In early May, cyber hackers were able to transfer more than 7,000 bitcoins from one of the world’s largest cryptocurrency exchanges to their own wallets.
The bitcoin theft, from Taiwan-based Binance, was valued at around $40 million and part of a “large-scale security breach”, in which hackers used “a variety of techniques, including phishing, viruses and other attacks”, chief executive Changpeng Zhao said in a statement at the time.
While Binance covered the bitcoins lost through its own emergency fund, put aside in case of such a breach, the incident shone a spotlight once again on security standards of even the most popular exchanges.
Various investor surveys continually point to security as one of the major – if not the top – concerns holding back investor appetite in cryptos. So what are exchanges doing to prevent major security breaches from happening again?
The Binance hack took the all-time total stolen from cryptocurrency exchanges past the $1.35-billion mark, according to research by The Block consultancy. Approximately 59 per cent of this total was taken in 2018 alone.
Jonny Emmanuel, partner at law firm Bird & Bird, explains that targets have moved beyond the smaller exchanges, with bigger exchanges now being targeted.
Moscow-based Group-IB, which undertakes risk assessment for crypto exchanges, says cybersecurity factors to be taken into account include technical security levels, the reliability of basic storage, passwords, clients’ personal data, as well as know your customer (KYC) and anti-money laundering (AML) policies.
Nevertheless, according to Mr Emmanuel, “robust internal procedures are the most critical element. A lot of hacks of hot wallets [online] have occurred either because of compromised login credentials or an inside job.”
As a result, exchanges are taking a number of steps in an effort to shore up security and improve customer trust. While it very much remains an industry in transition, here are some of the latest methods being used:
Binance, which processes more than $1 billion on a daily basis, used the unconventional method of pre-announcing a $81-million transfer of bitcoins on Twitter last month. The tweet read “There will be a transfer of 9001 BTC soon, no need to FUD”, referring to the acronym many in the sector use to describe unwarranted fear, uncertainty and doubt, and included an emoji of a pair of shifty eyes.
Following the $40-million hack last month, Binance amended its user agreement to bar traders from the United States from its core platform starting in September. Binance will instead launch a separate exchange for Americans. They have also started to offer more formalised services, with fiat currency exchange launches in the UK, Uganda and Singapore planned to avoid legal uncertainty and to be more regulatory-compliant.
Adedamola Adetola, head of European business development at risk management firm KRM22, explains: “We’re seeing a cultural change in attitudes among exchanges towards risk management; they want to be prepared. In the past exchanges saw market surveillance as a nice to have, but now they want to be ahead of regulation, and also they see it as essential to having credibility in the market.”
Following the Binance breach, crypto wallet provider Komodo took the unusual step of hacking itself – and saved $13 million of cryptos in the process. The hack prevented fraudsters from accessing its users’ funds, after security researchers alerted the company to a vulnerability in its Agama wallet. Komodo’s cybersecurity team used the same tactic to move compromised cryptos to safety, stating they were able to sweep cryptos from vulnerable wallets “which otherwise would have been easy pickings for the attacker”.
4. Managed wallets
Major exchanges keep the overwhelming majority of user funds in cold wallets as opposed to hot wallets, which remain offline and safeguarded from hackers. Smaller amounts of user funds are kept in hot wallets to process withdrawals, but also back-up the amount held in the hot wallet with an emergency fund in the event of a security breach. However, private keys managed in a hot or cold environment at an institutional level are doomed for failure, says cloud-based wallet company Curv, and creates various types of cyber-risks and operational complexity.
5. Effective audits
Bird & Bird’s Mr Emmanuel also sees a trend towards increasing security audits, but says it is not without its challenges. “Exchanges can be self-certifying, but this only goes so far. There are moves towards third-party audit certification and ISO standards, such as 27001, which can demonstrate the exchange is robust, is using best practices and can actually mitigate reputation damage issues,” he says.
6. Sharing data
Binance has also started sharing data to frustrate hackers, allowing smaller exchanges to use big data from Binance to help detect and block certain transactions suspected to be connected to a security breach. In one instance, the Bitrue exchange, which lost over $4 million in a hacking attack, swiftly contacted Huobi, Bittrex and ChangeNOW when stolen funds were sent to those three exchanges. They were able to recover some of the funds, reporting: “The attack was soon detected, and activity was temporarily suspended on Bitrue. We alerted the receiving exchanges about the situation.” The affected funds and accounts were then frozen.
7. Collaborative ecosystem
By having a unified communication platform to suspend or freeze accounts connected to hacking attacks, exchanges are creating a challenging ecosystem for hackers to transmit proceeds from a security breach. Binance says it will actively block any stolen funds coming their way. The key is fast reporting by victims and real-time blocking by exchanges. This anti-fraud system, Binance says, will be made freely available to all “real soon”. The big four crypto exchanges in South Korea, including Bithumb and UPbit, have also established a communication line. Using public blockchain networks and tools provided by analytics companies such as Chainalysis, it will become easier for exchanges to detect, freeze and recover funds stolen by hackers.
CryptoCompare last month created a top 100 crypto exchanges ranking according to a CER cybersecurity score, with a top four of Kraken, Coinbase Pro, Binance and BitMex. The report states: “Obviously, cybersecurity is the most fundamental thing that must be addressed to the full extent by any exchange before commencing its operations: exchanges must take responsibility for users’ money and personal data.” CryptoCompare says the report will show the community which exchanges are sustainable and safe for using, and which are not.
Beyond security measures, insurance is an interesting trend. Curv created an insurance partnership with Munich Re, covering up to $50 million of digital assets for customers of their institutional wallet service. CryptoIns, supported by Swiss insurance broker Aspis, offers insurance services to a number of major crypto exchanges, with a new insurance policy purportedly covering losses from “cyberattacks on exchange software, theft, fraud and illegal actions of crypto exchange personnel”.
Is cold storage the answer?
Curv says the industry has created a narrative that the only way to securely hold digital assets is in offline cold storage. While this is understandable, given reported major losses, their assessment is that this cold storage-centric security approach is less secure, and limits the use cases, applications and overall adoption of digital assets at scale.
Curv offers a cloud-based wallet-service for institutions, using a cryptographic mechanism, based on multi-party computation (MPC), eliminating the private key altogether. With no private key in the signing mechanism, there is no private key to insure. Eliminating the private key and adopting a cloud-based model reduces the overall risk profile of digital asset operations and enables real-time access to assets.
Instead, Curv enables institutions to store and use digital assets securely and seamlessly, saying their insurance deal “is a major validation of our wallet service and specifically our cloud-based, cryptographically-enforced and distributed signing mechanism”.
Munich Re conducted a rigorous due diligence process to assess Curv’s cryptography, cloud deployment, architecture, security model and code before validating the threat model and risk structure. There are no more hot and cold wallets, but instead a universally accessible wallet that is governed by cryptographically-enforced corporate policies and controls.