What is an exchange platform?
First of all, it must be understood that exchanges are completely separate from the blockchain itself. They benefit from a high level of protection (at least the main ones) but are far from inviolable since they are, after all, centralized web services deployed in the cloud. Once your funds are sent to an exchange, they no longer belong to you: because the platform holds the private key, your funds are subject to the same hacking risk as the platform itself.
The huge advantage, but also the biggest flaw, of cryptocurrency systems at the moment is the lack of regulation. This freedom implies a lower degree of security, since there is no one to turn to in case of fraud.
The main defense of exchange platforms is to keep funds in cold storage, which is not connected to the Internet and is therefore almost impossible to hack. Although some platforms adopt this type of protection (Coinbase: 98% of funds in cold storage), many others expose their clients’ funds to hacking risks.
IT vulnerabilities are numerous, and platforms rarely disclose them. Nevertheless, the main cause of hacks is most often poor management and the lack of an emergency response plan rather than security loopholes.
Here is a list of the latest notable attacks:
- Mt. Gox in March 2014: the platform suffered an attack exploiting transaction malleability and lost 850,000 BTC, the equivalent of $460M.
- Cryptsy in July 2014: the famous developer of Lucky7Coin used malware to steal 300,000 LTC and 13,000 BTC from the exchange ($9.5M).
- Bitstamp in January 2015: a simple booby-trapped file, reportedly opened by one of the system administrators, resulted in the loss of 19,000 BTC, or $5.1M.
- Bter in February 2015: having already been the victim of an earlier attack, the platform did not learn its lesson and lost 7,000 BTC, the equivalent of $1.7M.
- Bitfinex in August 2016: the platform had set up a multi-signature wallet to strengthen its security, which did not prevent it from being hacked for 120,000 BTC ($72M).
- NiceHash in December 2017: more of a cloud mining service than a trading platform, it lost 4,000 BTC ($63M) through a security breach in the payment system, following the compromise of a company computer.
- Coincheck in January 2018: this platform usually uses cold wallets to protect against all types of attacks; however, some security measures were not applied in this case, which resulted in the loss of 523 million NEM ($534M), equivalent to the platform's total deposits, which were stored in a single wallet.
- BitGrail in February 2018: NANO, previously called RaiBlocks, a cryptocurrency based on a block lattice rather than a blockchain, attracted many investors. However, most reputable exchanges refused to list the coin before it reached massive adoption. Consequently, it was listed on smaller and less secure exchanges. This resulted in the loss of 17 million NANO, or $195 million.
- Coinsecure in April 2018: doubts remain as to whether this attack was carried out by hackers or organized internally… still, the platform recorded a loss of 458 BTC ($3.3M).
- Coinrail in June 2018: this time the attack did not target a particular cryptocurrency but various altcoins. The hackers stole NPXS ($19.5M), AstonX ($13.8M), DENT ($5.8M), TRON ($1.1M) and some other altcoins in smaller volumes; the total recorded loss was more than $40M.
- Zaif in September 2018: the hack is recent and the investigation is still ongoing, so we can only speculate about the security breach. The Japanese exchange reported a loss of $60 million in BTC, Bitcoin Cash and MonaCoin.
As you have certainly understood by now, the best way to make money with cryptocurrency is to become a hacker… just kidding.
For some time now, a new type of protection has been available to get around the security problems of exchanges: the DEX, or decentralized exchange. It secures funds through multiple storage points distributed over the blockchain, which makes them less exposed to the large-scale attacks that target centralized platforms (cf. OmiseGo and IDEX).
Concerning the insurance offered by the platforms, we can mention the initiative of Binance, which has set up an emergency fund in case of hacking. Since July 14, 2018, it has allocated 10% of brokerage fees to this fund, which is stored in an independent cold wallet.
Following the numerous hacks on the various platforms and the almost non-existent regulation of this type of market, insurers are reluctant to cover exchanges. In addition, the reimbursement policy for the few beneficiaries of this type of service applies only in very specific cases where the security of the platform itself has been compromised. To be more precise, don’t expect a refund if your password is hacked… Even if all the conditions are met to benefit from a refund following a hack of the platform, please note that insurers limit their coverage of exchanges to $5M. If you have followed the list of platform hacks above, you will see that this coverage is obviously far from sufficient in case of a major attack.