Over the summer, an anonymous hacker stole roughly $600 million in cryptocurrency from Poly Network, a decentralized finance network many outside the crypto world had likely never heard of. Then the hacker gave it back.
Four months later, hackers stole at least $150 million from crypto exchange Bitmart. According to one analysis, unidentified hackers used a stolen private key to open two “hot wallets” and extract funds.
Security incidents like these are not new in the crypto world, but the size of these hacks appears to be growing as cryptocurrency prices have surged over the past year, drawing more mainstream attention.
Five of the 10 largest crypto thefts of all time have happened this year, according to data compiled by consumer website Comparitech. And these incidents may only continue due to increased cryptocurrency usage, according to financial tech experts.
Here’s what you should know about what’s happening — and how to keep your digital assets safe.
What is happening?
The two main targets of crypto hacks currently are centralized exchanges and decentralized finance (DeFi) services, according to Tom Robinson, chief scientist at London-based crypto compliance firm Elliptic.
Centralized exchanges have been the prime target of hacking groups for several years. These exchanges store a user’s assets in “hot wallets,” or digital wallets that are connected to the internet. This makes them more accessible for users, but also potentially more vulnerable to savvy hackers.
The recent BitMart hack was one such example. Another is the Coincheck attack in 2018, which saw roughly $530 million stolen, making it the biggest crypto heist ever — until the Poly Network incident this year, according to Comparitech’s data.
DeFi services are a newer part of the crypto world. DeFi software applications cut out exchanges all together, as they are run directly on top of blockchain platforms, and hacks of these services are usually due to coding errors or issues with design of apps, according to Robinson. Major examples include Poly Network as well as a more recent hack of Badger DAO, a platform that gives users vaults in which to store bitcoin and earn profit. The Badger DAO hack resulted in the loss of $120 million.
What’s clear from the majority of these attacks this year is that it’s often a vulnerability that’s being exploited,” says Rebecca Moody, head of research at Comparitech. “With the industry growing at an exponential rate and relying on open source technology, this leaves platforms open to exploitation when hackers are able to find a weakness in the code.”
What are you really at risk of losing?
Just because an exchange suffers a hack doesn’t necessarily mean you lose all your money.
Each crypto service has varying levels of resources to cover hacks. BitMart, for example, pledges to cover all stolen assets.
According to crypto-crime analyst Joe McGill of TRM Labs, if an entity does not have the ability to compensate impacted users, there is still the chance that law enforcement — like the IRS Criminal Investigations Cyber Unit — is able to recover the stolen funds.
But there is no guarantee. While many banks typically offer deposit insurance up to a certain amount, there is no such promise when holding crypto assets in a third-party service. Some companies might have insurance to cover losses, but the level of coverage — if there is any at all — varies by platform.
As for the cryptocurrency that’s stolen, it could be gone forever. “More often than not, hackers successfully get away with stolen funds as cryptocurrency is virtually untraceable and easily disguised by laundering it through wallets in a matter of minutes,” Adam Morris, co-founder of Crypto Head, told CNN Business.
How can cryptocurrency holders protect themselves?
When using a crypto wallet or exchange, experts say users should scrutinize the scale and professionalism of the company behind it.
“Do they have people responsible for cybersecurity? Does the company have a good track record? What’s the size of the company? How many employees does it have? Those are all indicators that you can have confidence that that business is going to secure your assets in a responsible way,” says Robinson.
There are also basic security measures users can take when accessing their crypto account. McGill recommends two-factor authentication or hardware keys, which are essentially passwords kept on offline devices. He also recommends requiring approval for all crypto withdrawals as well as whitelisting addresses, which only allows certain addresses in your contact list to receive crypto funds from your account.
“There is no 100% guarantee of avoiding cybercrime,” McGill warns, but he said it is important to understand the exchanges being used, their history with cybercrime and the response systems in place.
Another way to protect one’s crypto assets, according to Morris, is to use a hardware wallet, known as “cold storage,” rather than storing it with a service. While considered the most secure method of storing crypto, this route puts all the responsibility on the user to store private keys. If those keys get stolen or lost, there is no larger financial entity to offer support.