This week, Max Hasselhoff, integration engineer from Bytecoin, takes a look at the Bithumb hack as well as a couple of other hacks and their historical context.
Last week we covered what we consider to be an existential threat to the prosperity of the crypto industry when we looked at scams. While the gravity of the damage that scams are causing to the industry cannot be overstated at this juncture, fate, as if on cue, was quick to remind us that scams are not the only thorn in the side of this burgeoning market.
The Bithumb hack, resulting in an estimated loss of about $19m, is a costly reminder that these early waters are often troubled waters, and scams and hacks are the veritable Scylla and Charybdis that must be navigated through in order for this nascent movement to reach that solid footing that is so palpable to those of us who believe.
If you are looking to reinforce your personal defenses against bad actors in the crypto sphere be sure to check out our latest blog post on the subject up on the Bytecoin page.
Out from Under Bithumb
This past Saturday Korean crypto exchange Bithumb released a statement saying that its monitoring system had noticed an abnormal withdrawal occurring on Friday, March 29th. The withdrawal consisted in 3.07 million EOS and 20 million XRP which comes to about $19m. Although the amount missing is sizable, Bithumb has clarified that all the funds stolen were company funds as all user funds are stored in cold storage.
In its statement, Bithumb goes on to say that it suspects that the hack was an inside job because it has found no evidence of any kind of external breach. As a result of the hack, Bithumb has moved its funds off of its hot wallet and into cold storage. The exchange has notified the appropriate authorities and has said that it expects to recover the funds stolen.
Part of their statement reads:
“As a result of the inspection, it is judged that the incident is an accident involving insiders because an external intrusion path has not been revealed. Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency, and security companies.”
Bithumb has indicated that they will do everything they can to recover the lost funds in this case and ensure that situations like this are prevented in the future. In the past, they have shown tenacity in situations like this, and have been able to recover well. It is an unfortunate situation for the exchange, and we at Bytecoin support them in their efforts to neutralize the damage caused by the hack.
The notion that this hack was the handiwork of internal malcontents lends credence to determinations arrived at by crypto intelligence firm CipherTrace who recently released the findings of their 2018 study into cryptocrime. CipherTrace outlined the emerging threat that specifically inside jobs pose to crypto exchanges.
According to the report over 58% of all exchange hacks from 2018 occurred in Japan and Korea. While the first three quarters of 2018 saw hacks perpetrated predominately by outside intruders, the final quarter of 2018 showed a troubling rise in the amount of inside jobs happening to exchanges.
DragonEX Dealt a Blow
Moving from Korea to Singapore, DragonEx, an exchange trading hundreds of millions of dollars worth of crypto on a daily basis, was targeted by hackers who managed to steal about 7.09 million dollars.
The exchange posted an alert on its Telegram channel on Tuesday, March 26th notifying its users of the breach: “Several Judicial administrations were informed about this cybercrime case including Estonia, Thailand, Singapore, Hong Kong etc. and we’re assisting authorities with their investigation.
All platform services will be closed and the accurate assets loss recovery situation will be announced in a week. For the loss caused to our users, “DragonEx will take the responsibility no matter what.”
Later on, the DragonEx team notified its users that they had found the funds in question and had identified the addresses connected to the hack. Accounts responsible for the theft subsequently wired the stolen funds to KYC-protocol exchanges like Bittrex. DragonEx has said that whatever losses have been incurred by users as a result of the hack will be compensated for by the exchange.
The Long Arms of Lazarus
So who is responsible for the DragonEx hack? By a commodius vicus of recirculation we turn our vision back to Korea, where 306 Security, a Chinese security firm, has alleged that North Korean hacker collective Lazarus is behind the hack. 306 Security claims that Lazarus not only carried out the DragonEx hack, but was also behind the recent hacks of BiKi and Etbox as well as a long list of high profile cyber attacks over the past decade.
The security firm’s threat response team has revealed that as early as October of last year Lazarus registered two domains, wb-invest.net and wb-bot.org, to lay the framework for the future attacks.
Then they constructed a false mirror of the Worldbit – bot crypto trading software using the open source QT Bitcoin Trader and injected it with malicious code. Propped up by the malware, Lazarus launched the two trading sites they registered, and disguised them as normal automated crypto trading sites for the better part of half a year.
Then, via phishing emails, Lazarus was able to breach the ranks of internal staff at the aforementioned exchanges. According to JohnWick, another China-based security firm helping DragonEx with their investigation of the hack, Lazarus was able to get members of the customer service team at DragonEx to open links with an installation package named wbbot.dmg.
Lazarus buried a backdoor inside of the installation package with which they were subsequently able to obtain the exchange staff’s authorization credentials and the exchange’s private key.
Lazarus is a legendary group with a long history of cybercrime. The first action attributed to Lazarus is the 2007 “Operation Flame” DDoS attack on the government of South Korea. Lazarus is also alleged to have been behind the infamous Sony Pictures hack of 2014, the data breach that affected the Bank of Bangladesh in 2016, and the “wannacry” ransomware attack that happened in 2017.
The Bigger Picture
With the Bithumb hack, the total number of assets that have been stolen from crypto exchanges is now measured at over $1.3 billion. The most recent hacks, those of Bithumb and DragonEx, account for $26 million of that figure, just two percent of the total.
Roughly 61% of the total hacked was stolen in 2018, by far the most successful year for cyber criminals. As the crypto industry grows, exchanges, currencies, and consumers will all have to reckon with the dangers posed by hacking and take steps to ensure that efforts of a small minority of bad actors do not shipwreck the entire movement.
Max was born at the end of 80s in Frankfurt, Germany. He studied engineering and telecom at university, and had internships in the US and UK. At the same time he was coding on the side in С++ and scripting languages. After entering the Bytecoin team in 2016 as an technical support engineer, he rose through the ranks and now works as an integration engineer. Max is collecting vintage gaming consoles and loves English literature.