How to avoid a hack: Cryptopia ‘success’ case

“The Exchange Suffered A Security Breach” is a statement that makes the heart beat faster. There has never been a day when this phrase brought positive connotations because it always means hacks, data leakage, and the considerable loss of money. On January 15, 2018, such a phrase was published on Cryptopia, a New Zealand crypto exchange. The NZ Police and High Tech Crimes Unit are now engaged in the investigation. In turn, we assume that if the crypto industry had cybersecurity standards and requirements this hack could have been avoided.

About Cryptopia

Cryptopia was registered in July 2014 and launched later the same year. The exchange is run by the founders Rob Dawson and Adam Clark, who started the project originally “as a hobby”. In January 2017 they quit their jobs to work on the exchange full time. From May to December 2017 Cryptopia grew from 30,000 to ~1.5M registered users.

In May 2017 Cryptopia launched the New Zealand Dollar Token (NZDT), supposedly the first stablecoin whose value is supposed to be pegged to the New Zealand dollar.

So far as is actually known, Cryptopia’s peak trading volume this year occurred on Jan. 11, when it reached around $1,875,000.

Cryptopia was previously mainly famous for its record-breaking number of listed altcoins. One of the altcoins served Cryptopia a dirty trick in November 2018 when a 51% attack on AurumCoin occurred and more than $500,000 was stolen.

Today everyone knows about Cryptopia’s Hack Case, as this is absolutely one of the most incomprehensible and unusual hack attacks in recent years.

Currently despite the fact that according to New Zealand Police, Cryptopia is “ready to resume trading”, the exchange’s website still remains offline.

However, first things first, let’s get closer to the hack timeline and try to understand what happened and how the hack could have been prevented.

General Hack Details

First of all, we’d like to highlight that there are irregularities in the story of Cryptopia Hack. The incident was confirmed by NZ Police almost straight away, however, the primary details still remain unknown to this day. For example, it is not determined how exactly the attack took place, the total amount of funds lost and the current status of affairs. Still, we will try to sort out what happened to Cryptopia and determine how the attack could have been avoided.

After several days of short tweets from Cryptopia concerning the exchange’s unscheduled maintenance, on the 15th of January, Cryptopia finally made an official announcement that they had been hacked and had suffered“significant losses”.

Later, it turned out that at 1:30 PM, January 13, 2019 someone sent $2,437,018.55 from a Cryptopia wallet. Naturally, the transaction remained unnoticed. Next, the hackers began to withdraw funds from more than 76,000 other wallets until January 17. In total, $3.6 million in Ethereum was stolen, $2.4 million in Dentacoin, almost $2 million in Oyster Pearl, as well as smaller amounts in other tokens.

Remarkably, Oyster Pearl has already been involved in another scandal in October when it appeared that the project had gone through 3 automated smart contract audits which hadn’t identified the critical issue: one of the smart contract lines allowed a contract private key owner to open crowd sales at any point.

In the investigation conducted by Elementus, a blockchain company based in New York, an approximated value of stolen funds is around $23 million NZD ($16 million USD). It is also mentioned in the report that $3.2M were withdrawn to various crypto exchanges including Binance, Huobi, and HitBTC. Another ~$12M is still located at two addresses, and are hypothetically controlled by hackers:

• 0x9007a0421145b06a0345d55a8c0f0327f62a2224
• 0xaa923cd02364bb8a4c3d6f894178d2e12231655c

Unlike the hacker, Cryptopia employees no longer control the private keys of Ethereum wallets, and funds stolen from the exchange continued to flow to the ETH address.

On January 17, 2019, CEO Binance Changphen Zhao announced that they had managed to block the funds transferred by the attacker to their platform. Later, on January 29, an unknown attacker took out another 1,675 coins of Ethereum (more than $175 thousand at the current rate) of approximately 17,000 wallets of Cryptopia, which means that basically, the attack continued for 2 weeks following the initial announcement about the security breach.

Expert’s Opinion

Currently, the New Zealand police are conducting an extensive investigation of the Cryptopia hack, and they have been frank noting out that the process will most likely take a “considerable amount of time to resolve due to the complexity of the cyber environment”.  In the meantime, we have asked our leading Cyber Security Specialist Pavlo Radchuk to сomment on the situation and share with us his assumptions of what techniques and practices the Cryptopia hackers used.

Pavlo is a professional Application Security Engineer in both web/mobile and blockchain security. He has several years of experience and a Master’s degree in Cyber Security. Currently, Pavlo is managing all blockchain security projects at Hacken and working on smart contracts audits, blockchain and dApp security projects and web/mobile pentests.

Pavlo specified, “The Cryptopia hack is quite different from other exchange and wallet hacks. First of all, the funds were transferred from Ethereum accounts. Hacker needs to sign the transaction with an account private key to be able to transfer Ether or tokens to their personal account. It could have happened that hacker somehow gained access to Cryptopia’s private key storage. The fact that hacker gained access to private keys is confirmed by the fact that transfers continued several days after the breach was discovered.

Currently it is really difficult to determine exactly how the attack was taking place, however, we suppose that the intruder gained access to private key storage. It could be either an insider or a hacker who gained access via web endpoints or unprotected Cryptopia servers.

It would be misleading to claim that there are accurate and precise solutions for the perfect security solution, however, the risks of the breaches can be reduced. For example, security CERtified exchanges should pass penetration testing and have ongoing bug bounty programs. Who knows, if Cryptopia had an ongoing Bug Bounty Program, probably, some white hat hackers could have determined the vulnerabilities before the accident took place.”

The Need for Cybersecurity CERtification

We believe that if Cryptopia had undergone Cyber Security CERtification the hack on the exchange could have been prevented.

There is no doubt that crypto is progressively becoming more structured than it was in the beginning stages when hype and FOMO moved the industry. And although crypto is now not having the best time, market capitalization has reached $113 billion. Would you like to give 70% of that money to hackers? Or maybe 50%? We believe that you wouldn’t even agree to give a hacker 1% of that money. So what is the reason for all the market risk stemming from lacks proper security protocols?

A hacker can exploit even the tiniest bug in the system to steal millions of investors’ funds. For this reason, CER offers Cyber Security certification to ensure that a crypto exchange is compliant with security standards, has passed fundamental audits and opened a bug bounty program for direct communication and interaction with hackers.

How does CERtification work?

If an exchange has already passed security audits, has an ongoing bug bounty program, and if the reports are presented to CER & Hacken for scrutiny, then, we grant the CERtificate without Pen Test.

If not, Crypto Exchange Ranks together with Hacken cybersecurity experts check security levels and perform penetration testing. We check:

• Server Security
• User Security
• Crowdsourced Security

After the test, we provide a report with a detailed list of bugs and vulnerabilities and recommendations on how to improve them. Afterward, a crypto exchange should start a bug bounty program either self-hosted or on a platform such as HackenProof. As soon as the exchange improves its level of cybersecurity, we distribute a transparent and objective sign of safety for the whole community — Cybersecurity CERtificate.

Take the Cryptopia, BitFinex, CoinCheck hacks. This all could have been avoided if crypto exchange owners took care of Cyber Security and started bug bounty programs at the appropriate time.

CER learns from this experience and aims to bring relevant regulations and trust to the crypto industry. The market needs clear standards more than ever before. CERtification is the only visible and beneficial solution to encounter modern crypto issues.

We rank exchanges like no one else!

Go CERtified