Decoding the Biggest Blockchain Hacks and Blockchain Cybersecurity with Yotam Dar

Ishan Pandey: Hi Yotam, welcome to our series “Behind the Startup.” Please tell us about yourself?

Yotam Dar: Hi Ishan, it is a pleasure to be here. I am a blockchain cybersecurity expert and I have been working in this industry for quite some years with smart contracts, data protection, and all the good stuff. As a cybersecurity expert in general, I keep my profile and social media information confidential and not accessible to the general public to ensure that no social engineering-based cyberattacks take place.

Cybersecurity experts always say that your social media profiles are a gold mine for hackers and as professionals working in this field, we like to have no digital footprint to protect ourselves and our clients from such cyber threats. It’s all about security for us!

Ishan Pandey: What is the status of cybersecurity in the present day, and how blockchain technology could help us fend against future cyberattacks? What is the source of the recent spike in cyberattacks and hackers targeting and violating user privacy?

Yotam Dar: Let me talk about an exciting development here. Coinbase has observed something unusual in Ethereum Classic, one of the cryptocurrencies available for purchase and sale on Coinbase’s famous exchange platform. The company’s blockchain, which records all of its transactions, was under assault.

An attacker had obtained control of more than half of the network’s CPU power and was rewriting its transaction history. This allowed users to spend the same bitcoin several times, a practice known as “double spends.” The assailant was caught on camera stealing $1.1 million from the victim. No money was taken from any of Coinbase’s accounts, according to the company. However, Gate.io, a second popular exchange, has confessed that it was not so fortunate, losing roughly $200,000 to the attacker (who, strangely, returned half of it days later).

This doomsday scenario was primarily speculative a year ago. However, the so-called 51% assault on Ethereum Classic was only the latest in a slew of recent blockchain hacks that have raised the stakes for the embryonic sector.

Since the beginning of 2017, hackers have stolen approximately $2 billion in bitcoin, largely from exchanges, and that’s just what has been made public. This isn’t merely a case of opportunistic lone wolves. Complex cybercrime gangs are now doing it as well: analytics company Chainalysis recently reported that only two groups, both of which are still active, may have stolen a total of $1 billion from exchanges.

It’s not as though we should be surprised. Thieves are attracted to blockchains because fraudulent transactions cannot be undone, as they can in the old banking system. Aside from that, we’ve known for a long time that, just as blockchains have distinct security characteristics, they also have distinct vulnerabilities. Marketing slogans and headlines claiming that the system was “unhackable” were completely incorrect.

Since Bitcoin’s inception a decade ago, this has been known, at least in principle. But, as a result of a Cambrian boom of new cryptocurrency initiatives over the last year, we’ve begun to see what this means in practice—and what these fundamental flaws might imply for the future of blockchains and digital assets.

The more complicated a blockchain system is, the more likely it is to be put up incorrectly. The firm in charge of Zcash—a cryptocurrency that utilizes incredibly hard arithmetic to allow users to trade in private—revealed earlier this month that it had quietly addressed a “subtle cryptographic weakness” that had been mistakenly baked into the system. An attacker may have used it to create a limitless amount of counterfeit Zcash. Fortunately, no one seems to have attempted this. Lucky!

The protocol isn’t the only thing that needs protection. To trade bitcoin or host a node on your own, you’ll need to use a software client, which might be vulnerable. In September, developers of Bitcoin Core, the primary client, had to hurry to repair an issue (also kept secret) that may have allowed attackers to generate more bitcoins than the system allows.

Still, the majority of the recent high-profile breaches targeted exchanges, which are websites where users can purchase, sell, and keep bitcoins. Many of the heists might be attributed to poor security tactics.

Ishan Pandey: Which sector is under the most amount threat in terms of a cyber security breach?

Yotam Dar: DeFi protocols are easily the most vulnerable to cyber security threats. Hackers broke into Poly Network, a blockchain-based platform, and stole more than $600 million in cryptocurrencies, making it the largest heist in the decentralized finance industry, gaining traction among investors.

According to Tether’s chief technical officer, the business behind the world’s third-largest cryptocurrency by market capitalization froze around $33 million in USDT tokens connected with the suspected hacker’s wallet address.

SlowMist, a blockchain-based security startup, released a statement hours after the incident, claiming to have tracked down the attacker’s email, IP address, and device fingerprints, as well as other identification evidence.

SEC Chairman Gary Gensler warned less than a week before the Poly attack that rising decentralized finance systems, often known as DeFi, require greater regulatory supervision. Traditional financial middlemen such as central banks and exchanges are largely bypassed by the platforms, which instead depend on blockchains—and frequently their own cryptocurrencies—to complete transactions. According to Gensler, such tactics may violate securities, commodities, and banking laws, and he urged Congress to strengthen its oversight of the cryptocurrency business, which he compared to the “Wild West.” Meanwhile, institutional investors have been warming up to the industry, with Goldman Sachs filing last month to launch its own DeFi exchange-traded fund.

Private key security attacks come in a variety of forms. A recent example was Cryptopia, a worldwide bitcoin exchange based in New Zealand. Cryptopia’s servers were hacked in January 2019, and the exchange’s private keys were used to move cryptocurrency to an unnamed external exchange. Between 9 and 14 percent of their cryptocurrency, worth roughly $30 million NZD, was taken. Cryptopia’s activities were momentarily halted, and the company was finally liquidated.

The dispute culminated in Ruscoe v Cryptopia Limited (in liquidation), a long-ruling by a New Zealand Court that had to assess how the exchange’s residual assets should be split to account holders and unsecured creditors. The court ruled that cryptocurrencies constituted property and that Cryptopia was the trustee of several trusts, one for each cryptocurrency, with the beneficiaries being all account holders who held the appropriate kind of coin.

Hackers have also stolen the keys to bitcoin wallets. Of course, like almost every other business in Canada, marketplaces are vulnerable to data breaches from various sources. Mt Gox, one of the earliest bitcoin exchanges situated in Tokyo, is one of the most well-known instances. Mt. Gox was responsible for more than 70% of worldwide bitcoin transactions during its peak in the early 2010s. Hackers exploited stolen credentials to send bitcoins in 2011. Several thousand bitcoins were also “lost” due to flaws in network protocols.

Individuals and businesses are still vulnerable to phishing assaults, despite the security measures that blockchain provides. This fraud uses numerous methods, such as email, to gain a user’s credentials without their knowledge. For example, using false URLs, fraudsters send wallet key owners emails masquerading as a genuine source, requesting their credentials.

SIM switch assaults are also a typical occurrence. An Ontario youngster was arrested earlier this week for allegedly stealing $46 million in cryptocurrency via a SIM swap assault. According to reports, the police, with the help of the FBI and the US Secret Service, confiscated various pots of cryptocurrencies worth more than $7 million. Another company, BlockFi, which provides crypto services to both consumers and institutions, was the victim of a SIM swap hack. Only personal information and not money were obtained in this situation. In another example, hackers used a SIM swapping method to obtain data from Coinsquare, a cryptocurrency trading site, but they were unable to utilize the data to steal any crypto assets.

Hackers have been known to take advantage of technical flaws in blockchain networks. The Poly network hack, which happened in August 2021, is an example of this. Ethereum, Binance Smart Chain, and Polygon were among the blockchains targeted. The Poly Network, a cross-blockchain interoperable bridge that allows users to move crypto-assets from one blockchain to another, was the target of the attack. Tokens are locked on a source blockchain and unlocked on a destination blockchain to complete transfers.

The Poly Network Keepers sign blocks of the source blockchain that contain the original transaction once a transaction has happened on the source blockchain. The keeper then sends the signed block to the destination blockchain’s smart contract manager. If the signatures are legitimate, the smart contract manager evaluates them, and if they are, the contract conducts the transaction on the target blockchain. The hacker took advantage of a flaw in the smart contract management EthCrossChainManager. In essence, the hacker was able to fabricate fictitious transactions that enabled him to free tokens on the destination blockchain while keeping them locked on the source blockchain. The hacker accomplished this by altering and compromising trusted entities known as “keepers” stored in the EthCrossChainData contract and allowing cross-chain transactions to unlock tokens on the destination blockchain without locking them on the source blockchain effectively duplicating tokens across two blockchain networks. The attacker was able to mislead the EthCrossChainManager contract into executing cross-chain transactions that weren’t genuine on the source blockchain by seizing control of the keepers. By attacking

Poly Networks’ cross-chain protocol, the hacker was able to replicate over $600 million worth of tokens across the networks, leaving the tokens remaining in the hands of the original users uncollateralized and the valuable tokens under the hacker’s possession. Those who had tokens on the source blockchain lost money. The money was subsequently returned to the Poly Network by the hacker.

The DOA, an unincorporated entity known as Slock.it UG (“Slock.it”), is another well-known example of a technological flaw exploit. A Decentralized Autonomous Organization (DAO) is a “virtual” organization represented in computer code and operated on a distributed ledger or blockchain. The DAO was founded by Slock.it and its co-founders to function as a for-profit corporation that would produce and hold assets via the sale of DAO Tokens to investors to finance initiatives. An attacker exploited a weakness in The DAO’s code to steal around one-third of The DAO’s assets after DAO Tokens were sold but before The DAO could begin supporting initiatives. The hacker started diverting ETH from The DAO, causing roughly 3.6 million ETH, or 1/3 of the total ETH generated by The DAO offering, to migrate from The DAO’s Ethereum Blockchain address to an Ethereum Blockchain address controlled by the hacker. Fortunately, Slock. It’s co-founders and others supported a “Hard Fork” to the Ethereum Blockchain before the hacker could transfer the ETH from that address. The “Hard Fork” allowed DAO Token holders to reclaim their assets as if the attack had never happened.

Routing Attacks are another option for hackers. Blockchains depend on huge data transfers in real-time. Hackers may disrupt real-time big data transfers by hijacking IP prefixes or temporarily disconnecting connections, preventing the system from reaching a consensus. Participants on the blockchain are unaware of the issue, but fraudsters may have extracted private data or currency behind the scenes. The Border Gateway Protocol (BGP), the routing information protocol that specifies how IP packets are delivered to their destinations across the Internet, has vulnerabilities. A hacker may modify BGP and intercept the blockchain network to route traffic to locations selected by the hacker using a so-called BGP Hijacking Attack.

Other components, such as blockchain wallets, may potentially have underlying cryptosystem weaknesses. They normally employ public and private key pairs for signatures and are as secure as the cryptosystem they use. The public-key algorithm used for these keys is vulnerable to known attacks.

Other sorts of assaults to steal crypto-assets are also possible on blockchains. The “51 per cent vulnerability assaults,” which most cryptocurrencies are potentially vulnerable to, are a well-known attack vector. Proof of work is a popular methodology for confirming transactions in blockchains. This procedure, also known as mining, entails nodes investing a significant amount of computational power in order to establish that they are trustworthy enough to add fresh transaction information to the database. If a miner or group of miners gains control of a majority of the network’s mining power, they may manipulate and modify blockchain information at will, such as reversing transactions and launching a double-spending assault by constructing another version of the blockchain (a fork). These criminals may make the fork the official version of the chain and then use the same bitcoin to spend it again (double spending). 51 percent of attacks were carried out on a number of lesser currencies, including Verge, Monacoin, and Bitcoin Gold, resulting in robberies of $20 million. A 51 percent assault was also launched against Ethereum Classic, in which an attacker with more than half of the network’s CPU power attempted to alter the transaction in order to steal more than $1 million. In another occasion, the mining pool “ghash.io” was responsible for almost 42% of all bitcoin mining power. The fact that a single mining pool accounted for such a large percentage was cause for alarm, and many miners left the pool.

According to research, smart contracts are also vulnerable to a variety of other security flaws. The “Balance Attack” and “Sybil Assaults” are two more sorts of attacks. Future technological advancements will definitely offer additional security concerns for blockchain systems to overcome. Quantum computing, for example, has the power to break the encryption used in blockchains and cryptographic codes, upending fundamental security assumptions.

Quantum computers are believed to be able to swiftly crack a blockchain’s cryptographic techniques, rendering the encryption useless. To keep ahead of the curve, quantum-resistant techniques will be required to minimize future security vulnerabilities.

Ishan Pandey: Please tell us a little bit about blockchain technology and how it can be utilized in the cybersecurity and data protection industry?

Yotam Dar: Blockchain technology is great and sometimes impractical from an enterprise perspective for protecting or storing data depending upon commercial usage. It is important to note that blockchain technology and its subsets, such as Zero-Knowledge proofs, are groundbreaking as they allow users to share or verify information without sharing the information.

It is important to note that blockchain is one of the most secure types of database because it is decentralized in nature and distributed across nodes, due to which there is no single point of failure. However, it is essential to note that from an enterprise level, sometimes storing and accessing the information on a blockchain can be complex and costly, due to which a lot of enterprises are not taking this route even though it sounds good on paper. In a public blockchain, one information is added in a block; it cannot be removed, which is problematic due to data protection regulations worldwide. Further, it is essential to note that permissioned and private blockchains have the ability to remove or amend such blocks. It is important to note that this only complicates the processes because the same features can be executed on a Database Management System (DBMS).

Nonetheless, blockchain is great for authenticating, verifying and keeping a single immutable ledger of transactions. Blockchain will be beneficial for creating a secure and private permissioned database where enterprises can share information and business insights in a decentralized and sure manner.

However, the issue is always going to be compliance with GDPR and other regulations as such information may contain sensitive and financial information.

Discussing GDPR in detail, it is essential to note that the GDPR is founded on the idea that there’s at least one natural or legal person – the data controller – toward whom data subjects can exercise their rights under EU data protection legislation in connection to each personal data point. These data controllers must adhere to the GDPR’s requirements. On the other hand, blockchains are distributed databases that aim to achieve decentralization by replacing a single actor with a large number of participants. The absence of agreement on how to define (joint-) controllership impedes the distribution of duty and accountability.

Secondly, the GDPR is predicated on the notion that data can be amended or wiped to meet legal obligations, such as Articles 16 and 17 of the GDPR. However, in order to preserve data integrity and enhance network trust, blockchains make unilateral data alteration extremely difficult. Furthermore, blockchains highlight the difficulties of conforming to data minimization and purpose limitation criteria in the existing data economy.

Therefore, currently, Public blockchain does not comply with such regulations, but the regulator cannot do anything about it because it is a software (bitcoin) with no legal entity behind it.

Ishan Pandey: What are the basic privacy norms that an entity dealing in the blockchain technology should abide by in terms of user protection? In your opinion, will a decentralized infrastructure promote and uphold better transparency, efficiency, responsibility, and fairness whilst also sharing more value with more betting participants?

Yotam Dar: The Zero-Knowledge Technology is a public blockchain industry privacy solution that assures the blockchain never has access to its customers’ data or encryption keys. With Proofs-of-Ownership, zero-knowledge is also known as private end-to-end encryption, implying that only users can access their data files.

Before files are sent to the cloud infrastructure, they are encrypted on the user’s local device. To protect the data, two-factor authentication is used. After the encrypted data is uploaded, the platform’s algorithm divides it into numerous blocks and distributes it around the platform’s nodes. These nodes regularly audit the network, assuring enough storage capacity, data integrity, and availability.

Users may securely share their data files with others using a private link, allowing them to read or safely alter the files. Cloud storage services will enable customers to clear space on hard drives or local storage networks – servers by relocating data to be stored and hosted on cloud infrastructure, maintaining data availability in accordance with current worldwide privacy and data security regulations. Users are also protected from hardware failures, cyber-attacks, and data breaches.

Ishan Pandey: Cryptocurrencies are partially responsible for the massive volumes of climate-warming carbon pollution released by them at the time of trading. What are your thoughts on the negative influence of crypto on the environment?

Yotam Dar: To be honest, mining cryptocurrencies do have an environmental impact. Such as mining Bitcoin. However, most cryptocurrencies are not DpoS, POS, and other consensus mechanisms that do not require proof-of-work. However, here it is critical to note that the behemoth which is consuming the energy is Bitcoin. As proof-of-work cannot be changed with Bitcoin, Bitcoin mining should move to more renewable resources with less carbon footprint.

Ishan Pandey: COVID-19 enhanced the predominance of working remotely, thereby providing more entry points for cyber-attacks, and thus, we are now experiencing more cybercrime and data compromises than it used to be. How can this be efficiently dealt with and what kind of privacy norms should be introduced within the blockchain space?

Yotam Dar: The cybersecurity framework of the startup must be planned and protected. With more and more people working remotely, the cyber security environment is shifted to home, where, unfortunately, the employers have not planned for such a situation. With blockchain startups, the risk is heightened more due to the fact that were are talking about millions of dollars of crypto-assets getting hacked. Therefore, it is critical for employers and blockchain startups to map and have proper policies and controls in place to protect their data and client assets.

Ishan Pandey: What new trends are we going to witness within the crypto ecosystem especially in the post-covid-19 era? Also, what does the roadmap ahead of blockchain technology look like?

Yotam Dar: We will see a lot more hacks across new blockchains where the programming language is still new and has not been tested out yet. It’s a battlefield!