CoinFox recalls the most notorious hacks of the year that gave a good shake to the industry and taught a tough lesson to those who do not care enough about security.

ShapeShift: a betrayed victim

This spring, the ShapeShift exchange was unlucky enough to be hacked three times in a row. The first attack happened on 14 March and, according to ShapeShift, was carried out by one of the company's employees, who helped 315 BTC (about $130,000) leak from a hot wallet. The offender was promptly detected and fired, while the exchange started moving the platform to a more secure software and hardware infrastructure.

The second attack took place on 7 April. Cybercriminals stole 97 BTC, 3,600 ethers and 1,900 litecoins. Only two days later, on 9 April, one more cyberattack followed, in which hackers stole 57 BTC and 2,200 ethers from ShapeShift’s servers. Overall, the attacks resulted in a loss of about $100,000.

It turned out that the fired employee had sold security information to hackers, enabling them to carry out the April attacks. One of the criminals acknowledged purchasing access to ShapeShift’s API from a former staff member.

 

Gatecoin: pulling the pieces together 

The Gatecoin exchange fell prey to a dire cyberattack in May, losing 185 bitcoins and 250 ethers. The attack lasted several days, with the total amount stolen estimated at $2 mln at the time of the hack. The loss amounted to 15% of all cryptoassets held on Gatecoin accounts.

As the exchange reported, the first attack began on 9 May and lasted for three days. On 13 May, Gatecoin had to suspend its activity.

To repay the stolen funds to their original owners and to keep the company afloat, Gatecoin launched a fundraising campaign. The main channels were equity investment, debenture investment and profit from block trades. $500,000 came from a listed Japanese investor, and 5,000 ethers from the Poloniex exchange. The investments were partially used to set up a better security system and to employ new cybersecurity specialists.

 

Steemit: attack as a push to innovation 

On 14 July, the blockchain-based social network Steemit fell prey to a hack. 260 accounts were compromised, and $85,000 worth of Steem dollars and tokens was syphoned off.

As was explained a few days later, the attack on Steemit targeted neither the Steem blockchain nor its servers:

“As some of our users have mentioned, the Steem blockchain was never hacked. Likewise, our servers were never hacked. Instead, the hacker exploited browser-side vulnerabilities, a challenge that every Fortune 500 company faces as well. After patching the problem, we are now at work on a new multi-factor authentication solution that would prevent similar attacks from happening again.” 

Users, even those unable at that time to access their accounts, could see all transactions in the Steem blockchain through the read-only monitoring tool steemd.com. This also motivated a number of users to propose “making the entire source of Steemit.com available on GitHub, to allow for backup hosting by the community,” an idea supported by the lead developer Dan Larimer.

To return compromised accounts to their original users, a new "revolutionary" recovery solution was proposed on 17 July, introducing the element of “the trusted individual” or “someone who can identify you independently of your key.” Later, a more traditional four-step restoration procedure was implemented, involving other social networks as an option for authentication.

 

The DAO: the hack that split Ethereum

The DAO, the decentralised Ethereum-based investment fund that once set an all-time record by raising over $132 mln in a crowdsale, was robbed on 17 June. This caused a significant decrease in the price of ether.

The offender drained the cryptocurrency from The DAO into one of the child DAOs created using the platform’s split function. The attacker called the split function recursively inside the original split, thus repeatedly collecting ether within a single transaction.
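The recursive-call flaw described above can be modelled in a few lines. This is an added example, not The DAO's contract code: the classes VulnerableFund and HardenedFund, the split() signature and the balances are constructed for illustration. It shows the payout-before-bookkeeping ordering beside the corrected ordering (update the ledger, then pay), and an invariant check that flags the shortfall.

```python
# Toy model of the bug class described above (re-entrancy). Constructed example;
# VulnerableFund, HardenedFund and split() are hypothetical names.

class VulnerableFund:
    """Pays out first and updates the ledger afterwards."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.pool = sum(balances.values())    # ether actually held

    def split(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount           # interaction: ether leaves the fund...
        receive(amount)               # ...and control passes to the recipient
        self.balances[who] = 0        # effect: ledger is updated too late


class HardenedFund(VulnerableFund):
    """Checks-effects-interactions: zero the ledger entry before paying."""
    def split(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.balances[who] = 0        # effect first
        self.pool -= amount
        receive(amount)               # a nested split() now sees balance 0


def run(fund_cls, max_depth=3):
    """Recipient 'mallory' calls split() again from inside its callback."""
    fund = fund_cls({"alice": 50, "bob": 40, "mallory": 10})
    collected = []

    def receive(amount):
        collected.append(amount)
        if len(collected) <= max_depth:       # bounded, like a gas limit
            fund.split("mallory", receive)

    fund.split("mallory", receive)
    # Invariant: the pool must still cover every remaining ledger entry.
    solvent = fund.pool >= sum(fund.balances.values())
    return sum(collected), fund.pool, solvent
```

With the vulnerable ordering a 10-unit balance is paid out four times and the invariant fails; with the hardened ordering the nested call finds a zero balance and returns.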

However, due to the platform design, the attacker could not withdraw the stolen tokens from the child DAO for at least another 27 days, which gave Ethereum developers the time they needed to come up with a solution.

First, the group of developers known as “Robin Hood” rescued 72 mln ethers by moving them to safer child DAOs. Then Ethereum successfully performed a hard fork to roll back the exploiting transaction. More than $40 mln worth of ether was transferred from the attacker's account to a rescue smart contract.

However, not all Ethereum users were happy about the “hard fork”. They argued that this move would undermine the platform’s credibility, violate the basic principle of blockchain operation – its inalterability – and challenge the decentralised character of the entire ecosystem. This resulted in the emergence of Ethereum Classic, an alternative pre-fork version of the blockchain and its related token, which is now increasingly traded on cryptocurrency exchanges.

 

Bitfinex: keep an eye on your keys 

On 2 August, Bitfinex reported a massive hack which led to the loss of 119,756 BTC, resulting in a temporary plunge of the cryptocurrency price. The reasons that made the attack possible are still being investigated. 

According to the current security scheme, when a user initiates a withdrawal, Bitfinex signs the transaction with its keys and sends it over to the security provider BitGo, which adds its own signature. If someone gets access to Bitfinex's servers, they can misuse Bitfinex's keys and then have the transaction verified at BitGo, which at this stage is unable to distinguish between the original owner and the hacker.

Therefore, it is likely that the intruder obtained the signing key of the exchange and started sending withdrawal signing requests to BitGo, which were processed without further checks. Bitfinex representative Zane Tackett admitted this on Reddit.

It is notable that the Hong Kong exchange held 2/3 of the keys to multiple individual users' accounts, except for verified US customers, who could keep the third key to themselves. If only Bitfinex's keys had been compromised, verified US customers would not have suffered. However, one of the clients in the States has already acknowledged being robbed of their coins.

According to the company, "there were limits in place to restrict the amount of bitcoin that could be signed for a withdrawal," and Bitfinex is now trying to establish how these limits were bypassed. As for BitGo, it denies being hacked.
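The co-signing weakness described above, as an added example that is not Bitfinex's or BitGo's code: a second signer that only checks the first signature, beside one that also enforces a withdrawal limit from its own records. The class names, the limit, the key and the request list are constructed, and HMAC stands in for a real transaction signature.

```python
import hashlib
import hmac

# Constructed model: HMAC stands in for a transaction signature; all names,
# the key and the sample requests below are hypothetical.
KEY = b"constructed-exchange-key"
REQUESTS = [("w1", 5, 0), ("w1", 5, 60), ("w1", 5, 120),
            ("w2", 8, 130), ("w1", 5, 90_000)]   # (wallet, amount, unix ts)


def sign(key: bytes, wallet: str, amount: int, ts: int) -> bytes:
    msg = f"{wallet}|{amount}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class RubberStampCoSigner:
    """Co-signs anything that carries a valid first signature."""
    def __init__(self, exchange_key: bytes):
        self.exchange_key = exchange_key

    def approve(self, wallet, amount, ts, sig) -> bool:
        expected = sign(self.exchange_key, wallet, amount, ts)
        return hmac.compare_digest(expected, sig)


class PolicyCoSigner(RubberStampCoSigner):
    """Also enforces its own per-wallet limit over a rolling window."""
    def __init__(self, exchange_key, limit, window_s=86_400):
        super().__init__(exchange_key)
        self.limit, self.window_s = limit, window_s
        self.history = {}                       # wallet -> [(ts, amount)]

    def approve(self, wallet, amount, ts, sig) -> bool:
        if not super().approve(wallet, amount, ts, sig):
            return False
        recent = [(t, a) for t, a in self.history.get(wallet, [])
                  if ts - t < self.window_s]
        if sum(a for _, a in recent) + amount > self.limit:
            self.history[wallet] = recent
            return False                        # refuse; state is unchanged
        self.history[wallet] = recent + [(ts, amount)]
        return True


def replay(cosigner, requests, key):
    """Total amount co-signed when every request carries a valid signature."""
    return sum(a for w, a, ts in requests
               if cosigner.approve(w, a, ts, sign(key, w, a, ts)))
```

Because every request here is validly signed with the exchange key, the first co-signer approves all of them, while the second caps each wallet at its limit per window regardless of who holds that key.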

Bitfinex promises to reopen access to the site soon so that users can log in to their accounts, and to compensate owners for the stolen funds.

 

Lyudmila Brus