3 Key Takeaways From Last Year's Biggest Crypto Hacks

By Lior Lamesh, CEO of GK8

2020 will be remembered as the year institutions, everyday investors, and business giants began to take cryptocurrency seriously. Responding to author Ben Mezrich’s tweet saying he will never refuse being paid in Bitcoin again, Elon Musk teased “me neither." As their prices soared, cryptocurrencies were welcomed by global regulators, led by the OCC’s letter of intent published back in July, authorizing U.S. banks to start offering custody of digital assets.

The rise of crypto over the last year was accompanied by cyber-attacks and hacking incidents on digital assets that netted $1.8 billion over the first 10 months of 2020. As crypto becomes institutionalized, going from a niche investment to a mainstream asset held by tens of millions of consumers in the U.S alone, banks are expected to take the plunge into the digital asset space. With big banks joining the party, hackers will become more incentivized to attack than ever before.

Indeed, 2021 may very well be the year hackers shift their sights from crypto exchanges to commercial banks that begin handling crypto. One thing is certain: hackers will try to exploit the “learning curve” that banks will inevitably go though as they enter a new domain that requires very different security protocols and technology that those currently employed in banks’ IT infrastructure.

No two hacks are identical. But by closely examining the major crypto hacks that took place over the past year, we can draw three key learnings that can bear valuable insights, helping banks better protect themselves in the crypto space.

1. Hot wallets are hackable

Altsbit is a small Italian crypto exchange. KuCoin is one of the largest exchanges in Southeast Asia. Harvest Finance is a niche smart contact DeFi protocol provider, and Exmo is a UK-registered exchange serving customers mainly in Russia and the Ukraine. What do these four have in common? They were all hacked in 2020, with hackers stealing private keys from their Hot Wallets. Each of these exchanges quickly admitted the hack and clarified that it was limited just their hot wallets. In fact, they went out of their way to stress that their Cold Storage devices remained intact. Which is the perfect segue to the next takeaway from 2020 hacks:

2. Cold wallets are indeed hack-proof; the problem is that storage solutions that claim to be cold aren’t really cold

Cold wallets also claim to enable signing on transactions and managing crypto assets without being connected to the internet, keeping users’ private keys outside the reach of hackers. In reality, this claim is only partially true, at best. Here’s why: In order to make a cryptocurrency transaction, each user must obtain a string of auto-generated data created by the blockchain. This random string is absolutely mandatory in validating the signed transaction -- without this signature, the miner will simply disregard the transaction and avoid from inserting it into the blockchain.

No matter how safe users keep their Cold Wallets, the moment they want to buy, sell or move around Bitcoin, Ethereum or any other digital currency, they need to connect the cold wallet to the internet. Once connected, cold wallets become vulnerable to attacks. Skilled hackers know how to creatively find attack vectors on virtually any machine connected to the internet. Sure, it might take them time and effort, but the general rule of thumb is that it takes an average investment of $1M to hack a single PC. Once hackers set their sights on a PC with a cold wallet plugged into it, they will find a way to hack it. Since any transaction to the blockchain is irreversible, hackers can use your private key to create a transaction and drain your account from all its digital assets minutes after they take over your local environment.

3. Unclear key management protocols are an accident waiting to happen

Something strange happened to global crypto exchange OKEx back this Fall: Its founder went missing, taking with him exclusive access to users’ private keys. OKEx announced a withdrawal freeze on all of its assets, which ended up lasting over five weeks. While there was no direct out-of-pocket loss, the reputational damage to OKEx was severe, undermining the fundamental trust between the exchange and its customers. The key takeaway from the OKEx incident is that any institution handling crypto can’t afford to run an architectural flow with a single point of failure. This is exactly where effective governance, control, and compliance are required in safeguarding digital assets from both hackers and inside jobs. Simply put: no single person should have access to all private keys—no matter how high their pay grade is. 

In summary, 2021 has great potential for going into the books as the year in which crypto enters the official mainstream, with banks becoming major players in this market. But the premise for this rosy prediction is that bankers learn from the painful lessons that 2020 hacks taught us. Otherwise, they will find themselves as the targets of cyber attacks that will bear catastrophic consequences, in direct financial loss, reputational damage, and loss of goodwill.

Lior Lamesh is the CEO and Co-Founder of blockchain cybersecurity company GK8

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.