The 2020 Year in Review: Major Blockchain or Cryptocurrency Incidents
If 2019 can be summed up as a wild journey, then 2020 will be totally unreasonable. Let's review these events in more depth to see what happened and how we can learn from them as an industry.
The following is a list of major security incidents in 2020. However, we will not list every incident one by one because there are too many.
The first quarter of 2020:
Story: Cryptocurrency exchange Poloniex issues a password reset warning.
Summary: Poloniex issued a PSA regarding their email in late December 2019, stating that after a list of email addresses and passwords was posted in a tweet, some users were forced to reset their passwords.
Story: YouTube account hijacked for cryptocurrency fraud.
Summary: Although this is not a new method of fraud, more and more people are hijacking YouTube accounts and using pre-recorded cryptocurrency event clips to broadcast fake cryptocurrency coupons.
Story: After a $50 million hack, Upbit upgraded the security of its ETH wallet.
Summary: A South Korean exchange publicly stated that in November 2019 their hot wallet was compromised and 342,000 ETH (worth approximately US$50 million) was stolen.
Story: Teenagers accused of $50 million in fraud by blockchain experts.
Summary: Although many people think that using SMS 2FA on their accounts will make them more secure, SIM swapping is still a real threat in this industry. A teenager took advantage of this fact and netted $50 million from various entities. The 18-year-old man was arrested and faces multiple criminal charges.
Story: After the wallet was hacked, the IOTA cryptocurrency shut down the entire network.
Summary: IOTA shut down their network for a long time because hackers exploited a vulnerability in the official IOTA wallet (Trinity) application to steal users' funds.
Story: High-risk business: #DeFi and the growth story of Ethereum.
Summary: Taylor Monahan, the founder of MyCrypto, transcribed her speech on DeFi and related risks at ETHDenver 2020. Taylor discussed potential pitfalls, previous attacks, what we learned and what we didn't learn from past mistakes, and what we can do to improve the space.
Story: Does the bZx flash loan attack herald the end of DeFi?
Summary: A popular DeFi protocol suffered two attacks in a short period of time through two flash loan vulnerabilities. It lost 1193 ETH in the first round and 2378 ETH at the end of the second round.
The second quarter of 2020:
Story: Hackers used vulnerabilities in the decentralized Bitcoin exchange Bisq to steal $250,000.
Summary: After Bisq discovered that attackers were using the software to steal funds from users, they took "unprecedented" measures and halted trading. According to reports, the attackers stole 3 BTC and 4000 XMR.
Story: Fake browser extensions found targeting users of Ledger, Trezor, MEW, MetaMask, etc.
Summary: MyCrypto and PhishFort published a research report on a campaign that targeted cryptocurrency users by using Google ads to push malicious browser extensions that imitated well-known brands.
Story: Etherscan launches "ETH Protect" to identify and mark tainted ETH addresses.
Summary: One of the most commonly used blockchain explorers, Etherscan, has launched a product that gives users more information about addresses (taint analysis) and quickly shows whether they have received cryptocurrency from a known bad address.
Story: dForce lost $25 million in DeFi smart contract vulnerability.
Summary: The lending protocol dForce, which is considered to be a fork of Compound with modified code, suffered an attack similar to the one on the Uniswap liquidity pool. The attack exploited a standard on the imBTC contract.
Story: "Evil genius" teenager accused of stealing millions in cryptocurrency.
Summary: A high-profile SIM-swapping complaint submitted by Michael Terpin was published. At the time of the attack, one of the main accused was only 15 years old. He was suspected of SIM-swapping multiple people and stealing more than 23 million U.S. dollars.
Story: Supercomputers across Europe were hacked to mine cryptocurrency.
Summary: Multiple supercomputers in the United Kingdom, Germany, and Switzerland were infected with malicious cryptocurrency mining software. The attackers used cracked SSH logins to mine Monero, a cryptocurrency that emphasizes privacy protection.
The third quarter of 2020:
Story: Post-mortem analysis of the Twitter hacking incident.
Summary: On July 15, 2020, a large-scale account takeover campaign took place on Twitter, which included the use of verified political accounts to promote "trust transactions"/prepaid bitcoin scams. In total, "only" about $150,000 was stolen, which is small relative to the widespread exposure the bad guys gained from the accounts they took over.
Story: Working with Binance to return $10,000 in stolen cryptocurrency to the victim.
Summary: We (MyCrypto) are studying more phishing activities and have discovered another open port to a server used by criminals. Once again, we mingled between their phishing front-end and the communication channels of the criminals to clean up those phished assets so that they would not fall into the bad guys' pockets.
Story: Do these 10 things well and say goodbye to losing coins.
Summary: MyCrypto published a short ten-step guide presenting best practices and clear action items on how to protect cryptocurrency assets and related accounts. We used our extensive knowledge of how cryptocurrencies were stolen and compiled an actionable list.
Story: Hackers obtained $16 million worth of Bitcoin through a Bitcoin wallet attack.
Summary: A user did not install a critical security update on their Electrum wallet, and thus became a victim of an (old) attack, resulting in the loss of 1,400 BTC. The user was tricked into connecting to a malicious Electrum server, which was able to display rich text in an error pop-up. The returned error prompted the user to update their Electrum software, but it linked to a malware download.
Story: Escape from the Dark Forest.
Summary: samczsun (and his companions) successfully saved $9.6 million from a flawed contract in a white hat operation. This story is interesting because samczsun explained how they defeated the front-running bots: they privately sent the signed transaction directly to the miners instead of broadcasting it to the transaction pool.
Story: KuCoin, a cryptocurrency exchange, was hacked and lost more than $280 million.
Summary: KuCoin, a popular Asian exchange, had their hot wallet compromised and was alerted to a large number of Bitcoin and Ethereum withdrawals. KuCoin is investigating with international law enforcement agencies, and the exchange promised to use its insurance fund to cover all losses in customer funds.
The fourth quarter of 2020:
Story: Cryptocurrency exchange Liquid confirms hacking.
Summary: Liquid confirmed that their domain name and email account have been compromised. The exchange believes that hackers may have obtained personal information, including email addresses, names, shipping addresses, and encrypted passwords.
Story: Hackers use GoDaddy employees to hack into cryptocurrency websites Liquid and NiceHash.
Summary: A public report stated that there is conclusive evidence that NiceHash and Liquid were breached through their service provider GoDaddy.
Story: Tugou smart contract takes away 10.8 million U.S. dollars.
Summary: The smart contract of a liquidity mining protocol (a copy of Harvest and Yearn.finance) has a hidden backdoor that allows developers to directly withdraw the BTC, ETH, and DAI in the contract.
Story: After being hacked, Ledger added Bitcoin bounty and new data security.
Summary: Ledger claims that the most recent dump of their customers' data came from a rogue agent at Shopify. Matt Johnson, Ledger's new chief information security officer, has developed new procedures and policies to prevent future data leakage and announced a 10 BTC reward for any information that leads to the hacker's arrest.
Story: Cryptocurrency exchange EXMO claims that 5% of total assets have been stolen.
Summary: EXMO found suspicious behavior in their hot wallet and suspended withdrawals for investigation. The conclusion is that their cold wallets were not affected, but 5% of their hot wallets were stolen.
The goal for 2021 is the same as our goal for 2020: let us do better.