The Biggest Crypto Heists: How You Can Protect Yourself

As a global provider of mobile authentication, user verification and fraud prevention solutions, one of the main use cases we talk about at IPification is securing crypto wallets. This is why —

By August 2022, over $1.9 billion in cryptocurrency had been stolen, a 60% increase over the same period of the previous year!

Recently, Kaspersky wrote about some of these cases on their blog, which inspired me to analyze some of the biggest crypto heists so far before delving into the ways you can protect your crypto wallets (or your crypto business).

Almost all huge crypto heists have one thing in common — subpar hot wallet cybersecurity

Let’s kick it off with a three-year long heist that cost Mt.Gox an estimated $480 million in cryptocurrency and ultimately led them into bankruptcy.

To give you a sense of scale: Mt.Gox was a cryptocurrency exchange in the early 2010s, handling around 70% of the world’s bitcoin trading in 2013, before it all crashed down in 2014.

It turned out that three years prior, in 2011, hackers had gotten hold of the hot wallet private keys and slowly started to steal bitcoins. In total, they managed to siphon some 630k BTC into their own accounts, forcing the company to stop trading and declare bankruptcy.

Because of the fluctuation in the value of bitcoin, the exact loss is debatable, but it’s most often estimated at $480 million, based on the value of bitcoin on the day before the company filed for bankruptcy.

This time around, we’re traveling to Japan, where fraudsters stole around $500 million in NEM tokens from the crypto exchange Coincheck in 2018.

Allegedly, the criminals used malware to steal the private keys of Coincheck’s hot wallets, after which they sold the NEM tokens on their own website at a 15% discount.

Thankfully, while Coincheck had to pause operations for a while, the company didn’t disappear.

Finally, this wouldn’t be an analysis of hacking incidents without mentioning phishing, the culprit behind Ronin Network’s $540 million loss in March 2022.

The cybercriminal targeted one of the blockchain network’s employees with a fake PDF job offer containing spyware, which enabled them to steal four validator keys. Since approving a transaction required five of the nine validator keys in total, they needed only one more to get hold of the company’s cryptocurrencies.

They obtained that fifth key from a decentralized autonomous organization that the company had authorized to sign off on transactions in order to handle user volume. And although the company has recovered from the incident, I’m sure we’ll all agree this should have been prevented.

So, where do we start?

Let’s find the common denominator! All of these crypto heists have one thing in common: they happened after hot wallets were compromised. So what can you do about it?

It’s simple. You have to protect access to your hot wallet by implementing, at the very least, two-factor authentication with a phishing-resistant second factor.

How to protect yourself from crypto heists: an ode to multi-factor authentication

While 2FA isn’t anywhere near perfect, it’s way better than using only one factor (usually a password) to access your hot wallet.

Users often reuse the same password across services, and data breaches occur daily (make it a habit to check HaveIBeenPwned.com at least once per month). Passwords can be easily phished, they are vulnerable to brute force and credential stuffing, or they’re simply weak.

I’ll just give you one stat: 71% of accounts are protected by passwords that are also used on other websites, which makes password reuse a significant risk surface.

But even if one of the scenarios above occurs, you’d have the second factor there to jump in and protect your accounts. Usually, this will be either SMS OTP 2FA or third-party authenticator app 2FA, such as Google Authenticator.

If you have the option to choose, we always recommend the second option.

Vulnerable to phishing and SIM swapping, SMS OTP 2FA may very well introduce additional security risks instead of improving security. Third-party authenticator app 2FA, on the other hand, is a whole other story when it comes to security, although it seriously degrades the user experience.

With it, users have to exit the wallet app, open the authenticator app, generate the code, copy it, exit the authenticator app, go back into the wallet app, and finally paste the code to gain access to their cryptocurrencies.

Having said that, it makes sense that solutions such as biometrics or IPification would be much better options. Both take mere milliseconds to verify your identity yet offer strong security.

Just remember that there is something to be said about data privacy concerns with biometrics. While passwords, PINs and the like can be changed once they are compromised, the same cannot be said for your fingerprints or other biometric features.

Authentication methods are never one-size-fits-all. The best ones for your app will always depend on your specific case. But experts at Team IPification can help!

Contact us today and schedule a free consultation!
