2019 Blockchain Security and Privacy Ecology Memorabilia

Source: SlowMist Security Team

The blockchain industry is developing rapidly in 2019.The concepts of centralized exchanges / decentralized exchanges, DApps, staking, CeFi / DeFi, Web3.0, etc. have gradually become familiar, and the influx of large amounts of funds has continuously attracted the attention of underground hackers. Transfer to the blockchain industry. According to the statistics of the Slow Mist blockchain hacked.slowmist.io , in the whole year of 2019, there were more than 130 security incidents in the blockchain industry, and the cumulative loss of funds exceeded US $ 5 billion. Exchanges, wallets, and DApps became Hackers attack the hardest hit area.

Slow Fog Technology will use this article to sort out the significant events that occurred in the blockchain security and privacy ecosystem in 2019, review the details of the event for readers, and attach a Slow Fog perspective to each event. Although this article lists only the tip of the iceberg, it is very representative.


ETC suffers 51% attack

Date of Occurrence: 2019-01-05

Event description:

In the afternoon of January 5th, the ETC block with a height of 7245623 changed. On January 7th, the SlowMist security team disclosed that ETC was suspected of 51% attacks, and many blocks were rolled back. In just two days, In the meantime, the ETC network suffered a total of at least 11 suspected double-spend attacks, with an ETC value of approximately $ 460,000. On January 8, the Gate.io Research Institute announced that it had confirmed that the ETC network had been attacked by 51% and targeted the attack. The ETC address of the user.

Slow Mist View
Public chains that have not been baptized with real attacks and have maintained evolution are not safe public chains. When double-spend attacks become common, public chains need to prevent and control double-spend attacks as part of the risk control mechanism. As a participant in the cryptocurrency ecosystem, preventing double-spend attacks may not just be the responsibility of the public chain. Exchanges, wallets, and investors must be vigilant.

No. 2

Cryptopia goes bankrupt after attack

Date of Occurrence: 2019-01-14

Event description:

On January 14, the New Zealand cryptocurrency exchange Cryptopia was hacked. The hacker stole a total of 16 million US dollars worth of Ethereum and ERC20 tokens, and then suspended its platform services, 13 hours before the tweet was issued. The company has stated that "the platform is undergoing unplanned maintenance", suggesting that the exchange has been hacked. Police subsequently participated in an investigation into the hacking incident, and the Cryptopia exchange was unable to continue operations. In May of this year, the Cryptopia exchange announced the closure and filed for bankruptcy protection, and the exchange owed more than $ 2.7 million to creditors.

Slow Mist View
The hacked incident of Cryptopia became the first "theft" of the exchange in the new year of 2019. Underground hackers turned the focus of the attack on the cryptocurrency exchange, and the offensive and defensive battlefield on the side of the cryptocurrency exchange became hot. Following the development of the cryptocurrency ecosystem, the professional corps of underground hackers have stepped into the world of blockchain attack and defense.


Many EOS DApps encounter transaction crowding attacks

Date of Occurrence: Starting January 2019

Event description:

In the early hours of January 11, 2019, EOS.WIN was hacked. The attacker of EOS.WIN uses a new attack method, which is a "transaction crowding attack". This attack method is the same as the previous attack method of bocai.game. The attacker first initiates a normal transfer transaction and then uses another contract account to detect the winning behavior. If the prize is not won, a large number of defer transactions are initiated to "crowd" the project's lottery transaction into the next block. This type of attack originates from the random number algorithm used by the project party to use the time seed, which makes the attacker increase the chance of winning, resulting in a successful attack.

Slow Mist View
There is no perfect random number scheme on the blockchain. As long as the variables on the chain are used as random number factors, there is a possibility of being hacked. Developers are recommended to adopt the random number security practice "Randomization in Contracts" officially recommended by EOS, or introduce a predictor. At the same time, a risk control mechanism is added to the contract design, for example, a large amount of prize pools are automatically suspended if they exceed a certain threshold.

No. 4

DragonEx hacked loses over $ 6 million in cryptocurrency

Date of Occurrence: 2019-03-24

Event description:

Cryptocurrency exchange DragonEx issued an announcement saying that the platform wallet was hacked, resulting in the theft of digital assets of users and the platform, involving more than 20 mainstream digital assets such as BTC, ETH, EOS, XRP, TRX, and a total loss of more than $ 6 million.

Slow Mist View
After the attack, security companies at home and abroad confirmed that the incident was the result of the hacker group Lazarus. By operating and simulating normal quantitative software, the organization entices the senior management of the exchange to use the external customer service of the exchange with high profits and high returns. There is a backdoor hidden in the quantification software. Once the software is delivered to a key human computer to run it will perform a series of infiltrations and hacking actions.

With the development of cryptocurrencies, the hacker group Lazarus has become more and more interested in cryptocurrencies, and the number of hacking attacks has also increased, showing the nature of APT. Let hackers no longer have opportunities.


Bithumb stolen 3 million EOS and 20 million XRP

Date of Occurrence: 2019-03-29

Event description:

On March 29, South Korean cryptocurrency exchange Bithumb admitted to being hacked. An executive said that at around 10:15 pm local time on March 29, an abnormal withdrawal was detected in the hot wallet. Hackers stole about 3 million EOS, valued at about $ 13.4 million, and 20 million XRP, valued at $ 6 million. As early as June 2018, the exchange lost $ 31 million worth of cryptocurrencies due to hacking, and Bithumb suffered two hacked incidents in less than a year.

Slow Mist View
Cryptocurrency exchanges have suffered a second attack and do not rule out internal ghosts. In the face of the magic of money, human nature can't stand the test, and the internal security risk control work of many exchanges is too lacking, which has prompted the inner ghosts to have sufficient motivation to commit crimes, resulting in the theft of coins in the exchange.


Binance stolen 7074 bitcoins

Date of Occurrence: 2019-05-08

Event description:

On May 8th, cryptocurrency exchange Binance issued a security announcement saying that on May 7th at 17:15:24, hackers stole 7,074 bitcoins (valued at approximately 40 million) from Binance Hot Wallet at block height 575012. US dollars). Hackers have previously discovered security vulnerabilities in the system, but have been patient until the system has a large amount of transactions.

Slow Mist View
As the professional hackers of underground hackers successively entered the field, professional underground hackers implanted through advanced phishing and Trojan horses, and finally obtained the private key permissions of the exchange, leading to the theft of cryptocurrency exchanges. Faced with the offensive of the professional corps of underground hackers, the security performance of the exchange side is extremely weak. The exchange can cooperate in depth with a trusted and professional security team, deploy security recommendations tailored to local conditions, and default to all untrustworthy mentalities to reach the world.


TokenStore was blasted away, taking away billions of users' assets

Date of Occurrence: 2019-06-10

Event description:

On May 31, TokenStore issued an announcement saying that due to hacking, the system will be fully upgraded and maintained for 10 days, and emphasized that the platform will continue to operate no matter what happens. On June 10, many users in the community reported that TokenStore was suspected to be running 10 days after the announcement of the upgrade was announced, and billions of investors' funds were lost in a roll.

Slow Mist View
Do n’t forget to dump the pot to hackers, it ’s a lot of tricks … Similar projects often use terms such as “high yield” and “latest blockchain technology” for packaging. In fact, they are Ponzi schemes. Distinguish carefully and never participate.


PlusToken runs away with about $ 2 billion in cryptocurrencies

Date of Occurrence: 2019-06-27

Event description:

On the evening of June 27, some investors found that their PlusToken wallet could not be withdrawn, and there were not many people who encountered the same problem. Some people found that the withdrawal time of as little as 10 minutes and up to 3 hours in the past has been unresponsive for several days, the app cannot be logged in, and the customer service is not online. It was later confirmed that PlusToken was running, and the scam had absorbed a total of more than 2 billion US dollars of cryptocurrencies, including 180,000 BTC, 6,400,000 ETH, 111,000 USDT, and so on.

Slow Mist View
PlusToken is the one with the largest amount of cases and the most victims in similar fund disk projects, which has brought serious negative impacts on the blockchain ecosystem. The Slow Mist AML system continuously tracks and traces the on-chain transactions of the PlusToken wallet. From the statistics, it is found that most of the cryptocurrencies have been cleaned using the Mixer and KYC-free currency exchange platform. Converted into fiat currency leaving.

No. 9

Bitrue stolen 9.3 million XRP

Date of Occurrence: 2019-06-27

Event description:

At 1 am on June 27, Singapore-based crypto asset exchange Bitrue suffered a major hacking attack. Its hot wallet lost 9.3 million XRP and 2.5 million ADA. The value of the stolen XRP and ADA exceeded 4.5 million U.S. dollars and $ 23.75 million.

Slow Mist View
Bitrue officials said that hackers used vulnerabilities in the risk control system to access users' personal funds and Bitrue hot wallets, thereby implementing theft of coins. Due to the lack of security awareness of the personnel inside the exchange, system defects that should not have been exposed have been exposed, giving underground hackers the opportunity to cause stolen coins.

In the blockchain world, the gap between offense and defense is obvious. The defense capabilities of most exchanges are not enough to resist the invasion of professional underground hackers. The construction of security system is very complicated. The defense needs to be comprehensive, but the invasion can be broken through at a single point.


BitPoint stolen about $ 32 million worth of cryptocurrency

Date of Occurrence: 2019-07-11

Event description:

Bitpoint hacked on July 11. Hackers attacked the exchange's hot and cold wallets, stealing approximately $ 32 million worth of Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum, of which about $ 23 million of digital currency belonged to the exchange. user. BitPoint said the number of victims was close to half of the total number of users on the exchange, up to 50,000. The exchange stated that it will bear all losses of users.

Slow Mist View
Two-thirds of the stolen funds belonged to customers, and the Financial Services Department was completely destroyed. Although the method is not disclosed, it does not exclude APT-type attacks. Underground hacking attacks are becoming increasingly fierce, and cryptocurrency exchange-side security defenses face new challenges.


Third party issues lead to platform attacks

Date of Occurrence: July 2019

Event description:

On July 5, the NPM official blog posted an article stating that the NPM security team cooperated with Komodo to discover and block malicious poisoning threats against all users of the cryptocurrency wallet called Agama. The attacker put a malicious package into Agama's build chain and used this method to steal the wallet private key and other login passwords used in the wallet application.

Slow Mist View
The current technical architecture cannot be separated from the third-party JavaScript library. All project technical teams should force at least one core technology to review all third-party modules to see if there is suspicious code. You can also capture the package to see if there is suspicious. request.


BitMEX, Binance user identity information leaked

Occurrence dates: August, November 2019

Event description:

On November 1, 2019, when BitMEX sent a platform email notification, the email addresses of all recipients of the email were leaked because no blind copy setting was used. Afterwards, a researcher posted on Twitter that more than 23,000 email addresses had been collected.

Binance user KYC data leak incident occurred in August 2019. Someone publicly released Binance user KYC data through the Telegram group "FIND YOUR BINANCE KYC". After that, Binance released news that the KYC data and Binance system information transmitted by the Telegram group. No, the picture does not have a Binance specific electronic watermark, and it cannot be proven that it is from Binance.

Slow Mist View
User identity information should be encrypted and protected with high intensity. The platform should implement this strategy in the early architecture design to avoid such sensitive information leakage events.


Upbit stolen 342,000 ETH

Date of Occurrence: 2019-11-27

Event description:

The South Korean exchange Upbit announced that 342,000 Ethereum were stolen and have been transferred to an unknown Ethereum address (0xa098 … 029) with a total value of about 50 million USD. Previously, according to on-chain data monitored by WhaleAlert, Upbit frequently transferred large amounts of cryptocurrencies, including SNT, EOS, OMG, XLM, TRX, ETH, etc., with a total value of more than $ 100 million. Subsequently, an official announcement clarified that only ETH was stolen by hackers, and the rest of the assets were transferred to the cold wallet by the exchange for security.

Slow Mist View
At present, it is suspected that it is related to the APT (Advanced Persistent Threat) attack that has been active before. This attack is characterized by long-term latency until it encounters a large amount of operable funds and a large amount is stolen at one time. Of course, the possibility of inner ghosts cannot be ruled out. The stolen was Upbit's ETH hot wallet, and the cold wallet should be risk-free.

Attachment: Summary of Exchange Security Attack and Defense

A large number of security incidents occurred in the exchange field in 2019, each of which caused huge losses. Slow Mist Technology has a deep deposit in the security attack and defense of the exchange. We have concluded that there are mainly the following attack methods:

1. Inner ghosts commit crimes. Indeed, in the face of the magic of money, human nature can't stand the test, and the internal security and risk control construction of many exchanges is too lacking, which has prompted the inner ghosts to have sufficient motivation to commit crimes, leading to stolen coins;

2. Fake recharge vulnerability attack. Some exchanges have insufficient security experience on various public chains or tokens that are docked, leading to false funds in the recharge process, but the exchange system considers them to be true, resulting in stolen coins;

3. APT attack. Professional underground hackers use advanced phishing and Trojan implants to infiltrate layer by layer and eventually obtain the private key authority of the exchange, resulting in stolen coins;

4. Supply chain attacks. The third-party components used by the exchange were hacked with malicious code, which indirectly affected the exchange's security defense and led to stolen coins;

5. Carelessness. Due to the lack of security awareness of the personnel inside the exchange, system defects that should not have been exposed have been exposed, giving underground hackers the opportunity to cause stolen coins.

From these main attack methods, two main characteristics can be summarized:

1. The human nature of internal staff, lack of safety awareness and safety experience;

2. The gap between offense and defense is obvious. The defense capabilities of most exchanges are not enough to resist the invasion of professional underground hackers.