Slide 1

Security Incidents with Custodial and Non-Custodial Wallets

Slide 2

Binance Security Incident

A group of attackers obtained a large number of API keys, 2FA codes and other sensitive information. They took control of several user accounts and submitted withdrawal requests worth 7000 BTC, bypassing Binance's pre-withdrawal risk management checks.

Attack type: Multi-pronged takeover attack
Damage: 7000 BTC withdrawn from users' accounts; withdrawals suspended for 1 week.
Lessons learnt: Constant and transparent communication with users and the community is extremely important during a crisis; covering the loss in full helps to retain user loyalty.
Security reinforcements: Zero trust security controls created around sensitive data to prevent unauthorised access and attacks.
https://www.binance.com/en/blog/all/security-incident-recap-336904059293999104

Slide 3

Coinbase became a victim of a cyber attack

A Coinbase employee received a fake SMS message containing links that, when clicked, led the victim to a phishing website. To obtain an authentication token, the attacker then called the compromised employee and convinced them to perform certain actions on their device.

Attack type: Social engineering
Damage: No funds lost, no user information compromised
Lessons learnt: Employees need better training
Security reinforcements: Security awareness education for employees
https://www.binance.com/en/blog/all/security-incident-recap-336904059293999104

Slide 4

Mt. Gox Incident

Bilyuchenko and Verner, two Russian residents, gained unauthorised access to Mt. Gox's wallets in September 2011 and began methodically stealing Bitcoin. Bilyuchenko was one of the operators of the exchange.

Attack type: Intentional theft
Failure cause: Weaknesses in the protocol, hot wallet vulnerabilities, lack of transaction monitoring
Damage: Loss of 850,000 Bitcoins. The exchange was unable to repay its users. Mt. Gox declared bankruptcy, followed by 7+ years of lawsuits; the CEO was arrested and acquitted of most charges in 2019.
Lessons learnt: Lack of financial state analytics, lack of transaction monitoring, poor customer support and security problems that are not fixed in a timely manner can lead to serious consequences.
https://www.reuters.com/investigates/special-report/bitcoin-gox/
https://blog.wizsec.jp/2015/04/the-missing-mtgox-bitcoins.html
https://www.nytimes.com/2015/08/02/business/dealbook/mark-karpeles-mt-gox-bitcoin-arrested.html

Slide 5

BitKeep

BitKeep users reported transactions from their accounts that occurred while they were not using the service. The BitKeep team investigated and discovered that attackers had tricked users into downloading fake wallets. By installing a malicious file that posed as version 7.2.9 of the BitKeep wallet, users handed their private keys and seed words to the attackers.

Attack type: Copycat Android app installed via phishing
Damage: Over $8 million
Lessons learnt: Users must be educated to download apps from official sites only and to verify the authenticity of websites and apps before entering sensitive information.
https://www.halborn.com/blog/post/explained-the-bitkeep-hack-december-2022
https://cointelegraph.com/news/bitkeep-exploiter-used-phishing-sites-to-lure-in-users-report

Slide 6

Trust Wallet

A Trust Wallet security vulnerability was discovered by researchers within a bug bounty program. The flaw was exploited twice, resulting in the loss of users' assets.

Attack type: Vulnerability in the CSPRNG used for private key generation, which was based on MT19937
Damage: $170,000
Lessons learnt: Cryptography flaws hit hard; collaboration with security experts is essential.
Security enhancements made: Increased number of security audits, engagement of security experts, internal security reviews.
https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786
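The MT19937 weakness named above, as an added illustration that is not from the deck or from Trust Wallet's code: a key expanded from a Mersenne Twister seeded with a 32-bit value (the seed width is an assumption here) is fully determined by that seed, so it carries at most 32 bits of entropy however long the key is, and that determinism is something an internal review can test for before keys ship; `secrets.token_bytes` is the OS-backed alternative.

```python
import random
import secrets

KEY_BYTES = 32  # length of a typical ECDSA private key


def mt19937_keygen(seed: int) -> bytes:
    # random.Random is CPython's MT19937. Seeding it with a 32-bit integer is
    # an assumption made for this illustration; the slide gives no seed width.
    if not 0 <= seed < 2 ** 32:
        raise ValueError("seed must fit in 32 bits for this illustration")
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def csprng_keygen(seed=None) -> bytes:
    # OS-backed CSPRNG. 'seed' is accepted only so both generators share the
    # audit signature used by is_seed_determined(); it is deliberately ignored.
    return secrets.token_bytes(KEY_BYTES)


def effective_entropy_bits(seed_bits: int, key_bits: int) -> int:
    # A key expanded from a PRNG cannot hold more entropy than its seed:
    # a 32-bit seed yields at most 2**32 distinct 256-bit keys.
    return min(seed_bits, key_bits)


def is_seed_determined(keygen, seed: int, rounds: int = 3) -> bool:
    # Review check: if repeated calls with the same input return the same key,
    # the generator is fully determined by that input and unfit for key material.
    first = keygen(seed)
    return all(keygen(seed) == first for _ in range(rounds))


if __name__ == "__main__":
    print("MT19937 keygen seed-determined:", is_seed_determined(mt19937_keygen, 1234))
    print("CSPRNG keygen seed-determined:", is_seed_determined(csprng_keygen, 1234))
    print("Entropy of a 256-bit key from a 32-bit seed:",
          effective_entropy_bits(32, 256), "bits")
```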

Slide 7

Atomic Wallet

Atomic Wallet was attacked, and the team received reports that users' wallets had been compromised. The exploit affected 100 addresses belonging to users of various blockchain networks.

Attack type: Undisclosed
Damage: $100 million
Security enhancements made: Changing server access, turning off 3rd party services that could cause possible breaches; the team is working on an app update to boost security, and security audits are being conducted.
https://cointelegraph.com/news/atomic-wallet-hack-statement-exploit-unanswered-questions

Slide 8

Prime Trust

Prime Trust went bankrupt after losing the password to a physical crypto wallet holding $38.9 million.

Damage: $76 million of company assets were used to purchase ETH to fund customer withdrawals. The funds trapped in the wallet are worth $38.9 million.
Lessons learnt: A single security measure is not enough. A proper risk profile and threat model should minimise the risk of such events.
https://www.404media.co/crypto-startup-prime-trust-files-for-bankruptcy-after-losing-password-to-38-9-million-crypto-wallet/