Why does the crypto industry keep getting hacked?
It’s not just the roller coaster valuations that make cryptocurrency risky. There are also the security issues.
Last week saw several major crypto hacks. One affected wallets mainly related to solana coins, and another hit Nomad, a blockchain bridge where users exchange assets on different blockchains. The losses were around 200 million dollars.
And these are just the latest hacks. So far this year, more than $1 billion has been stolen.
So why is this industry such a target?
Josephine Wolff is an associate professor of cybersecurity policy at the Fletcher School at Tufts University. The following is an edited transcript of her conversation with Marketplace’s Meghan McCarty Carino.
Josephine Wolff: One of the things you worry about a lot with cryptocurrencies is that there are a whole bunch of intermediary organizations and companies involved, and each one is building software that can potentially be broken. So you have different organizations coming up with blockchain ledgers that record these individual transactions. But you’ve also got companies building wallets that hold people’s digital assets. And then you have cryptocurrency exchanges. So each of these different types of software layers in the cryptocurrency ecosystem creates an opportunity to break something and steal money.
Meghan McCarty Carino: When we look at some of the big hacks that are known, do they have factors in common?
Wolff: If we look at the type of major money laundering breaches surrounding cryptocurrency, there is often a common thread in a cryptocurrency exchange that has failed to effectively protect its users’ credentials. So people are able to steal not just one or two passwords, but all the passwords from a database. Or somebody has implemented the cryptocurrency wallets in an insecure way in a way that it’s possible for somebody to get in there and transfer money out of those wallets without even needing the passwords and the credentials that users would traditionally use, so I would say that definitely are two weak points — the wallets and the exchanges.
McCarty Carino: Why do you think we’ve seen cybercriminals seem to be targeting wallets and exchanges?
Wolff: I think two related reasons. One is that there is a lot of money in this ecosystem. And the second is that there is an almost total lack of regulation around most of these intermediaries. So you have wallet providers, you have cryptocurrency exchanges, you have all these people who are kind of effectively playing the role of a bank, or at least part of what we traditionally rely on banks for, but without all of the oversight and regulation.
McCarty Carino: So what can companies in this ecosystem do to better protect themselves against these hacks?
Wolff: The large part of this that we have largely found out for traditional banks and finance companies has to do with record keeping. Things like know-your-customer laws, anti-money laundering regulations, where if someone comes in and says, “I want to open a cryptocurrency account or wallet and transfer money in and out of it,” then institutions can say, “OK, we need some information about you. We need to see your ID, we need to keep track of certain large transactions or transactions in and out of the country,” things like that. It doesn’t prevent theft, but it allows some types of police and law enforcement after the fact to go back and say, “OK, if we’re trying to trace what happened here, do we have any records that make that possible?” On the blockchain and wallet side, a lot of this is actually about testing software security. It’s about trying to understand, “OK, as I’ve written code to say, this is Meghan’s wallet, this is Josephine’s wallet, I’ve left some bugs in that code that will allow someone to get in there and change who those cryptocurrency tokens is assigned in this type of software that we have written? And that’s really traditional software testing, hiring people to try to hack it, to see if they can find any vulnerabilities. Taking time for the development process, which I think is also often a big challenge in these cryptocurrency settings where things move really fast and people are always trying to get ahead of the next thing.
McCarty Carino: Is there anything individual consumers can do?
Wolff: It is quite difficult. When we look at most of these hacks, it’s not really about whether individuals used good passwords or practiced good security hygiene, it’s really about whether the institutions they trusted did a good job of securing their cryptocurrency wallets.
McCarty Carino: What does the current landscape look like for protection and government supervision? And how does it vary from country to country?
Wolff: There are some rules, certainly in the US, that apply to cryptocurrency exchanges. They are required to comply with most traditional know-your-customer and anti-money laundering regulations. However, different states have taken different approaches. Famously, the state of New York announced that they were going to require BitLicenses, and a whole bunch of other places have sort of tried to implement their own types of regulatory oversight to make sure that there’s less opportunity for cybercriminals to pass through these types of cryptocurrency exchanges. In other countries, we have seen very different approaches. China has taken an approach that basically cryptocurrency is illegal – we don’t want anyone to buy or sell it in our country. Russia has essentially taken an approach that we are not going to monitor anything done in cryptocurrency exchanges, but we want people to pay taxes on cryptocurrency earnings. And then there is a tax framework that they have tried to develop in recent years. And what this means is that you kind of have a very easy way to move money between countries and find the country where there’s going to be the least concern about what you’re doing with your cryptocurrency, which has been very beneficial to a lot of cybercriminals.
McCarty Carino: Could more government oversight and regulation of the industry solve some of these problems?
Wolff: I think it could. The challenge here is that even if the US can kind of get its act together and figure out how to regulate cryptocurrencies, if they want restrictions, they’re still going to have this big problem that, for example, most of the big ransomware rings are based on . out of Russia and Eastern Europe. And it’s not a problem that a single country can really solve even where there are so many different exchanges.
The Verge reports that one of the cryptosystems targeted — Solana — said its own investigation showed no evidence of a breach of protocol and that only one type of user wallet was compromised.
Another hacking target, Nomad, offered a bounty for the stolen tokens, according to Bloomberg News. The company said that anyone willing to return 90% of the hacked funds will not be prosecuted and can keep the remaining 10% as a reward.
We also aired a feature last month on state-sponsored crypto hackers in North Korea.
Wolff wrote for Slate earlier this year about probably the most famous alleged crypto-hackers: a New York couple charged with laundering $4.5 billion. It’s a colorful story — one that, she wrote, feels like a “far-fetched movie plot.”
Apart from the astronomical sums involved, the accused had positioned themselves as a sort of crypto-quasi-celebrity, sharing advice and amateur rap videos on social media. One of these videos isn’t exactly safe for work—think dance moves and language to fit the bill.
It’s something else. Let me tell you.
