Crypto Theft is becoming more and more widespread. Thanks to the growing popularity of cryptocurrencies and ICOs, the cases of criminal acts are increasing. PlanetCompliance explains how these thefts work and what you can do to protect your valuable coins.
If you own Ether*, the chances are high that at one time you were using the highly popular MyEtherWallet to store your tokens. MyEtherWallet, or MEW for short, is a free, open-source interface for generating Ethereum wallets.** It can be used to create a wallet to send, receive and store Ether or ERC-20 tokens.
Last month, MEW was at the centre of a hack that resulted in users losing about $150k. It is the latest prominent example of the rising threat of crypto theft. Plenty of other examples, in many cases with much higher losses, have taken place.
Picking up speed
The fact that these seem to become more frequent isn’t surprising either. If you simply look at the numbers, it has become a much bigger game over the last XXX years and thus much more attractive for crooks. Only three years ago there were approximately five million blockchain wallets in existence; last year the count stood at 21.5 million. At the end of 2015 one Ether was worth less than a dollar; at its all-time high in January 2018 it was worth more than $1250. Alternatively, just think about the increasing number of ICOs and the all-time cumulative ICO funding currently standing at almost $13 billion. That’s a lot of coins out there, and you can see why more people are interested in stealing them. And the list of Blockchain scandals and successful hacks is long:
In 2014 $473 were stolen from the Japanese bitcoin exchange Mt. Gox.
The second biggest breach of a Bitcoin exchange platform was when 120,000 units of BTC with a value of $72 million at the time were stolen from Bitfinex in August 2016.
In January 2018, Coincheck was hacked and more than 500 million XEM coins were stolen, worth about $400 million.
And in March, Binance, one of the world’s largest crypto exchanges, told its customers that it had prevented a large-scale phishing and stealing attempt, outlining the details of a plot by “well organised” hackers to manipulate the market and steal some of its users’ digital coins.
What happened at MEW?
Back to the MEW hack and what actually happened there. The official statement of the MEW team was posted on Reddit and explains that the breach happened as a result of the hijacking of their Domain Name System servers. This caused visitors of MyEtherWallet to be redirected to phishing websites.
It is our understanding that a couple of Domain Name System registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site.
This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.
A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime.
Affected users are likely those who have clicked the “ignore” button on an SSL warning that pops up when they visited a malicious version of the MEW website.
We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible.
In short, the breach happened as a result of the hijacking of their Domain Name System servers. As a result, visitors of MyEtherWallet were redirected to phishing websites.
How to protect yourself from Crypto Theft
So, what can you do to protect yourself from Crypto Theft? It’s difficult to guarantee 100% safety at all times, but there are a number of steps to reduce the risk and keep your coins safe.
1) Always use strong passwords. It’s tempting to use “123456” and “password”, and these still seem to be very popular choices, but you don’t even need a fancy algorithm to crack such accounts in no time.
2) Use two-factor authentication (2FA) like Google Authenticator. Make sure though to store your backup words for the 2FA processes offline and in a safe place. Without them, recovering access is either very painful and time-consuming or simply impossible.
3) Don’t use your phone number or text messages for account verification, nor email for account recovery. These can easily be hacked and give unauthorised access to criminals.
4) Don’t use hot wallets but cold storage. Hot wallet refers to a wallet that is online and connected to the Internet, for example, if you keep your coins on an exchange. Cold storage refers to either hardware wallets or paper wallets. Hardware wallets store a user’s private keys on a secure hardware device, as the name indicates. These devices can be USB keys and smartcards. A paper wallet is a physical document that contains the information needed to generate the private and public keys of your cryptocoins, which you need to access your wallet and make transactions. As opposed to hot wallets, cold storage is offline and cannot be hacked. A word of warning though with regard to cold storage: the paper wallets or USB keys need to be stored in a safe place like a fireproof safe. Why? You’ll find out at the bottom.
5) Don’t share your private keys or let others store them. It may be convenient to let exchanges store them. Exchanges may have good defences, but if they get hacked, chances are your private keys fall into the wrong hands, too.
6) Check websites, double check the URL, google the name of the cryptocurrency/ICO and add “scam” or “reviews” to get an idea if things are legitimate or a fraud. Also for token sales, do not trust any address except the one posted on the official site. Be aware of suspicious links in emails or social media messages as hackers use them to install malware.
7) Lastly, use common sense: if things seem too good to be true, they probably are. No one is giving Ether (or other cryptocoins) away for free, not even Vitalik Buterin.
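Tip 6 can be turned into a small check, sketched here in Python as an added example that is not part of the original article. The allowlist, function names and sample URLs are assumptions made for illustration. A URL that passes does not rule out a DNS hijack like the one at MEW, where the address was correct and the browser's SSL warning was the signal.

```python
from urllib.parse import urlsplit

# Assumption: you maintain this allowlist yourself; the domain is the one named in the article.
OFFICIAL_HOSTS = {"myetherwallet.com", "www.myetherwallet.com"}

# Constructed sample URLs (illustrative only, not taken from any real incident).
SAMPLES = [
    "https://www.myetherwallet.com/",            # official host over HTTPS
    "http://myetherwallet.com/",                 # official host, but no TLS
    "https://myetherwa1let.com/",                # digit 1 in place of the letter l
    "https://myetherwall\u0435t.com/",           # Cyrillic "e" in place of Latin "e"
    "https://myetherwallet.com@wallet.example/", # real name placed before "@", real host after
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of an official host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str, official=OFFICIAL_HOSTS) -> list:
    """Return a list of warnings; an empty list means the URL passed every check."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")
    if host not in official:
        warnings.append("host-not-on-allowlist")
        if any(0 < edit_distance(host, o) <= 2 for o in official):
            warnings.append("lookalike-of-official-host")
    return warnings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.encode("unicode_escape").decode(), check_url(sample))
```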
Anything else?
Obviously, this is not a conclusive list and, as we said, 100% safety is an illusion, as the following examples will show, but it’s a good way to deal with the problem. As for the examples, here are our three favourites, which could easily be replaced by many other examples of people losing their cryptocoins:
The Welsh IT guy who threw out his hard drive and wants to go through a landfill site to recover it. Why? He was one of the early miners in Bitcoin, and the hard drive he accidentally binned in 2013 held the 7,500 Bitcoins he mined. With a BTC all-time high close to $20k, that would have been worth $15m at one point, but even at current prices it’s a lot of money sitting on that landfill. By the way, the local city council denied his request to access the site as it’s against the law, but chances are slim that the hard drive could still be used after five years amongst toxic waste.
The tech journalist who lost the piece of paper with the PIN to his hardware wallet (that’s what we meant before by safe places to keep your cold storage) with 7.4 BTC, tried a hypnotist to recover the code without success, but eventually found a way to retrieve the PIN from the allegedly unhackable Trezor hardware wallet with the help of a 15-year-old. It’s quite a funny story and you can find it here.
The wallet owner who by accident took control of a digital wallet service and then destroyed ETH worth $300 million. In November 2017, Parity, an Ethereum wallet that can be integrated into web browsers, was trying to fix a bug a hacker had already exploited to steal $32 million. While doing this, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet. When the user discovered that he had basically stolen the $300m worth of Ether, he panicked and deleted the code which had transferred ownership of the funds. That in turn meant that instead of returning the coins to their rightful owners, they were simply lost.
* Just to avoid confusion, Ether is the cryptocurrency whose blockchain is generated by the Ethereum platform, even though Ethereum is often used synonymously with Ether, even on the big crypto exchanges. For the sake of clarity we’ll go with Ether in this article though.
** MEW also holds plenty of information on cryptocurrencies, wallets, exchanges etc., in short the whole crypto world, so it is definitely worth having a look simply for that.