What's actually happening when a cryptocurrency gets hacked?
In late January, the Japanese cryptocurrency exchange Coincheck was hacked, costing 260,000 users over $530 million in NEM, a cryptocurrency similar to bitcoin. This is the largest hack of its kind, but not the first. The previous record holder for largest crypto-heist was Mt. Gox, another exchange that saw $450 million in bitcoin stolen in 2014 leading to civil and criminal actions.
With cryptocurrency hacks in the headlines, the takeaway for many has been that blockchain, cryptocurrency’s underlying software protocol, is the vulnerability. As one high school friend posted recently: “If blockchain is so revolutionary, then how is it so easy to get hacked and lose your coins?”
A question that prompts a teachable moment.
The Coincheck and Mt. Gox hacks did not compromise the blockchain protocol underpinning the individual currency’s security. The hack occurred to a third-party exchange, a place to hold and trade cryptocurrency, like a digital bank robbery. So, while the money is gone, the currency’s blockchain is intact.
In fact, it is rare that a blockchain protocol is the vulnerability that leads to a cryptocurrency hack. Blockchain Graveyard, an aggregator of information pertaining to cryptocurrency hacks, reports that in only three of the 51 incidents they analyzed was the protocol the root cause.
Even though blockchain is built in a way to be extremely difficult to hack, it is clear that cryptocurrencies are not without their security risks. Chainalysis, a bitcoin forensics company, reports that hacks and scams cost people $95 million in bitcoin in 2016, up from $3 million in 2013.
To better understand the security issues, it helps to know how cryptocurrency is created.
Cryptocurrency, often called a token or coin, is created through a process called mining, the crypto-version of minting. Mining bitcoin, for example, requires high-powered computers to complete complicated math problems to create new bitcoins, each of which is denoted by a hash, like a unique serial number, within a block on a blockchain.
Once created and on the blockchain, that bitcoin can be traded by its owner. To indicate ownership, the owner of the cryptocurrency has a private hash that pairs with the public hash, which is a type of two-factor authentication. Proof of ownership is public, however, since many people and organizations use pseudonymous names for their accounts, it may be difficult to know who actually owns what bitcoin.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
To be able to trade a bitcoin requires one of two things: significant technical know-how or a third-party to manage the trade of the virtual asset. As the popularity of cryptocurrency grew, users of the novel technology were less technically savvy, which created a business opportunity for “exchanges” and “wallets,” which aid users handling cryptocurrency.
It is here that otherwise secure cryptocurrencies are being stolen through online exchanges’ and wallets’ security vulnerabilities, like in the case of Coincheck.
In the same way that a local bank robbery does not compromise the U.S. Mint, a hack of a crypto-exchange does not mean a blockchain protocol is vulnerable. Unlike a robbed bank, however, an exchange does not fall under various banking and finance rules and policies that help keep your money secure.
So, regardless of who is getting hacked, when buying cryptocurrency, it is best to remember: buyer beware.