This week has seen another major hack of a Bitcoin company leading to losses equivalent to tens of millions of U.S. dollars. In this briefing, we will take a look at the evolving threat landscape faced by companies involved in Bitcoin, what we know about the NiceHash incident, and how users can try to protect themselves.
On the 7th of December, Bitcoin marketplace NiceHash released a statement on social media informing users that they had been hacked and that money had been stolen from at least one of their wallets. Users quickly began circulating a wallet address that was supposedly affected by the breach, showing that 4,736.42 BTC had been stolen. At the current conversion rate, this works out to around $62M USD.
At the time of publishing this briefing, no further information on the hack itself is available.
NiceHash is a marketplace not for consumers buying and selling Bitcoin directly, but instead for miners (people operating the computers solving the cryptographic challenges leading to new Bitcoins) to rent out mining capacity to others. Like the traditional financial market, Bitcoin has developed a multitude of derivative markets over the past year.
The problem with scale
In traditional information security, the value of assets to protect changes relatively slowly. This is good, because which security measures are adequate hinges greatly on what needs to be protected. Measures that are perfectly sufficient for a private blog are horribly insufficient for a bank's backend.
Consequently, the rapid change in the value of BTC creates interesting and unique challenges for companies trading in it. Systems that were designed to securely store thousands of dollars' worth of BTC just a year ago are now suddenly faced with the challenge of storing millions of dollars' worth. While banks are under heavy governmental regulation and keep teams of security staff on hand for this task, the level of security at Bitcoin startups is unregulated and thus ranges from excellent to non-existent.
Famously, the 2014 hack of MtGox, the largest Bitcoin marketplace at the time, revealed that tens of millions of USD worth of Bitcoins were traded using a system originally designed to handle the trading of collectible cards (MtGox stands for Magic the Gathering online exchange).
Conversely, the rapid fluctuations in Bitcoin value can also be the saving grace of Bitcoin companies affected by a breach. If the value drops drastically, the damages become easier to pay. If the value rises drastically, the remaining Bitcoin may become valuable enough to cover the losses. This happened to MtGox, as the fraction of the Bitcoin not stolen in 2014 now outvalues the dollar amount stolen at the time, leading to interesting questions for lawyers and prosecutors handling the case.
How can I protect myself?
As the value of Bitcoin continues to increase, users face the same challenges that companies do. It is recommended that you do not entrust your Bitcoin to marketplaces and wallet companies and instead store them in your own wallet on your own hardware. However, even this raises interesting questions, as early investors now find themselves with the challenge of physically securing a laptop or dongle suddenly worth millions of dollars from traditional threats such as fire, theft and robbery.