Overview
Hacks on blockchains have been controversial topics since the very beginning. Countless exchanges and platforms have been exploited by talented attackers who made away with millions of dollars without leaving a trace.
Numerous good articles have covered the procedure and impact of each attack; this article steps aside to emphasize the technical approach instead. No worries: rather than going through sophisticated techie murmurs, this post translates each attack method into a format that is friendly for children and grandparents.
Different hacks have different levels of detail open to the public. Some disclosed too little, and some omitted the after-attack measures. This article tries to record and explain as much as possible.
Let’s get started!
Bitcoin Out of Thin Air — 92 Billion BTC
Date: Aug 2010
Attack
An integer overflow flaw in Bitcoin’s transaction validation was exploited at block #74638 to create two outputs of 92,233,720,368.54277039 BTC each. Bitcoin stores amounts as signed 64-bit satoshi counts (int64_t), whose maximum is 2⁶³-1 = 9,223,372,036,854,775,807 satoshis. Each output (9,223,372,036,854,277,039 satoshis) was individually below that ceiling, but the validation code only checked that no single output was negative and then summed the outputs in int64 arithmetic. The sum wrapped around to a small negative number, so the check that total outputs do not exceed total inputs passed.
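The following is an added example, not code from the original post or from Bitcoin Core. It models the pre-fix and post-fix value checks in Python with explicit 64-bit wrap-around, using the two output values actually created in block #74638; the input value (0.5 BTC) is a constructed assumption.

```python
# Added example (not Bitcoin Core code): models the pre-0.3.10 output-value
# check with explicit int64 wrap-around, using the two output values from
# block 74638. The input value is constructed for the demo.

MAX_MONEY = 21_000_000 * 100_000_000          # 21 million BTC in satoshis
INT64_MAX = (1 << 63) - 1

def to_int64(x: int) -> int:
    """Wrap an arbitrary Python int to a signed 64-bit value (two's complement)."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x > INT64_MAX else x

# The two outputs actually created in block 74638: 92,233,720,368.54277039 BTC each.
OVERFLOW_OUTPUTS = [9223372036854277039, 9223372036854277039]
INPUT_VALUE = 50_000_000                       # constructed: 0.5 BTC spent by the transaction

def vulnerable_check(inputs, outputs):
    """Pre-fix logic: reject negative outputs, sum in int64, require outputs <= inputs."""
    total_out = 0
    for v in outputs:
        if v < 0:
            return False, "negative output"
        total_out = to_int64(total_out + v)    # silently wraps past 2^63-1
    total_in = sum(inputs)
    if total_out > total_in:
        return False, "outputs exceed inputs"
    return True, f"ok (total_out={total_out})"

def money_range(v: int) -> bool:
    return 0 <= v <= MAX_MONEY

def fixed_check(inputs, outputs):
    """Post-fix logic: every output and the running total must lie in [0, MAX_MONEY]."""
    total_out = 0
    for v in outputs:
        if not money_range(v):
            return False, "output out of range"
        total_out += v
        if not money_range(total_out):         # running total can never wrap
            return False, "total output out of range"
    total_in = sum(inputs)
    if not money_range(total_in) or total_out > total_in:
        return False, "outputs exceed inputs"
    return True, "ok"

if __name__ == "__main__":
    print("wrapped sum:", to_int64(sum(OVERFLOW_OUTPUTS)))
    print("vulnerable:", vulnerable_check([INPUT_VALUE], OVERFLOW_OUTPUTS))
    print("fixed:     ", fixed_check([INPUT_VALUE], OVERFLOW_OUTPUTS))
```

The wrapped sum comes out to -997,538 satoshis, which is less than any positive input, so the old check accepts the transaction; the range check rejects the first output on its own, before any addition happens.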
After Attack
A patched client (0.3.10) with proper range checks was released within hours, and the chain was forked to drop the block containing the transaction, rolling the ledger back to the pre-hack state.
AllinVain — 25,000 BTC ($500,000)
Date: Jun 2011
Attack
The first widely reported theft from an individual. The attacker gained access to the victim’s computer and wallet file and transferred a large chunk of the balance to an external address.
Mt. Gox 1st Hack — 2609 BTC ($50,000)
Date: Jun 19 2011
Attack
The attacker obtained an auditor’s credentials and used them to drive the quoted BTC price on the exchange down to 1 cent. The attacker then sold 2609 BTC taken from client accounts at that price and bought back nearly 650 BTC through another account.
After Attack
Mt. Gox suspended operations for several days, then resumed.
Bitcoinica: Hacked 3 Times — 122,000 BTC ($430,000)
Date: Mar / May / Jul 2012
1st Attack
After Linode’s hosting infrastructure was compromised, the attacker got into Bitcoinica’s hot wallets hosted there and made away with 43,554 BTC. Other individuals using Linode’s servers were hit as well.
2nd Attack
The attacker gained access to Bitcoinica’s database, obtained users’ personal identification information and other sensitive details, and stole 38,000 BTC.
3rd Attack
The attacker stole 40,000 BTC. It has been reported that Bitcoinica’s funds were secretly held at Mt. Gox, and that part of them was later refunded.
BitFloor — 24,000 BTC ($85,000)
Date: Sep 2012
Attack
The attacker obtained unencrypted private keys from a wallet backup that had been stored online.
After Attack
BitFloor refunded its users but eventually closed down because of regulatory pressure from its partner banks.
Mt. Gox 2nd Hack — 750,000 BTC ($350 million)
Date: Feb 2014
Attack
The attacker exploited transaction malleability. A Bitcoin transaction ID is the hash of the whole serialized transaction, including the signature script, and some bytes of that script (for instance the encoding of the signature) can be altered by a third party without invalidating the signature. The altered transaction spends the same coins to the same destination but carries a different ID.
Specifically, when Mt. Gox paid a withdrawal, the attacker (the receiver) took the broadcast transaction, re-encoded its signature script so that the ID changed, and rebroadcast it. If the mutated version was mined first, the original became invalid because its inputs were already spent. Mt. Gox tracked withdrawals by the original transaction ID, saw that ID never confirm, concluded the payment had failed, and on request paid again, so the attacker received the funds twice.
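To make this concrete, here is an added example (not code from the original post or from Mt. Gox). It serializes a legacy, pre-SegWit Bitcoin transaction from constructed dummy data, then re-encodes the signature-script pushes with OP_PUSHDATA1, a mutation that leaves the pushed data and the spent coins identical but changes the txid. The signature, public key and previous output are placeholders, not real keys.

```python
# Added example, not code from the original post or from Mt. Gox. Builds a
# legacy (pre-SegWit) Bitcoin transaction from constructed dummy data, then
# shows that re-encoding the scriptSig pushes changes the txid without
# changing what the script pushes or which coins are spent.
import hashlib
import struct

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varint(n: int) -> bytes:
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def push_minimal(data: bytes) -> bytes:
    """Canonical push for 1..75 bytes: one length opcode followed by the data."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data

def push_pushdata1(data: bytes) -> bytes:
    """Same payload via OP_PUSHDATA1 (0x4c): semantically identical, different bytes."""
    assert len(data) <= 0xff
    return b"\x4c" + bytes([len(data)]) + data

def serialize_tx(inputs, outputs, version=1, locktime=0) -> bytes:
    """inputs: [(prev_txid_le, index, script_sig)]; outputs: [(value_sat, script_pubkey)]."""
    raw = struct.pack("<i", version) + varint(len(inputs))
    for prev, idx, script_sig in inputs:
        raw += prev + struct.pack("<I", idx) + varint(len(script_sig)) + script_sig
        raw += b"\xff\xff\xff\xff"                      # sequence
    raw += varint(len(outputs))
    for value, spk in outputs:
        raw += struct.pack("<q", value) + varint(len(spk)) + spk
    return raw + struct.pack("<I", locktime)

def txid(raw: bytes) -> str:
    return sha256d(raw)[::-1].hex()     # displayed byte-reversed, as explorers do

def spent_outpoints(inputs):
    """Malleability-proof identity of a spend: the outpoints it consumes."""
    return {(prev.hex(), idx) for prev, idx, _ in inputs}

def has_minimal_pushes(script: bytes) -> bool:
    """The later MINIMALDATA policy (BIP62): OP_PUSHDATA1 is rejected where a direct push would do."""
    i = 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 75:
            i += 1 + op
        elif op == 0x4c:
            n = script[i + 1]
            if n <= 75:
                return False
            i += 2 + n
        elif op in (0x4d, 0x4e):
            raise NotImplementedError("PUSHDATA2/4 not handled in this example")
        else:
            i += 1
    return True

# Constructed placeholders: a fake previous output, fake signature and fake pubkey.
PREV_TXID = bytes.fromhex("11" * 32)
SIG = b"\x30\x44" + b"\x02" * 68 + b"\x01"          # 71-byte stand-in for DER sig + SIGHASH_ALL
PUBKEY = b"\x02" + b"\xab" * 32                     # 33-byte stand-in for a compressed key
OUTPUTS = [(1_000_000, b"\x76\xa9\x14" + b"\xcd" * 20 + b"\x88\xac")]   # P2PKH to a dummy hash

def build_pair():
    """Return (original_inputs, mutated_inputs); the mutation only re-encodes the pushes."""
    original = [(PREV_TXID, 0, push_minimal(SIG) + push_minimal(PUBKEY))]
    mutated = [(PREV_TXID, 0, push_pushdata1(SIG) + push_pushdata1(PUBKEY))]
    return original, mutated

def demo():
    original, mutated = build_pair()
    id_a = txid(serialize_tx(original, OUTPUTS))
    id_b = txid(serialize_tx(mutated, OUTPUTS))
    return id_a, id_b, spent_outpoints(original) == spent_outpoints(mutated)

if __name__ == "__main__":
    print(demo())
```

The practical lesson for an exchange is in spent_outpoints: reconcile a withdrawal by the outpoints it spends (or by the destination and amount), never by the txid you recorded at broadcast time. Bitcoin itself later closed most of these vectors: BIP66 made DER encoding strict, the MINIMALDATA policy rejects non-canonical pushes, and SegWit moved signatures out of the data the txid commits to.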
After Attack
Mt. Gox halted BTC withdrawals right away, then all trading. No refunds were made, and Mt. Gox eventually filed for bankruptcy.
Poloniex — 97 BTC (12.3% of all its BTC)
Date: Mar 04 2014
Attack
The attacker exploited a flaw in Poloniex’s withdrawal code: withdrawal requests were processed concurrently instead of sequentially, and each request checked the balance before any of them had debited it. By submitting many withdrawals within a short period of time, the attacker withdrew more than the balance allowed and drove it negative.
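Here is an added example, not Poloniex’s code, that reproduces the race in a few dozen lines of Python. Several withdrawal threads all pass a stale balance check before any of them debits the account, so the account goes negative; the second version performs the check and the debit as one atomic step under a lock. The account and amounts are constructed.

```python
# Added example (not Poloniex's code). Simulates concurrent withdrawal requests
# against one account: first a check-then-debit sequence where the check reads a
# stale balance, then a version where check and debit happen atomically.
import threading

class RacyAccount:
    """Balance check and debit are separate steps, so requests interleave."""
    def __init__(self, balance):
        self.balance = balance
        self._debit_lock = threading.Lock()

    def withdraw(self, amount, barrier):
        available = self.balance            # 1. read balance (stale by the time we debit)
        if available < amount:
            barrier.wait()
            return False
        barrier.wait()                      # every request passes the check before any debit
        with self._debit_lock:              # 2. the debit itself is atomic, the check was not
            self.balance -= amount
        return True

class SafeAccount:
    """Check and debit happen under one lock, i.e. as one atomic conditional update."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount, barrier):
        barrier.wait()                      # all requests arrive at the same moment
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True

def run_concurrent(account, amount, n_requests):
    """Fire n_requests withdrawals at once; return (successful withdrawals, final balance)."""
    barrier = threading.Barrier(n_requests)
    results = [None] * n_requests

    def worker(i):
        results[i] = account.withdraw(amount, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance

if __name__ == "__main__":
    print("racy:", run_concurrent(RacyAccount(100), 100, 3))   # constructed: 100 units, 3 requests of 100
    print("safe:", run_concurrent(SafeAccount(100), 100, 3))
```

The barrier only makes the interleaving deterministic for the demo; in production the same window opens whenever requests run in parallel workers. With a database, the equivalent of SafeAccount is a single conditional update such as UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt, treating zero affected rows as a failed withdrawal, or a SELECT ... FOR UPDATE inside one transaction.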
After Attack
Poloniex reduced all holders’ balances by 12.3% to cover the shortfall and later repaid the losses.
Bitstamp — 19,000 BTC ($5.1 million)
Date: Jan 04 2015
Attack
The attacker stole about 19,000 BTC from Bitstamp’s operational hot wallet.
After Attack
Bitstamp suspended operations temporarily and then moved to a multi-sig wallet.
The DAO — 3.6 million ETH ($55 million)
Date: Jun 2016
Attack
The DAO’s splitDAO function sent the caller’s share of ETH by an external call before it zeroed the caller’s balance. The attacker’s contract used its fallback function, which runs whenever it receives ETH, to call back into splitDAO while its balance was still intact, repeating the withdrawal many times within one transaction. This is the classic reentrancy bug, and many tutorials cover it.
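As an added illustration (not the DAO’s Solidity code), the following Python model reproduces the same control flow: a vault that pays out before updating the balance, an attacker whose "fallback" re-enters withdraw(), and the checks-effects-interactions fix. The recursion cap stands in for the gas limit; the deposits are constructed.

```python
# Added example, not the DAO's Solidity code: a Python model of the same
# control flow. The vault pays the caller before it updates the caller's
# balance, and the recipient's "fallback" callback re-enters withdraw().

class VulnerableVault:
    def __init__(self):
        self.balances = {}
        self.pool = 0                      # ETH held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount
        who.receive(amount)                # interaction before effect: re-entrant
        self.balances[who] = 0             # effect happens only after the callback returns

class SafeVault(VulnerableVault):
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.balances[who] = 0             # checks-effects-interactions: zero the balance first
        self.pool -= amount
        who.receive(amount)

class Attacker:
    def __init__(self, vault, max_depth=50):   # max_depth stands in for the gas limit
        self.vault = vault
        self.stolen = 0
        self.depth = 0
        self.max_depth = max_depth

    def receive(self, amount):             # the "fallback function"
        self.stolen += amount
        if self.depth < self.max_depth:
            self.depth += 1
            self.vault.withdraw(self)      # re-enter before our balance is zeroed

    def attack(self, deposit):
        self.vault.deposit(self, deposit)
        self.vault.withdraw(self)
        return self.stolen

class Honest:
    def receive(self, amount):
        pass

def run(vault_cls, honest_funds=1000, attacker_deposit=10):
    """Return (ETH the attacker ends up with, ETH left in the vault)."""
    vault = vault_cls()
    vault.deposit(Honest(), honest_funds)  # constructed: other users' deposits
    stolen = Attacker(vault).attack(attacker_deposit)
    return stolen, vault.pool

if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))
    print("safe:      ", run(SafeVault))
```

With a deposit of 10 against a pool of 1,010, the vulnerable vault pays the attacker 51 times (the first call plus 50 re-entries) and loses 510; the safe vault pays exactly the 10 the attacker put in, because the re-entered call sees a zero balance.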
After Attack
The Ethereum community first planned a soft fork, but a denial-of-service vulnerability was found in the proposed soft-fork code, so a hard fork that returned the funds was carried out instead. The result is two chains: Ethereum (the forked chain) and Ethereum Classic (the original chain, on which the theft stands).
Steemit.com — Steem and Steem Dollars ($85,000)
Date: Jul 2016
Attack
The attacker hit 260 Steemit accounts and drained their balances.
The root cause was human error enabled by a UI design flaw. Some users did not notice the difference between the memo field and the password field and pasted their password into the memo, which is submitted along with the transfer. Memos are public and immutable on the Steem blockchain, so a simple script could scrape the passwords of every user who made this fatal mistake.
Bitfinex — 120,000 BTC ($72 million)
Date: Aug 2016
Attack
Bitfinex had switched to BitGo’s multi-sig wallets about a year before the hack. The attacker found a weakness in how that multi-sig architecture was set up and used it to get withdrawals signed; the exact flaw was never published.
After Attack
Bitfinex issued BFX tokens, redeemable in USD, to compensate victims, and redeemed them slowly and steadily afterward. The attack drove the price of BTC from $607 down to $515 in just a few hours.
CoinDash — ETH ($7 million)
Date: Jul 2017
Attack
The attacker replaced the ICO contribution address posted on CoinDash’s website, luring investors into sending their Ether for CoinDash tokens to the attacker’s address instead.
Wrap-up
Hope you enjoyed the brief intro to the techniques behind each of the big hacks. Some of the attack details remain confidential and not much is open to the public; I have tried my best to organize and present the truth based on the references below.
There are 12 more hacks to go, including Veritaseum, Parity 1st hack, Enigma, Tether, Parity 2nd hack, NiceHash, Coincheck, BitGrail, Google Adwords, Bancor, Coinrail, Zaif, and a real bloody hacker fight that I have experienced.
Stay tuned!
Great References
- https://medium.com/bitfolio-org/the-biggest-cryptocurrency-hack-in-the-history-of-blockchain-22380febfaa2
- https://coinsutra.com/biggest-bitcoin-hacks/
- https://blocksdecoded.com/cryptocurrency-hacks/
- https://u.today/top-3-biggest-bitcoin-hacks-and-frauds-in-history
- https://www.coinannouncer.com/the-hack-history-of-blockchain/
- https://blockonomi.com/mt-gox-hack/
- Hack on blockchain itself: https://coincentral.com/blockchain-hacks/
- https://cryptopotato.com/lessons-learned-from-the-biggest-crypto-hacks-in-history/
- https://cryptopotato.com/market-declines-as-korean-crypto-exchange-coinrail-faces-hack/
- https://www.benzinga.com/fintech/17/11/10824764/12-biggest-cryptocurrency-hacks-in-history
- https://www.ccn.com/biggest-theft-history-know-far-530-million-coincheck-hack
- https://www.blockstuffs.com/blog/top-10-blockchain-hacks
- Blockchain Graveyard: https://magoo.github.io/Blockchain-Graveyard/
Acquire security consultancy from blockchain white-hat hackers. Turing Chain is for your blockchain business safeguarding. Be careful not to be 0xdead!
Understand Top 25 Blockchain Hacks in History in 5 Minutes (1) was originally published in Hacker Noon on Medium.