What’s happening with Cryptopia?
Cryptocurrency exchange Cryptopia suffered a security breach almost a month ago. Customers have no idea what’s happened to their funds, while police will not discuss the investigation. Little is being said, but there’s a lot to learn from this case so far, experts say. Katie Kenny reports.
If you follow the news, you may have heard about the ‘‘significant’’ losses of cryptocurrency after a security breach at Christchurchbased exchange Cryptopia.
The online currency trading platform is said to have as many as 1.4 million registered users.
Millions of dollars’ worth of tokens were stolen.
Cryptocurrency can be difficult to understand. So let’s try to use the example of an ordinary bank heist to illustrate what happened.
Let’s say a bank in Christchurch was robbed. Customers first noticed something was wrong when they tried to log in to their online accounts and saw a message saying the site was in ‘‘unscheduled maintenance’’ mode.
The following day, customers still could not log in and police said they were investigating. Those who visited the bank found its windows blacked out and doors locked. Apparently, the heist was still happening. Bank managers, employees and even police could not force entry or stop the funds being stolen.
The robbers weren’t in a hurry. They had got hold of the keys, the master keys, and locked everyone else out. Then, they had changed the locks. So they took their time, stuffing sacks with valuables, smuggling them out through tunnels, shipping them overseas.
Today, almost a month later, the windows are still dark. Customers cannot access their accounts. The investigation is continuing, with few updates.
The combined worth of tokens stolen from Cryptopia’s digital wallets is unclear. It’s estimated that on January 13 more than $5 million was transferred to an unknown digital wallet. The following day, the website was down. On January 15, Cryptopia admitted a ‘‘security breach’’ and said ‘‘appropriate government agencies’’ had been notified.
But New York-based analyst Max Galka, of Elementus, said in his blog that funds continued to be drained until January 17. He estimated the total value of stolen tokens at US$16 million (NZ$24m).
Cryptocurrencies stolen from exchanges and scammed from investors totalled about US$1.7 billion (NZ$2.5b) in 2018, up 400 per cent from the previous year, according to United States cybersecurity firm CipherTrace.
Internationally speaking, the Cryptopia breach was relatively small – being in the tens rather than hundreds of millions.
But it was different from other high-profile hacks, Galk wrote, because it seemed to go on for several days: ‘‘The lack of urgency on the part of the thieves is striking.’’
Another unusual factor was that funds were taken from more than 76,000 wallets.
A likely explanation for both these things is that the offenders gained access to the server holding the private keys. From there, they could have downloaded and wiped the keys, leaving Cryptopia unable to access its own wallets, and authorities stuck on the outside of this digital bank.
How is all this known? Owing to the blockchain technology underlying cryptocurrencies, the stolen funds are hiding in plain sight. They’re visible, but anonymous.
‘‘Pseudo-anonymous,’’ explains Guy Kloss, a blockchain architect at SingleSource.
It can be difficult for people to understand why the illegal transactions cannot simply be reversed. But on the blockchain (the secure database, or ledger), transactions are recorded across many, many computers simultaneously, with no single authority controlling and verifying the authenticity of the data. The system is based on pure mathematics, on cryptography. And keys.
If you want to trade cryptocurrencies, you need a private and a public key to prove you are who you say you are. (The public key is like a business card, while the private key unlocks your online identity.) The keys are verified by the worldwide network of computers, and the payment proceeds.
Banks aren’t that secure. If you hack into a bank’s computer system, you can, potentially, get money out. But if you try to get tokens out of a blockchain system, the network will stop you, because it can’t prove you own those funds.
So if someone else gets hold of your private keys, it’s game over. They can transfer money, change the keys, lock you out. And the transactions can’t be reversed, any more than those valuables could have been sucked back up an escape tunnel
dug by thieves. ‘‘What’s happened can’t be undone,’’ Kloss says. ‘‘In some ways, [cryptocurrency] is more like cash. If you’ve lost cash, you can’t go to the bank and ask for your cash back.’’
It can’t be undone, but it can, to a certain extent, be tracked. The ledger is encrypted, but it’s public. Hence ‘‘pseudoanonymous’’. You might not know who dug the tunnel, but you can follow it. (Whether someone’s still at the end is another question entirely.)
So, who are the likely thieves? Almost a month later, police are saying little about the case. For this story, police communications staff refused interview requests. They also refused to provide answers to specific questions, such as when Cryptopia might reopen (reports have said as soon as this month), whether overseas exchanges are co-operating, how many staff are investigating the case, and how much was stolen.
The lengthy silence has prompted questions about whether police have sufficient skills to solve the case.
But Detective Inspector Greg Murton, in an emailed statement, said the investigation was ‘‘progressing well’’.
‘‘The stolen cryptocurrency is being actively tracked by police and specialists worldwide due to the nature of the cryptocurrency blockchains being publicly available.’’
Cryptopia management and employees were assisting, he said. Officers remained at the Christchurch headquarters but expected to leave by tomorrow.
Several experts I spoke to said they would not be surprised if a foreign party were behind the breach. A country under heavy economic sanctions, such as North Korea, or perhaps China or Russia, which has been connected to malware or ransomware attacks.
Kloss admits Cryptopia would not be an obvious target owing to its size, but, ‘‘if they do happen to stumble upon something that can be exploited, they’ll do it’’.
Mark Pascall, executive director of Blockchain NZ, says while it’s hard to comment on the case without knowing all the details, Cryptopia was known for playing in the ‘‘long tail’’ space. This means it listed and traded large numbers of ‘‘obscure tokens’’, which would have exposed it to additional security risks.
Regardless, there will always be risks involved in cryptocurrency trading, he says. ‘‘For people new to this space, it’s important to understand that it’s the exchanges that are being hacked, and not the underlying blockchains.’’
There are various investments going on which promise to develop new, decentralised exchanges, with improved security. And an emerging market for security tokens (regulated tokens that derive their value from real world assets) will ‘‘open up many opportunities for New Zealand businesses’’, he says.
While a lot remains unclear about the breach, there’s already a lot to learn from it, says Auckland University associate professor of commercial law Alex Sims. ‘‘Never give your private key to anyone. And don’t leave your money in exchanges.’’
She also says there are lessons for how New Zealand regulates exchanges: ‘‘We need to have properly regulated exchanges.’’
However, it’s not true to say – as many people have – that exchanges are unregulated. In order to sign up to one, you have to provide various levels of proof of identity. Bank account numbers, passport photos, contact details, and so on. This is so the exchange can abide by anti-money laundering laws.
Government bodies, including the Department of Internal Affairs (DIA), know about exchanges, and make sure they are compliant. ‘‘So they’re regulated in that sense,’’ Sims says.
But it’s a messy system. The DIA, the Financial Markets Authority and the Reserve Bank all act as regulators. ‘‘People are being pulled around. What they’re pushing for is one government department. They just want nice, clear rules they can follow.’’
Even with better regulation there’s always an element of risk, she says. ‘‘People break the law all the time.’’
While Bitcoin has a reputation as the currency of choice for drug dealers and money launderers, in reality, criminal activities account for just 10 per cent of transactions, the United States Drug Enforcement Agency found last year. This is down from a high of 90 per cent in 2013, before the takedown of dark web marketplace Silk Road.
‘‘Authorities would like people to use Bitcoin because it’s traceable,’’ Sims says. ‘‘Cash, now, that’s a lot better for money-laundering.’’
Perhaps the biggest takeaway is the need for effective cybersecurity. ‘‘While it’s easy to understand why Cryptopia was hacked, cybercrime isn’t limited to cryptocurrency exchanges,’’ she says.
Organisations large and small must treat cybercrime as one of their biggest risks.
‘‘It’s not a case of if hackers strike, but when.’’