Cryptocurrency is so alluring. It’s like gold in the Wild, Wild West. It attracts the best and worst of humanity. It carries the promise of riches and freedom beyond your wildest imagination. With this promise, there is an opportunity for criminals to make millions of quick bucks through easy robbery, and not get shot (or hanged) for it. Hell, if they can safely launder the money, they may never get caught.
In the crypto world, modern-day highwaymen are black-hat hackers.
Here are 5 of their biggest heists:
5. Tether, $30.9 Million, November 19, 2017
Tether combines the best of fiat currency and blockchain technology, in order to create a form of digital money known as USD Tokens (USDT). You can use USDT for trading your “real world” money for Bitcoin, Litecoin, or Ethereum.
Basically, when you deposit $1 into your Tether account, you are given 1 USDT. You could also use Tether to convert your cryptocurrency into cold, hard cash.
On November 19, 2017, an external attacker gained access to a Tether Treasury Wallet, and siphoned off $30.9 million in tokens. This attacker used a Bitcoin address for the transaction, so the theft was basically irreversible.
Before the breach, Tether was under fire for its cozy relationship with Bitfinex, a fellow exchange company that had lost lots of investors’ money. Very serious allegations were being thrown around, including that Bitfinex used Tether’s assets to commit fraud.
To remedy the situation, Tether put some tough measures in place, which made it impossible for the attacker to redeem the stolen stash by turning it into fiat currency or bitcoin. At the end of the day, there was widespread panic, which led to the value of Bitcoin dropping.
4. Ethereum, $31 Million, July 20, 2017
Ethereum was launched in 2014, about 5 years after Bitcoin. It has since grown to be the second-biggest digital currency.
At noon on July 20, a hacker drained $31 million (153,037 ETH) out of three very large wallets, which belonged to Swarm City, Edgeless Casino, and æternity. The anonymous crook managed to change the ownership of the wallets by exploiting a vulnerability in the Parity multi-signature wallet. This flaw allowed anyone to change ownership of a wallet.
Developers from Swarm City were among the first to notice the theft. They quickly notified Ethereum Devs, who reached out to white-hat hackers for assistance in the possible recovery of the money.
What happened next was so extraordinary that it deserves a spot in the hacker hall of fame: The white-hat hackers established which funds could not be recovered, and swiftly started to secure other compromised accounts.
They followed the criminal’s methodology: stealing from similarly compromised wallets. But instead of keeping the money for themselves, they kept it safe from the attacker. All of these events occurred in less than one day.
3. NiceHash, 4,736.42 BTC, December 6, 2017
NiceHash is a Slovenian company that helps cryptocurrency miners buy or sell computing power. Transactions are carried out in Bitcoins. Miners pay as they mine, without taking undue risks. There are no upfront fees.
Sellers are also paid in BTC. On December 6, there was a serious security breach on their servers. Users on Reddit reported that they were unable to access their funds or make transactions. When they tried to log in, they were sent a message that maintenance was occurring.
The news finally broke that there had been a high-profile cyber-attack on the mining service. The final tally revealed that a wallet with 4,736.42 BTC had been hijacked, and the coins had disappeared into thin air.
As with most of the stolen Bitcoins in history, the money would possibly never be recovered. However, despite the extremely high amount of loss from the heist, NiceHash has been able to continue its mining operations. The CEO and founder, Marko Kobal, resigned, in order to give way to a fresh management team.
The company has managed to retain investor confidence, and has proceeded to fortify its defenses against future exploits.
2. Bitfinex, 119,756 BTC, August 4, 2016
In 2016, Bitfinex was the world’s largest Bitcoin Exchange, until it was overtaken by ANX. On August 4, unknown people stole about 119,756 Bitcoin from customer accounts. Thieves took coins from customers’ wallets, despite the presence of multiple layers of security.
The breach occurred through a multiple-signature procedure, which enabled a transfer of funds. Here’s the way things were set up: Bitfinex would hold 2 keys, while another blockchain company, BitGo, would hold a third key. Together, these keys would authorize transfers of BTC (and other digital money).
At the time, speculation was rife that the attacker might have commandeered BitGo’s API key, and used it to sign off on the transactions. However, BitGo announced on social media that the breach did not occur on any of their servers.
Bitfinex was transparent about the whole ordeal, and reassured the (understandably angry) customers that they were working to establish some sort of compensation.
They bought back some of their assets from their ICO, in order to pay back some affected customers. But they never traced the lost funds. Bitfinex still handles exchanges for BTC, LTC, ETH, and even fiat currency.
1. Mt. Gox, 744,408 BTC, June 19, 2011
The Mt. Gox hack led to the largest actual loss of BTC in history. It is unlike the other breaches listed above; they occurred due to high-profile black-hat hackers taking advantage of complex security vulnerabilities. The loss was a culmination of years of skimming and stealing a few BTCs at a time.
The most famous of these skimming hacks occurred in June 2011. A hacker (or group of hackers) purportedly accessed a computer belonging to one of the auditors, and exploited a security vulnerability to access Mt. Gox’s servers. The hacker(s) then changed the nominal value of the Bitcoin to 1 cent.
They then proceeded to siphon off around 2,000 BTC. Some customers unknowingly purchased 650 BTC, when the price was artificially deflated. Even though the hack made headlines around the world, none of the coins were ever returned.
To build up the confidence of investors, the company compensated customers for the stolen coins, and placed the bulk of the remaining coins into cold storage. A couple of years later, the Japan-based company was the most robust Bitcoin exchange in the world.
However, woes were building underneath the façade. For starters, it had a partnership with Coinlab, its American subsidiary. Somehow, Mt. Gox ended up operating without a license in the US, which attracted the attention of the feds. Coinlab also sued them for $75 million for breach of contract. An ensuing investigation led to seizing $5 million, which dealt a substantial blow to the reputation of the company.
Believe it or not, it was just the tip of the iceberg. It turns out that there were deeper problems in the organization, and that the upper echelons of management may not have known about it.
The CEO of Mt. Gox, Mark Karpeles, was originally a developer. He was too busy basking in the glory of his creation: a currency-exchange platform. He was wowed by the fact that he’d built it up to be the biggest platform of them all. In fact, Mt. Gox handled more than 70% of all BTC trades at the time.
Trouble started brewing when the company failed to develop a sufficiently healthy development culture for its software. In other words, there was no version control. Since the CEO had to give his approval before most things could be done, developers had to deal with bottlenecks in the process.
As with any extremely valuable assets, vultures are always circling. Hackers took advantage of weak points on the exchange platform, in order to access the Bitcoins. And they made an offer: You could “ask” for BTC at any price.
Within minutes, there was a large sale of millions of dollars’ worth of coins, most of which were sold for pennies. The overall global price of BTC stabilized after a few more minutes. However, the damage was already done.
After all was said and done, Mt. Gox lost about 850,000 BTC. The exchange company had to declare bankruptcy. Hundreds of thousands of people lost money. Japanese authorities arrested the CEO, Mark Karpeles, for fraud. He pleaded not guilty, and was later released.
In 2014, authorities recovered some of the Bitcoin that was stored in older addresses. However, they didn’t send it back to the Exchange. Rather, they held it in a trust to pay back the creditors.
Bonus Hack: Bitcoin Itself, 2010
In 2010, an attacker spotted a bug in Bitcoin’s software and exploited it. This attacker was able to create a single block (#74638) containing a transaction of 184 billion BTC. Yes, you read that right: It was 183,958,000,000 BTC more than was ever supposed to exist.
The transaction was split into three parts:
- There were 2 equal output values of around 92 billion BTC.
- A third showed a transaction fee.
It was instantly clear that someone had taken advantage of the software bug, which would later be on the list of Common Vulnerabilities and Exposures (CVE). The attacker tried to make massive profits (or massive tomfoolery) out of BTC’s blockchain.
Members of the community sounded an alarm about the error. They forced the creation of a hard fork. Basically, they pressed the restart button, and everything ran normally again. Well, it involved more than that: They applied a patch to correct the error, which meant the transaction was rendered invalid, and everything rolled back to normal.
Needless to say, it would have been a quadrillion-dollar transaction. However, Bitcoin’s investors are aware that there is a hard cap of 21 million BTC.
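The bug was an integer overflow: the two huge output values, when added together, wrapped around a 64-bit signed total and came out negative. As an added example (not Bitcoin's actual source and not part of the original article), this C sketch puts a flawed acceptance check beside a range-checked one; the function names, constants and sample amounts are assumptions, with the outputs constructed to match the "around 92 billion BTC" figure above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define COIN      100000000LL           /* base units per BTC */
#define MAX_MONEY (21000000LL * COIN)   /* the 21 million BTC hard cap */

/* Output total with 64-bit wraparound and no range checks (the flawed logic). */
static int64_t naive_total(const int64_t *out, size_t n) {
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += (uint64_t)out[i];
    return (int64_t)sum;   /* two's-complement wrap on mainstream compilers */
}

/* Flawed acceptance test: only checks that outputs do not exceed the input. */
static int naive_accepts(const int64_t *out, size_t n, int64_t in_value) {
    return naive_total(out, n) <= in_value;
}

static int in_range(int64_t v) { return v >= 0 && v <= MAX_MONEY; }

/* Hardened test: every amount and every running total must stay within the cap. */
static int checked_accepts(const int64_t *out, size_t n, int64_t in_value) {
    int64_t total = 0;
    if (!in_range(in_value)) return 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_range(out[i])) return 0;
        total += out[i];               /* safe: both operands are <= MAX_MONEY */
        if (!in_range(total)) return 0;
    }
    return total <= in_value;
}

/* Constructed sample data, not the real transaction's exact amounts. */
static const int64_t BAD_OUTS[2] = { 92000000000LL * COIN, 92000000000LL * COIN };
static const int64_t OK_OUTS[2]  = { 40000000LL, 50000000LL };

int main(void) {
    printf("wrapped total: %lld\n", (long long)naive_total(BAD_OUTS, 2));
    printf("naive accepts oversized tx:   %d\n", naive_accepts(BAD_OUTS, 2, COIN));
    printf("checked accepts oversized tx: %d\n", checked_accepts(BAD_OUTS, 2, COIN));
    printf("checked accepts ordinary tx:  %d\n", checked_accepts(OK_OUTS, 2, COIN));
    return 0;
}
```

With a constructed 1 BTC input, the flawed check accepts the oversized transaction because the wrapped total is negative, while the range-checked version rejects it at the first output.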