If you haven’t heard about the recent Cryptopia hacks (cough…make that two), then there’s a chance you haven’t checked “Crypto Twitter” in the last several days, or you’re living under a rock. After a two week-plus hiatus, the Cryptopia hackers went at it again, pilfering north of 1,675 ETH from over 17,000 Cryptopia wallets.
So, let’s take a look at the timeline of the recent hacks of this New Zealand-based exchange, and brush up on several security reminders everyone storing and using crypto should employ.
The Cryptopia Hack Timeline
On January 15th, 2019, Cryptopia issued the following statement, acknowledging that on the 14th of January, 2019, they suffered a security breach – resulting in “significant losses.”
Cryptopia subsequently tweeted that they were unable to update anyone, as the hack had now become a police matter – further noting that the police were continuing to investigate this crime. In the interests of “protecting funds and wallets,” Cryptopia locked down the exchange, taking it offline.
On January 20th, 2019, Elementus – a blockchain analysis and infrastructure firm – reported that as much as USD $16 million in Ethereum (ETH) and other ERC20 tokens were stolen. According to the Elementus blog, the public Ethereum blockchain shows funds being siphoned from two core wallets and accounts as early as January 13th.
Adding insult to injury, Elementus reported that a cool $16 million in ETH and ERC20 tokens wasn’t all, as hackers had resurfaced, and this time around, stolen more than 1,675 ETH from 17,000 Cryptopia wallets. Hackers “took their time,” removing assets and Ethereum over nearly 5 days. Several theories speculate that Cryptopia had ultimately stored private keys on a single server with no redundancy. Additionally, Elementus stated:
“Cryptopia no longer has control of their Ethereum wallets, and the hacker still does.”
At date of publish, Elementus has concluded that there still are nearly 2,000 Ethereum wallets and roughly USD $46,000 in ETH at risk.
So, what can we take away from this? Simply put, not your keys, not your crypto.
Below are three security reminders for users HODL’ing and trading cryptocurrencies.
Cold Storage is Key
As we noted above, “not your keys, not your crypto.” When determining whether to store you cryptocurrency and altcoins via cold storage, we generally recommend employing the “one-month rule.” The one-month rule dictates that should you accumulate more than one-month’s salary on a cryptocurrency exchange, you should then move it offline to cold storage. One month isn’t doctrine, and you should consider moving funds to cold storage if you’ve accumulated any amount of cryptocurrency that you’re not comfortable with losing.
Ultimately, hardware wallets will run you anywhere from USD $60-$150, depending on which wallet you decide to go with. However, that’s a small price to pay for assurance that you’re crypto isn’t going to be pilfered by rogue hackers. Paper wallets are also an option for securing one’s funds, however, general wear and tear (and other elements) could leave you high and dry should it become damaged enough.
Keep in mind that storing your private keys or seed online is not cold storage, and is considered a “hot wallet,” so make sure that your private keys are never “kissed” by an Internet connection.
Both Ledger and Trezor are two reputable and popular hardware wallets for securing one’s funds. Furthermore, if you’re looking for a hardware wallet that is geared towards mobility, consider checking out the CoolWallet S. You can read up further about several of the best Bitcoin and crypto hardware wallets out there by checking out this article.
Keep a Watchful Eye For Punycode
Cryptocurrency’s meteoric rise over the years has also generated a meteoric rise in another industry – the industry of scamming and phishing. We aren’t dealing with technologically illiterate persons who need to physically gain access to your device or holdings to take everything anymore. We’re dealing with some of the most sophisticated con artists and scammers out there. And, they know how to get creative.
One of the most worrisome issues plaguing present-day cryptocurrency security is the complexity and perceived authenticity created by intricate phishing attacks. Always make sure you double-check the URL you are inputting, or bookmark it, so you can automatically go to the site without worry. Although not used in the Cryptopia hack (errr…hacks), the below phishing method is worth keeping an eye on when accessing websites and your cryptocurrency funds. It’s known as “punycode.”
Simply put, punycode is a specific representation of Unicode, which allows hackers and malicious actors to convert letters and characters to ASCII, a small and restricted character set. Due to its miniscule nature, it’s often easy for the untrained eye to fail to pick up on such micro-changes to text or characters. Think of the German language, which utilizes punycode for letters (ex. München).
So, how can you tell the difference between legitimate websites and malicious ones?
- To start, we strongly recommend looking for the green ‘https’ and word ‘Secure’ directly next to a website’s URL. Green will give you a heads up that the website in question has actually obtained the necessary SSL certificates.
- Once again, bookmark pages that you frequently visit, as it will help cut down on misspelling and “auto-fills.”
- Finally, always double check the URL to make sure it matches your intended destination. Always trust your gut too. If a website is bombarding you with unsolicited pop-ups the second you land on their homepage, it probably isn’t the right website to be depositing and storing crypto on.
Two-Factor Authentication: A Bare Minimum
Make sure to backup your cryptocurrency exchange logins and accounts with two-factor authentication (2FA). Doing so should be the bare minimum step you take to secure you holdings and personal information. Specifically, 2FA requires a user to enter a one-time password (OTP), which is generated and sent to their application or smartphone.
Note that there is one method of two-factor authentication that reigns supreme, and that is Google Authenticator. Michael Terpin is a perfect example of what can go wrong with 2FA should you opt for SMS authentication instead. To refresh your memory, over a year ago, Michael Terpin (a well known Bitcoin thought leader and CEO of Transform Group) fell prey to a $24 million dollar altcoin hack, whereby 21-year old Nicholas Truglia socially engineered a “SIM swap.” SIM swapping refers to the process where hackers go into a wireless carrier’s store or contact them on the phone and pretend to be the target in question. They then transfer SIM information to a new phone, and voilà, they’ve now gained access to one’s accounts.
Security experts and researchers have adamantly warned against using text messages as a means to validate security logins online, as there have been numerous large-scale attacks over the years.
Google Authenticator is an application completely distinct from one’s cell phone carrier, and generates time-constrained codes on an app (usually for 30 seconds) and phone. Should a user fall prey to a malicious hacker, who then moves a user’s phone number to a different phone, the generated code would remain unaffected.
Just make sure to backup your private keys when using Google Authenticator and other 2FA apps.