Hack all the coins.
The way we are finishing the year is saying a lot about what to expect next year…
Several exchanges have been hacked over the past weeks such as Tether ($31M) and Nicehash ($70M), and this is very unlikely to stop or even slow down given the current attention digital currencies and assets are having.
The modus operandi of such attacks varies especially when it comes to targeting an exchange directly. As any start-ups, exchanges and wallets have to focus on delivering and have to deliver a lot, under a short period of time.
This means that usually security isn’t the top priority, and when you are storing valuable data — or anything which a monetary value — this usually translates into breaches.
And such breaches are irreversible due to the decentralized nature of those crypto currencies/commodities/assets — unless a fork happens but this option is becoming increasingly unlikely and many are callling the DAO Ethereum fork a mistake as it created a wrong perception of safety from the end-users.
Moreover, once cybercriminals successfully complete a crypto-heists — nothing prevents them to transfer the initial crypto coins to multiple different coins to make it even more irreversible. Also, the rise of traction for privacy focused coins such as Monero (XMR), Verge (XVG), or Zcash (ZEC) will make it increasingly difficult (to not say impossible) to trace transactions. Groups such as TheShadowBrokers are already leveraging coins like Monero since June 2017, and even back in August WannaCry ransomware’s authors moved their Bitcoins to Moneros in order to wash them.
The higher the value of digital assets, the higher the incentive for cybercriminals to steal them.
The number of phishing websites increased, although those attacks have been around for a while. But a more interesting trend appeared — a more creative form of phishing through fake mobile applications for those exchanges or cryptocurrencies that don’t have an official wallet, and even pre-generated paper wallets.
The above does not require the attacker to compromise the backend infrastructure of its target and can easily be executed.
In late November, Bitcoin Gold wallet installer had been subverted — for almost a week — which means its users installed a wallet which had been modified by its attackers.
In the following days and weeks, we saw multiple wallets (MyEtherWallet, GateHub) alerting their users that fake mobile wallets have been spotted on the Android and Apple stores. This does not require much effort from the attackers unlike compromising a backend infrastructure.
Unlike traditional bank notes or wallets, it will be very difficult for end users to confirm the authority of softwares they install on their devices (smartphones or desktops). I surely, would not expect my family members to do so.
Even though, the average user will surely become more and more educated, and basic cryptography concepts (such as the difference between a private and public key) will at some point become more widely understood by users.
A friend reminded me there is still a long way until a such level of maturity from users will happen by telling me “haha, I applaud your optimism but I just had the CISO of a fortune 500 send me his private gpg key… Oops”.
And the traceability of software is pretty difficult, we have seen numerous times that signing softwares isn’t often enough as those certificates can easily be stolen and re-used for malicious purposes like we have seen with Stuxnet.
On top of that, in the case of certain editors — they would not necessarily communicate those risks with their users over emails or post it on Twitter. This significantly increase the friction for users to have access to such information.
This leaves both providers and users vulnerable from each layers.
- Base layer. Provider’s infrastructure can be compromised, just like we saw this year with some SWIFT Service Bureaus. This can lead to the money being stolen directly by the attackers (such as North Korea), or the software (e.g. installable wallets) they provide to users compromised — often referred as “supply chain attacks”.
- Middle-layer. Certain platforms such as Ethereum introduced a software layer on top of the immutable blockchain, more commonly called “smart-contract”. Although, like any piece of software they can have vulnerabilities and we have seen that multiple times with cases such as DAO and Parity hacks.
- Top-layer. If the base layer, we have seen that this can leave users with rogue wallets that they obtained from the provider directly (e.g. Bitcoin Gold). But this week episodes where multiple wallet providers had to step forward to inform their users that fake wallets were in circulation are leaving users even more vulnerable. And those are usually poorly communicated.
GateHub warning their users about a fake Android app (14 December 2017).
One thing for sure is that, we we are seeing now is only a preview of what will be seen in 2018 when it comes to cryptocurrencies and digital assets and their risks.
Recent wallet subversions
26 November 2017 —Bitcoingold ($BTC)
11 December 2017 — MyEtherWallet ($ETH)
13 December 2017— Bitcoin Paper Wallet ($BTC)
14 December 2017— GateHub ($XRP)