• The Listener
  • North & South
  • Noted
  • RNZ

Gone in 60 seconds: The hard lessons from the Cryptopia heist

The Cryptopia homepage's ominous message.

Imagine if your bank emailed you to say it was carrying out “unscheduled maintenance” so you wouldn’t be able to deposit or withdraw any money for a while.

That was the ominous message customers of the Christchurch-based cryptocurrency exchange Cryptopia received on Sunday, only it wasn’t their money they couldn’t transfer, but digital tokens in one or more of the hundreds of cryptocurrencies the exchange traded in.

Nevertheless, those digital tokens can be traded for cash and anyone who has watched the rollercoaster ride of Bitcoin valuations over the last year knows how valuable those coins can suddenly and inexplicably become.

The following day the news got significantly worse. Cryptopia had “suffered a security breach which resulted in significant losses”. The Police and the High Tech Crimes Unit were investigating. The exchange remained closed and Cryptopia’s management was cooperating with the investigation.

The nightmare began to unfold for thousands of Cryptopia users whose coins were held in digital “wallets” connected to the company’s exchange, which apparently had as many as 1.4 million registered users.

One Reddit forum poster, Jollyjoker747, was among them.

“I am one of you,” he wrote yesterday.

“Most of my crypto funds were on the exchange on the date the hack happened (I was trading them actively) and I am also scared I will never see them again.”

He has set out to try and assemble as much confirmed information as possible about the Cryptopia incident in this Reddit thread, no mean feat in the murky and largely unregulated world of cryptocurrency trading.

Following the digital trail

It’s unclear just how much the combined worth of crypto tokens removed from Cryptopia’s digital wallets amounts to. However, one of the defining factors of the major cryptocurrencies is the blockchain technology that underpins them.

This records every transaction and movement of the coins in a decentralised ledger, as well as other details such as the wallets coins are being transferred to and from and their value at the time of trade. It means that observers can track the movement of coins, even if the identity of those moving them remains hidden.

Etherscan and other tracking services detected three major withdrawals from Cryptopia’s wallets within minutes of each other on January 13 – one in Ethereum currency worth US$2.47 million and another in Centrality, a cryptocurrency created by the Auckland company of the same name, worth around US$1.1 million. A third transaction in DAPS tokens, US$304,000. That totals around US$4 million worth of crypto transfers. Many other cryptocurrencies have been identified in unconfirmed social media posts, with amounts ranging from thousands to hundreds of thousands of dollars.

Cryptocurrency creators and the exchanges that facilitate in trade of their tokens have been going through the usual scramble to try and stop whoever made the transactions from getting away with the loot.

One of the largest exchanges, Binance, revealed that it had frozen tokens transferred to its wallets from others related to the Cryptopia withdrawal. The creators of DAPS, the decentralised autonomous payment system, warned users not to buy cheap tokens being offered for sale.

“This may see you get caught up in the tracking and your wallet may be blacklisted as a result of this,” the DAPS team told its users.

As with any bank heist, time is of the essence when trying to stop the robbers getting away with the cash. In the digital world, tokens can be transferred in seconds, traded for other currencies and converted to US dollars at an exchange, a laundering process that can be difficult to stop. With no uniform rules and standards across exchanges, wallets can be emptied before fraud is detected.

Biggest crypto hacks prior to Cryptopia. Photo/@lawmaster

Top 10 hack

That has been the case in many of the multi-million dollar hacks of cryptocurrency exchanges that have taken place over the last two years. In the scheme of crypto hacks, Cryptopia is on the smaller side, but appears serious enough to put it in the top 10 hacks by value.

The most infamous case of hackers stealing currencies held by an exchange dates to 2014, when hundreds of thousands of Bitcoins were stolen from Mt. Gox, which at that stage was the biggest exchange in the world.

The coins represented seven per cent of all of the Bitcoins in circulation at the time. The exchange collapsed in bankruptcy, its customers left out of pocket. Last year saw another massive hack with US$530 million of tokens in the NEM cryptocurrency stolen from the Japanese exchange Coincheck.

The thieves dispersed the tokens to numerous accounts, managing to quickly launder the bulk of it. Amazingly, Coincheck survived the disaster. It stopped trading for 10 months, but an undertaking to reimburse customers who lost their tokens, made possible by the vast profits Coincheck made in the run up to the hack, seems to have kept them alive. Coincheck was recently bought by a Japanese investment company and just this week joined a list of registered crypto exchanges after overhauling its security systems.

How likely Cryptopia customers are to claw back their tokens may depend on the type of breach the exchange was hit with. If it was a sophisticated hack by experience criminals, the chances of recovery are slim.

However, social media chatter has raised the prospect of it being an inside job. In the crypto world, they call it an “exit scam”, where nefarious crypto entrepreneurs basically run away with your money, leaving a collapsed house of cards behind them.

Inside job?

That scenario seems unlikely with Cryptopia, which by all accounts was considered a legitimate business, run by two respected tech entrepreneurs, Rob Dawson and Adam Clark. Cryptopia turned four in December, had just had a year of massive growth and seemed well on its way to becoming a major player in the crypto trading world.

I almost parked my own coins with them 18 months ago when I grew frustrated with using overseas exchanges with high fees. But Cryptopia has never had a good relationship with New Zealand banks who do not want their accounts used for converting crypto to cash and vice versa. The prospect of an account being frozen, preventing me from cashing out exactly when I wanted to, put me off.

But a rogue current or past Cryptopia employee using inside knowledge to clear out the wallets, could be at the root of all of this.

Crypto exchange hacks can generally be blamed on poor security features and policies. In the case of Coincheck, those NEM tokens were stored in a so-called “hot” wallet which exists online like a bank account, allowing instant transferral if the right security keys are presented. Those keys were stolen, allowing the transfers to proceed.

That constituted a huge security lapse. Most exchanges have moved to more secure systems, where the bulk of cryptocurrency is kept in “cold” storage, offline in digital vaults, and transferred bit by bit into online wallets. Even then, multi-signature authorisation is often required for transfers.

Whether affected customers get anything back may well depend on the extent to which Cryptopia kept tokens in cold storage.

While Cryptopia claimed to have strong “level 3” security, there were warning signs last year that it was struggling to maintain its systems as it grew. Its Twitter feed features numerous apologies for outages and maintenance delays taking currencies and trading offline.

Crypto forums are littered with customer service complaints about Cryptopia.

“I would not count on ever getting any money back,” writes Sigmagood, in that same Reddit post Jollyjoker747 started.

“I lost almost everything a year ago on Cryptopia when they wouldn’t release a transaction to the blockchain due to ‘unscheduled maintenance’. I got a sick feeling in my stomach when I saw there was no way to contact them and read all the scam accusations,” Sigmagood continues.

“They never responded to my ticket and I reported them to the Financial Markets Authority in NZ. Surprise surprise a year later they are still ripping people off. Just google Cryptopia and scam and you will see 99% of the results are prior to this latest ‘hack’.”

Can Cryptopia survive? It will depend on whether it can stage a Coincheck type recovery to fix its security, repay those left out of pocket and rebuild trust in the integrity of its exchange. The episode leaves a black mark on New Zealand’s fledgling crypto scheme, which is dominated by Auckland-based Centrality, which has developed its own blockchain offering start-ups the chance to offer ledger-based services using Centrality’s system.

No key, no money

For crypto traders, it is however a sobering reminder that the trust that exists in the traditional world of banking doesn’t exist in the new world of cryptocurrency exchanges.

“We urge our community again to NOT keep any digital assets on exchanges as this can happen at any time to anyone,” the DAPS team has urged their users.

Commenting on the Cryptopia hack, Will Heasman, who runs a Youtube channel devoted to crypto news, had similar advice.

“There’s been a saying floating around the crypto space for a while now which goes ‘not your keys, not your Bitcoin’,” says Heasman.

But the alternative to parking your tokens with an exchange could be just as fraught with issues. It requires you recording the long string of numbers, the keys that represents your valuable tokens, somewhere offline, on a USB stick or even printing them out and putting them in a safe.

Lose the keys through your own forgetfulness, incompetence or the catastrophe of a house fire and you lose your tokens. Until the crypto world offers the level of trust banks have, mainstream users will stay away.

But as Heasman says, the idea of giving away control to a central exchange goes against the ethos of cryptocurrencies.

“The core fundamental of cryptocurrency is the divergence from middlemen. Exchanges are no better. Nor will they ever be.”

While the sheen came off crypto trading in late 2018 as the value of Bitcoin and rival coins plunged, the industry continues to grow and develop. But traders entering the complex world of trading need to be aware of the risks and understand that the safety net of the financial system they are used to doesn’t apply.

That’s the bitter lesson for Jollyjoker747, who continues to post Reddit updates as the catastrophe unfolds.

“I am emotionally rekt [sic], since that tokens that I had on Cryptopia took a wile [sic] to accumulate, with many invested time and buy orders involved.”

“I know it is hard to process that one day you have all the big plans for your crypto portfolio and on the other – all your Cryptopia assets are GONE. I will probably lose a lot too.”

Follow NOTED on Twitter, Facebook, Instagram and sign up to our email newsletter for more tech news.