To catch up, check out my previous 2019 in Review.
If 2019 could be classified as a wild ride, 2020 could be classified as going off the rails.
Throughout the year we published articles covering such topics as whitehatting funds back from phishers
, discovering big campaigns pushing malicious browser extensions
, the top ten action items to prevent loss of your crypto assets
, and Risky Business: DeFi
. Each story we published addressed varying threat vectors that someone should be aware of when using cryptocurrency, with examples of real-life situations. The information shared in these stories are not just for the typical MyCrypto
/ Ethereum user either — the lessons can be applied across the industry, no matter what chain, exchange, or wallet you prefer.
Let’s take a deeper look back at these events to see what happened and how we, as an industry, can learn from them moving forward.
What follows is a list of the major security incidents of 2020. However, we will NOT be recapping all the rug-pulls that occurred, as there are too many to count…
The first quarter of 2020 started off with some good news and some bad news (minus the global pandemic and the following lockdowns). We had arrest confirmations and hardware hacking research, but we also had a rise in hacks and money loss.
Poloniex issued a PSA about their late-December 2019 email that announced some users were forced to reset their passwords after a tweet was made about a list going around containing email addresses and passwords.
Whilst not a new method of scamming, it became more popular for YouTube accounts to be hijacked and broadcast fake cryptocurrency giveaways using pre-recorded footage of cryptocurrency events with notable people in them.
A South Korean exchange publicly stated that in November 2019 their hot wallets were compromised, and a theft of 342,000 ETH (valued ~$50,000,000) took place
Story: [Teen Charged Over $50M SIM-Swapping Scam on Blockchain Experts(https://www.infosecurity-magazine.com/news/teen-charged-over-50m-simswapping/)
SIM-Swapping is a real threat in this industry, despite the assumption many people have that using SMS 2FA on their accounts makes them safe. A teenager exploited this fact, netting over $50M from various entities. The 18-year-old was arrested and is facing multiple criminal charges.
Kraken Exchange (Security Labs dept.) discovered and disclosed a physical attack vector that extracts seed phrases from most of the Trezor products.
IOTA shut down their network for a considerable amount of time as hackers exploited a vulnerability in the official IOTA wallet (Trinity) app to steal users’ funds.
MyCrypto founder Taylor Monahan transcribed the talk she gave at ETHDenver 2020 about DeFi and the risks involved with it. Taylor discusses potential pitfalls, previous attacks, what we learned and did not learn from past mistakes, and what we can do to improve the space.
A popular DeFi protocol suffered two attacks within a short amount of time via two flash loan exploits. The first resulted in a loss of 1,193 ETH and another 2,378 ETH was gone by the end of the second.
With the recent news of a global pandemic caused by Coronavirus (COVID-19), bad actors were creating campaigns to profit from the scare and uncertainty of the times by creating fake research groups from the CDC asking for Bitcoin donations.
Although not a new method of attack, a second attack occurred on the BZx protocol within a handful of days via exploiting flash loans.
In Quarter 2, we saw more smart contract exploits and brought attention to a large campaign publishing malicious browser extensions that mimicked known brands in the industry to gain access to user secrets.
Bisq took an “unprecedented” step and halted trading after noticing an attacker was exploiting the software to steal funds from users. It was reported that the attackers stole 3BTC and 4000XMR.
MyCrypto and PhishFort published a research piece on grim campaigns ramping up to target cryptocurrency users by using Google Ads to push malicious published browser extensions that mimicked known brands.
One of the most used blockchain explorers — Etherscan — launched a product to give users more information about an address (taint analysis) and quickly show if they have received cryptocurrency from a known bad address.
Lending protocol dForce, which is alleged to be a fork of Compound with modified code, was attacked with an offensive that was similar to one that happened to a Uniswap pool. The attack took advantage of a standard on the imBTC contract.
Information about a high profile SIM swap complaint filed by Michael Terpin was released. At the time of the attack, one of the main accused bad actors was only 15 years old when he allegedly SIM swapped multiple people and stole over $23M.
Multiple supercomputers in the UK, Germany, and Switzerland were infected with cryptocurrency mining malware via compromised SSH logins to mine Monero — a privacy-focused cryptocurrency.
dForce / Lendf
The Lendf hack is interesting because the ERC777 standard that was exploited to commit a re-entry attack was also abused to take advantage of a Uniswap pool (imBTC) a couple of days prior. But dForce did not audit their system, even though they supported the same token. There’s a good tweet thread from defiprime
on this — with evidence to suggest the code was forked from Compound Finance, which even in an open-source world is another can of worms.
When I'm looking at phishing kits, I found an open door in an active campaign, and monitored it for secrets being phished. In a rare turn of events, we managed to intercept cryptocurrency assets that were taken from victims. We swept the assets before the bad actors were able to and returned the funds to the verified owners.
On July 15, 2020, a massive account takeover campaign occurred on the Twitter platform, which included using verified political accounts to promote a “trust-trading”/advanced-fee Bitcoin scam. Overall, “only” about $150k was stolen, which is small relative to the wide exposure that the bad actors had from the accounts they gained access to.
When I was looking at more phishing campaigns and found another open door to a server that the bad actors were using. We, again, sat in the middle of their phishing frontend and the bad actors’ communication channels to whitehat sweep the phished assets away from the bad actors’ control.
MyCrypto published a brief ten-step article on best practices with clear action items on how to secure your cryptocurrency assets and associated accounts. We used our extensive knowledge of how cryptocurrency is stolen and composed an actionable list.
A user did not install critical security updates on their Electrum wallet and fell victim to an [old method of
] attack, resulting in a loss of 1,400 BTC. The user was tricked into connecting to a malicious Electrum server, which allowed rich text in an error popup. The returned error prompted the user to update their Electrum software, but it linked them to download malware
Samczsun (and crew) successfully exploited a vulnerable contract for $9,600,000 in a whitehat campaign. This story is especially interesting because Samczsun explains how they beat frontrunner bots by privately giving the signed transaction to a miner directly instead of broadcasting to the txpool.
A popular Asian based exchange, KuCoin, had their hot wallets compromised and were alerted to large withdrawals of Bitcoin and Ethereum. KuCoin is investigating with international law enforcement, and the exchange committed to covering the entire loss of customer funds with their insurance fund.
Ledger’s Data Breach
Ledger is one of the industry-leading hardware wallets with many customers in the space. In July 2020 they issued a statement about a data breach from their e-commerce platform and their marketing platform. They were alerted of a potential data breach from their bounty program on July 14, 2020. After an internal investigation, Ledger discovered the data breach occurred on June 25, 2020, affecting some of their customers. Twitter user UnderTheBreach tweeted
about a potential breach in May 2020.
KuCoin had a security breach and their keys were compromised. Assets worth a total of ~$281,000,000 were stolen. What is noteworthy with this attack is that various projects came to the aid to assist fund recovery, including Ocean Protocol, who forked their contracts
to remove the tokens issued to the attackers.
Liquid confirmed that their domain and email accounts had been compromised. The exchange believes the hackers may have had access to personal information including email addresses, names, shipping addresses, and encrypted passwords.
A report was published that said there is solid proof that NiceHash and Liquid were compromised through their service provider — GoDaddy.
A smart contract of a yield farming protocol (clone of Harvest and YearnFinance) had a hidden backdoor in it that allowed the contract to be drained of wBTC, ETH, DAI.
Ledger alleged/ that the recent data dumps on their customers came from a rogue Shopify agent. Ledger’s new CISO, Matt Johnson, set up new procedures and policies to prevent a data breach in the future and announced a 10 BTC bounty for any information that leads to the hacker’s arrest.
EXMO detected suspicious behavior in their hot wallets and suspended withdrawals to investigate. It was concluded that their cold storage was unaffected but five percent of their hot wallets were stolen.
If we compare our observations from my 2019 edition
, it seems the industry still needs to improve. Granted, there’s no such thing as 100% security, but sometimes history repeats itself.
If you store your assets in a “legitimate” exchange, you’re still at risk
The year was, again, filled with hacks on cryptocurrency exchanges that hold user funds, per usual. We are seeing more exchanges cover the losses with insurance funds, and while this is ultimately a win for those who use the exchange, it’s not something worth relying on.
Decentralized does not mean safe
While the attack surfaces are different for decentralized products (wallets, DEX’s), and the losses receive far less attention than the large exchange hacks, there is a multitude of ways for attackers to trick you into parting with your digital assets. Phishing campaigns continue to thrive and especially continue to target products that encourage using private keys and raw seeds via websites. With the rise of decentralized exchanges (DEX), it has become more common for users to lose money being rug pulled after “apeing in.”
Trusting third-parties with PII is not safe
Even trusting some of the most well-known brands in the space with your personal information, including shipping address, is not at all reliable. The data can be accessed via rogue employees or software vulnerabilities and sold on the underground markets. Although most threats using this personal information are likely to see little-to-no-action, it does cause concern, especially for those known to have large holdings. Your best bet is to set up a PO Box with an assumed name to send your physical cryptocurrency items to — ideally, you don’t want your home address attached to cryptocurrency.
The goal for 2021 is the same goal we had for 2020: Let’s do better.