In light of the increase in exchange and wallet hacks, and even a few armed robberies, should the crypto community be looking for bank-like or commodity-level security for cryptocurrencies?
The current rash of cryptocurrency thefts, however, have been extraordinary. Three thieves, for example, were arrested Tuesday in New York City on allegations of a $1.8 million cryptocurrency robbery. The three are accused of stealing a cold-storage Ether wallet from a holder at gunpoint last November.
Darrell Colon, Allan Nunez, and suspected plot mastermind Louis Meza apparently kidnapped the victim to steal the funds. Under false pretenses, Meza is said to have arranged a meeting with the unnamed victim and then pretended to call an Uber to take the victim home. The “Uber” turned out to be a minivan driven by Nunez with Colon in the back, armed with a gun. The duo demanded that the victim turn over a flash drive that held his wallet and its keys. Colon, who purportedly confessed to investigators, claims the weapon was a BB gun.
According to the report, the victim was held in the minivan with a hood over his head for two hours before escaping. While captured, the victim witnessed Meza and fourth collaborator Cesar Guzman break into his house, where they stole a black box and used the flash drive to transfer the wallet’s contents to a personal account.
While this was not the first armed cryptocurrency robbery, the news highlights the fact that not all digital asset thefts occur online.
The arrest came in the midst of a rash of “traditional” exchange, wallet, and even network attacks, which may be contributing to recent market decline. In April, India-based Coinsecure announced the theft of 438.318 bitcoin – worth approximately $3.5 million at the time. Indian outlet The Economic Times reported the exchange‘s CEO, Mohit Kalra, as saying the funds were lost due to the leak of private keys. The company’s previous chief security officer is suspected of conducting an inside job.
“There was no need to be online while extracting the bitcoin. The private keys, which [were] never exposed to the internet for the past 4 years, [were] exposed,” Kalra said. “Funds were lost during the extraction of private keys … The hack that happened is also too good to be true. Almost like offering the password to your bank account [on] a platter to a hacker.”
Just this week, over $35 million in bitcoin was stolen from South Korean crypto exchange Coinrail. This follows the over $500 million hacking of NEM from Tokyo-based exchange Coincheck in late January.
The proliferation of such hacks – coupled with the emerging “real world” thefts – is coinciding with the increase in public awareness of the cryptocurrency, while security measures are failing to keep pace. Editor-in-chief of Business Insider UK Jim Edwards painted the problem in simple terms:
“There have been dozens of robberies of Bitcoin banks and exchanges, and millions of dollars have been lost. To put that in perspective, if robbers were routinely walking into brick-and-mortar banks and taking millions of dollars, with zero consequences and no arrests, it would make huge headlines every day. The media would be on high alert for the next heist. But on the Internet, Bitcoin thefts worth hundreds of thousands and millions of dollars happen on a weekly basis and no one cares.”
Maybe the weak link in cryptocurrency security isn’t the coins themselves, but us.
“Many crypto exchange hacks were easily preventable,” Eiland Glover, CEO of Kowala, told ETHNews. “In the case of Japanese exchange Coincheck’s $500 million loss, the funds were stored insecurely in hot wallets – cryptocurrency wallets connected to the internet – with a single private key. The hack could have been prevented by using a multi-signature hot wallet – one that requires the approval of multiple users in order to move money. Alternatively, Coincheck could have kept a greater percentage of the funds in cold wallets. Hackers only had to breach the single private keys to take total control of the cryptocurrency. This same attack vector was used in the Parity hack last year and the earlier Bitfinex hack.”
“Crypto industry-friendly regulatory frameworks are needed to resolve the security issues. Regulators must define the rules for exchanges, including requirements for security protocols, which allow them to grow and professionalize their businesses.”