Hackers just stole $40 million worth of bitcoin from Binance, one of the largest cryptocurrency exchanges in the world. It’s hardly the first time crypto has been targeted by thieves. For a technology that’s supposed to be hyper secure, in practice, it’s often proven itself to be, well, not.
Binance, which is based in Taiwan, announced on Tuesday that hackers were able to withdraw about 7,000 bitcoin through a single transaction, amounting to $40 million. Hackers employed various methods, including phishing and viruses, in what the company described as a “large scale security breach.” Withdrawals and deposits on the platform have since been suspended. Fortunately for Binance customers, the company will use its emergency insurance fund, so customers won’t personally incur any losses.
Bitcoin and other cryptocurrencies have proven a prime target for hackers despite their characterization by proponents as super safe and impregnable. One of the biggest such cases was Mt. Gox, which collapsed in 2014 after losing $460 million, apparently to hackers. In 2016, hackers stole $72 million worth of bitcoin from exchange Bitfinex. And in 2018, hackers stole $500 million in digital tokens from exchange Coincheck.
According to the Wall Street Journal, more than $1.7 billion in cryptocurrency has been stolen over the years, most of which has come from exchanges and been centered around Asia.
The Binance heist, like the previous exchange hacks, should serve as a warning to cryptocurrency investors: Your money might not be as safe as you think it is.
“It’s like robbing a bank, except you can do it from a thousand miles away, from the comfort of your home, and the money you get is virtually untraceable and you can disguise it by laundering it through multiple wallets in a matter of minutes,” said Robert Long, an attorney at GreenbergTraurig and former federal prosecutor.
What Happened at Binance, Briefly Explained
According to a statement from Binance, hackers obtained user API keys, two-factor authentication codes, and other information to execute their plan and withdraw 7,000 bitcoin in a single transaction.
The hack impacted Binance’s so-called “hot wallet,” which is basically storage that connects to the internet and is used for liquidity so bitcoin can be exchanged. According to Binance, just 2 percent of its total bitcoin holdings were in its hot wallet. The rest was presumably in “cold storage,” meaning bitcoin kept offline. Had Binance kept more of its bitcoin in its hot wallet, the hack could have been much worse.
Binance said the hackers “had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time” and that the transaction was structured to pass its security checks. Binance customers won’t lose money, though, thanks to its “Secure Asset Fund for Users,” an emergency insurance fund it’s had in place since July 2018.
What Makes Bitcoin Exchanges So Hackable
Talking about bitcoin’s security is a two-pronged discussion: one is the technology itself, and the other is how it’s transferred and stored.
Blockchain, the ledger technology upon which bitcoin is based, is very safe and secure. It’s an “immutable or almost immutable record of who has transferred bitcoins to who,” Peter van Valkenburgh, research director at public policy advocacy group Coin Center, told me. “The problem of security is, alright, who’s allowed to make transactions on the blockchain? The answer is anyone who has the keys that match bitcoins in a particular address.”
If you have your own “keys” — basically, a set of letters and numbers corresponding to your bitcoin — then it’s secure. But once you hand them over to someone else, such as an exchange or wallet, for storage, then it’s up to that organization’s cybersecurity systems and practices to keep the currency safe. Plenty of organizations have been susceptible to data breaches — look at Equifax, Yahoo, and Target. Cryptocurrency exchanges are no exception.
The thing with bitcoin is that once it’s gone, it’s gone. You no longer have the key, someone else does. That same fundamental security of the blockchain that you took advantage of, the hacker now does, too.
“If Binance has a vulnerability in their security system and a hacker’s going to exploit and retrieve that value, which is immutable and totally secure at a fundamental level, and move it from Binance’s wallet to their wallet, then they now take possession of its coin,” Jeremy Gardner, a cryptocurrency entrepreneur and managing partner at the investment firm Ausum Ventures, said. “This is a feature in bitcoin, not a bug.”
You can’t get you bitcoin back.
“These types of currencies are unbelievably attractive to a thief or a hacker because of the anonymous nature of it,” John Sedunov, a professor of finance at Villanova University, said. “There’s more of an appeal, because if I go rob a bank, I’m on camera, etc. If I steal a bitcoin from an exchange, I have a string of random letters and numbers attached to me, and nobody is going to figure out who I am.”
The Wall Street Journal in 2018 laid out other elements that make bitcoin theft particularly appealing:
Unlike stock exchanges, which facilitate trading but don’t actually hold securities on behalf of investors, many cryptocurrency exchanges charge fees for trading and store currencies for their customers. Analysts say that makes cryptocurrency exchanges like sitting ducks. Thieves that manage to break in can do something akin to robbing a bank—getting hold of valuable cryptocurrencies that they can cash out of.
Cryptocurrency exchanges are “easy to breach, with minimum effort and expense from attackers and with maximum return on investment,” said Robert Statica, president of BLAKFX, a cybersecurity firm in New York.
Regulations around bitcoin vary by country as well, meaning some places require exchanges to follow stricter guidelines than others.
When hacks do occur, international and national law enforcement agencies do get involved in attempting to track criminals down, and the penalties apply as they would any type of theft. In the US, law enforcement agencies such as the FBI have taken action against thieves and other illegal uses of cryptocurrency.
How To Invest in Bitcoin Securely (Hopefully)
Investing is always risky, including and perhaps especially when it comes to cryptocurrency. Beyond the security concerns, there’s the simple fact that crypto is subject to some pretty wild price swings. Case in point: At the end of 2017, the price of bitcoin hit nearly $20,000; right now it’s under $6,000.
If you’re invested in crypto — or thinking of getting started — there’s not a lot you can do to prevent price swings (beyond maybe don’t put a bunch of bitcoin on your credit card). But there are security precautions you can take.
Some people choose to store their crypto on their own, but for the less tech-savvy, there are exchanges and digital wallets run by third parties. Van Valkenburgh laid out some simple advice on how to evaluate different options: pick a large operation, look for one that’s regulated and compliant with laws, especially in the United States, and pay attention to emergent best practices, such as exchanges that use cold storage and have insurance.
“Shop around for a good exchange,” he said. He mentioned Coinbase as a potential option that fits those criteria in the United States.
Gardner said a safer option than an exchange would be a wallet that relies on cold storage, where the point is to safely store cryptocurrency, not trade it. Some examples are Xapo, BitGo, and Coinbase’s “Vault.”
Crypto is still a budding space, and while it’s come a long way from the Mt. Gox days, it’s still got a long way to go in maturing, including when it comes to security. The Binance episode is the latest piece of evidence along those lines.
“It’s a kind of precaution,” Sedunov said. “When you think about where to invest, you want to make sure these people are being good custodians to your security.”
Correction: A previous version of this story stated that bitcoin owners were not able to track their currency once stolen. They can trace it, but they cannot get it back.