Well, crypto got hacked again. This time it was the exchange BitMart, which announced a hack of at least $150 million on the evening of Saturday, Dec. 4.
Blockchain security firm Peckshield — which spotted and tweeted out a warning of the leak about an hour and a half before BitMart CEO Sheldon Xia announced it — put the losses at closer to $200 million.
hot wallet compromised? @BitMartExchange https://t.co/pfb7215pBO pic.twitter.com/v2C1KYtaqd
— PeckShield Inc. (@peckshield) December 5, 2021
Read more: Crypto Exchange Bitmart Confirms $196M Lost in Security Breach
Saying that the stolen funds were “a small percentage of assets on BitMart,” Xia added that customers will not suffer any losses, promising “BitMart will use our own funding to cover the incident and compensate affected users.”
The theft comes less than a week after decentralized finance (DeFi) project BadgerDAO was hit for $120 million by a hacker who drained funds directly from users’ wallets. Which comes just four months after the mid-August attack in which a hacker drained a staggering $612 million from another DeFi project, Poly Network (and, strangely enough, promptly gave it all back).
DeFi is an especially inviting target, and the lack of central control means there’s less pushback against crooks. DeFi projects have been hit to the tune of $10 billion so far, according to a recnet report from crypto intelligence firm Elliptic.
Also read: DeFi Losses Top $10B From Exploits, Fraud, Theft
Then there were the 6,000 Coinbase users whose wallets were drained in a phishing attack in October.
So, what’s going on? Well, business as usual.
A Juicy Target
There’s a couple of reasons for all these hacks, starting with how large they are. When you’ve got the largest vault around, you’ll attract all the top criminals. Especially when, like crypto, your vault isn’t too secure.
Remember, one of the early ways bitcoin broke into mainstream consciousness was when a hacker drained $350 million in bitcoin from the Mt. Gox exchange in a February 2014 hack.
Part of the problem is that exchanges need “hot” wallets that are connected online for their ongoing transactions, which can run to billions of dollars daily.
Indeed, the cause of the BitMart breach was the theft of the private key of two of the Cayman Islands-based exchange’s “hot” wallets, according to Xia.
1/4 In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed.
— Sheldon Xia (@sheldonbitmart) December 6, 2021
There are two types of bitcoin and cryptocurrency wallets, whether you’re a billion-dollar exchange or an individual user with a few hundred dollars invested. Hot wallets are connected, cold wallets are “air gapped” — meaning there is no connection to the internet. They aren’t at risk from hackers, just normal thieves, fires and forgetting your password.
Which is why crypto custody firms have become so important as institutional investors and banks get involved. They need professional security facilities and experts. And insurance.
See: Mastercard’s CipherTrace Deal Brings Trust and Blockchain Forensics to Crypto Space
Some top exchanges like Coinbase and New York-based Gemini, as well as solely institutional client-focused firms like Fidelity Digital Assets, offer institutional custody services. Security and blockchain tracing is another hot area of business. On Nov. 30, public cryptocurrency exchange Coinbase announced the acquisition of Israeli crypto security firm Unbound Security, following hard on the heels of Mastercard’s purchase of top blockchain intelligence firm CipherTrace.
Related: Coinbase to Buy Crypto Security Tech Firm Unbound Security
Security Holes
One big problem exchanges have is getting retail clients to focus on improving their own security.
The BadgerDAO hack seems to have been related to clients giving permission to bad actors to access their personal vaults. Getting users to embrace basic security measures like two-factor authentication (2FA) has been a struggle over the last couple of years.
Another take: Facebook Will Mandate 2FA for High-Risk Users
DeFi is a particular problem, as the truly decentralized projects have no central authority, which doesn’t only mean there isn’t a full-time security team.
That’s a big problem that was on display in late September, when the DeFi project Compound lost $70 million.
The good news in that case was no individual lost any funds. Rather, a hacker discovered a bug had been introduced in an update, and was able to mint $70 million in new COMP tokens.
The problem, according to Robert Leshner, CEO of lead project developer Compound Labs, was that “there are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production.”
Which is a long time to wait to fix a bug.