easy to pull off because project teams are usually anonymous and the platforms are not registered legal entities, so there is no one to hold liable. Previously, this kind of fraud was associated mainly with ICO projects.
Comparable losses have also occurred on centralized platforms. In the QuadrigaCX case, the founder of the exchange died, leaving the platform unable to access its wallets or process withdrawals of over $171 million in client funds; only about $30 million of that can be repaid.
Such cases arise all the time, so examine a platform carefully before transferring money to it.
Fake applications
Since cryptocurrencies first appeared, many fake applications impersonating particular platforms or wallets have been created: the user deposits funds into such an app and finds that they have disappeared. Attackers either publish a copy of an existing application with malicious code added, or release an "official" app for a platform that has none, as in the fake Poloniex app case from 2017.
Since most crypto wallets are open source, anyone can build their own copy of a wallet and inject malicious code into it. Threads about such wallets regularly appear on cryptocurrency forums, for example fake apps posing as Trust Wallet.
How to protect yourself from intruders
As explained above, criminals have many ways to steal user funds and data. We recommend the following measures to protect yourself:
- Always check the domain from which you receive emails.
- Set up an anti-phishing code if the platforms you use offer one.
- Only deposit to exchanges with good reputations. You may check the exchange’s ratings using the following services – CoinGecko, CER.live, CoinMarketCap, CryptoCompare, etc.
- Set up a login IP whitelist if the platforms you use offer one.
- Always research a crypto wallet before deciding to install it on your phone, even if it is ranked highly on your app store list.
- Set IP restrictions on API keys, and never grant withdrawal permission to a key used by a trading bot.
- Do not invest in recently launched projects that don’t yet have any information about the team, investors, etc. During the DeFi hype, scammers launched dozens of scam projects in order to steal cryptocurrency from investors.
- Only download documents and other files from trusted sources.
- Keep your operating system and applications up to date with security updates.
- Download applications and corresponding updates only from official websites.
As the cryptocurrency market grows, new schemes aimed at stealing user funds and data keep appearing. Users should be very careful about the emails and other notifications they receive.
This article has listed 10 measures users can take to protect themselves from intruders. Following them makes it much harder for hackers to steal your data or funds.