The cryptocurrency space has seen explosive growth over the past few years. With this rapid growth, however, the crypto space has also had its fair share of highly publicized hacks, and malicious actors have made off with millions of dollars in their respective heists. But with every pitfall comes a lesson. So, in this article, let’s look at the five biggest bitcoin hacks of all time, in order to learn how to protect yourself. We have selected the top crypto hacks based on the following criteria:

  • The amount of money stolen.
  • The impact of the hack.

So, without any further ado, let’s take a look at the top 5 crypto hacks by amount of money stolen and the impact of the hack, as well as how you should protect yourself.

Top Crypto Hacks #1: The DAO Hack

As you may know, the abbreviation “DAO” stands for Decentralized Autonomous Organization. DAOs are organizations that run on their own, free from centralized control. The main idea is to create an organization that runs itself, with no one at the controls.

The DAO contract that we will be talking about here will just be referred to as “The DAO.” In late 2016, the Ethereum community was buzzing due to the formation of The DAO. After attracting a whopping $150 million in funding, The DAO quickly became the largest crowdfunding campaign of that time.

So, what was all the hype about at the time? What exactly did The DAO do?

Think of how powerful a decentralized venture capital fund could be: a fund that doesn’t suffer from human error and is immune to investor manipulation. The DAO sought to:

  • Place due process and decision-making in the hands of an automated system.
  • Allow investors from all over the world to send money and get DAO tokens in return.
  • Enable token holders to vote on promising projects that deserved to receive funding from The DAO.

Overall, The DAO aimed to offer unprecedented flexibility, control, and complete transparency over the venture capital process.

So, what happened?

The DAO’s code contained a bug which, when triggered, allowed a re-entrancy attack. So, what exactly does this type of attack do?

To understand this, consider a hypothetical contract that fulfills two simple roles:

  • It allows you to store your ether in a contract and maintains your balance.
  • It allows you to withdraw ether back to your wallet any time you want.

The withdrawal logic is where we face a major vulnerability, because of the order in which it does things:

  • First, the code sends the ether and checks whether the person withdrawing has received it.
  • Only if they have does the contract set their balance to 0.

So, why is this an issue?

If we can somehow stop the contract from ever reaching the step that sets our balance to 0, we can make it keep sending funds to our wallet over and over.

Reentrancy and DAO

The DAO had a “Child DAO” (split) function that let participants branch off and create their own DAO. The split proceeds in the following steps:

  • Gives the participant back their ether in exchange for DAO tokens
  • Updates the ledger and the overall token balance

The vulnerability here works something like this:

  • The contract takes back the DAO tokens and gives the user the appropriate amount of ether.
  • Before the contract can record the transaction, the user re-enters the function and makes the code go back and return more ether.
  • As such, the contract enters a recursive cycle until it is drained.

This is exactly what happened with the DAO contract. The hacker exploited this very bug, and subsequently siphoned away $50 million worth of Ether.

Impact of the hack

While this may not be one of those high-profile crypto exchange hacks, its impact was still extreme. Ethereum plummeted from $20 to $13. To reverse the effects of the hack, the community decided to fork. A fork is a technique that splits the underlying blockchain protocol into two different chains – an old chain and a new chain. There are two ways to do this:

  • Soft fork: The old chain can still communicate with the new chain.
  • Hard fork: The old chain can no longer interact with the new chain.

The community initially opted for a soft fork, but this led to several complications and potential DDoS (distributed denial of service) attacks. As such, the only path left was a hard fork, i.e., creating a completely new chain. Several in the community were against this because they saw the approach as a “cheap cop-out.” However, the plan went through, and this eventually split Ethereum into Ethereum (new) and Ethereum Classic (old).

Top Crypto Hacks #2: Coincheck

Coincheck is a Japanese exchange that became notorious in 2018 when it was hacked for 523 NEM coins, or $534 million. Lon Wong, NEM Foundation president, described the hack as “the biggest theft in the history of the world.” Over 260,000 investors were affected.

So, how did one of the most high-profile crypto exchange hacks of all time happen? Gross mismanagement.

Coincheck and mismanagement

Cryptocurrency wallets broadly fall into one of two categories: hot or cold. Cold wallets are isolated from the internet and are often used to store large reserves of coins. Hot wallets are connected directly to the internet and are used to conduct transactions. Hot wallets are far riskier precisely because they are online.

Exchanges usually store the lion’s share of their crypto in cold wallets, while keeping a small percentage in hot wallets to ensure liquidity. Coincheck did none of this. They only had one wallet wherein they stored all their coins. This was extremely unprofessional from what, at that time, was the largest exchange in Japan.

The attackers spread malware via email, which let them collect the private keys. They then drained $533 million worth of NEM from the exchange’s coffers.

Effects of the hack

The effects of the hack ranged from monetary loss to a shift in the sentiment of an entire nation. Firstly, NEM dropped by 20%. While Coincheck initially said it would not be able to compensate users for their losses, it eventually managed to do so by attributing a value of 88,549 yen to each of the lost coins.

Coincheck representatives following the hack

Japan’s financial watchdog, the Financial Services Agency, ordered Coincheck to improve its security practices. More seriously, Japan’s overall sentiment towards crypto took a major hit following the attack. Coincheck’s President, Toshihiko Katsuya, later said in an interview:

“Most media, especially television broadcasters, were reluctant to have commercials for crypto after the hack. Since the Coincheck hack, the activity of individual Japanese traders went down by a lot.”

All in all, this was one of the most devastating crypto exchange hacks. Monex Group, a traditional financial services company, has since taken control of Coincheck, which is still operational.

Top Crypto Hacks #3: Mt GOX

Let’s go from one mismanaged exchange to another. The Mt Gox incident was one of the most significant events in the early days of Bitcoin, and much has been written about it. However, the hack mostly comes down to gross mismanagement by the Mt Gox CEO, Mark Karpeles.

The firm launched in July 2010, and by early 2014 it was handling over 70% of all bitcoin transactions worldwide. To say that they were doing well is like saying Michael Jordan was ok at basketball. Regardless, there were plenty of issues behind the scenes that raised red flags.

What led to one of the most infamous bitcoin hacks ever?

  • It lacked a version control system (VCS), which lets you keep track of every change made to the codebase. Not only does a VCS show you when the underlying code was changed, it also shows who exactly was responsible for the change. A VCS is critical in a company where multiple developers work on the same project.
  • Mt Gox also had no real testing policy. Customers were entrusting their life savings to an exchange governed by untested code.
  • All the changes made to the underlying code needed to be approved by Karpeles himself. This created an unnecessary bottleneck. It was pretty ironic that an overly centralized company dominated the gateway to bitcoin – a decentralized currency.
  • Finally, the main problem: Mt. Gox lacked proper leadership and management. Things got so bad that Andreas Antonopoulos labeled it “a systemic risk to bitcoin, a death trap for traders and a business run by the clueless.”

[Photo: Mark Karpeles, former CEO of the collapsed bitcoin exchange Mt Gox, at a press conference after his first hearing in Tokyo on July 11, 2017, where he denied wrongdoing on charges linked to the disappearance of hundreds of millions of dollars worth of the virtual currency.]

The attack

February 7, 2014, came as a rude awakening to Mt Gox users, as the exchange suddenly halted all Bitcoin withdrawals. The exchange was being attacked through a bug in Bitcoin’s software called “transaction malleability,” which enabled users to manipulate the bitcoin network so that transactions appeared duplicated. Mt. Gox worked desperately with the bitcoin core development team to fix the issue. However, they still ended up losing a staggering $473 million.

Impact

The company claimed that it lost around 750,000 of its customers’ bitcoins and nearly 100,000 of its own. At that time, this combined total was around 7% of the entire circulating supply! The company filed for bankruptcy protection from its creditors. As a direct result of this hack, the price of bitcoin dropped by 36%.

Top Crypto Hacks #4: Bitfinex

Up next, we have one of the biggest exchanges in the world right now, the Hong Kong-based Bitfinex. Bitfinex was hit for 120,000 BTC or $72 million on August 2, 2016. The core reason behind this hack was the severe mismanagement of multi-sig wallets.

What is a multi-sig wallet?

Imagine that you and two of your friends share a treasure box. The box is full of all the loot that the three of you have recovered over the years. The three of you have an understanding that goes something like this – as long as two of the three of you agree, you can access the loot inside the box.

This is pretty much how multi-signature (multi-sig) wallets work. These wallets have clear advantages over simple single-key wallets:

  • They are a lot more secure.
  • They create a more democratic environment. A multi-sig wallet is perfect for a corporation, since the funds are not subject to a sole wallet owner’s whims.

Bitfinex and BitGo

BitGo is a premier multi-sig wallet service that teamed up with Bitfinex. The idea was to bring more security to Bitfinex’s standard hot wallets by providing a multi-sig environment. The keys were divided among the owners to mitigate the inherent risk of hot wallets and protect users from potential phishing scams.

Ironically, this exact security measure was what led to the hack. Bitfinex was a tad overconfident about the approach. As such, they reduced their dependency on cold storage and stored their customers’ money in these multi-sig wallets. However, at the end of the day, these wallets were still hot wallets, and that’s where this became a major issue.

The attack 

The hackers attacked the Bitfinex servers and somehow got the exchange to sign off on unauthorized bitcoin withdrawals. In the process, they also managed to work around BitGo’s security measures and got BitGo to sign off on these transactions as well. Researchers eventually concluded that this system was broken from the get-go, as BitGo’s side was set up to co-sign whatever Bitfinex told it to do with a user’s funds. So, if you really think about it, these multi-sig wallets weren’t really multi-sig to begin with. Following the attack, BitGo publicly declared that its servers weren’t the ones taken over by the attackers.

Aftermath of the attack

The price of BTC fell by nearly 20%. Following the hack, Bitfinex issued a BFX token to its customers, an IOU for all the funds owed to them. Within a month, Bitfinex had bought back 1.1% of the outstanding tokens. Eventually, on April 33rd, 2017, Bitfinex stopped trading BFX tokens and started allowing users to cash them out for the full value of $1/BFX.

Top Crypto Hacks #5: NiceHash

NiceHash is a well-known Slovenian company that connects sellers of hashing power with buyers of hashing power through a sharing-economy model. Founded by Marko Kobal and Matjaž Škorjanc, the company suffered a $60 million hack in December 2017.

The hack

In what Kobal described as an “incredibly sophisticated attack,” 4,736 bitcoins were looted from the company. It appears that the attackers compromised an employee’s computer to obtain their credentials and launch the attack. The company suspended operations for 24 hours and discovered that its payment system had been entirely compromised. It then reported the incident to the relevant authorities.

The aftermath

Kobal resigned as CEO on December 21, 2017, which was also when the company re-opened its marketplace to resume normal operations. NiceHash then initiated a “Repayment program” that had successfully reimbursed 82% of the stolen funds by January 2020.

Top Crypto Hacks – Conclusion

Our purpose here is not to scare you away from investing in or believing in cryptocurrencies by telling you these scary stories. All of these bitcoin hacks teach us valuable lessons about investing in this space. Some of the main takeaways are:

  • Never store your money in an exchange’s wallet.
  • Always make sure that the project you are investing in has been thoroughly tested and audited.
  • Lastly, make sure that the project/exchange has a proper repayment plan in place to compensate its users in the event of a hack.

Did you like what you read here? If yes, then do check out some of our blockchain courses at Ivan on Tech Academy.