
Why crypto exchanges keep getting hacked and how to protect yourself

Oscar Williams-Grut
Senior City Correspondent, Yahoo Finance UK

Binance, one of the world’s biggest cryptocurrency exchanges, has been hit by a $41m hack — just the latest in a string of thefts in the crypto world.

Malta-based Binance announced in a blog post on Wednesday that “hackers used a variety of techniques, including phishing, viruses and other attacks” to withdraw 7,000 bitcoin.

Binance has suspended withdrawals for the time being but promised to cover any losses using an in-house insurance fund.

The price of bitcoin (BTC-USD) fell sharply on the news but has since recovered. Binance is one of the key exchanges for bitcoin volumes and seen as one of the more secure operators in the industry.

However, no crypto platforms are immune to targeted attacks. $1.2bn worth of cryptocurrency was stolen through theft, scams, and fraud in the first three months of 2019, according to a recent report from cryptocurrency compliance company CipherTrace. That compares to £1.2bn stolen through bank fraud in the UK in 2018.

Crypto has been associated with exchange hackings since Japan's Mt Gox was hacked in 2014. Photo: REUTERS/Toru Hanai

Why is crypto vulnerable to hacks?

Crypto has had an unwanted association with hacking since 2014 when MtGox, then the world’s biggest bitcoin exchange, lost $450m in an attack.

Exchanges like MtGox and Binance are the biggest target because they hold large pools of crypto funds.

In traditional financial markets, the role of holding assets and making markets for them is generally separated. Exchange operators make markets for stocks or currencies but assets are stored with specialised custodians once people trade.

While this kind of practice is becoming more common in crypto, it is still far from the norm. Most exchanges will both make markets and hold people’s cryptocurrencies for them.


The issue is that this creates huge pools of customer funds that make for attractive targets. Because these exchanges don’t specialise in security like a custodian, they are seen as an easier target.

Security standards vary greatly across the more than 250 exchanges around the world. Crypto is still a relatively new industry and has yet to establish universal standards, and there is no central authority to make sure everyone meets them, even if they did exist.

The logo of Binance at the Delta Summit, Malta's official Blockchain and Digital Innovation event. Photo: REUTERS/Darrin Zammit Lupi

Even those who keep the highest standards can be vulnerable to attack, as the Binance case shows.

“One of the things that we really pride ourselves on is the safety and security of our platform,” CFO Wei Zhou told Yahoo Finance UK in a recent interview. “Our platform is attacked every day — hackers, scammers, fraud artists.”

Binance said only its “hot wallet” — an industry term for a pool of funds that can be accessed online — was hit in Wednesday’s attack. This wallet held only 2% of Binance’s total bitcoin funds.

This suggests that Binance divided customer funds across different wallets, including “cold wallets”, where keys are kept on devices such as USB sticks or hard drives that are never connected to the internet. This is best practice.


“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” Binance wrote in its blog post.

“The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”

The exchanges aren’t always to blame. Often the easiest way to attack is to target users rather than the exchanges themselves.

Hackers and scammers do this in the same way they do with regular banks: phishing emails, fake websites, and viruses that steal your data. This appears to be what happened in the Binance case.

The newness of the industry can also increase risks because exchanges “typically have difficulty gaining traditional banking relationships,” CipherTrace wrote in its recent report.

“This forces digital asset businesses to deal with “shady” operators, and often in countries like Panama where fraud is sometimes de rigueur... The net result for cryptocurrency users and investors is risk.”

How can you protect your money?

A top tip is to store your crypto on a personal “cold wallet” rather than leaving it on an exchange. So long as it’s not connected to the internet, hackers or scammers won’t be able to reach your crypto there.

However, a “cold wallet” shifts the risk of loss onto you: if the device or the key is lost, nobody can restore the funds. Make sure you guard the key to the wallet closely and don’t lose your USB stick or hard drives.

If you choose to store your funds in a “hot wallet” — either your own or on an exchange — then make sure you’re educated on the risks. Phishing scammers may try to trick you into handing over the key for your wallet, for example.


Phishing is a scam used across finance, not just crypto, but there are some crypto-specific scams to watch out for. A common one is using an apparently “random” cryptographic key generator to collect people’s private keys.

In cryptocurrencies, people have both a public and a private key for their wallets. Both are strings of numbers and letters tied to the wallet. The public key can be shared openly to allow people to send you funds, but the private key must be guarded, as anyone who holds it can spend everything in the wallet.

Private wallet keys run to 51 characters and people often turn to an online generator to come up with one. Some scams have involved people setting up apparently random generators that actually record the keys they hand out, allowing the operators to get into other people’s wallets and steal funds.
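The safe alternative to an online generator is to create the key on your own machine, as this added example shows (it is not code from the article or from any exchange). It draws the secret from the operating system’s secure random source, encodes it in the 51-character Wallet Import Format (WIF) the article refers to, and verifies the built-in checksum when reading a key back. The base58 alphabet and the 0x80 version byte are the standard uncompressed mainnet values; the function names are my own.

```python
"""Generate a bitcoin-style private key locally and encode it as WIF.

Added example, not from the article. Assumes the uncompressed mainnet
WIF format (version byte 0x80, 32-byte key, 4-byte double-SHA256 checksum).
"""
import hashlib
import secrets

# Standard base58 alphabet: no 0, O, I or l, so keys are hard to mistype.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Group order of secp256k1: a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MAINNET_WIF_VERSION = b"\x80"


def base58_encode(data: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58_decode(s: str) -> bytes:
    """Inverse of base58_encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(payload)), as used by WIF and addresses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG, rejecting the (astronomically rare) out-of-range values."""
    while True:
        key = secrets.token_bytes(32)
        if 0 < int.from_bytes(key, "big") < SECP256K1_N:
            return key


def private_key_to_wif(key: bytes) -> str:
    """Encode a raw 32-byte key as a 51-character uncompressed mainnet WIF string."""
    if len(key) != 32 or not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("private key must be 32 bytes in the range [1, N-1]")
    payload = MAINNET_WIF_VERSION + key
    return base58_encode(payload + checksum(payload))


def wif_to_private_key(wif: str) -> bytes:
    """Decode a WIF string back to the raw key, rejecting typos and tampering via the checksum."""
    raw = base58_decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if check != checksum(payload):
        raise ValueError("WIF checksum mismatch: the key was mistyped or altered")
    if len(payload) != 33 or payload[:1] != MAINNET_WIF_VERSION:
        raise ValueError("not an uncompressed mainnet WIF key")
    return payload[1:]


if __name__ == "__main__":
    key = generate_private_key()
    wif = private_key_to_wif(key)
    # Uncompressed mainnet WIF keys are always 51 characters and start with '5'.
    print(len(wif), wif[0], wif_to_private_key(wif) == key)
```

The checksum only protects against copying errors and casual tampering; it says nothing about who else has seen the key, which is exactly why the secret must be generated on a machine you control rather than fetched from a web page.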

Bitcoin is an electronic currency that saw an extraordinary rise in 2017, when its price reached 20,000 euros. Photo: Chesnot/Getty Images

Another crypto-specific fraud is an exit scam, where people raise funds for fraudulent projects or fake exchange losses before making off with customer funds.

In general, the best way to protect yourself is to educate yourself on these risks and more. Thoroughly research the exchanges you’re using or the investments you’re making in the space.

“Buyer beware” is a common phrase in finance but is particularly true in crypto. As long as there are no central authorities or rules enforcing standards or certifying entities, the responsibility of researching risks lies with customers.

“CipherTrace strongly believes that sound regulation — i.e., rules designed to keep bad actors out of the crypto economy — not only encourages banks to accept digital asset businesses as customers, but also benefits digital asset businesses, users, investors, and governments trying to build healthy and safe crypto economies,” the company wrote in its recent report.


Oscar Williams-Grut covers banking, fintech, and finance for Yahoo Finance UK. Follow him on Twitter at @OscarWGrut.
