From Mt. Gox to FTX: A Decade of CeFi Hacks, Part I

In the rapidly evolving landscape of digital finance, Centralized Finance (CeFi) platforms have been both a boon and a bane. While they have democratized access to financial services and assets, they have also become hotbeds for security vulnerabilities, attracting hackers and cybercriminals like moths to a flame. The title “From Mt. Gox to FTX: A Decade of CeFi Hacks, Part I” encapsulates the journey of CeFi platforms, from their nascent stages to their current complexities, all while grappling with the ever-present threat of hacks and security breaches.

The infamous Mt. Gox incident of 2011 and 2014 serves as a grim milestone in the history of CeFi hacks. It was a wake-up call for the industry, highlighting the urgent need for robust security measures. But as we moved forward, the vulnerabilities seemed to evolve in tandem with the technology. The advent of Decentralized Finance (DeFi) brought new opportunities but also new challenges, adding another layer of complexity to an already intricate ecosystem.

In this first part of our series, we will delve into the most significant CeFi hacks that have plagued CeFi platforms over the past decade. We will explore the underlying vulnerabilities, the impact on users and the industry at large, and the lessons learned. Our aim is to provide a comprehensive understanding of the risks involved in using CeFi platforms and to shed light on the steps being taken to mitigate these risks.

So, fasten your seat belts as we embark on a journey through a decade filled with technological advancements, financial innovations, and unfortunately, a series of hacks that have left an indelible mark on the world of centralized finance.

Overview

Since its inception more than ten years ago, the cryptocurrency market has skyrocketed by an astounding 300,000%, drawing in a plethora of skilled developers and capturing the attention of renowned investors such as Paul Tudor Jones, Ray Dalio, and Stanley Druckenmiller. Regrettably, this dramatic surge in the value of Bitcoin has not only attracted well-intentioned participants but also malicious entities like hackers, con artists, and swindlers. Based on Bitcoin’s valuation as of October 2021, we calculate that the financial toll from just the most significant hacks is approximately $88.6 billion. To put this into perspective, the estimated annual value of the entire Mexican drug trade is around $13 billion, according to a 2006 White House report.

Types of Cyberattacks

Cyberattacks are a significant obstacle to the growth of businesses in the cryptocurrency sector. These incidents have the potential to undermine trust across the entire crypto ecosystem, especially since one of the fundamental advantages of cryptocurrencies is their supposed immunity to unauthorized access and theft. In this brief article, we examine some of the most impactful CeFi hacks, thefts, and fraudulent activities that have transpired over the last ten years. For each incident, we offer a succinct background, explore the factors that facilitated the attack, and consider the ensuing regulatory and cybersecurity implications. Generally, these cyberattacks fall into three distinct categories:

1. Security Breach: This is the most prevalent type of cyberattack, often occurring when hackers identify a weak point in the security framework and maximize their exploitation of this vulnerability. This compromises the essential infrastructure of the exchanges, leaving them virtually unprotected. Such breaches are a primary reason why exchanges are perpetually updating their security features to better safeguard their users’ assets.
2. Human Error Hack: This category of cyberattack usually involves phishing emails or malware infiltrating the system, enabling hackers to access the private keys of the exchanges’ wallets. This form of attack is particularly glaring for many exchanges because it exposes their lack of attention to detail. Often, the exchanges are unaware of the ongoing attack, indicating a level of negligence on their part.
3. Agency Problem: This type of cyberattack is an inside job, not resulting from negligence or subpar security measures. Either the founders vanish, taking with them the cold wallet containing customer assets, or they collaborate with external hackers to gradually drain the wallet over a prolonged period. This is the most difficult form of attack to prevent, as internal bad actors are elusive and skilled at hiding their intentions until the timing is right for their illicit activities. Given the history of this type of attack, it’s not uncommon for crypto exchanges to offer some form of insurance against such internal security breaches.

Details of CeFi hacks Events

1. June 2011 – Mt. Gox: Part 1

In 2011, Mt.Gox, then the leading exchange in the crypto world (originally established for Magic: the Gathering Online Exchange), fell victim to a hack involving 2,643 BTC, equivalent to $30,000 USD at the time. Although the sum was relatively modest, this incident set the stage for more significant breaches that would later plague the exchange. During the attack, a computer belonging to one of Mt.Gox’s auditors was compromised. The hackers manipulated the Bitcoin to USD exchange rate to a mere $0.01. After altering the rate, the attackers gained access to the clients’ private keys. Utilizing these compromised accounts, they set up sell orders and acquired the undervalued Bitcoins through other accounts. Ultimately, the attackers made off with over 2,000 BTC using this scheme.

Additional Information: Ledger’s Flashback on the Mt.Gox Hack (www.ledger.com/hack-flasback-the-mt-gox-hack-the-most-iconic-exchange-hack)

2. March 2014 – Mt.Gox Hack: Part 2

The second chapter of the notorious Mt.Gox saga stands as one of the largest CeFi hacks in terms of the number of Bitcoins stolen from a single entity. Prior to the calamity, Mt.Gox was responsible for over 70% of global Bitcoin transactions. The exchange lost more than 850,000 BTC in the hack, with 750,000 belonging to its customers. This led to a sharp decline in Bitcoin’s value, dropping more than 32% within a month.

The roots of this massive breach can be traced back to the initial hack in June 2011, where attackers gained access to client private keys. Before September 2011, Bitcoin Core Wallet lacked encryption features for added security, making a private key file alone sufficient for wallet access. In this case, the breach didn’t occur through client accounts but via the wallet.dat file, which was Mt.Gox’s own Bitcoin wallet’s private key file. With this file, the attackers could access all the stored Bitcoins without needing any specialized passwords.

What’s baffling is that nobody at Mt.Gox seemed to realize that the keys had been compromised. Many assumed that the funds had been transferred to more secure addresses. Compounding the problem, customers continued to deposit Bitcoins into these compromised addresses from 2011 to 2014. The theft persisted until it was finally discovered in March 2014 that Mt.Gox no longer had the Bitcoins.

This catastrophic event ignited widespread discussions about enhancing exchange security and the growing necessity for cold and hardware wallets. Companies like Trezor and Ledger, which specialize in security, did not exist at the time of the breach. Since then, a plethora of security firms and advanced technologies have emerged to bolster the protective measures for exchanges.

Additional Information: Ledger’s Flashback on the Mt.Gox Hack (www.ledger.com/hack-flasback-the-mt-gox-hack-the-most-iconic-exchange-hack)

3. July 2014 – Mintpal

Mintpal, a well-known altcoin exchange of its time, was specifically targeted for its holdings in VeriCoin. Before the attack, the exchange had control over more than 30% of the existing VeriCoin, valued at $2 million USD. The hacker aimed solely at VeriCoin, not other assets. In response, Mintpal collaborated with other exchanges and VeriCoin developers to execute a soft fork. This allowed VeriCoin to roll back its blockchain to a point before the hack, effectively returning the stolen VeriCoin to Mintpal. The exchange then manually reimbursed VeriCoin holders and traders. The move was largely supported by the community, as it restored normalcy to the situation.

Additional Information: Ledger’s Flashback on the Mt.Gox Hack (www.ledger.com/hack-flasback-the-mt-gox-hack-the-most-iconic-exchange-hack)

4. January 2015 – Bitstamp

The security breach at Bitstamp led to the theft of 19,000 BTC, valued at approximately $5.1 million USD at the time, as reported by Coindesk. The hack resulted in increased selling pressure, evident in the open interest in derivatives on both BitMEX and OKCoin.

The method of this breach was different from the previous two hacks. Instead of directly hacking into private keys and emptying unaware customers’ accounts, the attackers used Skype and email to communicate with Bitstamp employees. They sent files containing malware, and one of the system administrators at Bitstamp, Luka Kodric, downloaded the malware, compromising the exchange’s system.

After gaining access, the attackers were able to reach two servers that held the wallet.dat file for Bitstamp’s hot wallet and the password for that file. The company acted swiftly to limit the damage. According to a report by Bitstamp’s General Counsel George Frost, the company was aware of the theft by the evening of January 4th.

In response to the breach, Bitstamp made the costly but necessary decision to completely rebuild its trading platform and related systems from scratch, rather than restarting the existing system. The company executed this overhaul using a secure backup in a “clean room environment.” Post-incident, Bitstamp also shifted its distribution network to Amazon’s cloud infrastructure located in Europe.

Additional Information: Coindesk Article on Bitstamp Hack (www.coindesk.com/unconfirmed-report-5-million-bitstamp-bitcoin-exchange)

5. August 2015 – BTER

The crypto exchange BTER, based in China, experienced a hack resulting in the loss of 7,170 BTC, valued at approximately $1.75 million USD. What sets this hack apart from others is that the stolen BTC came from a cold wallet, which is generally considered secure because it’s not connected to the internet. Speculation arose on Reddit that this could have been an inside job, as someone would need physical access to the cold wallet to carry out such a theft. As of the time this information was recorded, BTER announced via its Weibo account that it had reported the incident to local law enforcement and had taken other wallets offline as a precautionary measure.

Additional Information: Tech in Asia Article on BTER Hack (www.techinasia.com/bitcoins-lost-after-china-cryptocurrency-exchange-hack-bter)

Summary of CeFi hacks

The table that follows provides a summary of the cryptocurrency heists discussed earlier. In many instances, the precise date of the theft is either undisclosed or not known, so we’ve included the month in which the event took place. The BTC and USD equivalents are calculated based on the value of the stolen cryptocurrency at the time of the theft, using end-of-the-month BTC and USD rates. In situations where a direct conversion rate is not available, we’ve used a three-way conversion through BTC to USD, utilizing the mid-price at the end of the respective month.

Protocol	Date	Impetus	Amount in Coin Stolen	Amount in USD	Type
Mt.Gox Hack	June 2011	Mt.Gox Private Key Hack	2,643 BTC	30,000	Security Breach
Mt.Gox Hack	March 2014	Mt. Gox Transaction Malleability	850,000 BTC	460,000,000	Security Breach
Mintpal	July 2014	Mintpal Hack	8,000,000 Vericoin	2,000,000	Security Breach
Bitstamp	January 2015	Bitstamp Malware Attack	19,000 BTC	5,100,000	Human Error
BTER	August 2015	BTER Inside Job	7,170 BTC	1,750,000	Agency Problem