How hackers stole $188 million from an Italian cryptocurrency exchange


When Italian exchange BitGrail lost almost $200 million of Nano (trading as XRB) in one of the largest cyber-heists ever performed, many scrambled to try and protect their digital assets.

Hackers had managed to drain the exchange of XRB coins at the price of $11.05 each by making unauthorised transactions to near-untraceable accounts.

In the process, the cyber criminals made off with approximately $187,850,000 worth of XRB.

Tyler Moffitt, senior threat research analyst at Webroot, said that the weak link in cryptocurrency safety isn’t the user but the exchange.

“With almost $200M stolen, these hacks on exchanges appear to be never-ending,” Moffitt told 9Finance.

“Most hacks are performed by stealing the private keys to the addresses that were not secure enough, but this case was even worse.”

Moffitt said that a loophole in the exchange's code allowed the hackers to artificially inflate the balance in their digital wallets, and then withdraw funds that weren't theirs.

“When withdrawing XRB from the BitGrail exchange, the checks for your balance withdraw are only client-side JavaScript. This allows anyone to edit their own JavaScript to say they have enough XRB to withdraw – even very large amounts,” said Moffitt.

“This gaping security hole was abused quickly to drain the exchange of the entire balance of XRB.”
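The flaw Moffitt describes, a balance check that exists only in the browser, is shown below as an added example next to the server-side check that closes it. This is not BitGrail's code; the function names, account names and ledger are hypothetical and the sample balances are constructed.

```javascript
// Added illustration; every name here is hypothetical, not BitGrail's code.
// Amounts are integers in the coin's smallest unit (BigInt avoids float rounding).

// Constructed sample ledger: the server's authoritative record of balances.
function makeLedger() {
  return new Map([["alice", 500n], ["bob", 12000n]]);
}

// Flawed pattern: the balance check lives only in the browser, so the
// server pays out whatever amount the request asks for.
function withdrawUnchecked(ledger, account, amount) {
  ledger.set(account, (ledger.get(account) ?? 0n) - amount); // can go negative
  return { ok: true, paid: amount };
}

// Hardened pattern: the server ignores anything the client claims about its
// balance and re-derives the decision from its own ledger.
function withdrawChecked(ledger, account, amountRaw) {
  // Accept only a plain string of decimal digits: no sign, fraction or exponent.
  if (typeof amountRaw !== "string" || !/^[0-9]+$/.test(amountRaw)) {
    return { ok: false, error: "invalid amount" };
  }
  const amount = BigInt(amountRaw);
  if (amount <= 0n) return { ok: false, error: "amount must be positive" };
  if (!ledger.has(account)) return { ok: false, error: "unknown account" };
  const balance = ledger.get(account);
  if (amount > balance) return { ok: false, error: "insufficient funds" };
  // Check and debit happen in one synchronous step here; with a real
  // database they would need to share a single transaction.
  ledger.set(account, balance - amount);
  return { ok: true, paid: amount };
}
```
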

The cyber security expert recommends that, if possible, crypto investors take the keys to their digital wallets offline.

“This just reiterates that you should never store large amounts of any crypto in an exchange – make the trade and then get it out,” said Moffitt.

“If you aren’t in control of your private keys, then you aren’t in control of your crypto.”

Cryptocurrency security basics Q & A

If talk of cyber hackers and private keys has you scratching your head, there’s no need to worry: here are the absolute basics of protecting your cryptocurrency.

What are private keys?

If you purchase cryptocurrency like Bitcoin, you can either leave it on the exchange you bought it via, or transfer it into a digital “wallet”. Moffitt highly recommends transferring your crypto into a wallet and then making the “key” highly secure.

“A private key is a key that unlocks a wallet. It’s a string of hexadecimal characters. It’s very important to keep safe,” explains Moffitt.

Here’s an example of a private key from the Bitcoin wiki:

“E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262”

How do hackers get your private keys?

As Moffitt explains, simply keeping your private keys in a word document on your computer is not as hacker-proof as you might imagine.

“Storing in plain text on your computer is a terrible idea as malware will scan for these keys,” said Moffitt.

“Other types of malware will also be sneaky and will spy on your clipboard and sense when you are pasting a crypto address when sending and will replace the address you meant to send to with their address.”

Moffitt points out that in the BitGrail case it wasn’t the user’s fault for storing their private keys in easily available locations – it was “very bad code” on the exchange’s part that allowed the theft to occur.

Where should you keep your private keys?

Because Bitcoin isn’t a tangible asset like cash, many people believe it’s not necessary to purchase a safe or a vault spot in order to protect it – but Moffitt says storing your private keys in a thief-proof location is best practice.

“Use hardware wallets or paper wallets printed out to store your private keys and keep them in a safe,” recommends Moffitt.

“Holding all of your crypto in an exchange is a bad idea because they are in control of your private keys and they can get hacked.”


