Biggest Cryptocurrency Hacks Ever

In the last article, we took a look at some famous Bitcoin hacks and thefts. Today we will be examining hacks and thefts of other cryptocurrencies, excluding Bitcoin. Without further delay, let’s get into the list.

Cryptocurrency Hacks & Heists

#1 The DAO Hack

Amount in Ether: 3.6 million ETH

Ethereum’s DAO, (Decentralized Autonomous Organization) was hacked in June 2016

Amount in USD at the time of hack: $60,000,000

How did the hack happen?

The DAO “hack” was not an actual hack despite the misleading name. The attacker didn’t actually hack anything, they simply interpreted the Turing complete code in a way the authors of the smart contract did not intend, allowing them to withdraw ETH tokens into a “child DAO” which only the attacker could access. Ethereum has a very large attack surface due to it’s Turing complete Solidity smart contract language, making it orders of magnitude less secure than Bitcoin. The hacker’s actions were legal under the smart contract, and should have been allowed under the “code is law” ethos of Ethereum.

Amount recovered: 3.6 million ETH

The recovery was also not a “recovery”. Ethereum had a contentious hard fork to bail out Vitalik, and the Ethereum developers who had foolishly invested their funds into an insecure smart contract. This “bailout” sacrificed the immutability of the Ethereum network, created Etherum Classic (the actual true Ethereum chain which did not roll back the “hack” and actually kept the integrity of the network intact). The DAO “Attacker” even went so far as to write an open letter to the Ethereum developers where he makes many excellent points about Ethereum’s security flaws, which can be read here.

#2 Parity Wallet Hacks 1 & 2

Amount in Ether: 153,000 ETH & 513,774 ETH

Parity was hacked twice in 2017 just months apart.

Amount in USD at the time of hack: $30,000,000 & $160,000,000

How did the hack happen?

The first “hack”, which took place in July 2017, was another bug found in the code for the Parity multi-sig wallet contract, which allowed the attacker to withdraw 153,000 ETH. It was not a hack, again it was smart contract code interpreted in a way not intended by the developers.

For the second “hack” which took place in November 2017, a novice Ethereum developer named Devops199 became famous overnight for his involvement in the second Parity wallet “hack”.

Here is Parity’s statement of what happened:

“This user managed to gain access to the smart contract, effectively making themselves the owner of the contract. Subsequently, the user made the unfortunate move to “suicide” the smart contract underlying the multi-sig wallet which in turn blocked funds of 587 wallets with a total amount of 513,774.16 Ether. While the funds remain in the affected wallets, the wallets themselves are inaccessible.”

Again, not a “hack” but another vulnerability in the Solidity language itself. This huge attack surface caused Charlie Lee, creator of Litecoin to call Ethereum a hacker’s paradise.

Amount recovered: None

EIP-999 (Ethereum Improvement Proposal), is a controversial proposal by some of the victims of the Parity wallet hacks to roll back the blockchain to recover the lost funds, creating a bailout for those affected. The proposal has met resistance from the Ethereum community which now wants to maintain a charade of immutability, which was sacrificed at the very beginning with the DAO hack.

#3 Bitgrail Hack

Amount in Nano: 17 million NANO

Bitgrail announced, “unauthorized withdrawal” of 17 million NANO tokens.

Amount in USD at the time of hack: $170,000,000

How did the hack happen?

The hack was reported privately to Nano devs, by Francesco “TheBomber” Firano, who wanted them to roll back the chain to make up for the loss of 17 million NANO tokens. Nano claimed the issue was with the Bitgrail exchange being hacked and was not the Nano network itself that had the issue. Firano claimed that the issue was with the Nano block explorer and the way transactions were timestamped, not functioning correctly allowing the hacker to double-spend the tokens. Right now there is no clear answer as to what actually happened, as law enforcement is now investigating and are not releasing details to the case.

Amount recovered: None

So far it seems both Bitgrail and Firano are at a stalemate in the dispute with Nano devs over who is responsible for the hack. Class action lawsuits have been filed, and Nano is donating to the legal fund of the victims, but we won’t have any definitive answers until they have had their day in court.

#4 Coincheck Hack

Amount in XEM: 500 million XEM

XEM is the token for the NEM blockchain.

Amount in USD at the time of hack: $530 million

How did the hack happen?

Coincheck was the largest cryptocurrency hack ever recorded to date. It was caused by the exchange having extremely poor security procedures, where they kept the 500 million XEM tokens in a “hot wallet” a wallet that is connected to the internet, and is known for being much less secure than a cold storage wallet that is never connected online and does not expose the users private keys to attack. This was a rookie mistake, Coincheck should have known better.

Amount recovered: None

Coincheck announced they had stopped tracking the stolen coins, in March 2018. They had been able to provide some info to law enforcement, but it was a futile effort, as eventually, the thieves were able to get rid of coins on exchanges in Europe and Canada.

#5 Bee Token Hack

Amount in Ether: 890 ETH

In February 2018 the Bee Token Initial coin offering (ICO) was hacked for almost 900 ETH tokens.

Amount in USD at the time of hack: $928,000

How did the hack happen?

The thieves used a clever campaign of phishing to trick users into providing them with payments. Wikipedia defines phishing as:

“Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.”

The hackers mimicked the Bee token email accounts and website, and then sent messages to Bee token investors claiming if they sent Ethereum to an address controlled by the thieves, they would receive bonus tokens.

Amount recovered: None

Again the hackers were able to enjoy their ill-gotten gains.

#6 Verge Hack

Amount in XVG: 60 million XVG

The hackers were able to steal 1560 XVG tokens per second, which equals about $280,000 USD/hour.

Amount in USD at the time of hack: Unknown

How did the hack happen?

The Verge Twitter was hacked first, about two weeks before Verge was hacked. Verge was the victim of a 51% attack, which allowed a malicious actor to gain control of 51% the network, and spoof timestamps on blocks exploiting a bug in the Verge code, which allowed the hacker to mine a block every second. The Verge team tried to implement a patch, and unwittingly hard-forked the network unintentionally, sparking criticism at their utter incompetence. The unintentional hard fork caused the network not to be able to sync. They were able to fix it, but not until after the hackers got away with an unknown and astronomical amount of money.

Amount recovered: None

Another case of the villains riding off into the sunset, with a boatload of money.

#7  Coin Dash ICO Hack

Amount in Ether: 43,500 ETH

The Coin Dash hack was the first known breach of security of an ICO.

Amount in USD at the time of hack: $7.53 million

How did the hack happen?

Minutes after the start of the Coin Dash token sale, a hacker was able to change the Ethereum address to one controlled by the attackers on the Coin Dash website that investors were sending their payments to. Coin Dash only raised $6.4 million before the address switch. It’s estimated that the hacker was able to make off with 43,500 ETH.

Amount recovered: None

Yet another hack where the hackers got away clean.

#8 Seele ICO Hack

Amount in Ether: 2,162 ETH

The Seele ICO was another ICO targeted by hackers.

Amount in USD at the time of hack: $1,800,000

How did the hack happen?

The attack on the Seele ICO was yet another phishing attack. This time, attackers pretended to be two of the admins on Seele’s Telegram channel. They then offered “private sales” of tokens just days before the ICO. Members of the Seele Telegram community were duped into sending Ether to the wallet of the thieves. The thieves were able to abscond with almost $2 million in stolen ETH, before the Seele team was made aware and was able to alert the community.

Amount recovered: None

Yet another reason to practice good computer security, because the thieves were never apprehended.

#9 Veritaseum Hack

Amount in Ether: 31,700 ETH

The actual tokens stolen were Veritaseum (VERI) tokens, however, they were quickly dumped for ETH.

Amount in USD at the time of hack: $8.4 million

How did the hack happen?

The attack was quite sophisticated and may have involved one of Veritaseum’s corporate partners. The hackers were able to swipe 36,000 tokens from the Veritaseum origin account, during the ICO. They immediately sold the VERI tokens for ETH and then laundered the proceeds. Reggie Middleton of Veritaseum tried to shrug off the theft with the following quote:

“the amount stolen was miniscule (less than 00.07%) although the dollar amount was quite material.”

Amount recovered: None

Once again the hacker shows us how they operate almost with impunity.

#10 Bithumb Hack

Amount in Ether: Unknown

The amount of ETH actually stolen by the hackers was never released.

Amount in USD at the time of hack: Over $1 million

How did the hack happen?

The hackers managed to compromise an employee computer and make off with the personal data of 32,000 customers (3 percent of all customers). The hackers then began calling the victims using the stolen data to pose as members of Bithumb’s customer service team, and verbally phished the account verification codes from the victims allowing the hackers to withdraw funds from over a hundred customer accounts. Bithumb was the fourth largest exchange in the world at the time of the hack. The hack was rumored to be perpetrated by North Korea, but no substantial evidence of this has surfaced.

Amount recovered: None

Although the stolen funds were never recovered, Bithumb did reimburse about $90 USD to all customers, until the total losses could be tallied and the affected clients fully reimbursed. No follow up has been published announcing if they ever followed through with reimbursing the rest of the missing funds to customers.

 

 

 

 

 

 

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *