Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Incidents with Custodial and Non-Custo...

Cossack Labs
September 03, 2023

Security Incidents with Custodial and Non-Custodial Wallets

Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting the threats. Let’s take a broad picture of security failures before investing in security solutions.

https://cossacklabs.com/blog/digital-wallet-security-architecture-guide/

Cossack Labs

September 03, 2023
Tweet

More Decks by Cossack Labs

Other Decks in Technology

Transcript

  1. Binance Security Accident A group of attackers managed to gain

    a large number of API keys, 2FA codes and sensitive information. They obtained control over several user accounts and made withdrawal requests worth 7000 BTC having bypassed Binance’s pre-withdrawal risk management checks. Attack type: Multi-pronged takeover attack Damage: 7000 BTC withdrawals from users’ accounts; 1 week of suspension on withdrawals. Lessons learnt: Constant and transparent communication with users and the community is extremely important during a crisis; covering loss in full helps to gain user loyalty. Security reinforcements: Created zero trust security controls around sensitive data to prevent unauthorised access and attacks. https://www.binance.com/en/blog/all/security-incident-recap-336904059293999104
  2. Coinbase became a victim of a cyber attack A Coinbase

    employee received a fake SMS message that contained links that when clicked brought the victim to the phishing website. To receive an authentication token the attacker called the compromised Coinbase employee and convinced them to perform certain actions on their device. Attack type: Social engineering Damage: No funds lost, no user information compromised Lessons learnt: Employees need to be better trained Security reinforcements: Security awareness education for employees https://www.binance.com/en/blog/all/security-incident-recap-336904059293999104
  3. Mt Gox Incident Bilyuchenko and Verner, two Russian residents, gained

    unauthorised access to Mt. Gox’s wallets in September 2011 and began methodically stealing Bitcoin. Bilyuchenko was one of the operators of the exchange. Attack type: Intentional theft Failure cause: Weaknesses in the protocol, vulnerabilities of hot wallets, lack of transaction monitoring Damage: 850,000 Bitcoins loss. The exchange was not able to repay the users. Mt. Gox declared bankruptcy, 7+ years of lawsuits, CEO was arrested and was acquitted of most charges in 2019 Lessons learnt: Lack of financial state analytics, lack of transaction monitoring, poor customer support and security problems that are not timely fixed can lead to serious problems. https://www.reuters.com/investigates/special-report/bitcoin-gox/ https://blog.wizsec.jp/2015/04/the-missing-mtgox-bitcoins.html https://www.nytimes.com/2015/08/02/business/dealbook/mark-karpeles-mt-gox-bitcoin-arrested.html
  4. BitKeep BitKeep users reported transactions from their accounts that occurred

    when they were not using the service. BitKeep team investigated the issue and discovered that attackers managed to fool users into downloading fake wallets. By downloading the malicious file that looked like version 7.2.9 of the Bitkeep wallet, users lost their private keys/seed words to attackers. Attack type: Copycat Android app installed via phishing Damage: Over $8 million Lessons learnt: The importance of educating users to download apps from official sites only, and checking the authenticity of websites and apps before entering sensitive information. https://www.halborn.com/blog/post/explained-the-bitkeep-hack-december-2022 https://cointelegraph.com/news/bitkeep-exploiter-used-phishing-sites-to-lure-in-users-report
  5. Trust Wallet Trust Wallet security vulnerability was discovered by researchers

    in the frameworks of a bug bounty program. The breach caused two exploits that resulted in users’ assets loss. Attack type: Vulnerability in CSPRNG based on MT19937 used for private key generation Damage: $170 000 Lessons learnt: Cryptography flaws hit hard, collaboration with security experts is essential. Security enhancements made: Increased number of security audits, engaging security experts, internal security reviews. https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions /750786
  6. Atomic Wallet Atomic Wallet was attacked, and the team received

    reports that their wallets were compromised. The exploit affected 100 addresses, affecting users of various blockchain networks. Attack type: Undisclosed Damage: $100 million Security enhancements made: Changing server access, turning off 3rd party services that could cause possible breaches, the team is working on the app update to boost security, security audits are being conducted. https://cointelegraph.com/news/atomic-wallet-hack-statement-exploit-unanswered-questions
  7. Prime Trust Prime Trust went bankrupt, having lost the password

    to a physical crypto wallet with $38.9 million in it. Damage: $76 million of company assets was used to purchase ETH to fund customer withdrawals. The funds trapped in the wallet are worth $38.9 million. Lessons learnt: A single security measure is not enough. A proper risk profile and threat model should minimise risks of such events. https://www.404media.co/crypto-startup-prime-trust-files-for-bankruptcy-after-losing-passwor d-to-38-9-million-crypto-wallet/