The big bitcoin and crypto breach events are well-known news items. There was the Mt. Gox hack that saw $473 million in bitcoin disappear, the Bitfinex hack in which $72 million in value was lost overnight and the reigning champion crypto hack, the January 2018 Coincheck hack that saw $530 million in cryptocurrency go missing.
But while those big hacks — and the large sums of money heisted all at once — are eye-catching, bitcoin security expert Hartej Sawhney recently told CNBC that they might not be the biggest or most costly threat to bitcoin security out there. The big and under-discussed threat, he said, is the approximately $2.5 million that, in his estimate, is stolen from cryptocurrency exchanges all over the world every single day.
“Exchanges need to learn to value security, but they are not getting regular penetration testing from cybersecurity companies,” he said.
Sawhney, it is worth noting, is co-founder of Hosho, a cybersecurity firm that specializes in offering just those sorts of testing protection services to cryptocurrency exchanges.
But, he noted, from that vantage point he has a front-row seat to some of the more creative ways hackers gain access to systems and cryptocurrency exchanges. People are often easier to hack than computers, he noted, citing the example of one exchange that found itself on the wrong side of a security breach because one of its employees was a dog lover.
“The hacker monitored the social feeds of this employee and gained access to realise that fact,” Sawhney explained. “They made a fake website and application for this employee to apply to compete in a local dog walking competition.”
One wrong opened email and one wrong opened PDF later, and the hacker had access to all of that employee’s keystrokes. From there it was short work to harvest all of her usernames and passwords, said Sawhney, which included several that were relevant to the exchange at which she worked. Within 48 hours of the employee applying to take part in a fake dog show, the exchange lost millions of dollars.
Hackers, he said, are always going to be looking for the path of least resistance into a system, whatever the contours of that path may be. And, he noted, there are lots of ways to mess with crypto firms — particularly those that aren’t regularly auditing their systems with penetration testing against fraud — including smart contract hacking or order book manipulation. Moreover, he said, hackers know which firms are thinking bigger and in more depth about their security solutions — and which ones are not.
The firms that are figuring out how to properly hold private keys and manage hot and cold storage of coins, he said, are more likely to be skipped over in favor of the “low-hanging fruit” of the less security-minded exchanges in the world.
The real losers, he said, are members of the public who are often totally unaware that these small hacks are going unreported every day — particularly as hackers are lining their pockets with millions.