In the first quarter of 2022 hackers have penetrated 78 blockchain projects and stolen almost $1.3 billion of crypto assets. This information was reported by the encryption and cybersecurity company Atlas VPN, which have calculated the data from Slowmist Hacked, a project that collects information about disclosed cases in blockchain projects.
The growing popularity of cryptocurrencies and their exchange platforms goes hand in hand with the booming interest of hackers’ who never sleep to compromise an exchange, wallet or account. This, in turn, spurs the security requirements for such applications. Today, almost every crypto exchange can compete with banking institutions in terms of protection. Nevertheless, attackers still hack crypto platforms and steal cryptocurrencies.
What are the threats that accompany crypto companies? How to protect crypto assets and platforms from cyberattacks? All the answers in this detailed overview from the developers of the Merkeleon cryptocurrency exchange software.
First and foremost, developers often misinterpret the words crypto and blockchain, considering these are secure by default. This leads to code or architecture issues. And the security of smart contracts cries for attention too. Often, developers rely too much on the security of blockchain itself, missing the unsafe operation of pseudo-random number generators, using data from the Bitcoin network or similar currencies as a source of random variables.
Up to date, the most popular attacks on cryptocurrency exchanges are DDoS attacks and phishing. In fact, the abbreviation DDoS (Distributed Denial of Service) has long been a news headline and a cause for users’ awe. Hackers transmit artificially created traffic — which has several sources — to the server. For the server, this creates too excessive a load to operate, and the site goes down. Thus, crypto exchanges lose money because traders can’t access the platform, and the funds stay still.
Phishing, on the other hand, is based on social engineering. At first, scammers create the exact copy of a target site. Then, they spam a letter, composed in a way similar to a real letter from the exchange, with logos and managers names replicated. The letter reports that due to software change or — isn’t that ironic — a hacker attack, a user needs to confirm or change their registration details. In all cases, the purpose of such emails is to force a user to follow the link and then enter their data on a false site.
Apart from targeted phishing, social engineering, site deface, malware download, supply chain attacks or hacking there may be even more attacks. In general, they can be divided as follows.
THREATS | |||
INTERNAL | EXTERNAL | INFRASTRUCTURE | SOFTWARE |
Targeted phishing via social networks | Account theft | Lack of standard during development | Vulnerabilities in trading process |
Social engineering | Fraud via web and mobile apps | Multi-stage targeted attacks on software | |
Insider attacks | L3 and L7 DDoS attacks | Update infection |
There are many ways to minimize risks and protect your exchange. Internal and external audits, constant monitoring of user activity and applying security experts recommendations. For example, the international standard CobiT (Control Objects for Information and Related Technology) is the most spread among auditors. It defines a set of universal IT management tasks, primarily for a company management and IT auditors.
Smart contracts form the blockchain basis. Their comprehensive audit must never be disregarded. Here, the difference from the routine information security resides in the critical level of the system and the amount of money in circulation, as well as in the system behaviour.
Further, to guarantee security to its users, a crypto exchange needs to shield itself first. The most common defence is two-factor authentication (2FA) and cold storage. Some exchanges impose stringent requirements and ask users to provide the copies of documents for verification. Besides, the bulk of all digital assets are stored offline in cold wallets that are not physically connected to any computer unless necessary for transactions.
When your security department knows about possible vulnerabilities and attacks, they can efficiently tackle all flaws and keep your crypto platform’s stability at a high level. Apart from the above procedures, for additional safety exchanges declare mandatory AML (Anti Money Laundering) and KYC (Know Your Client) mechanisms. For more tactics, follow our short guide.
PROTECTION METHODS | |||
INTERNAL | EXTERNAL | INFRASTRUCTURE | SOFTWARE |
Monitoring of phishing pages | Account theft prevention | Developing with reputable companies | Crypto exchange security audit |
Basic course in cyber-hygiene | Control of fraud for mobile and web apps | Perimeter Penetration Test | |
Traditional end-point security | Preventive measures for DDoS attacks | Threat detection |
Summarizing the talk, we need to make it clear: there always will be risks, there are no 100%-proof systems. Even companies, like Microsoft, get scammed. Yet, the above measures can ensure more security from hacker attacks to your cryptocurrency platform and boost more protecting techniques to emerge.
We recommend that you also read how to start a crypto exchange and what is crypto OTC trading.