Japanese cryptocoin exchange robbed of $100,000,000

Another week, another cryptocurrency catastrophe.

Last week’s story was about Chinese cryptocoin smart contract company Poly Networks, which was robbed of about $600 million’s worth of various cryptocurrencies.

That heist has turned into an ongoing saga in which, mirabile dictu, the hacker ultimately seems to have agreed to return as much of the stolen cryptocurrency as he can.

In a bizarre stream of messages transmitted as “additional data” in zero-value transactions on the Ethereum blockchain, the thief claimed, ALL IN CAPS, to have acted out of altruism.

The hacker, now dubbed Mr. White Hat in an act of obeisance by Poly Networks, suggested that he’d taken the money for safe keeping before disclosing the bug, so that no one else could exploit it in the meantime.

(The implication was that the coders who would be working to fix the bug – who would inevitably need to know how the bug could be exploited in order to repair it properly – might themselves be rogues, and therefore needed protecting from their own baser instincts by a nobler form of cybercriminality.)

The money hasn’t all been recovered yet – that is expected to take a few days more – but Poly Networks seems confident [2021-08-20T15:00Z] that it will get back most of it in the end.

The company has also said that it will dig into its own pockets “to compensate for any slippage loss and fees that are incurred.”

Amusingly, if not amazingly, Poly Networks has “rewarded” Mr. Hat with 160 Ethereum coins (about $525,000 at today’s price), and offered him a role as Chief Security Advisor.

In one of the company’s own blockchain messages back to Hat, Poly Networks went so far as to invite him to be a co-approver of any future upgrades to the system.

That might seem like an alarming amount of control to offer to someone who once ran off with all your funds and deliberately shut down your whole network for two weeks, even if they decided to give back most of the money in the end:

We decided to use [a] multi-signature of relay chain validators to authorize upgrades. We also hope to invite you to participate in the future development of the Poly Network. If you want, your address […] can be one of the validators.

Hat, for his part, has been on the receiving end of numerous blockchain spam messages of his own, with a mixture of admirers, detractors and opportunists letting him know how they feel and what they expect from him.

YOU SAID YOU WILL GIVE ME A PERSONAL GIFT. I WOULD LIKE 32 ETH, insisted one commenter, who claimed to know the name of the company where Hat used to work and threatened to reveal the details.

Another noted, contrarily eschewing Hat’s ALL CAPS style and letter spacing, that Nowitseems­thatmoneyis­stillveryimportant.­Stillsupportyou!

Truth, as the truism goes, can sometimes be stranger than fiction.

Roguery redux

This week, sadly, it was the turn of cryptocoin trading platform Liquid to get hit by hackers.

The company bravely still has a cryptocurrency exchange rate ticker scrolling across the top of its website, but underneath that is a worrying notice saying simply:

All crypto deposits are currently suspended. Please do not transfer crypto to your Liquid wallet address until further notice.

The More information link on the main page leads to an even more chilling note that apparently confirms the scale of the problem:

Important Notice: We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet.

We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended.

Hot versus cold

A “hot wallet” (the word warm above rather understates the immediacy and risk involved, but may just be a detail of translation rather than a misguided attempt at euphemism), as the name suggests, is one that is primed for access at any time.

Loosely speaking, a hot wallet is a file of cryptocurrency assets that is directly available for online trading, with any necessary cryptographic passwords and private keys shared with the online trading platform you’re using.

In contrast, a cold wallet is one that’s stored offline, and where you keep the cryptographic keys to yourself.

In a cold wallet setup, the files that constitute your cryptocoin stash are inaccessible to malware or hackers who manage to wriggle into your computer, thanks to being kept offline, and unusable in the event of an intruder in your house finding the storage device on which you stashed them, thanks to being encrypted.

Note. If you give someone hot wallet access, and they then move your funds into a cold wallet of their own, as described above, that’s safer than having your cryptocoins available for immediate online trading, but it’s nevertheless not your cold wallet, so the person who created that cold wallet still has control over your funds.

If you want to compare cryptocoin walletry with social media access, setting up a “hot wallet” is a bit like deliberately logging into your Twitter and Facebook accounts on someone else’s laptop, going through the necessary authentication processes to grant yourself full access…

…and then going home without logging out, saying to your friend, “Here’s a list of topics to follow and the things I’d like to say if any of them come up. Keep my accounts logged in, watch out in case anything interesting comes up, and chime in with relevant comments in my behalf whenever it does.”

You have to trust your friend completely – both directly (e.g. not to go rogue and start posting uncharitable or offensive comments in your name) and indirectly (e.g. not to get hacked so that intruders can access your accounts remotely).

What next?

Unfortunately, there’s no suggestion, so far, that the crooks who hacked Liquid are now thinking of giving back the funds they’ve just stolen, said in some reports to be worth about $100 million.

Stolen cryptocoins can be hard to turn into regular money, as many cryptocurrency thieves have found in the past.

Most exchanges will track cryptocurrency wallets into which stolen coins were transferred, especially in high-value raids like this one, in an effort to blocklist payouts that might be used to convert the looted funds back into cash, or to launder them into other types of cryptocoin.

But the fact that stolen cryptocoins might not end up enriching the crooks who stole them is cold comfort if those stolen coins were yours…

…in the same way that you would still be left out of pocket if a crook who pickpocketed your wallet simply set fire to the banknotes inside it instead of spending the money on themselves.

What to do?

We’re going to repeat what we said last week, after Poly Networks found its assets drained without warning:

  • If you’re thinking of getting into the cryptocurrency scene, never invest more than you can afford to lose. There are more than 10,000 different cryptocoins currently in existence, many of which were kicked off by cash injections from early investors. Not all cryptocoins can or will follow the Bitcoin pattern of going from a few cents in value in 2010 to $45,000 each in August 2021. Even worse, some “investments” are outright scams in which the “creators” of the cryptocoinage collect startup funds from early investors in what’s known as an ICO (initial coin offering), only to run off without ever establishing the new cryptocurrency at all.
  • If you plan to buy and hold cryptocurrency, keep as much of you can offline in what’s known as a cold wallet. A cold wallet is an encrypted file that you keep where you won’t lose track of it, and where other people can’t use it unless they know your password.

For further discussion and advice, listen to Sophos expert Chester Wisniewski in this week’s podcast, where we discuss the Poly Networks incident and what it says about online trust (the cryptocurrency section starts at 17’13”):

LISTEN NOW

Click-and-drag on the soundwaves to move forward or back. Cryptocurrency segment at 17’13”.
You can also listen directly on Soundcloud.


go top