A Short Story about the Cryptothief

With great power comes great responsibility. Rephrased, we could very well apply this to the crypotoworld – great potential has great flaws. Or is prone to flaws.

Where am I heading with this? I would like to briefly touch upon the topic of cybersecurity, or to be more precise – talk about the Bitcoin Robbery.

The Numbers

As Bitcoin, Ethereum and other cryptocurrencies are getting more and more popular, they are attracting not only investors or individual users, but hackers, or cryptothiefs as well. In the last couple of years, hundreds of millions of dollars have been digitally stolen. Here are some numbers to consider:

• In 2014, hackers plundered nearly $500 million in Bitcoin from Mt. Gox, an exchange that later collapsed.
• In summer 2016, thieves took $72 million from Hong Kong cryptoexchange Bitfinex in one fell swoop.
• Coinbase, the world’s largest exchange for trading cryptocurrencies, is estimated to be losing up to $5 million annually to theft by hacking.

How is this possible? Isn’t Blockchain more secure and safe? Well, it appears that it is not that difficult after all. Here is a step-by-step guide of a cryptothief.

A Step-by-Step Guide of a Cryptothief

• Step 1: find a target. A scammer finds a target by searching for people who work in the blockchain industry — or by exploring social media for mentions of Bitcoin and Coinbase. The attacker then finds the target’s email address and phone number through online postings or previous data leaks.
• Step 2: steel the phone number. The cryptothief contacts the victim’s mobile provider and ports the phone number to a device under his control. This sadly appears to be by far one of the easiest parts...
• Step 3: adjust the account. Since Gmail -accounts often link phone numbers as a backup access option, the digital thief can now log in and reset the target’s email password, then do the same at Coinbase.
• Step 4: log in. Coinbase requires two-factor authentication (also known as 2FA) in addition to a password. That 2FA now gets texted to the thief, who logs in.
• Step 5: transfer the money. The cryptothief moves the money into digital wallets under his control. Law enforcement can easily track the movements of the stolen currency recorded on the blockchain, but they however cannot block the transactions, and figuring out who controls the wallets is really problematic.
• Step 6: cover the tracks. To try to cover his trail, the cryptothief can move the currency to foreign cryptoexchanges, or convert it to other kinds of digital currency that is harder to track. Eventually, he can convert it to cash or other assets. As simple as that.

Bringing it all together

To sum up, we can once again conclude that blockchain and cryptocurrencies have a huge potential to transform nearly every aspect of our lives. Yet, from the review & steps provided above, it is clear that some threats have to be addressed very carefully as well. And one of them is the cryptothiefs.