With the 15th anniversary of the founding of crypto just around the corner, it’s surprising that we still have work to do to protect private keys from being compromised. So, let’s look at some real-life examples of crypto loss attributed to the loss or theft of private keys and how organisations could have prevented them.
Japan-based exchange Mt. Gox filed for bankruptcy in 2014 after losing 850,000 Bitcoin, worth an estimated $450 million at the time. At one time a massive player in the crypto universe, Mt. Gox dealt with 70% of all Bitcoin transactions. The origin of the loss is thought to be the theft of the exchange’s hot Bitcoin wallet private key in 2011.
In 2016, another crypto exchange, Bitfinex, lost approximately 120,000 Bitcoin, which is now worth over $3 billion. Hackers stole Bitcoin from users’ wallets and transferred it to a single wallet. In 2022, the US Department of Justice recovered $3.6 billion in Bitcoin by tracing transactions from the destination wallet.
Binance, the world’s biggest crypto exchange, had 7,000 Bitcoin hacked in 2019. According to Binance’s CEO, Changpeng Zhao,
“The hackers used various techniques, including phishing, viruses and other attacks.”
It later emerged that hackers stole API keys, two-factor codes and other information, which enabled them to transfer more than 7,000 bitcoins to their wallets.
Coincheck, another Japanese crypto exchange and NFT marketplace ranked in the top 20 exchanges in the world, lost around $523 million in XEM coins during a hack in 2018. Again, funds were stored in a hot wallet rather than cold storage, making them more vulnerable to attack. The wallet did not have multi-sig authentication in place either, so one person could make transactions.
More recently, in November 2022, FTX had over $600 million stolen from its hot wallets. The security failings were appalling and left FTX’s customers’ funds wide open to hackers. Fraud charges have been made against founder Sam Bankman-Fried for stealing millions to pay off the debts of his hedge fund. Some of the hacked funds have now been recovered.
The speed of development in the crypto industry left security gaps in some organisations, which, if addressed earlier, could have prevented these hacks. The industry already has robust security protocols that all crypto service providers need to adopt to safeguard investors’ funds. Having a dedicated security team to manage infrastructure controls and security policies, and implementing an external audit programme should be standard practice. Safeguarding your keys requires specific controls which provide ultimate protection to your digital assets.
Storing your keys online opens them up to compromise. It’s much easier for cybercriminals to hack keys kept online than those held offline. However, if you store them in a safety deposit box or a hardware wallet, the risk of theft is hugely reduced.
Take several backups of your keys and store them in different secure locations. That way, if you lose access to your crypto, you can use your backup to get back into your wallet. Store your backup in a different place than you store your crypto, and if you are going to share it with someone, like a trusted third-party provider, encrypt it so they can’t access your digital assets.
It might seem like obvious advice, but using a strong password for your keys can go a long way to securing your crypto. Best practice includes:
Ensuring your employees understand the importance of security and the risks of losing private keys can reduce the risks surrounding key loss and theft. Train them on the latest cybersecurity threats, including spotting phishing attacks and creating strong passwords. Introduce a crypto security policy to outline what’s expected of them and how to protect the company from crypto theft. Finally, encourage your team to report suspicious activity – erring on the side of caution can stop a cyber-attack in its tracks.
Losing private keys to crypto wallets can be devastating to an organisation. Apart from the financial implications for the business and its customers, the reputational damage can be extensive and hard to shake off. Having our key backup service as part of your cryptocurrency security strategy will provide you with confidence that your assets are securely protected and accessible if disaster should strike. Contact the team today to talk crypto security.