Naked Security

Bitcoin’s soft and vulnerable underbelly

Your bitcoins are only as safe as your private key

How can you lose playing the cryptocurrency investment game? Let us count the ways.

Yes, it’s obvious, or should be, that simply investing in Bitcoin or its hundreds of crypto colleagues can be a wild ride. You can make money fast, but you can also lose it fast. Any sober financial adviser will tell you only to play with money you can afford to lose.

But there are ways beyond the fluctuating value of a currency that you can lose as well, and with no prospects of your investment bouncing back. Cryptocurrency exchanges are websites where such currencies are bought, sold and stored. For Bitcoin and its ilk they’re a soft and vulnerable underbelly.

Bitcoin owners can spend, sell, trade, donate or otherwise use their bitcoins with little fear of the strong cryptography behind them being cracked. It’s as close to bulletproof as you’ll get – so long as you keep your private keys private.

If you upload your private keys to an exchange to make trading easier then your keys are at the mercy of that site’s security.

Websites can be hacked and keys can be stolen. And there is no Federal Deposit Insurance Corporation (FDIC) to protect your assets – the exchanges are not backed by any governments or central banks.

Besides that, they are run by people who may or may not be trustworthy and who are not regulated. They might be as clever as Satoshi. They might not. They might be crooked. They might be incompetent. Their sites might be insecure. All that can add up to serious subtraction – as in the loss of millions.

One victim is Dan Wasyluk, who served as the opening anecdote in a Reuters story last week about the risks of cryptocurrencies, which began by noting that he had, “discovered the hard way that trading cryptocurrencies such as Bitcoin happens in an online Wild West where sheriffs are largely absent.”

In Wasyluk’s case, about three years ago he and some colleagues took bitcoins they had raised for a tech venture and parked them in escrow with a company running an exchange called Moolah. Months later the exchange collapsed. The former CEO, Ryan Kennedy, who created the exchange under the name Alex Green, is awaiting trial in Britain after pleading not guilty to fraud and money-laundering charges.

The group’s loss of 750 bitcoins was estimated at about $3 million, and Wasyluk, probably correctly, doesn’t think he’ll get any of it back, given that Kennedy is currently serving jail time on a rape conviction.

Wasyluk is not an outlier. Given the underground nature of the entire cryptocurrency structure, it should be no surprise that Reuters found that the exchanges, “have become magnets for fraud and mires of technological dysfunction … posing an underappreciated risk to anyone who trades digital coins.”

As David L. Yermack, chairman of the finance department at New York University’s Stern School of Business, put it to Reuters, “If you’re a consumer, there’s nothing to protect you.”

That has been made painfully clear a number of times – Reuters reported that there have been, “at least three-dozen heists of cryptocurrency exchanges since 2011,” and that more than 980,000 bitcoins have been stolen, which would have a value today of about $4b.

One of the most prominent was Japan-based Mt. Gox, which Naked Security’s Paul Ducklin called the “Big Daddy of Bitcoin exchanges.” As he put it, in 2014, “it made a, ‘So sorry, they seem to have vanished,’ announcement about a whopping 650,000 bitcoins, worth approximately $800 each at the time.”

Claims approved by a bankruptcy trustee are more than $400m, but three years later, nearly 25,000 Mt. Gox customers are still waiting and hoping for some kind of reimbursement.

And a year ago in August, hackers breached an authentication system at a Hong Kong exchange called Bitfinex and stole an estimated $72m in Bitcoin – an amount second only to Mt. Gox. Investors did eventually get partial reimbursement, but took what Coindesk described as, “a 36% haircut.”

There are plenty more stories like that. Tyler Moore, assistant professor of cybersecurity at the University of Tulsa’s Tandy School of Computer Science, who has researched the vulnerability of Bitcoin exchanges, told Fortune that from 2009, when Bitcoin was created, through March 2015, 33% of all operational Bitcoin exchanges were hacked.

This doesn’t seem to be putting people off cryptocurrency trading, though – there are now an estimated 900 different cryptocurrencies in existence. Their fundamental selling points – that they circumvent the conventional money system and promise anonymity – are pretty compelling.

Add to that the spikes in value – a bitcoin was worth barely more than $1000 at the beginning of the year and is currently at $4350 USD. But they are also vulnerable to “flash crashes” – sudden, precipitous drops in value. As Reuters reported:

On May 7, traders on a U.S. exchange called Kraken lost more than $5 million when it came under attack and couldn’t be accessed, according to a class-action lawsuit filed in Florida. During the incident, the suit alleges, the exchange’s price of a cryptocurrency called ether fell more than 70 percent and the traders’ leveraged positions were liquidated. They received no compensation.

And those damages weren’t even from theft.

It has long been said that it doesn’t matter how secure your organization, or personal information and assets, are if you connect them with third parties that are less secure. So take note: Exchanges are third parties.

3 Comments

That is why, sir, the people behind the reinforcement of blockchain technology are creating a decentralized exchange, where the people have all the safety a private transaction has to offer. No more need for licensed 3rd party exchanges, those that can be hacked by evil forces, or controlled by the banks and government. The best solution here is decentralized everything: government can see the exchange’s transactions, but everyone has no power to manipulate one. Less cost, less interference from governments and banks, safer transactions than governed by a central figure.

Wonder if converting to “paper wallet” that is securely stored off-site mitigates much of this?

A wallet that you control mitigates this but makes trading difficult. If you want to let software perform trades on your behalf, based on buy or sell criteria, then you have to trust the exchange with your money.
