Researchers Claim Crypto Exchange Hacks Happen in Three Ways

Published at: Aug. 9, 2020

Researchers presenting at the Black Hat security conference showed that crypto exchanges may be vulnerable to hackers. Even though exchanges put strong security controls around their funds, the researchers found three ways attackers can go after them, Wired reported on August 9.

Exchanges' key management works more like “an old-timey bank vault with six keys that all have to turn at the same time,” the report said: a cryptocurrency private key is split into smaller pieces held by different parties, so an attacker has to gather those pieces together before any funds can be stolen.

Aumasson, a cryptographer, and Omer Shlomovits, cofounder of the mobile wallet ZenGo, broke down the attacks into three categories: an insider attack, an attack exploiting the relationship between an exchange and a customer, and the extraction of portions of secret keys.

An insider’s job, open-source library flaws and trusted-party verification

The first way an exchange can be attacked, the report says, is by an insider or another financial institution exploiting a vulnerability in an open-source library produced by a cryptocurrency exchange. It explained:

“In the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn't merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.”

The second attack leverages a flaw in the key rotation process of another, unnamed open-source key management library. An attacker can use it to manipulate the relationship between an exchange and its customers through false validation statements: a malicious party can slowly work out exchange users' private keys over multiple key refreshes, after which a rogue exchange can start stealing, according to the report.

The last way attacks could occur, the researchers said, is when the trusted parties of a crypto exchange derive their portions of the key. Each party reportedly generates a couple of random numbers for public verification. The researchers pointed out that Binance, for instance, did not check these random values and had to fix the issue back in March. The report added:

“A malicious party in the key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone's portion of the secret key.”
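The two validations the researchers' findings call for, as an added example that is not part of this article, of the Wired report, or of any exchange's or wallet's library: a refresh must keep the secret unchanged and must leave every holder on the same new polynomial (otherwise the share set is half-updated and the key becomes unrecoverable, the lockout described in the first attack), and during distributed key generation every party must check each incoming share against the dealer's published commitments before counting it (the missing check in the third attack). The code below uses standard Feldman-style commitments over a constructed toy group (p = 2039, q = 1019, g = 4; assumed parameters, far too small to be secure), and all function names are my own.

```python
"""Verifiable threshold key shares: dealing, proactive refresh and distributed
key generation with Feldman-style commitments.  Toy parameters, not secure."""
import secrets

# Constructed toy group (assumption, far too small for real use):
# P = 2Q + 1 with Q prime, and G = 4 = 2^2 generates the order-Q subgroup of Z_P^*.
P = 2039
Q = 1019
G = 4


def _eval(coeffs, x):
    """Evaluate a polynomial with coefficients in GF(Q) at x (Horner form)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal(secret, t, n, zero_constant=False):
    """Split `secret` (0 <= secret < Q) into n shares; any t of them reconstruct it.
    Returns {party_id: share} plus Feldman commitments C_k = G^a_k for every
    polynomial coefficient.  zero_constant=True builds a refresh polynomial
    (a_0 = 0), whose shares shift the old shares without changing the secret."""
    coeffs = [0 if zero_constant else secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: _eval(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(i, share, commitments):
    """Feldman check: G^share must equal prod_k C_k^(i^k) mod P, i.e. the share
    lies on the polynomial the dealer committed to."""
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, k, Q), P) % P
    return pow(G, share, P) == expected


def verify_refresh(i, delta, commitments):
    """A refresh delta must be consistent with the commitments AND must not move
    the secret: the commitment to a_0 has to be G^0 = 1."""
    return commitments[0] == 1 and verify_share(i, delta, commitments)


def apply_refresh(shares, deltas, commitments):
    """Every holder checks its own delta; the refresh is applied only when all
    checks pass, so the share set never ends up half-updated (some shares on the
    new polynomial, others on the old), which would make the key unrecoverable."""
    bad = [i for i in shares if not verify_refresh(i, deltas[i], commitments)]
    if bad:
        raise ValueError(f"refresh rejected: inconsistent deltas for parties {bad}")
    return {i: (s + deltas[i]) % Q for i, s in shares.items()}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(Q) from any t shares."""
    total = 0
    for i, s in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + s * num * pow(den, Q - 2, Q)) % Q
    return total


def dkg(t, n):
    """Distributed key generation: each party deals a random secret to all others.
    A party's share of the joint key is the sum of the shares it received, and it
    checks every incoming share against that dealer's published commitments before
    counting it.  Returns the joint shares and the joint public key G^secret."""
    joint = {i: 0 for i in range(1, n + 1)}
    pubkey = 1
    for dealer in range(1, n + 1):
        shares, comms = deal(secrets.randbelow(Q), t, n)
        for i in joint:
            if not verify_share(i, shares[i], comms):
                raise ValueError(f"party {i} rejects the share from dealer {dealer}")
            joint[i] = (joint[i] + shares[i]) % Q
        pubkey = pubkey * comms[0] % P
    return joint, pubkey


if __name__ == "__main__":
    shares, comms = deal(123, t=3, n=5)
    deltas, rcomms = deal(0, 3, 5, zero_constant=True)
    new = apply_refresh(shares, deltas, rcomms)
    print("secret after refresh:", reconstruct({1: new[1], 2: new[2], 3: new[3]}))
    # A "refresh" whose polynomial has a non-zero constant term is rejected by every holder.
    bad_deltas, bad_comms = deal(77, 3, 5)
    try:
        apply_refresh(shares, bad_deltas, bad_comms)
    except ValueError as err:
        print(err)
    joint, pub = dkg(3, 4)
    secret = reconstruct({1: joint[1], 2: joint[2], 3: joint[3]})
    print("joint public key matches:", pow(G, secret, P) == pub)
```

The design point is that every holder verifies before it applies anything, and the refresh is all-or-nothing: a delta that is off the committed polynomial, or a polynomial whose constant-term commitment is not 1, is rejected by the party it was sent to, so no holder ever moves to a new polynomial while others stay on the old one. The same `verify_share` check is what each party in `dkg` runs on the values it receives, which is the validation the article says was missing.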

Shlomovits and Aumasson told the publication that the goal of the research was to call attention to how easy it is to make mistakes when implementing multi-party distributed keys for cryptocurrency exchanges, and that such mistakes are even more dangerous when they sit in open-source libraries.

As Cointelegraph reported before, CryptoCore launched a phishing campaign against several crypto exchanges and managed to steal $200 million in two years.
