Cryptocurrency exchanges have always been a prime target for hacking activity due to the vast amounts of cryptocurrency and money held within each exchange. Finding and exploiting weaknesses in exchanges can be very profitable for hackers, and such hacking activity has grown exponentially year on year.
In late December 2018, Coindesk published an article revealing that the amount of cryptocurrency stolen from exchanges increased 13 times in 2018 compared to 2017. Analytics firm Chainalysis reported that approximately $1 billion worth of cryptocurrency was stolen from digital currency exchanges in 2018.
Many successful hacking attempts can be attributed to the failure of cryptocurrency exchanges to secure their services, as can be seen from the following examples:
- in January 2018, Japan-based Coincheck fell victim to a hack in which 523 million NEM tokens (at the time worth $534 million USD) were stolen. This was due to the lack of protection mechanisms used, such as storing funds in “cold” (offline) wallets and using multi-signature protection requiring the approval of multiple parties to initiate transactions; and
- in June 2018, South Korea-based Coinrail fell victim to a hacking attack worth $40 million USD. Following the incident, Coinrail was unable to provide any information regarding the theft, prompting analysts to point to the lack of security personnel and limited investment in security within smaller cryptocurrency exchanges.
Hacking methods have also become increasingly sophisticated, with a rising trend of “51%” or “double spend” attacks launched by cybercrime organisations. A group that controls the majority of a blockchain’s computing power (hence the name “51% attack”) can create a separate chain, which allows the group to re-spend funds that have already been spent on the original chain. An attack in January 2019 on Ethereum Classic caused $1.1 million USD worth of funds to be lost, with cryptocurrency exchange Gate.io losing $200,000.
A recent decision by an Italian Bankruptcy Court held that a director of an exchange operator was personally liable for not implementing suitable safeguards to avoid the loss of its users’ assets. Similar litigation is currently on foot in Singapore in relation to whether an exchange operator acted in “breach of trust” as a custodian. In addition, regulators in some countries such as South Korea have begun conducting security audits on cryptocurrency exchanges.
Exchange operators must take all reasonable steps to ensure the security of their users’ funds. Failure to do so may expose them to liability for breaching their duties to their users or put them at risk of being shut down by regulators.