Imagine waking up one morning to find out hackers stole roughly 500 million USD from your company's crypto exchange. Now, imagine your customers begging for it back.
First Published 2nd February 2018
More and more, victims of cryptocurrency theft are turning to god.
4 min read | Reflare Research Team
Attackers breached Coincheck’s security and gained the ability to make transactions from the exchange’s NEM wallets. Exactly how this was accomplished is not in public knowledge at the time of publishing this briefing. With the newly gained access, the attackers transferred 523 million XEM (NEM is pluralized as XEM) to wallets they are assumed to control. The total value of stolen assets amounted to roughly 500 million USD at the time of the theft. The value of NEM has since decreased.
The theft victims appear to have been mostly Japanese nationals with some taking the desperate measure of sending messages to the thieves using NEM’s built-in transaction messages to plead for their money back.
Coincheck will likely face major legal repercussions from the hack. Preliminary investigations have concluded that much of the assets were stored in so-called hot wallets - coin stores that can be accessed over the internet. This is bad security practice and will likely open the exchange up to negligence lawsuits.
The difficulty of protecting valuable assets
Similarly to Coincheck, the infamous hack of Bitcoin exchange MtGox in 2012 also happened when roughly half a billion USD worth of BTC was stored on, and then stolen from the platform.
While these large-scale thefts are rare and plenty of smaller exchanges with poor security get hacked, these specific breaches raise an interesting question:
Is it possible to protect half a billion dollars worth of perfectly liquid assets?
At first glance, this question may seem absurd. Surely banks protect larger amounts of assets all the time. But apart from the issue of comparatively poor security at cryptocurrency exchanges which we have addressed in previous briefings, the comparison is also misleading. Banks don’t protect the actual assets, but mostly a representation of them. A bank holding billions of dollars in assets have the vast majority of them stored in electronic records. Unlike cryptocurrencies, these records are not the currency itself. If illegal activity is discovered, transactions can be rolled back. Bank branches and ATMs hold limited amounts of cash - a liquid asset - but the current state of cryptocurrency exchanges is akin to banks holding all of their assets in cash or gold in their branch locations themselves; and even stealing 500 million dollars worth of cash or gold would be more difficult than doing the same with cryptocurrencies due to the sheer size and weight of such amounts.
Buildings and ships may also be valued at half a billion dollars or more, but are more illiquid.
Therefore, we are faced with a novel problem: How can 500 million dollars worth of a perfectly liquid asset be protected? If the payoff is $500m, a conservatively calculating attacker can invest $100m into the attack. For this amount of money, no computer system outside of military and governmental (and likely not even those) is secure. $100m will buy zero-day exploits into any OS on the black market or can alternatively fund the research needed to discover them. $100m is enough to bribe any number of insiders who can assist the attack.
Cryptocurrency exchanges and heavy investors are thus increasingly moving their assets into cold storage - placing coins in dedicated hardware devices without network connections. But how can these devices be protected? A private investor holding $10m at his/her home would be well advised to invest in very good physical security and personal protection services to stave off traditional thieves and robbers. A company trying to protect hardware devices protecting $500m faces even greater challenges. $100m in attack budget could conceivably buy an army.
Summary
The perfect liquidity of cryptocurrencies creates some unique challenges in terms of information security and physical security. Mechanisms to protect such assets will likely be developed over time as the economic pressure increases. For the time being, we advise all private crypto-investors to place their coins into cold storage and - above certain values - place the devices themselves into safe storage in a safe deposit box or similar location.