It’s no surprise that crypto exchanges draw the keen interest of hackers. There’s a fortune to be plundered. The only tools required are lines of code or a digital key, and the decentralized nature of blockchain makes for a clean getaway.
The scale of the threat, however, might come as a shock. Cybercriminals stole $4.25bn in 2021. In what was something of a vintage year for hackers, $100m+ heists occurred at least six times. For comparison, the biggest ever bank robbery in United States history netted less than $20m.
Experienced hackers are the nemesis of any emerging technology. Crypto platforms are particularly vulnerable because they are so easy to set up. There are few of the regulatory or data security hurdles that conventional financial services have to clear. Neither is there any guarantee that an exchange has the cybersecurity resources to deal with relentless attacks.
Additionally, many crypto platforms depend on open source code, which gives hackers an incentive to compromise popular software libraries upstream. The moment the exchange updates its software, the compromised library is pulled in and hackers can penetrate the defenses.
To avoid joining the roll call of compromised exchanges, crypto platforms should be aware of these seven common vulnerabilities.
Distributed Denial of Service (DDoS)
ZebPay, one of the oldest and largest crypto exchanges, revealed that hackers strike twice a month on average with denial of service attacks, which can paralyze the network. Any exchange is at risk. One recent attack blocked by Cloudflare flooded an unnamed exchange with 15.3 million requests per second. With the huge rise in the number of devices connected to the internet, there are more unsecured devices for hackers to exploit. Although the decentralized nature of blockchain offers a built-in defense against DDoS attacks, the exchange servers provide a focus for hackers. Increasing node storage, processing power and network bandwidth is the main strategy for limiting disruption.
Exploiting DeFi protocols
Traditionally, hackers have favored security breaches to obtain private keys. With DeFi attacks, they’re coming after faulty code. DeFi services are now the primary target for cybercriminals: 75% of attacks in 2021 hit DeFi services, to the tune of $1.4bn. That included the $600m PolyNetwork heist.
DeFi networks use peer-to-peer transactions across secure distributed ledgers that bypass centralized exchanges. Their software sits on top of blockchain platforms, but the open source code and administrator keys in their smart contracts make them vulnerable.
Phishing
The goal of any phishing attack is to trick the victim into giving up their personal information or private key. The easiest way to do that is for hackers to send an email containing either a malicious file or link to a site with infected script. Whether the attack is aimed at individual wallets or entire exchanges, the subterfuge starts with an email or SMS, and it’s why any crypto exchange must have strict policies and safeguards in place to distinguish legitimate incoming mail from spam.
Hot wallet attacks
Unlike cold wallets, whose crypto assets are stored offline, hot wallets are connected to the network. If a hacker can obtain the private key, they can liberate the contents relatively easily. These attacks often yield crypto assets valued in the hundreds of millions. Poor security at the web application level is inevitably to blame. Crypto exchanges must establish two-factor authentication and multisignature private keys in the first instance, and be ready to respond quickly to recover assets whenever an attack occurs.
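As an added illustration of the multisignature control recommended above (example code, not Zai's or any exchange's own), here is a 2-of-3 approval check over a canonical withdrawal message. HMAC-SHA256 tags stand in for the per-approver signatures a real deployment would produce from hardware-held keys or on-chain multisig scripts; the approver names and secrets are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    tx_id: str
    destination: str
    amount_sat: int

    def message(self) -> bytes:
        # Canonical encoding: every approver signs exactly the same bytes,
        # so any later change to destination or amount invalidates all tags.
        return json.dumps(
            {"tx_id": self.tx_id, "destination": self.destination,
             "amount_sat": self.amount_sat},
            sort_keys=True,
        ).encode()


# Constructed sample policy: three approvers, any two must sign (2-of-3).
# In production these would be distinct keys on separate devices, not strings.
APPROVER_KEYS = {
    "ops-1": b"constructed-secret-ops-1",
    "ops-2": b"constructed-secret-ops-2",
    "risk-1": b"constructed-secret-risk-1",
}
THRESHOLD = 2


def approve(approver: str, w: Withdrawal) -> tuple[str, str]:
    """One approver signs the canonical withdrawal message with its own key."""
    tag = hmac.new(APPROVER_KEYS[approver], w.message(), hashlib.sha256).hexdigest()
    return approver, tag


def authorize(w: Withdrawal, approvals: list[tuple[str, str]]) -> bool:
    """Release funds only when THRESHOLD distinct approvers signed this exact message."""
    expected_msg = w.message()
    valid_approvers: set[str] = set()  # a set, so one key repeated counts once
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown approver: ignore, never counts toward the threshold
        expected_tag = hmac.new(key, expected_msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected_tag, tag):  # constant-time comparison
            valid_approvers.add(approver)
    return len(valid_approvers) >= THRESHOLD
```

A single stolen approver key therefore cannot move funds on its own, and a tampered destination or amount invalidates every approval already collected.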
Social engineering
Rather than trying to break into the exchanges themselves, hackers often find it easier to infiltrate the employee network. They may pose as a trusted authority or tech partner and exploit human vulnerabilities to trick employees into sharing passwords. They may also “bait” their victim by leaving an infected USB or device for an employee to plug into the network.
Social engineering attacks are made even easier at a time when the barriers between work and home are less distinct. Employees often use personal devices on the private network or work hardware on an unsecured home network. That’s why every company needs to have a rigorous data protection and security policy in place.
Software vulnerabilities
Too often, the assumption among the crypto community is that the decentralized nature of blockchain guarantees security. In fact, 60% of Bitcoin traffic passes through just three internet service providers. And a worrying number of crypto exchanges begin operations with fundamental software flaws. By targeting the points where decentralized traffic is centralized (i.e., exchanges), hackers can register new accounts, alter their balance, and make withdrawals. Other than thoroughly auditing code before launch, the priority for cybersecurity teams should be to keep all software patched and updated regularly.
Hijacking internet routing
Instead of targeting exchanges, cybercriminals will also turn their attention to the internet routing infrastructure to intercept traffic. The scam involves partitioning nodes to generate fake transactions, exploiting the centralized nature of Bitcoin nodes (of which 20% are hosted on just 100 IP prefixes). It’s a complex scam with a relatively simple solution — a secure relay network which sits alongside the existing exchange network and prevents hackers from diverting connections.
Risk management strategies to boost security
Crypto exchanges need to think and behave more like traditional banks regarding cybersecurity. As unpopular as that advice may be among the decentralized finance community, few organizations have more experience in fending off cyber attacks than banks. Similarly, banks have to meet strict compliance standards before launching any new service.
To mitigate the risk of cyber attacks, crypto exchanges should embrace the following:
Information sharing: With some 600 crypto exchanges worldwide, there’s plenty of opportunity for exchanges to consolidate their expertise and share resources on current threats and cybersecurity measures.
Cybersecurity 101: From greater scrutiny of third-party code to regular reviews and audits by a dedicated internal team (as well as white hat hackers), exchanges must position their security features as a market differentiator. That implies greater transparency about the resilience of the system, and fast communication with investors when something goes wrong.
Regulatory approval: As Coinbase has done in Italy and Binance in France, the leading exchanges can temper investor concerns by registering as digital asset service providers in selected markets. That doesn’t mean compromising on the decentralized spirit of cryptocurrency, but it can allow exchanges to shout more loudly about their compliance with established security standards.
Implement a framework: You can’t fight cybercriminals on an ad hoc basis. That requires established guidelines and procedures in place to pre-empt the next attack.
As emerging technologies like blockchain take their place alongside more established embedded finance products, the threats from hackers will evolve. That’s why regulation and compliance will inevitably shape crypto in the same way Know Your Customer and Anti-Money Laundering regulations have become enshrined in financial services.
With the International Monetary Fund proposing a global framework for cryptocurrency asset providers, there’s a strong case for paytech solutions that provide a stable and scalable process for business transactions. Zai helps businesses handle large crypto trading volumes within a fast, secure platform so that even when the crypto market is volatile, the payment workflows are reliable and trustworthy.