It’s not just lucky investors getting rich from crypto.
Hackers have made off with billions of dollars in virtual assets in the past year by compromising some of the cryptocurrency exchanges that have emerged during the bitcoin boom.
There have been more than 20 hacks this year where a digital robber stole at least $10 million in digital currencies from a crypto exchange or project. In at least six cases, hackers stole more than $100 million, according to data compiled by NBC News. By comparison, bank robberies netted perpetrators an average of less than $5,000 per heist last year, according to the FBI’s annual crime statistics.
Despite the large dollar amounts associated with these thefts, they often lack the drama or attention of traditional bank robberies. But cryptocurrency experts say they offer a warning to would-be crypto investors: Exchanges are now lucrative targets for hackers.
“If you hack a Fortune 500 company today, you might steal some usernames and passwords,” said Esteban Castaño, the CEO and co-founder of TRM Labs, a company that builds tools for companies to track digital assets. “If you hack a cryptocurrency exchange, you may have millions of dollars in cryptocurrency.”
Once an internet oddity that required a certain level of tech know-how to buy, cryptocurrencies have emerged as a more mainstream investment and speculation tool, spurring more than 300 companies to start up in recent years to offer people an easy way to buy and sell everything from bitcoin to more fringe “altcoins” such as the dog-inspired dogecoin.
Crypto exchanges work like traditional money exchanges, setting prices for various currencies and taking a small fee to let users trade one. But while a handful of countries have strict regulations in place, it’s relatively easy for tech entrepreneurs to set up an exchange nearly anywhere in the world and run it however they like.
Cryptocurrencies generally offer a certain amount of security — taking their name, in part, from “encryption.” But the exchanges that manage them, especially new ones building their businesses from scratch, often start with a tiny staff, which means few if any full-time cybersecurity professionals. Their developers may work frantically to make the code work, sometimes accidentally leaving flaws that give hackers a foothold. Combined with the fact that a volatile market often leaves them suddenly holding a fortune, exchanges are a particularly ripe target for criminal hackers.
Exchanges often keep access to some of their cryptocurrencies in so-called cold wallets, which live safely offline. The rest of it is in “hot wallets,” that are liquid and can be sent to users. That means that if a hacker can gain access to a particular employee account — a common security breach on the internet — they can pull off a major heist, said Dave Jevans, the founder of CipherTrace, a company that tracks theft and fraud in cryptocurrencies.
“If you steal the private keys to a hot wallet, it’s not like stealing a database of people’s names and Social Security Numbers,” Jevans said. “You’ve just basically stolen all their money.”
If an exchange is wealthy enough and plans ahead to have an emergency fund, it can compensate its customers if its operation is hacked, Jevans said. If not, they often goes out of business.
“Not every exchange is so wealthy or has so much foresight. It just goes, pop, ‘We’re out of business. Sorry, you’re all screwed,’” he said.
One of the biggest heists happened in early December, when the crypto trading platform Bitmart announced that hackers broke into a company account and stole almost $200 million. The company froze all customer transactions for three days before it allowed them to trade their money again.
The problem is exacerbated because many cryptocurrency projects, intent on avoiding government regulations, set up in countries whose law enforcement agencies don’t have much power to go after transnational hackers. Or if they are hacked, they tend to be less likely to call for government help on ideological grounds, said Beth Bisbee, head of U.S. investigations at Chainalysis, a company that tracks cryptocurrency transactions for both private companies and government agencies.
Some developers “want to be anti-bank and anti-oversight,” Bisbee said. “So when something like that happens, they’re not necessarily wanting to work with law enforcement, even though they’d be considered to be a victim and it’d be valuable for them to.”
While exchange hacks offer some similarities to the bank heists of old, they don’t leave behind the hallmarks that once made them front-page news. Public scrutiny of these hacks can be lacking despite the large dollar amounts. Most exchange hackers are not caught, leaving little closure for consumers. And there is rarely any physical evidence or real-world aftermath: no traumatized bank tellers or perp walks.
But some hacks do have happy endings. In one bizarre, public case, a hacker stole $600 million from the cryptocurrency platform Poly Network. Instead of blaming the thief, the company decided to appeal to his better nature, calling him “Mr. White Hat,” which is a cybersecurity term for a researcher working to help make things more secure. Poly Network thanked him for exposing a flaw in its code and asked for the money back. The hacker eventually relented and returned it all.
But those instances are rare. Usually, when major law enforcement agencies tackle a major cryptocurrency hack, they try to follow every lead, an exhausting process that moves far slower than the criminals they’re chasing.
Claire Georges, the deputy spokesperson for Europol, the European Union’s international law enforcement agency, said the agency is aware of a number of cases against hackers who steal digital assets. But she said building a solid case is a long, slow process that doesn’t keep up with the pace of attacks.
“We have a number of investigations going as we speak,” Georges said. “They take a long time, because we also would want to take down the whole criminal network,” she said. “These cases often feed into other cases.”
“They could go on forever,” she said. “These investigations usually take time.”