Hacks, Heists, and Hostages: How to Secure Yourself and Your Money in Today’s Crypto Market

Imagine investing thousands of dollars into relatively obscure coins like NEM and TRON during the height of the Bitcoin boom, hoping they’d follow Bitcoin’s lead and explode onto the crypto-scene in the coming months. Now, imagine waking up weeks later to find that hackers had compromised your currency exchange platform and made off with hundreds of millions of dollars’ worth of cryptocurrency, including every last digital cent that belonged to you. Such was the reality for approximately 260,000 Coincheck Inc. users on January 26, 2018, when cybercriminals stole $530 million worth of NEM coins in the biggest heist to ever hit the crypto market. Yet, as shocking as the NEM heist was, the anonymous and untraceable nature of cryptocurrency has made it an extremely attractive target for criminals, and the hack was not the first (nor will it be the last) to devastate digital currency investors.

Indeed, reading through the list of crypto hacks and heists over the past four years is like reading Al Capone’s rap sheet. There have been at least 16 high-profile attacks on cryptocurrency traders and exchanges since 2014 – that’s an average of four attacks per year, or one major attack every three months.

Most of these attacks have occurred in the form of unsophisticated phishing schemes, where hackers either spoof a link to a legitimate currency exchange website or create convincing emails with links containing malware like the CryptoShuffler trojan, which lurks on a victim’s computer until they copy/paste a digital wallet address. Once the address has been detected, the trojan surreptitiously replaces it with the attacker’s address, thereby diverting the funds to the attacker’s wallet without the victim noticing until it’s too late.

Although less common, other, more sophisticated attacks, including state-sponsored cyber campaigns and violent kidnappings for (Bitcoin) ransom, have also been reported. South Korea, for example, has repeatedly accused the North Korean government of stealing billions of won in cryptocurrency from South Korean investors via exchange hacks and sophisticated ransomware attacks like 2017’s “WannaCry” epidemic. Meanwhile, enterprising criminals in Kiev, Phuket, Oxford, and New York have kidnapped individuals known to have substantial holdings in the cryptocurrency market. In nearly every kidnapping case, the attackers were armed, found their victims at – or near – their homes or offices, and held them until they provided their personal keys and transferred anywhere between $100,000 and $1.8 million in Bitcoin to the attacker’s account. Of these four attacks, only one of the suspects has been apprehended and charged with a crime.

Such devastating hacks, heists, and kidnappings, combined with increasingly dramatic fluctuations in digital coin prices, have led financial experts and economists to refer to cryptocurrencies as “an index of money laundering” that will never be stable or secure enough to be used as legitimate currencies. Whether these ideas reflect an antiquated view of a financial system that adapts to each new fintech innovation, or an accurate prediction of a new, unregulated global economy, has yet to be seen. What’s certain, however, is that the popularity of crypto coins grows with each and every Bitcoin boom, making them increasingly attractive to mainstream investors.

So how do you secure yourself and your money in such a tumultuous market?

Roderick Jones, Concentric Advisors Chairman and current CEO of digital security start-up Rubica, believes the first step to securing your money is to utilize two cryptocurrency wallets: one hot (for buying and selling), and one cold (for storing). Your hot wallet (which will likely take the form of a secure application installed on your phone or computer) should be used for all of your digital currency transactions and should only contain the amount of money you are comfortable losing if the wallet gets hacked. Your cold wallet (options include Trezor or Ledger Nano S), on the other hand, should house the bulk of your digital currency and should only be connected to the Internet when transferring money to or from your hot wallet, thereby safeguarding it from online intrusion.

Jones also recommends implementing enhanced cyber hygiene protocols, such as keeping your private key encrypted and never storing it on devices that you use all the time, such as your smartphone or personal computer. Additionally, investors should consider using two-factor authentication and password managers for all applications (including email), and adding a PIN or password to their phones, making it harder for attackers to seize control of their accounts by transferring their SIM cards to their own devices. Finally, anyone considering purchasing digital currencies is advised to research the coins and exchange platforms thoroughly in order to avoid putting money into questionable Initial Coin Offerings (ICOs), and to watch all transactions carefully to ensure the payment fields have not been swapped by hidden malware such as CryptoShuffler, which is adept at diverting your investment funds to a hacker’s personal wallet.

What about potential kidnappings for ransom?

The first (and most obvious) answer is: don’t flaunt your net worth or advertise your connections to the crypto world online. According to senior Google security researchers, attackers have reportedly used LinkedIn and other social media platforms to identify individuals who either work for cryptocurrency companies or are avid investors. Similarly, the individuals who have been kidnapped for ransom were likely targeted by their attackers because they were believed to have access to large sums of Bitcoin or Ether and the ability to transfer those funds to the criminals’ own personal wallets, leading New York County District Attorney Cyrus Vance, who is prosecuting one of the kidnapping cases, to warn that these types of crimes are likely “to become increasingly common as cryptocurrency values surge upward.”

Individuals with substantial digital currency holdings are therefore advised to use discretion when discussing their involvement in the crypto world and to employ robust physical security precautions. Limit disclosure of sensitive personal information on social media and in public records that may be used by attackers (try reverse doxxing yourself to learn how much of your personal information is available). Traditional security systems at your home and office help identify and prevent potential intruders, whereas employing protective services for public events and appearances reduces the likelihood of a kidnapping attempt.

Sound like a lot of effort? Maybe it is, but it’s worth the trouble to protect your investments (and yourself) from criminals. And who knows, maybe one day, you’ll be able to pay for the services in Bitcoin.

Jessica Klein
Jessica is a Risk and Intelligence Associate working in our Strategy and Intelligence group.