Cryptocurrency exchanges have become one of the most attractive targets for cybercriminals. The security breach suffered by one of Turkey’s largest cryptocurrency exchanges is a recent example of what these platforms can be exposed to. In this article, we aim to provide an in-depth look at the technical details of cybersecurity incidents affecting cryptocurrency exchanges around the world, and at the various attack techniques that threaten both exchanges and account holders.
Mt. Gox Attack (2014)
One of the most devastating security breaches occurred at Mt. Gox, once the world’s leading bitcoin exchange. In 2014, it was revealed that the exchange had lost 850,000 bitcoins to theft. The attackers used a technique called a “transaction malleability attack” to withdraw the funds. In this type of attack, the attacker is usually the recipient of the transaction, not its originator. The attacker initiates a transaction that transfers funds to an address under the attacker’s control, for example by submitting a withdrawal request to the exchange. The attacker then waits for the transaction to be broadcast on the relevant network and alters its identifier (transaction ID) without changing the content of the transaction (recipient address, amount, etc.).
In this way, the same transaction is broadcast with a different ID. The modified version confirms on the network and the requested amount does reach the recipient’s wallet, but the exchange, which verifies the withdrawal by looking up the ID it originally recorded, sees the transaction as unsuccessful. It then sends the amount again or credits it back to the sender’s account. Even if the exchange later realizes that the original transfer succeeded, the attacker has already obtained an unfair profit equal to the amount requested in the withdrawal.
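The reconciliation failure described above, as an added illustration that is not part of the original article: a simplified transaction model (not real Bitcoin serialization) in which a naive exchange matches confirmed transactions by their full transaction ID, while a hardened exchange matches by an ID computed only over inputs and outputs, so an equivalent re-encoding of the same transfer is still recognized as the withdrawal it sent.

```python
import hashlib
import json

# Constructed, simplified transaction model: real Bitcoin serialization differs;
# only the exchange-side reconciliation logic is the point of this example.


def txid(tx):
    # Pre-SegWit style txid: hash over the whole transaction, including the
    # signature bytes, so any re-encoding of the signature changes the id.
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


def normalized_id(tx):
    # Hash over the spent outpoints and the outputs only. Two transactions that
    # move the same coins to the same destinations get the same id regardless
    # of how their signatures are encoded.
    core = {"inputs": [{"prev_txid": i["prev_txid"], "vout": i["vout"]} for i in tx["inputs"]],
            "outputs": tx["outputs"]}
    return hashlib.sha256(json.dumps(core, sort_keys=True).encode()).hexdigest()


def make_withdrawal(sig_encoding):
    # Exchange pays 10 BTC to a customer address from one of its UTXOs.
    return {
        "inputs": [{"prev_txid": "ab" * 32, "vout": 0, "sig": sig_encoding}],
        "outputs": [{"address": "customer_addr", "amount": 10.0}],
    }


def naive_reconcile(sent_tx, confirmed_txs):
    # Vulnerable pattern: only the txid recorded at broadcast time counts.
    return txid(sent_tx) in {txid(t) for t in confirmed_txs}


def robust_reconcile(sent_tx, confirmed_txs):
    # Hardened pattern: match on what the transaction actually does.
    return normalized_id(sent_tx) in {normalized_id(t) for t in confirmed_txs}


def simulate():
    sent = make_withdrawal("sig-encoding-A")
    # The network confirmed a copy whose signature bytes were re-encoded;
    # inputs and outputs are identical, but the txid is not.
    confirmed = [make_withdrawal("sig-encoding-B")]
    return {"txids_differ": txid(sent) != txid(confirmed[0]),
            "naive_sees_success": naive_reconcile(sent, confirmed),
            "robust_sees_success": robust_reconcile(sent, confirmed)}


if __name__ == "__main__":
    print(simulate())
```

A naive exchange would treat the withdrawal as failed and resend it; the hardened reconciliation recognizes the confirmed transfer and pays only once.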
Poly Network Attack (2021)
Poly Network, a cross-chain decentralized finance platform, suffered a major cyberattack on August 10, 2021. Attackers exploited vulnerabilities in the platform’s smart contracts to steal approximately $610 million worth of various cryptocurrencies. The attack was caused by a vulnerability in the Poly Network smart contracts that allowed asset transfers between the Ethereum, Binance Smart Chain (BSC) and Polygon networks. After publicly disclosing the attack, Poly Network contacted the attackers and asked them to return the funds. Interestingly, the attackers began returning the stolen assets within a few days.
Following the Poly Network attack, a widespread security debate erupted in the DeFi community. Platforms and users emphasized the importance of more audits and stronger security measures to ensure the security of smart contracts. Poly Network took various steps to increase the security of the platform, such as launching bug bounty programs and collaborating with security firms, and strengthened its protocols to prevent similar attacks in the future. This incident once again demonstrated how vital security protocols are for cryptocurrencies and DeFi platforms, and the importance of remaining vigilant against ever-evolving cyber threats.
CryptoCore and Lazarus Group Attacks
Another example with a high impact on the cryptocurrency market is the series of attacks carried out by the CryptoCore and Lazarus groups. Although the net financial impact of the attacks is unknown, the total amount is estimated to be over $200 million. The common characteristics of these two groups’ attacks are that they usually last a long time, have a high and sustained impact, and include social engineering techniques.
The attacks carried out by the CryptoCore group generally begin with carefully crafted spear-phishing emails sent to companies’ senior executives and IT staff. These emails either direct the recipient to websites hosting malicious content or carry attachments containing malware, allowing the group to infiltrate the victim’s computer and steal usernames, passwords and other login information through malware and keyloggers. Using this information, the group aims to take over accounts on cryptocurrency exchanges and seize large amounts of cryptocurrency.
The biggest difference between the two groups is that Lazarus is thought to be a hacker group supported by the North Korean government. From a technical perspective, the biggest difference is that the attacks carried out by the Lazarus group are more sophisticated. Lazarus’ attacks include advanced techniques such as exploiting zero-day vulnerabilities, monitoring network traffic, infiltrating critical systems and creating backdoors. As a result, they seriously endanger the security infrastructure of the target institutions. Lazarus’ attacks are usually carried out as complex cyber operations that are thought to be state-sponsored and aimed at financial gain.
Bitfinex Attack (2016)
Bitfinex, one of the world’s leading exchanges, suffered a major security breach in 2016, losing approximately 120,000 bitcoins. Although it is known that the attack affected multi-sig wallets, it is still unknown exactly how it happened.
Coincheck Attack (2018)
Japan’s Coincheck exchange suffered a cyberattack in 2018 in which approximately $534 million worth of NEM tokens were stolen. The attack occurred via hot wallets connected to the internet where NEM tokens were held.
We see that attacks targeting cryptocurrency exchanges involve a variety of techniques, including but not limited to the following:
- Phishing attacks
- Software vulnerabilities
- Exploits
- Distributed Denial of Service (DDoS) attacks
- Insider threats
- Social engineering
- Attacks targeting APIs
Cybersecurity incidents affecting cryptocurrency exchanges highlight the importance of robust security measures. As exchanges strengthen their defenses, the attack techniques used by cybercriminals also evolve. It is important to remember that attackers have made a career out of this. Exchanges should take the following precautions as a minimum:
- Implementing comprehensive security protocols
- Obtaining threat intelligence
- Conducting regular security audits
- Training employees and carrying out activities that raise their awareness of information security (for example, briefings on current attacks)
- Adopting advanced security technologies
To protect their individual accounts, users should remain vigilant, use strong and unique passwords, enable two-factor authentication, treat unexpected emails with suspicion, avoid clicking on links they do not recognize, and watch out for phishing attempts. It is important to remember that keeping money secure is not solely the responsibility of the service provider or financial institution.