The recent Upbit hack is a stark reminder of the danger of storing your crypto on an exchange. We explored seven major hacks that happened this year, each one bolder than the last. The lesson? Not your keys, not your crypto.
Cryptopia went dark on Jan. 15 after it discovered a “security breach” with “significant losses.” It stayed dark, and mostly silent, through the rest of January and deep into February. The site claimed it could not comment during the police investigation of the estimated $16 million hack.
It is not clear how Cryptopia was hacked, but investigators discovered in August that Cryptopia had been pooling users’ funds in a catchall wallet. The New Zealand exchange tried to right its ship after the hack and even briefly reopened trading services in March. But the revival was not meant to be: the exchange went into liquidation in May and 10 days later filed for bankruptcy.
DragonEx of Singapore lost an “undisclosed” amount of user funds in a March 24 hack. It initially declined to estimate how much, but days later it revealed over Telegram that it had lost $7 million in the security breach. DragonEx did not appear to promise users a full refund, as other exchanges generally did in 2019. Instead, it said it was working on a “preliminary compensation plan” that would reimburse victims’ lost funds in Tether or Dragon Token equivalent.
Hackers targeted Bithumb in March for $13 million of EOS and the South Korean exchange later learned it was missing $6.2 million in XRP. The heist came less than a year after another massive hack: $31 million in late 2018. Bithumb suspects that the hack was an inside job as it spotted an “abnormal withdrawal” from one of its wallets. The exchange claims it lost no user funds in the hack.
Hackers stole a massive 7,000 bitcoin haul worth some $40.7 million from Binance in May. The world’s largest exchange by volume found a vulnerability in its hot wallet, though it claims that only 2 percent of total funds were in that wallet at the time of the hack. Funds quickly moved through a network of smaller and smaller wallets as hackers tried to wash their stolen coins. Some of the funds were eventually turned into fiat. In response, Binance shuttered deposit and withdrawal services for a week to beef up security protocols. The exchange reopened services on May 15. It pledged to refund users from its emergency fund.
Singapore’s BiTrue exchange lost $4.2 million of its users’ funds in June. Hackers targeted XRP ($4.01 million) and ADA ($231,800) in a breach that exploited BiTrue’s internal user access review process. Using what they learned, the hackers then transferred 9.3 million XRP and 2.5 million ADA into different exchanges. BiTrue says it worked with partner exchanges to freeze those funds and further promised to refund all users affected.
Japanese exchange Bitpoint lost $28 million in a July hack that hit 50,000 users. It is not known how the hackers breached Bitpoint’s security, though it forced Bitpoint to halt trading for a month. Soon after the hack, Bitpoint’s parent company, Remixpoint, promised to reimburse affected users. Trading in Bitpoint’s five supported cryptos (bitcoin, bitcoin cash, ether, litecoin and XRP) started up again in August.
Upbit is the latest hacking victim after losing $49 million at 9:00 UTC on November 26, 2019. An "abnormal transaction" resulted in a 342,000 ether loss in a few minutes. The exchange said that the loss didn't come from user funds and that it has suspended all functions for at least two weeks.
As the year winds down, these hacks represent the massive, and precarious, risks exchanges and users take with their private and public wallets. What will 2020 bring? Here's hoping for fewer losses from fewer big names in the crypto ecosystem.
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.