Is Cryptocurrency Secure?

Jun 26, 2018

Phishing, malware, exchange hacks, vulnerability exploits, 51% mining attacks. If these terms are new to you, welcome to the world of cryptocurrency security. While cryptocurrency technology is based on high-tech cryptography, there are tons of scams and hacks out there to defraud both individual holders and crypto businesses (like cryptocurrency exchanges) out of their coins. At the same time, blockchain technology itself is not in all cases immune to attacks.

For as long as there have been mediums of exchange, there have been shady characters who make it their life’s work to part you from your money. With the rise of the internet and online banking, shopping and now cryptocurrency, these shady characters have developed sophisticated scams and hacking strategies, which they continue to improve and which allow them to intercept funds and defraud consumers. The methods they employ to swindle cryptocurrencies have in some cases had little to do with the blockchain technology itself; most of their focus has been on how unaware consumers are and on their sloppy or nonexistent digital hygiene. In other cases, hackers exploit the security vulnerabilities of businesses that are honey pots of large, centrally stored crypto funds (exchanges). Let’s bring some different levels of security into perspective: security of the cryptocurrency’s blockchain network, third party security and individual security.

Security of a cryptocurrency’s blockchain network

Make no mistake: nothing is 100% secure. A cryptocurrency that is the native coin of a decentralized, distributed blockchain network serves as a security feature. It is the reward miners receive for securing the network by committing computer power to the network. As long as enough computer power is committed by the miners, a blockchain becomes unhackable due to the cryptographic security in the protocol.

51% Attack

Only if a malicious party manages to accumulate 51% of the total computer power of the network would it be able to undermine the security by reversing transactions or double spending. The security model of mining rewards is designed so that being an honest miner is more lucrative than what can be gained from a 51% mining attack once the cost of the attack is counted, so there is a financial incentive not to perform such an attack, which ensures the network security. HOWEVER, this only applies if the computer power of the network is high enough to make it incredibly expensive to perform such an attack. Coins of much lower value, on networks with much lower hashing power (computer power), have already been successfully attacked by hackers who were able to double spend (or create massive amounts of new coins as rewards for themselves). So especially for “lower cap” altcoins (most of the coins below the top 10 marketcap coins, but even some in the top 10) this security risk is a lot higher than for, for example, bitcoin, which has by far the highest level of network security because miners dedicate by far the most computer power to its network.

Bugs and vulnerabilities in computer code

Many cryptocurrency platforms (such as Ethereum) have protocols that allow for advanced smart contracts and the creation of customized tokens. A lot of software coding is required for the programs (and tokens) that run on these platforms, but also for the platform protocols themselves. Because of the extended features and coding options available, complexity has increased a lot, and with it the risk of bugs and vulnerabilities in the written code. In some cases new applications or functions are well audited, but there are also cases where it came out that no sufficient auditing was performed before the code went live. In some of those cases the bugs or vulnerabilities were exploited and millions were lost because of it. A very famous example was the DAO hack, where hackers were able to steal millions from investors by exploiting a vulnerability in the DAO smart contract. The younger and more complex a cryptocurrency project is, the higher the risk of bugs or vulnerabilities that could lead to hacks of the platform, token or dapp, which can result in investors’ funds being lost or stolen. This is a security risk that should not be underestimated. The older, more established and more audited a project is, and the more prominent the developers working on it, the lower the risk of teething problems in the computer code (though the risk is still present).

Even though many altcoins have faced the above-mentioned security risks, and others have a fairly present risk of being exposed to these threats, the Bitcoin blockchain network itself remains unhacked and unbreached (at least up until publication of this article). In its 9 years of existence the bitcoin network has also not been down even once (even centralized, established payment networks like VISA can’t claim that).

3rd party risk

As soon as you use a third party service that stores your crypto, that usually means that they control the private keys of the crypto you have sent them. And as the saying goes: “your private keys, your crypto; NOT your private keys, NOT your crypto”. This is important to realize, because services that take over the role of a bank in crypto space are generally unregulated entities to which you send your crypto in good faith. If they decide to exit scam (run away with all crypto deposited by users), if their service gets hacked and funds are stolen, if they go bankrupt, or if a government entity decides to seize all funds, you will generally lose your money and have little to no hope of getting anything back. The whole philosophy of crypto is that users have full control over their own funds (with their own private keys), so storing them with any third party service already goes against that principle and exposes you as a user to potentially unwanted additional risks. Of course, services like exchanges may be necessary to exchange coins for other coins/tokens or to cash in or cash out to fiat currency, but you should be aware that using 3rd party services has been the cause of many millions in lost and stolen crypto for as long as crypto has existed. Most common are crypto exchange hacks, where the exchange itself gets hacked and loses funds, which can result either in all losses being “socialized” among all users or in the exchange going bankrupt (all users lose their funds). The most notorious exchange hack was the Mt Gox hack in 2014 (see examples below). It is also important to make sure you use trusted, verified wallet software applications, because some less reputable software may contain bugs and/or be vulnerable to hacking, or be scammy phishing software in and of itself.

Decentralized Exchanges

Thankfully, decentralized exchanges (DEXs) are here and gaining in popularity. Altcoin.io, Idex.market (ethereum based DEX) and Shapeshift.io, among others, are beginning to change the way crypto holders exchange assets. ShapeShift is even incorporated into the Jaxx wallet – which has been downloaded more than 1.2 million times – allowing users to swap coins at the speed of the network, for the current exchange rate and from a wallet on their phone. Shapeshift claims that their take is approximately 0.5% of the transaction. Decentralized exchanges, or exchanges in hybrid form (partly centralized, partly decentralized, like Shapeshift), allow users to keep control over their own private keys (no account deposit required) and trade/exchange/swap their currencies directly peer-to-peer; this eliminates most of the third party risk.

Examples of hacks and third party security risks

Below is a very busy chart of the biggest crypto hacks and scams. Since its inception in 2011, there have been quite a few!

The biggest at the top of the chart is Mt Gox. Beginning in late 2011 bitcoin began to disappear from the hot wallet on the Mt Gox exchange. The leak was discovered in February 2014. During the intervening 26 months, bitcoin just trickled away. Two hundred thousand of the missing coins were recovered; however, the exchange sought regulatory protection from creditors and then went out of business.

Coincheck, the second largest above, discovered that it had been hacked in January of 2018. They lost 500 million NEM tokens valued, at the time, at 530 million USD. They ended up reimbursing 260,000 users of its ‘services’ with their own holdings. Their website begins with: “We would like to offer our sincerest apologies…” Somehow, they are still in business, although not accepting new accounts.

Personal security risk

Holding your own private keys (which means that you and only you can control your funds) allows you a lot of freedom and all the opportunities that come with cryptocurrencies. With that freedom also comes a lot of responsibility for the security risks that are involved with protecting your personally owned crypto. These risks include primarily phishing attempts, hacking/malware and loss of private keys.

Phishing

Phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” In terms of crypto security, phishing looks like this: a website created to generate private IOTA wallet seed passphrases was used to collect wallet keys. An estimated $4 million in tokens was stolen by site operators after operating for an unknown amount of time.

Malware Stealing

Malware is “software that is intended to damage or disable computers and computer systems.” Some malware can steal private wallet keys which are then used to steal coins. The most common type of malware is used to scan hard drives for wallets, which are then uploaded to a remote server and compromised. In 2014 it was reported that a malware virus spread through the Pony botnet and stole $220,000 in cryptocurrency from 85 wallets.

In our article Common Cryptocurrency Scams and How to Avoid Them we will go further into the specific risks around phishing, hacking and scamming, so we strongly recommend you read that article as well, so you’ll be more equipped to protect yourself and your money against bad actors. The article link is repeated at the end of this article.

Loss of private keys

One way or the other, if you manage the private keys to your own crypto funds, you will either need to safely back up the seed phrase to your crypto wallet (even your hardware wallet requires this) or you need to safely store, for example, the private keys of a paper wallet. These should not be saved on any device that connects to the internet (hackers will find them), but ideally be written down by hand, made waterproof and preferably stored in a secured, fireproof location. If possible, even in at least 2 geographically separated locations. Many people have already lost access to millions of their crypto assets because their device was irreversibly broken, or their seed phrase or private key was lost in a fire, stolen by thieves or otherwise lost. And once you have lost your private keys, you lose access to your funds forever and it’s unrecoverable. Make sure you have good and safe storage for your private keys and/or seed phrase. In case you lose your backed up seed phrase, but still have access to your wallet, it is vital that you install a new wallet with a new seed phrase and then move all your funds to the new wallet.

Summary

Make no mistake: cryptocurrency can be hacked. It not only can, it has been. Even though blockchain technology is based on distributed ledger technology, which makes transactions hard to fake, to some extent cryptocurrency is still vulnerable to hacking. A bigger issue than transactions being invalidated on the blockchain itself is that coins will be stolen from centralized sources or from individuals’ wallets. For you to become a successful and savvy crypto investor and user, it is vital to master the necessary knowledge and recommended behavior around the different levels of cryptocurrency security practices.

Stay vigilant of security risks related to your wallet and your computer.  Be sure to read one of the most important articles on our site that dives deeper into this topic: Common Cryptocurrency Scams and How to Avoid Them. You’ll be glad you did!

Disclaimer:

This article was written to the best of our knowledge with the information available to us. We do not guarantee that every bit of information is completely accurate or up-to-date. Please use this information as a complement to your own research. Nothing we write in any of our articles is intended as investment advice nor as an endorsement to buy/sell/hold anything. Cryptocurrency investments are inherently risky so you should never invest more than you can afford to lose.