Written by: Julia Gerstein, a crypto trading bots enthusiast and a content writer at TradeSanta. My final goal is to help readers find what they need, understand what they find, and use what they understand appropriately.
On Nov. 27, 2019 around $52 million worth of Ethereum (ETH) was transferred from the UPbit hot wallet to the address of someone who is now known as UPbit Hacker #1. This, of course, is not the first or the last hack in the long list of crypto exchange breaches. Still, the more time passes, the more millions get nabbed, which raises concerns about lessons learnt.
At present, there are hundreds of exchanges on the crypto market, so we are not going to look into all of them. It is probably fair to assume that most of them are not interesting hack targets.
In this piece, we decided to take a look at the exchanges that are known to have considerable trading volume and have been on the market for a while.
We’ll start with exchanges that have highest trading volume, then look at the ones with lowest wash trading and finish with the popular exchanges that weren’t hacked despite their long history on the market.
How many were attacked? And which ones were not hacked at all?
Top exchanges hacked
The initial criterion for this particular group of exchanges to get the “top” spot is their trade volume. As of writing, Binance has got a $ 686.54 mln daily trade volume, OKEx reports $ 339.73 million and Bitfinex – $ 49.40 million.
Binance – 7,000 Bitcoin (BTC) stolen, May 7, 2019
How many hacks: 1 reported hack
Reimbursement: Binance claimed to refund users’ lost coins from its emergency fund, SAFU.
The mechanics of the hack: hackers obtained users’ API keys and then transferred funds from trade-only access accounts to withdrawal access accounts.
OKEx – allegedly more than 600 Bitcoin (BTC) stolen, Aug. to Oct. 2017
How many hacks: no reported hacks
Reimbursement: the platform has always denied that it had been hacked. However, multiple users reported their accounts being breached within the same time frame. Rumour has it that one user lost more than 200 BTC.
The mechanics of the hack: OKEx stated that several users’ passwords were stolen.
Bitfinex – 120 000 Bitcoin (BTC) stolen, Aug 2, 2016
How many reported hacks: 2 hacks reported here and here
Reimbursement: in order to reimburse the users, back in 2016, the exchange came up with a strategy where they issued BFX tokens that were redeemable in USD, and investors were reported to get their money back. In November 2018, the company was alerted that the U.S. government had obtained Bitcoins believed to be proceeds from the 2016 hack. Since then, they have retrieved roughly 28 Bitcoins from the government.
The mechanics of the hack: the attackers were able to exploit a vulnerability in the multisig wallet architecture of Bitfinex and BitGo that processed withdrawal requests from the hacker that had obtained access to Bitfinex’s keys.
“Cleanest” Exchanges Hacked
In September 2019, the Blockchain Transparency Institute published their latest report on the cleanest cryptocurrency exchanges, which included Kraken, Poloniex, Coinbase and Upbit.
The ranking was based on the least percentage of wash trading in the ecosystem as well as real trade volume reports.
So, let’s see which of those trading venues have been hacked so far.
UPbit – around $52 million in Ether (ETH) stolen, Nov. 27, 2019
How many hacks: 1 reported hack
Reimbursement: according to Lee Seok-woo, CEO of UPbit’s operator, Dunamo, the exchange will refund users’ lost money with the company’s assets.
The mechanics of the hack: at the time of writing, there is still no information on the specifics of the breach.
Poloniex – about 12.3% of the total BTC supply, Mar. 4, 2014
How many hacks: 1 reported hack
Reimbursement: Tristan D’Agosta, a.k.a. @busoni, said on Bitcointalk that he takes full responsibility for this and is committed to repaying the debt of BTC. “The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone’s balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity.”
The mechanics of the hack: the hackers found a vulnerability in the withdrawal code of Poloniex.
Coinbase – $100 000 stolen, May 15, 2019
How many hacks: 1 reported hack
Reimbursement: none
The mechanics of the hack where $100 000 was stolen: SIM port attack. According to a user hacked, the attacker first learned that the victim had money. Then, they spoofed this person’s mobile provider to impersonate him and requested a new SIM. Once they obtained the victim’s SIM, they ported it to their phone with a goal to initiate the password reset flow via email. When they hacked the user’s email address, they worked their way into the user’s Coinbase account.
Still Not Hacked
This group describes the exchanges with significant trading volume that haven’t been hacked yet. Interestingly, those exchanges also turned out to be pioneers of the niche and were established long before the 2017 hype.
HitBTC
Established in 2013, HitBTC is one of the oldest cryptocurrency platforms that has been working towards innovations.
These days it is looking to implement FPGA chips and is considering fiber-optic cables as well as colocation data centres.
So, maybe the innovative approach keeps them safe? Whatever the case, their website claims that on the security side, they “reserve the right to take different measures of protection, which include, but are not limited to a diversification of crypto assets in different allocations whether on a segregate record (account) or not.”
Kraken
Founded in 2011, Kraken is one of the oldest trading venues in the niche. Its reputation was challenged once in 2016 when multiple claims emerged that users’ personal accounts were compromised and assets nabbed.
Yet, Kraken didn’t comment and issued a petition to the FBI’s Cyber Crimes Division instead.
A month into the investigation, the platform’s users were presented with the clarification, in which the exchange stated it was never compromised.
The exchange stated that users lost their funds because of man-in-the-middle actors and asked everyone one more time to enable security features, such as two-factor authentication for withdrawals or the Global Settings Lock to restrict unfamiliar IP access.
Huobi
Huobi was founded in 2013 by Leon Li, a former computer engineer at Oracle. The exchange once wrongly deposited 920 Bitcoins and 8,100 Litecoins into 27 different accounts, but reimbursed all the users later.
According to their website, in 2019, the trading venue has completed the security upgrade of their wallets.
Those included their Investor Protection Fund, OTC merchant deposit, project team deposit of Huobi Next, listing voting of Huobi Next, eco-fund investment locking, Global Elites deposit, etc.
The exchange applies cutting-edge technologies allowing users to run TradeSanta bots on top of it and storing investors’ funds in dedicated multi-signature cold wallets.
In Summary
Is there a hope that the best of the best will be able to eliminate all threats coming from the attackers some day? Yes, there is! The group of exchanges that haven’t been hacked so far is proof of that.
However, we’re not there yet 100%. Losses from digital currency illegal acts soared to $4.4 billion in Q3, 2019, up more than 150% from $1.7 billion in 2018.
So the night is young for the ecosystem of exchanges. If you take away one thing from this guide, remember to keep your cryptocurrencies under your control and in cold wallets rather than on exchanges.