Cryptocurrencies have evolved from an obscure side project to a multi-billion dollar alternative asset class over the past decade. While the blockchain was designed for secure transactions, the immutable and online nature of the technology makes it an attractive target for cyberattacks. The proper cyber hygiene is imperative for anyone holding cryptocurrency.
Many criminals use social engineering to trick users into handing over their account credentials or cryptocurrency. Others hack into crypto exchanges and online wallets to steal cryptocurrency. It's important to understand these attacks and take the right precautions to avoid becoming a victim.
Let's take a look at three of the most common attacks and steps that you can take to protect yourself.
Hacked Crypto Exchanges
Hackers recently stole more than 7,000 bitcoin from Binance, the world's largest crypto exchange by volume, in May 2019. The attack demonstrates that even the largest exchanges aren't immune from cyber attacks despite their investment in security.
The sophisticated cyberattack transferred then-$41 million — and now $83 million — worth of cryptocurrency in a single transaction after accessing user API keys, two-factor authentication codes and other information. The attackers are now moving the bitcoin into various accounts in an attempt to launder and cash out their stolen funds.
Binance's Secure Asset Fund for Users, or SAFU, covered losses from the attack. The SAFU program keeps ten percent of all trading fees generated by the exchange to protect users in the event of an attack. The coins are stored in their own cold wallet to keep them protected in the event of a cyberattack — but not all exchanges have these kinds of policies.
There are several ways to protect yourself from these attacks on exchanges:
- Insurance: Many exchanges have some kind of insurance policy for users to ensure that their capital is safe even in the event of an attack. For instance, Coinbase has an insurance policy in place and holds less than two percent of customer funds online where it's exposed to attack.
- Two-factor Authentication: Many exchanges support two-factor authentication, which requires both a password and a security code to access an account. These security codes are sent via SMS message to a cell phone or can be accessed via a smartphone app, such as Google Authenticator.
- Unique Passwords: Many people use weak passwords across multiple accounts without changing them on a regular basis, which represents a major security risk. It's a good idea to ensure passwords are unique for each account and are updated on a regular basis (e.g. every three months).
Two-factor authentication has become a popular way to secure crypto accounts from cyber attacks. Even if a password is stolen, criminals cannot access the account without access to the target's phone or authentication app. It's easy to assume that these measures keep your account safe, but there are some ways that cyber criminals can still gain access.
SIM-swaps occur when attackers pose as the owners of victims' mobile phone numbers and convince telecom providers to grant them access to their calls and messages with a SIM card. With access to a valid phone number, attackers can bypass two-factor authentication methods by receiving confirmation codes via text message or requesting password resets.
For example, cryptocurrency investor and entrepreneur Michael Terpin recently won a $75 million judgement against Nicholas Truglia, hacker that used the SIM-swap hack to gain control over Terpin's account and steal $23.8 million worth of cryptocurrency in 2018. Truglia used the same technique to defraud at least six other victims.
There are several ways to protect yourself from these attacks:
- Cold Storage: Long-term investors may keep most of their cryptocurrency stored offline in cold storage and only the coins that they need on exchanges or online wallets. For example, the Ledger Nano or Trezor are two popular hardware wallets for safely storing crypto offline.
- Set a PIN: Many wireless carriers enable users to create a PIN or passcode on their account, which adds another layer of protection against SIM-swap attacks. These PINs or passcodes should be different than the passwords used on other accounts that could be compromised.
- Alternative Authentication: Authentication apps may be more secure than SMS-based two-factor authentication. Physical two-factor authentication methods, such as Yubikeys, are even more secure since they require attackers to physically steal the USB device to access TFA codes.
What is Social Engineering?
Social engineering occurs when criminals trick victims into transferring cryptocurrency into their wallets or turning over their account credentials — often with the promise of money.
The most common social engineering attack is a pyramid scheme or so-called high-yield investment program, or HYIP. The perpetrators of these schemes ask victims to invest their cryptocurrency into a 'fund' that returns a certain percentage each month. The scam works as-advertised until there's not enough money coming in from new users to pay off old users.
Another common social engineering attack involves free cryptocurrency giveaways. Attackers impersonate companies or celebrities and offer an attractive giveaway, but a small investment is required to facilitate the transaction. For instance, they may request that you send $50 worth of bitcoin to receive $200 worth, so they know your wallet address.
There are several ways to protect yourself from these attacks:
- Be Skeptical: Most offers for free cryptocurrency or higher than average returns are either high-risk or outright scams. Be wary of any of these offers — especially if they are limited time offers that require you to act now. If you're not sure, ask a professional for advice.
- Regulation and Reputation: Legitimate cryptocurrency funds are regulated by government or industry groups, such as the SEC or FINRA. They also have established reputations among large investors or other funds of funds. If you're not sure, ask a financial advisor for advice.
The Bottom Line
The dramatic rise in the value of cryptocurrencies has made them an attractive target for cyberattacks. While most attacks are done through social engineering, there are several technical hacks that can avoided with the proper security precautions. Keep the tips we've mentioned in mind to secure your accounts and rest easy knowing that you're safe from common attacks.
Sign up for ZenLedger to track your cryptocurrency transactions and automatically prepare popular tax forms.