How Crypto Gets Hacked: Issue #9
Ronin Hack, NFT Phishing, KYC for Self-Custody Wallets, and thoughts from the SEC
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets.
Do your own due diligence.
Sky Mavis’ Ronin Blockchain Gets Hacked
The largest and craziest story that happened recently was the hacking of the Ronin blockchain. Ronin was created by crypto gaming company Sky Mavis (the creators of the popular NFT game Axie Infinity) to help facilitate transactions for gaming.
They were trying to make this “sidechain” so that they could build a blockchain exclusively for gaming, with faster speeds and lower transaction costs than Ethereum, where the game was originally built. Unfortunately, higher speeds and lower cost also typically mean sacrificing security.
The hacker was able to steal 173,600 Ethereum and 25.5 million USDC from the network, about $625 million at the time. But how were they able to do this?
It was the equivalent of a 51% attack. Like I’ve talked about before, when someone is able to control over 50% of the hash power of the network, there is a lot of damage they can do. In this case, they were able to access the vault of cryptocurrencies and withdraw all the funds.
Typically in a decentralized network, you would want as many miners/validators as possible to make the network harder to attack. If a few large ones are compromised, no big deal, because the rest of the miners/validators can continue to operate and process transactions as usual and the compromised ones will become isolated if they try to steal from anyone. In the case of Ronin, they only had nine validators total, making it much easier to seize control of the network.
The attacker was able to steal the private keys to the four Sky Mavis-owned validator nodes, and one more owned by an Axie Infinity DAO. Why Sky Mavis decided to own 4 of the 9 total nodes and didn’t think to provide extra security measures to protect the private keys is beyond me. With 5 of the 9 total nodes, the attacker could then override transactions and validate their own withdrawals as they pleased.
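To make the withdrawal rule concrete, here is an added example (my own code, not Ronin's or Sky Mavis' bridge contract). It models a 5-of-9 validator threshold over a withdrawal message, shows that five compromised keys pass the plain check exactly as described above, and then adds a hypothetical operator-cap policy in which signatures from a single organization count at most twice toward the threshold. The validator names, operator labels, key bytes and the use of HMAC-SHA256 as a stand-in for on-chain signatures are all constructed assumptions for the example.

```python
"""Threshold-approval model of a bridge withdrawal (added example, not Ronin's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed validator set following the page's description: nine validators, four
# run by Sky Mavis and one by the Axie DAO. Operator names and key bytes are made up;
# HMAC-SHA256 stands in for the signatures a real bridge contract would verify.
VALIDATOR_KEYS: Dict[str, bytes] = {
    f"v{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(1, 10)
}
VALIDATOR_OPERATOR: Dict[str, str] = {
    "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis", "v4": "sky_mavis",
    "v5": "axie_dao",
    "v6": "operator_a", "v7": "operator_b", "v8": "operator_c", "v9": "operator_d",
}
THRESHOLD = 5  # 5-of-9, as stated on the page


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_wei: int
    nonce: int  # replay protection: a real bridge marks each nonce as spent

    def digest(self) -> bytes:
        msg = f"{self.recipient}|{self.amount_wei}|{self.nonce}".encode()
        return hashlib.sha256(msg).digest()


def sign(validator: str, w: Withdrawal) -> bytes:
    """Validator signs the withdrawal digest with its (constructed) secret key."""
    return hmac.new(VALIDATOR_KEYS[validator], w.digest(), hashlib.sha256).digest()


def collect(w: Withdrawal, validators: Iterable[str]) -> Dict[str, bytes]:
    """Gather signatures from the given validators (one entry per validator id)."""
    return {v: sign(v, w) for v in validators}


def valid_signers(w: Withdrawal, sigs: Dict[str, bytes]) -> Set[str]:
    """Validators whose signature over w verifies; unknown ids and bad signatures are dropped."""
    ok: Set[str] = set()
    for validator, sig in sigs.items():
        if validator in VALIDATOR_KEYS and hmac.compare_digest(sign(validator, w), sig):
            ok.add(validator)
    return ok


def approve_plain(w: Withdrawal, sigs: Dict[str, bytes], threshold: int = THRESHOLD) -> bool:
    """Baseline rule: any `threshold` distinct valid validator signatures approve."""
    return len(valid_signers(w, sigs)) >= threshold


def approve_with_operator_cap(w: Withdrawal, sigs: Dict[str, bytes],
                              threshold: int = THRESHOLD, max_per_operator: int = 2) -> bool:
    """Hypothetical hardened rule: one operator's keys count at most `max_per_operator` times."""
    per_operator: Dict[str, int] = {}
    for v in valid_signers(w, sigs):
        op = VALIDATOR_OPERATOR[v]
        per_operator[op] = per_operator.get(op, 0) + 1
    weight = sum(min(n, max_per_operator) for n in per_operator.values())
    return weight >= threshold


def operators_needed(threshold: int = THRESHOLD, max_per_operator: Optional[int] = None) -> int:
    """Fewest distinct operators whose full compromise reaches the threshold (a defender metric)."""
    counts: Dict[str, int] = {}
    for op in VALIDATOR_OPERATOR.values():
        counts[op] = counts.get(op, 0) + 1
    contrib = sorted(
        (n if max_per_operator is None else min(n, max_per_operator) for n in counts.values()),
        reverse=True,
    )
    total = 0
    for i, c in enumerate(contrib, 1):
        total += c
        if total >= threshold:
            return i
    raise ValueError("threshold cannot be reached under this policy")


if __name__ == "__main__":
    w = Withdrawal("0xconstructed-recipient", 173_600 * 10**18, nonce=1)
    attacker = ["v1", "v2", "v3", "v4", "v5"]  # four Sky Mavis keys plus the DAO key
    print("plain 5-of-9 approves attacker set:", approve_plain(w, collect(w, attacker)))
    print("operator-capped rule approves it:", approve_with_operator_cap(w, collect(w, attacker)))
    print("operators to compromise, plain / capped:",
          operators_needed(), operators_needed(max_per_operator=2))
```

Under the plain rule the attacker set passes and only two organizations need to be compromised to reach five keys; under the capped rule the same five signatures weigh only three, and four distinct operators would have to be compromised. The cap is a policy choice, not a substitute for raising the validator count, which is the change Sky Mavis announced.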
Since the hack, Binance helped Sky Mavis raise money to reimburse users for some of the stolen funds and fill the gap, and the hacker has been seen trying to use the mixer Tornado Cash to obfuscate the transaction history of the stolen Ethereum and hide their tracks.
Sky Mavis also vowed to increase the number of validators from 9 to 21, which should help blockchain security in the future.
My Take:
- Building a new blockchain is hard. Building in crypto in general is hard, and it’s better to use blockchains and decentralized applications that are time-tested.
- More distributed hash power is better for security.
- Are there ANY legal funds used through Tornado Cash? It seems like every time we hear about a hack, we hear about them trying to run it through Tornado Cash or some other mixer a few days later. Again, I’m not a fan.
NFT’s Are Getting Stolen Through Phishing Attacks
In the first case, NFT collector Arthur Cheong had 60 valuable NFTs stolen from his online crypto wallets, worth an estimated $1.7M according to Forbes. The hacker was able to take control of his “hot wallets” through an email attachment that looked legitimate but actually contained malware:
In Cheong’s case, the attacker disguised the malicious file to appear as though he’d received a word document from a company in DeFiance Capital’s portfolio. Cheong says he was careful with his security practices and used a hardware wallet tied to a PC until recently becoming a more active NFT trader. “Hot wallet on mobile phone is indeed not safe enough,” he added.
It didn’t matter. Cheong tweeted that the thieves also accessed a second hot wallet on his PC unconnected to a hardware wallet. The two affected wallets do not share the same seed phrases. The incident serves as a warning to all crypto users to maintain robust security practices.
In another case, The Block reported that scammers were using verified accounts on Twitter to help them steal valuable Bored Ape NFTs:
Earlier this month, BAYC launched an airdrop of ApeCoin tokens for Bored and Mutant Ape NFT holders. For this attack, scammers hacked multiple verified Twitter accounts in order to promote links to a URL impersonating an ApeCoin token airdrop site. Some of the Twitter accounts had more than 50,000 followers.
Unsuspecting victims who clicked on the phishing links included both BAYC NFT owners and non-holders willing to cough up 0.33 ETH ($1,130) to take part. However, instead of registering for the chance to claim ApeCoin tokens in a new airdrop, they found themselves faced with malicious code that gave the scammers access to their wallet.
Scammers and thieves are also using other techniques, such as adding verified checkmarks directly to fake NFT images, as described in the thread below:
My Take:
If you’re going to start putting large amounts of money to work in this space or have some valuable NFTs lying around on your computer, it might be time to invest in a hardware wallet and practice better security controls like two-factor authentication (2FA) if you aren’t already. Be aware of what you click on and be careful out there.
Europe Will Enforce KYC for Non-custodial Wallets
On March 31, the European Parliament’s Committee on Economic and Monetary Affairs (ECON) approved provisions to Europe’s Transfer of Funds Regulation that restrict Virtual Asset Service Providers (VASPs) from transacting with unhosted wallets without verifying their owners’ identities beforehand.
Further, VASPs will be required to report all crypto transactions worth more than 1,000 EUR to relevant anti-money laundering authorities.
A non-custodial wallet is also known as a self-hosted wallet, or one without any financial institution behind it. In other words, a wallet owned and controlled by an individual.
Having control over your own private keys is a staple of the crypto ecosystem, because having to trust another institution to keep your money and data safe goes against the “trustless” ethos of the crypto-sphere and is no longer necessary with the tech we currently have (browser wallets and hardware wallets).
CEO of Coinbase Brian Armstrong is not happy about it:
Coinbase co-founder and CEO, Brian Armstrong, described the legislation as treating “every person who holds crypto differently from fiat.”
“This means before you can send or receive crypto from a self-hosted wallet, Coinbase will be required to collect, store, and verify information on the other party, which is not our customer, before the transfer is allowed,” he said. Armstrong continued that Coinbase will be required to report their customers to authorities “any time [they] receive 1,000 euros or more in crypto from a self-hosted wallet.”
It could also potentially cause more problems than it tries to fix:
Unstoppable Finance posted that transactions between non-custodial wallets and centralized exchanges “would become way more costly and burdensome” due to the data collection requirements.
The team speculated that “smaller crypto companies with fewer resources” may ban transfers to self-hosted wallets to avoid the expenses, harming their competitiveness and driving European users to foreign platforms.
Unstoppable also warned that the databases storing names, home addresses, and other sensitive personal data would become the target of hackers and criminals, which could lead to increased incidents of hacking, phishing, and physical violence targeting crypto users.
My take:
This is a tough one for me and I’m not sure what the right answer is here.
On the one hand, I see where the Europeans are coming from: we need a way to make crypto comply with KYC and AML laws to prevent terrorists, rogue states, and other bad actors from taking advantage of the benefits of cryptocurrency. As much as Brian Armstrong wants crypto to be treated like physical cash, it’s much harder to transport large amounts of physical cash across long distances and borders than it is to send crypto anywhere in the world in 5-10 minutes. They’re very different.
On the other hand, I would agree with Unstoppable that this may end up causing more issues. Once a startup decentralized application (dApp) gets its user server hacked and the personal information of thousands of users gets stolen, everyone will point back at this new law and blame them for passing it.
But I think it’s doable, and it may even create more jobs and companies who can service the “crypto-compliance, personal data storage service” market. Maybe even a decentralized crypto solution (such as Filecoin, Sia, or Storj) can take over the responsibility, preventing one server breach from compromising tons of personal information.
Those in the crypto-sphere are decrying this because they hate any type of government oversight, but it could end up being an even bigger opportunity for growth, innovation, and adoption in the long run.
SEC Calls for Disclosures and Oversight
According to Markets Insider, the SEC wants companies holding crypto for users to be treated differently than other brokerages:
Crypto-trading platforms that look after digital holdings for customers should book these on their balance sheets as their own liabilities and assets, the Securities and Exchange Commission has said.
They should also disclose the nature and amount of crypto assets held for customers in their company accounts, starting in June, the SEC said in guidance published on Thursday.
Crypto-trading companies that are publicly listed will have to make the change. Right now, they can record and disclose the digital assets they hold in custody on behalf of customers separately.
In future, any obligations to customers must be treated as liabilities, while any crypto assets held should be accounted for as an asset, the SEC indicated in its guidelines. This would likely enlarge affected companies' balance sheets.
. . . . .
The guidelines contrast with those for brokerages, which don't have to put customer assets on their books. The SEC pointed to particular risks involved with crypto assets and platforms for taking a different approach. "The obligations associated with these arrangements involve unique risks and uncertainties not present in arrangements to safeguard assets that are not crypto-assets, including technological, legal, and regulatory risks and uncertainties," it said.
According to Axios, SEC Chair Gary Gensler is asking his staff to look into new areas they should investigate for crypto regulation:
Between the lines: The chair delineated four issues he would like to see his staff address.
Protecting retail traders in crypto in much the same way they are protected in equities. As an example, the New York Stock Exchange is regulated in ways that a Coinbase or a Kraken are not, which provides retail traders there more protections.
Teaming up with the Commodities Futures Trading Commission. Until crypto, commodities and securities didn't trade on the same venue, the agency's Scott Schneider explained to Axios. Because they trade side-by-side on crypto platforms in the form of tokens, though, the two regulators need to explore ways to work together.
Firewall custody of assets. Crypto's platforms take custody of assets (actual cryptocurrency), while regulated equity exchanges do not. Crypto often gets stolen from such exchanges, putting investors at risk (with Canada's QuadrigaCX serving as one cinematic example). Gensler wants to explore rules around separating exchange and custody functions.
Separate market making out. Regulated exchanges serve as a meeting place for buyers and sellers, but some crypto exchanges also do buying and selling in order to keep liquidity flowing. Gensler asked staff to look at whether separating these functions would be appropriate in crypto as well.
Gary Gensler also gave a talk at the University of Pennsylvania, where he gave prepared remarks. Here are some important quotes:
In February, you all might have noticed Super Bowl ads for several crypto platforms. This wasn’t the first time we’d seen some new innovations getting air time on the biggest TV event of the year.
Seeing these ads reminded me that, in the lead-up to the financial crisis, subprime lender AmeriQuest advertised in the Super Bowl. It went defunct in 2007. A few years before that, according to Axios, “Fourteen dotcom companies advertised during the 2000 Super Bowl, most of which are now defunct.”[1] I know many in the audience may just have been young children at the time, but the internet was relatively new back in 2000. The dot-com bubble burst, though, created significant tremors in our markets.
There’s no reason to treat the crypto market differently just because different technology is used. We should be technology-neutral.
Furthermore, these platforms likely are trading securities. A typical trading platform has dozens of tokens on it, at least. In fact, many have well in excess of 100 tokens. As I’ll address later, many of the tokens trading on these platforms may well meet the definition of “securities.” While each token’s legal status depends on its own facts and circumstances, given the Commission’s experience with various tokens that are securities, and with so many tokens trading, the probability is quite remote that any given platform has zero securities.
(On stablecoins) For instance, what backs these tokens so we can make sure that these holdings can actually be converted to dollars one-to-one? Further, stablecoins are so integral to the crypto ecosystem that a loss of the peg or a failure of the issuer could imperil one or more trading platforms, and may reverberate across the wider crypto ecosystem.
Then, thirdly from a policy perspective are all the other crypto tokens. The fact is, most crypto tokens involve a group of entrepreneurs raising money from the public in anticipation of profits — the hallmark of an investment contract or a security under our jurisdiction. Some, probably only a few, are like digital gold; they may not be securities. Even fewer, if any, are actually operating like money.
When a new technology comes along, our existing laws don’t just go away.
Gensler basically calling out crypto by comparing it to past bubbles tells you all you need to know about what he thinks of the entire space right now.
If you want to get into the mind of Gary Gensler and the SEC, I encourage you to read the whole thing.
My Take:
There’s going to be A LOT of regulatory changes over the next few years.
Investor protections, separating “commodity-like crypto” from “security-like crypto,” separating out the different functions of crypto trading… there’s just a lot there.
I have no idea what will happen for sure, but I’m pretty sure the SEC is coming for cryptocurrency, especially if it acts like a security offering.
Thanks for reading!
And I’ve just recently started a “buy me a coffee once a month” paid tier, so if I’ve helped you understand how crypto gets hacked, the downsides of crypto by looking into what could go wrong, or what is happening with crypto regulation, I would greatly appreciate your support. It would also help encourage me to keep writing and continue to become a better writer.
I appreciate you!