Part 1 (#25–#13)
Revealing techniques of 25 successful attacks on blockchain: from 2010 to 2018, $1.8+ billion USD.
Bitcoin Out of Thin Air — 92 Billion BTC
Date: Aug 2010
Attack
An integer overflow flaw in Bitcoin’s code has been exploited at block #74638 to generate 92233720368.54277039 BTC. The overflow has resulted from a type UINT64_MAX that can hold an integer up to at most 2⁶³-1, giving the number 9223372036854277039.
After Attack
Bitcoin community canceled all relevant transactions and rolled back the ledger to the pre-hack state.
AllinVain — 25,000 BTC ($500,000)
Date: Jun 2011
Attack
World’s first cryptocurrency hacks victim. The hacker broke into the victim’s hard drive and transferred a large chunk of balance to an external wallet.
from Wikipedia
Mt. Got 1st Hack — 2609 BTC ($50,000)
Date: Jun 19 2011
Attack
The attacker obtained an auditor’s credentials and altered the nominal value of BTC to 1 cent. Afterward, the attacker transferred 2609 BTC from some clients to sell at this low price and purchased back nearly 650 BTCs from another account.
After Attack
Mt. Got suspended the operations for several days but then carried it on.
from https://steemit.com
Bitcoinica: Hacked 3 Times — 122,000 BTC ($430,000)
Date: Mar / May / Jul 2012
1st Attack
The attacker decrypted the Bitcoinica’s hot wallets hosted on the Linode’s server and made away with 43,554 BTC. Some individuals who used Linode’s server have also been hacked.
2nd Attack
The attacker got access to Bitcoinica’s database, obtained users’ private identification information and sensitive details, and stole 38,000 BTC.
3rd Attack
The attacker stole 40,000 BTC, but it has been reported that Bitcoinica’s funds were held in Mt. Gox secretly, which was later refunded.
from bitcoinmagazine.com
BitFloor — 24,000 BTC ($85,000)
Date: Sep 2012
Attack
The attacker obtained the unencrypted private keys that stored online for backups.
After Attack
BitFloor refunded the users, but it eventually closed down due to regulatory measures from its associated banks.
from KryptoMoney.com
Mt. Got 2nd Hack — 750,000 BTC ($350 million)
Date: Mar 2014
Attack
The attacker found transactions malleable. The details of the transactions can be edited to make it like it never took place.
Specifically, in a general transfer transaction, the attacker (the receiver) was able to manipulate the sender’s signature before it goes into the blockchain, and changed the transaction ID. This new and tampered transaction has a chance to overwrite the sender’s original transaction, in which scenario, the attacker gets the funds yet it seemed like the sender does not successfully put the original transaction into the blockchain. The attacker (the receiver) can, therefore, ask for an additional transfer, who will eventually receive the funds twice.
After Attack
Mt. Got halted all BTC transactions right away. No refunds were made. Eventually Mt. Got filed for bankruptcy.
from https://cryptoiscoming.com
Poloniex —97 BTC (12.3% of all its BTC)
Date: Mar 04 2014
Attack
The attacker exploited the faulty design of Poloniex’s withdrawal code. Because of that, the withdrawal requests were processed simultaneously instead of sequentially, the attacker could send multiple withdrawal actions within a short period of time to withdraw more than the balance allowed, making the balance negative eventually.
After Attack
Polonies reduced all its holders’ balance by 12.3%, and later on repaid all the losses.
from Wikipedia
BitStamp — 19,000 BTC ($5.1 million)
Date: Jan 04 2015
Attack
The attacker stole 19K BTC from Bitstamp’s operational hot wallet.
After Attack
BitStamp suspended all operations. And it moved on to use a multi-sig wallet.
from http://theconversation.com
The DAO — 3.6 million ETH ($55 million)
Date: Jun 2016
Attack
Clearly, it’s due to reentrancy. Lots of tutorials on it.
After Attack
Ethereum community planned to do a soft fork but found another DDoS vulnerability inside the code, so a hard fork was inevitable. Right now we have Ethereum (new version) and Ethereum Classic (old hacked version).
from https://steemit.com/
Steemit.com —Steem and Steem Dollars ($85,000)
Date: Jul 2016
Attack
The attacker hit 260 Steemit accounts and drained their balances.
It’s a human error that was caused by a UI design flaw. Some users might not be aware of the difference between the memo and the password, and accidentally pasted their password at the memo field, which will be submitted along with the transaction. Those passwords will be kept public and immutable on the blockchain of Steemit! A simple script can simply scrape the passwords of numerous users who made this fatal mistake.
Bitfinex — 120,000 BTC ($72 million)
Date: Aug 2016
Attack
Bitfinex switched to use BitGo’s multi-sig wallet 12 months ago. The attacker found a vulnerability in its multi-sig architecture and took advantage of it.
After Attack
Bitfinex issued BFX tokens to compensate victims, which are redeemable in USD. The victims lost are refunded slowly and steadily afterward. The attack made the price of BTC drop from $607 to $515 in just a few hours.
from “Daily value of your cryptocurrency wallet”
CoinDash — ETH ($7 million)
Date: Jul 2017
Attack
The attacker manipulated the ICO address posted on CoinDash’s website to lure investors into incorrect place for exchanging Ether for CoinDash tokens.
Wrap-up
Hope you enjoy the brief intro to the techniques of each of the big hacks. Some of the attack details remain confidential and there’re not much opened to the public, I have tried my best to organize and present the truth based on the references below.
There are 12 more hacks to go, including Veritaseum, Parity 1st hack, Enigma, Tether, Parity 2nd hack, NiceHash, Coincheck, BitGrail, Google Adwords, Bancor, Coinrail, Zaif, and a real bloody hacker fight that I have experienced.
Stay tuned!
Great References
- https://medium.com/bitfolio-org/the-biggest-cryptocurrency-hack-in-the-history-of-blockchain-22380febfaa2
- https://coinsutra.com/biggest-bitcoin-hacks/
- https://blocksdecoded.com/cryptocurrency-hacks/
- https://u.today/top-3-biggest-bitcoin-hacks-and-frauds-in-history
- https://www.coinannouncer.com/the-hack-history-of-blockchain/
- https://blockonomi.com/mt-gox-hack/
- Hack on blockchain itself: https://coincentral.com/blockchain-hacks/
- https://cryptopotato.com/lessons-learned-from-the-biggest-crypto-hacks-in-history/
- https://cryptopotato.com/market-declines-as-korean-crypto-exchange-coinrail-faces-hack/
- https://www.benzinga.com/fintech/17/11/10824764/12-biggest-cryptocurrency-hacks-in-history
- https://www.ccn.com/biggest-theft-history-know-far-530-million-coincheck-hack
- https://www.blockstuffs.com/blog/top-10-blockchain-hacks
- Blockchain Graveyard: https://magoo.github.io/Blockchain-Graveyard/
Acquire security consultancy from blockchain white-hat hackers. Turing Chain is for your blockchain business safeguarding. Be careful not to be 0xdead!