Lessons from Crypto Exploits

Today, the global cryptocurrency market is valued at over $3T, drawing millions eager to claim their stake.
What was once a niche world has gone mainstream, bolstered by celebrity endorsements, grandiose claims that digital coins will one day usurp fiat currency, and viral stories of ordinary people amassing unimaginable wealth overnight.
The mass influx of investors into the digital markets has created a new environment in which cybercriminals are thriving. Although security failures do exist, blockchain technology is generally secure. However, the rebranded technologies that constitute the broader ecosystem remain vulnerable, resulting in a surge in scams, hacks, and schemes.
Over the past year, HackerOne has seen a 147% increase in vulnerabilities reported to crypto and blockchain organizations. Out of those reported, an alarming 24% were high or critical in severity.
As security researchers know, no system, no matter how advanced or secure it may seem, can be entirely invulnerable. To the uninitiated, however, advertising buzzwords and the involvement of large institutions and governments lend a sense of legitimacy, leading many to overlook security concerns. This lack of caution has resulted in billions lost.
Human error, combined with the market's largely unregulated nature, which makes it challenging to recover what has been stolen, has made the cryptocurrency market an attractive target for those with malicious intent.
This arena is especially attractive to cybercriminals as they no longer have to establish extensive networks of money mules and cover their tracks through long series of transactions between multiple institutions. Now, as long as they can steal a private key or a list of passphrases, they can easily launder the stolen funds using a “mixer” service to break the traceable chain of possession.
In recent headlines, hackers stole ~$1.4B in Ethereum in what is now the largest cryptocurrency heist on record, with blockchain analysts linking the attack to North Korea's Lazarus Group.
In this article we will review cautionary tales of those who overlooked the risks and draw what lessons can be learned.
SIM Swaps
The Subscriber Identity Module (SIM) card of a mobile device is used to identify and authenticate a user so they can access their carrier’s network: allowing them to make calls, send text messages, and access the Internet. By associating a subscriber with a SIM card, the network ensures that calls and text messages are routed to the intended recipient. The SIM card contains the phone number associated with the subscriber and also stores the contact list and text messages.
Originally, SIM cards were physical electronic chips that could be removed from and inserted into a device. Now, modern devices integrate embedded SIMs (eSIMs), which are built directly into the device. eSIMs enable service carriers to remotely manage your mobile service, including transferring your phone number from one device to another. This makes it easier for users to switch devices while retaining the same phone number and service.
However, this level of convenience has come at a cost.
In 2020, Joel Ortiz became the first person in the U.S. to be convicted for SIM swapping attacks, accepting a plea deal carrying a decade-long prison sentence.
Many account recovery processes rely solely on security tokens sent via text message, making it easy for perpetrators to hijack their targets' accounts once they possess their phone number. While mobile providers do ask identity-verification questions, vast amounts of data from past security breaches are readily available on online forums, either for free or at a relatively low cost. These data dumps often contain full customer records, including the answers to the very questions carriers use to verify identity.
Because victims lose service on their phones after a successful SIM swap attack, immediate incident response is obstructed, leaving attackers with a window of opportunity.
By leveraging social engineering techniques, Ortiz stole over $5M in cryptocurrency by successfully transferring victims' phone numbers to a device under his control.
The Bitcoin Bandit
Before it was shut down by federal authorities, the darknet black market known as the “Silk Road” facilitated hundreds of millions of dollars in sales of illicit goods and services between 2011 and 2013.
In September of 2012, a bug in the underground platform was exploited by James Zhong. The website’s payment processing system had a race condition vulnerability, which allowed Zhong to duplicate the same withdrawal transaction.
Over the course of 140 duplicated withdrawals, Zhong multiplied his initial deposit, an estimated 200 to 2,000 Bitcoin, into approximately 50,000 Bitcoin.
At the time, the cryptocurrency was valued below $13. About $650,000 had been successfully stolen.
When federal authorities raided Zhong’s home in November of 2021, they discovered a safe hidden beneath the bathroom floor containing a single-board computer with the stolen Bitcoin. Due to Bitcoin’s surge in value over the nine years since the heist, at the time of seizure, Zhong’s criminal proceeds had increased to $3.3B.
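The class of bug described above, a check-then-act race in withdrawal handling, is shown here as an added example next to its fix. This is not Silk Road's code: the `Ledger` class, its method names and the amounts are constructed, and a barrier is used only to make the request interleaving repeatable.

```python
import threading

class Ledger:
    """Toy account ledger, constructed for this example."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, gap):
        current = self.balance           # 1. read balance
        if current < amount:             # 2. check
            return False
        gap()                            # window: other requests can still pass step 2
        self.balance = current - amount  # 3. debit using the stale read
        return True                      # payout is issued

    def withdraw_atomic(self, amount, gap):
        with self._lock:                 # check and debit form one critical section
            if self.balance < amount:
                return False
            gap()
            self.balance -= amount
            return True

def run_concurrent(method, balance=100, amount=100, requests=2):
    """Fire simultaneous withdrawals; return (total paid out, final balance)."""
    ledger = Ledger(balance)
    barrier = threading.Barrier(requests)

    def gap():
        try:
            barrier.wait(timeout=1.0)    # hold each request inside the window
        except threading.BrokenBarrierError:
            pass                         # peers never arrived: blocked on the lock

    results = []
    def worker():
        results.append(getattr(ledger, method)(amount, gap))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return amount * sum(results), ledger.balance

if __name__ == "__main__":
    print("racy:  ", run_concurrent("withdraw_racy"))    # (200, 0)
    print("atomic:", run_concurrent("withdraw_atomic"))  # (100, 0)
```

In a real payment service the same guarantee normally comes from a database transaction or a conditional update rather than an in-process lock, and reconciling total payouts against total debits is the check that surfaces this kind of duplication.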
The Parity Multi-sig Wallet Bugs
To bind parties into transactional agreements, “smart contracts” are used. These digital contracts execute certain actions once the conditions of the agreement have been satisfied. These actions might include the release of funds or the transfer of digital assets.
As these contracts consist of code, they suffer from familiar vulnerabilities such as business logic, access control, and function call errors. Their public visibility and immutability on the blockchain further exacerbate any errors present.
Analysis performed by HackerOne revealed that improper access control accounts for 10% of vulnerability reports within the crypto and blockchain sectors.
What are known as “multi-sig wallets” are smart contracts that require multiple private key signatures for execution. Users can access the smart contract source code from a repository, deploy it on the Ethereum blockchain, and then configure the owners and deposit funds. Each wallet represents a separate instance of the code.
In July of 2017, over $30M was stolen from three Parity multi-sig wallets due to a flaw that enabled all functions to become publicly callable. Thankfully, a group of white-hat hackers exploited the same bug in order to secure the funds of the remaining vulnerable wallets.
Only a day later, the subsequent release that addressed the vulnerability also included another bug which destroyed a library that Parity multi-sig wallets were dependent on. Since all state-modifying functions belonged to this library, ~$154M was frozen.
The Ronin Bridge Attack
A main draw of blockchain technology is the immutable ledger it generates. After nodes on the network validate the integrity of transactions, the transactions are processed and stored in blocks of data, each cryptographically linked to the previous one. Alterations to one block will change all subsequent downstream blocks, making tampering easily detectable and ensuring transparency in the transaction history. However, this linking creates challenges for interoperability between different cryptocurrency networks.
To exchange one cryptocurrency for its equivalent on another network, a "bridge" is used. These cross-chain bridges serve as escrow to the transaction, locking a certain amount of one cryptocurrency on its blockchain and automatically creating, or "minting," the equivalent value on another.
For example, if someone wanted to buy digital event tickets with Bitcoin, but the seller preferred Ethereum, the bridge would lock the Bitcoin on the Bitcoin blockchain and once the buyer received the tickets, the smart contract would execute and the value equivalent in Ethereum would be minted and deposited in the seller's wallet.
In March of 2022, ~$620M was stolen from the players and company behind the popular game Axie Infinity. Sky Mavis, the developers of Axie Infinity, had originally built on top of the Ethereum network to allow players to purchase and sell their in-game assets.
However, as Ethereum transactions were slow and the fees were expensive, Sky Mavis created their own Ethereum-compatible blockchain, called the Ronin network, to improve the player experience, with the Ronin Bridge connecting the two.
To adhere to the decentralized nature of the industry, five out of the nine validator nodes of the network were distributed outside of Sky Mavis’ control so the company would not control the majority share.
However, once it became public knowledge that a handful of streamers were able to make a living playing Axie Infinity full-time, the game saw a surge in popularity. One of the outsourced validators gave Sky Mavis temporary access to a fifth node to deal with the increase in traffic.
Through a spear-phishing attack, hackers targeted a Sky Mavis developer to gain access to the network.
As the developer had high permissions in the Sky Mavis network, the hackers gained privileged access. The four validators under the company’s control, plus the fifth, to which access was never revoked, were now under the control of the hackers, allowing them to validate and process transactions at will.
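The validator arrangement described above can be audited by counting delegated access alongside ownership. The following is an added example, not Sky Mavis code: the organisation names, validator ids, dates and grant records are constructed, and the threshold of five is an assumption taken from the "majority share" of nine validators.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 5  # assumption: a majority of the nine validators approves a transfer

# Constructed inventory: validator id -> owning organisation.
VALIDATORS = {f"v{i}": "operator-a" for i in range(1, 5)}
VALIDATORS.update({"v5": "partner-b", "v6": "partner-c", "v7": "partner-d",
                   "v8": "partner-e", "v9": "partner-f"})

# Constructed delegation records: temporary signing access given to another party.
GRANTS = [
    {"validator": "v5", "grantee": "operator-a",
     "expected_end": date(2021, 12, 1), "revoked_on": None},
    {"validator": "v6", "grantee": "operator-a",
     "expected_end": date(2021, 12, 1), "revoked_on": date(2021, 12, 3)},
]

def is_active(grant, today):
    """A grant counts until the day it is actually revoked."""
    return grant["revoked_on"] is None or grant["revoked_on"] > today

def effective_control(validators, grants, today):
    """Map each party to every validator it can sign with as of `today`."""
    control = defaultdict(set)
    for vid, owner in validators.items():
        control[owner].add(vid)
    for g in grants:
        if is_active(g, today):
            control[g["grantee"]].add(g["validator"])
    return control

def audit(validators, grants, today, threshold=THRESHOLD):
    """Return (parties at or above the threshold, overdue grants still active)."""
    control = effective_control(validators, grants, today)
    over = {p: sorted(v) for p, v in control.items() if len(v) >= threshold}
    stale = [g["validator"] for g in grants
             if g["expected_end"] < today and is_active(g, today)]
    return over, stale

if __name__ == "__main__":
    print(audit(VALIDATORS, GRANTS, date(2022, 3, 1)))
```

Ownership alone shows operator-a with four validators, below the threshold; the unrevoked grant is what makes a single compromise of that operator sufficient.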
The FBI has attributed the attack to North Korea's Lazarus group. It is believed that the hermit nation, as a repeat offender, is responsible for billions in cryptocurrency heists on its own.
In an attempt to prevent the state-sponsored units from cashing out, the United States placed trade sanctions against Tornado Cash, a popular open-source cryptocurrency mixer that North Korea has used before in order to anonymize their conversions into fiat currency.
Takeaways
In many cases, these systems were rushed to market without sufficient security testing in an attempt to capitalize on the rising popularity of the cryptocurrency market. This is unsettlingly similar to the fast cadence at which other web applications are developed in order to meet release dates.
A critical observation is the widespread use of social engineering tactics. Attackers continue to exploit human error, manipulating unsuspecting users or even insiders to gain unauthorized access to systems. Phishing schemes, SIM swapping, and other forms of deception remain some of the most effective methods for criminals to bypass technological defenses and steal assets. This highlights the persistent gap between technological advancements and the human element that still plays a crucial role in security vulnerabilities.
Additionally, the underlying mechanisms of what is marketed as "new" technology have exhibited well-known weaknesses that can be attributed to simple coding errors. All of the components are still built with code, which is not impervious to fundamental security oversights.
Due to the decentralized nature of blockchain networks, enacting regulations has been challenging and undesired.
What can be done?
It is obvious that security must be taken more seriously when dealing with financial transactions at this scale. Here are some actionable steps that can push the industry toward a more mature state:
- Cryptocurrency platforms must undergo deeply thorough audits before being pushed into a production environment. The rush to capitalize on the surge of investors has left security as an afterthought rather than a priority. This includes an organization subjecting itself to third-party assessments before going live.
- As seen in these attacks, the vulnerabilities of the human mind provide the easiest routes to exploitation. Every single member within an organization should be educated on the techniques used and the procedures they should follow once they recognize signs of a potential social engineering campaign, such as how to report the incident and what details should be included in a report.
- Defenses against unauthorized access or account compromise should be multi-layered. Multi-factor authentication should be required for all accounts across all services. If an organization has the resources to implement the use of hardware keys or subscriptions to password management services, they should make the investment.
- Adherence to secure coding best practices should be enforced, as security is everyone’s responsibility, at every stage of development. Security standards such as ISO 27001, NIST, and the CIS Controls and Benchmarks provide a foundation that can be iteratively hardened over time.
- Organizations should have a clear view of all assets directly under their control as well as any that are outsourced to a third party. This inventory should be documented and reviewed at regular intervals. Everything needs to be accounted for. Logging and monitoring processes should be centralized and configured to draw attention to events that display the characteristics of malicious activity, to the highest level of accuracy possible.
- Incident response plans should be rehearsed regularly to ensure panic is avoided when a real-world security breach occurs. These procedures should also adapt with any changes made to business operations.
- Communication channels should be open at all times, easily discoverable, and resilient to attack. Those who monitor these channels should be knowledgeable so prioritization is given to the vulnerability reports that demonstrate the most impact. Monetary rewards or, at the very minimum, awards of recognition should be given to incentivize potential threat actors and security professionals alike to report vulnerabilities rather than taking advantage of them.
Conclusion
It is evident that cryptocurrency is here to stay, although it has yet to fully mature. As with any technological breakthrough, human error remains the weakest link. It is time for the digital financial industry to receive the same level of attention to detail in security protections as is given to physical branch locations.
Until this occurs, billions of dollars will continue to be lost by individuals investing their hard-earned money in concepts of the future.