Ironically, most of the bitcoin exchanges that suffered various security breaches and hacking attacks were once the largest trading platforms expected to run top-notch security protocols.
A recent study backed by the US Department of Homeland Security and Reuters revealed that around one-third of all Bitcoin exchanges since the birth of Bitcoin in 2009 have been hacked. As bitcoin started to gain mainstream adoption in early 2013, major cryptocurrency exchanges implemented advanced security measures to protect user funds. Multi-signature technology, arguably the most widely used security tool for bitcoin wallets and exchanges, appeared in August 2013, when it was first integrated by BitGo.
Despite the advances in bitcoin security, many exchanges failed to keep pace with the trends in the market, which ultimately led to their demise and the loss of hundreds of millions of dollars in user funds. Major bitcoin exchanges disregarded the fact that as security for crypto wallets strengthened, hackers and their malware became more sophisticated as well.
Not only big bitcoin exchanges that held and processed millions of dollars worth of bitcoin, like Mt. Gox, Bitstamp and Bitfinex, but even medium-sized marketplaces like Cryptoine fell prey to hackers. Bitstamp, for instance, which is still the sixth-largest exchange by trading volume, lost US$5 million in a malware-based cyberattack.
So, what caused the world’s largest and most reputable bitcoin exchanges to be hacked?
For most of them, it ultimately comes down to two major issues in their systems: heavy reliance on hot wallets and poor integration of multi-signature technology.
With Bitstamp, the security breach originated from a phishing attack. One of the employees at the exchange opened a random file sent to one of the company’s computers. The malware gave the hackers access to the wallet.dat file, allowing them to drain millions of dollars of user funds over time.
If the exchange had implemented multi-signature technology or stored user funds in cold wallets, it could have completely avoided the massive loss.
The US$70 million loss at Bitfinex was a similar scenario. Most of the user funds were stored in hot wallets that were secured by a multi-signature system. However, despite the exchange’s partnership with multisig wallet protection service provider BitGo, the exchange suffered a major security breach that drained user funds out of its hot wallets.
The reports submitted after the Bitfinex hack indicate that BitGo’s systems and servers were not compromised. This suggests that it was the poor integration of multi-signature technology on the part of the Bitfinex development team that caused the losses.
As we directly notified our customers earlier today, our investigation has found no evidence of a breach to any BitGo servers.
— BitGo (@BitGo) August 2, 2016
To sum up, if most of the exchanges that were hacked from 2009 to 2016 had implemented proper multi-signature security systems and cold wallet storage, most if not all user funds could have been protected even if local servers were compromised.
Joseph Young