Crypto currency breaches, continued
As we have pointed out in previous briefings, cryptocurrency market places face several unique problems that put them at increased risk for cyber attacks. In this briefing we will review one of the larger recent cases illustrating this fact.
Israeli cryptocurrency startup CoinDash fell victim to a hacking attack earlier this week. The company was at the time holding its so-called ICO or “Initial Coin Offering”. A process commonly used by cryptocurrency companies to raise capital without a traditional IPO. While the later offers shares in the company, the former offers cryptographic tokens instead. Since these tokens can thereupon be traded freely, they behave very similar to shares without any regulation or governmental oversight.
To purchase coins, buyers were asked to transfer a certain amount of a cryptocurrency called Ethereum to a provided address. However as payments were made, attackers changed the address as thus diverted large portions of the cashflow to themselves instead of the company.
According to blockchain records, company managed to raise USD 6.4m before the attack. The hackers thereupon stole roughly USD 7.0m.
While CoinDash was quick to declare that they would honor all coin purchases - even those where funds were send to the attackers - the damage is quite likely to be fatal for the startup. Apart from losing more than half of the raised capital, the image damage done to the company is immense. Whether the attack was performed by insiders or unrelated attackers, investors and potential customers will have a very hard time regaining trust in CoinDash’s technical capabilities. The unregulated nature of cryptocurrencies further means that there is no way to roll back the theft or restore funds.
The unregulated, transparent and - at least initially - anonymous nature of cryptocurrencies are what makes them appealing to many users and investors. However the exact same attributes also introduce great risks.
Traditional financial networks are heavily regulated and watched to prevent fraud, money laundering and security breaches. While nothing is absolutely secure, the core transaction networks of major banks are among the most secure IT systems currently available with specialized teams monitoring transactions around the clock. If fraud should occur, transactions can usually be rolled back and the perpetrators prosecuted.
Most cryptocurrency startups however consist of small teams with widely varying technical expertise. While some companies manage to retain the required talent, time and funding to build highly resilient infrastructure, others don’t. Assessing the security of a company is virtually impossible for the general public. Furthermore, once fraud occurs, nothing can roll it back and the attackers - unless highly incompetent - remain anonymous.
We advise any individual or organization who is considering to engage with cryptocurrency - be it by accepting it as payment, investing in the technology, purchasing coins or doing business with entities holding significant amounts of their assets in coins - to take the significant added risk into account during the due diligence process.