How safe is my crypto stash?
Explaining the Poly Network $613m hack and the protection laws currently in place
- Not the first major crypto company to be hacked
- The threat from cybercrime
- Some of the hacked funds have been returned
- Crypto market still doing well
In the wake of the $613m (£442m) theft of cryptocoins after a hack on Poly Network, many holders of cryptos will be wondering how safe their holdings are, what steps they should take to make their holdings as secure as possible, and which cryptocurrencies are safest to hold if worried about hackers.
Around $267m (£193m) of ether (ETH), $252m (£182m) of Binance coin (BNB) and $85m (£61m) in USD coin (USDC) were taken.
In order to prevent any tether (USDT) being hacked as part of this attack, $33m (£23.8m) of the digital asset was frozen on Poly Network, according to Paolo Ardoino, chief technology officer (CTO) at Tether.
Speaking to Currency.com, Poly Network explained how the hack took place. The company said: “The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.”
SlowMist, which focuses on blockchain ecosystem security, said: “This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function.”
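The access-control flaw both statements describe, as a simplified Python model added here (not Poly Network's or SlowMist's code): the manager owns the data contract and relays a call whose target and method are supplied by the caller. The `put_keeper` setter name, `HardenedManager`, `LockProxy` and the allowlist fix are assumptions for illustration, and header verification is left out of the model.

```python
class Unauthorized(Exception):
    """Raised when a caller lacks the right to perform an action."""

class EthCrossChainData:
    """Holds the keeper; only the owning contract may change it."""
    def __init__(self, owner, keeper):
        self.owner, self.keeper = owner, keeper

    def put_keeper(self, sender, new_keeper):  # hypothetical setter name
        if sender is not self.owner:
            raise Unauthorized("only the owner may change the keeper")
        self.keeper = new_keeper

class EthCrossChainManager:
    """Owns the data contract and relays cross-chain calls."""
    def __init__(self, keeper):
        self.data = EthCrossChainData(owner=self, keeper=keeper)

    def verify_header_and_execute_tx(self, target, method, args):
        # Proof verification is omitted; the flaw lies in what runs after it.
        return self._execute_cross_chain_tx(target, method, args)

    def _execute_cross_chain_tx(self, target, method, args):
        # Caller-supplied target and method, executed with the manager as sender.
        return getattr(target, method)(self, *args)

class HardenedManager(EthCrossChainManager):
    """Assumed fix: relay only to registered application contracts."""
    def __init__(self, keeper, allowed_targets=()):
        super().__init__(keeper)
        self.allowed = list(allowed_targets)

    def _execute_cross_chain_tx(self, target, method, args):
        if not any(target is t for t in self.allowed):
            raise Unauthorized("target is not a registered contract")
        return super()._execute_cross_chain_tx(target, method, args)

class LockProxy:
    """Constructed stand-in for a legitimate application contract."""
    def unlock(self, sender, to, amount):
        return ("unlocked", to, amount)

def keeper_after_relay(manager, new_keeper="keeper-B"):
    """Relay a call aimed at the manager's own data contract; return the keeper."""
    try:
        manager.verify_header_and_execute_tx(manager.data, "put_keeper", [new_keeper])
    except Unauthorized:
        pass
    return manager.data.keeper
```

In the first manager the data contract's owner check passes because the manager itself is the sender, so the keeper changes without any private key being involved; the hardened variant rejects the same relay while still serving a registered contract.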
Not the first major crypto company to be hacked
This has been dubbed the biggest hack in the decentralised finance (DeFi) sector. Still, there have been other notable hacks in the crypto arena. The Coincheck and Mt. Gox hacks saw $534m and $460m respectively stolen, and led to Mt. Gox filing for bankruptcy.
Mt. Gox was a Tokyo-based cryptocurrency exchange that operated between 2010 and 2014, and at its height was responsible for more than 70% of bitcoin (BTC) transactions worldwide. The exchange declared bankruptcy in 2014.
After losing ¥46bn ($423m) to hackers, Coincheck stated it would reimburse certain customers. The exchange announced that as the NEM crypto was the main one targeted in the attack, it would use its funds to reimburse $423m to its 260,000 NEM holders following the hack.
David Williams, founder and chair of Arqit, which describes itself as “symmetric encryption reborn for the cloud”, spoke to Currency.com about the vulnerability that cryptos carry.
Williams said: “We have already seen numerous hacks and attacks within the crypto space and the $613m Poly Network attack is only just the most recent addition to the list. Blockchains are no different from traditional cyber threat arenas.”
Legacy Public Key Infrastructure (PKI) is used to facilitate the secure electronic transfer of information for a range of network activities, such as e-commerce, internet banking and confidential email. Legacy PKI was created before the blockchain was invented; it is used to secure the blockchain but was not specifically designed to do so.
Thus, as Williams explained, legacy PKI leaves the blockchain with “vulnerabilities that are often exploited”.
Williams detailed how, as time goes on, cryptos will become even more vulnerable: “Quantum computers and their immense power will easily be able to break the cryptographic security that protects crypto wallets, exchanges and other essential infrastructures. The proposed replacement algorithms are so late and clumsy, and will in turn increase processing by 1,400 times, that the blockchain will stop working.”
The chair of Arqit also noted how this can prove to be an issue for nations that are planning to launch a central bank digital currency (CBDC).
According to the Atlantic Council’s GeoEconomic Center CBDC tracker, since 2020, the number of countries looking into a central bank digital currency (CBDC) has doubled, with 81 countries now actively exploring the notion of a CBDC.
The threat from cybercrime
According to the UK’s National Crime Agency (NCA), it is becoming increasingly difficult to discover where cybercrime originates, whether it is a nation state or a criminal group. The NCA states: “Many Russian-speaking cyber groups are threatening UK interests, but home-grown cyber criminals are becoming more sophisticated and therefore a rising threat.”
The NCA works closely with UK police, regional organised crime units and partners in international law enforcement, such as Europol, the Federal Bureau of Investigation (FBI) and the US Secret Service, to share intelligence and coordinate action.
The NCA has started to target younger people, who “are often driven by peer kudos” into cyber hacking. As a result, the NCA has unveiled its Cyber Choices campaign, which encourages parents of young people with cyber skills to “talk to them about their ambitions and the opportunities to use their skills positively”.
Cyber Choices is coordinated by the NCA, the Met and the City of London Police. The programme has four main aims: to explain the difference between legal and illegal cybercrime activity; to encourage individuals to make informed choices in their use of technology; to deter individuals from cybercrime; and to promote legal and ethical cyber opportunities. Hacking falls under the UK’s Computer Misuse Act 1990.
In 2018, the FBI discovered that $2.7bn was lost to cybercrime, an increase from $1.4bn in 2017, with 51,000 more complaints overall. Many of the victims were aged 50 and over. The FBI said: “The 2018 report shows how prevalent these crimes are. It also shows that the financial toll is substantial, and a victim can be anyone who uses a connected device. Awareness is one powerful tool in efforts to combat and prevent these crimes.”
In 2020, the FBI decided to partner with other top US law enforcement agents and spies under one roof as part of a new federal strategy. This was due to the ever-increasing number of hacks – the United States’ Internet Crime Complaint Center said it had received 467,361 complaints, resulting in more than $3.5bn in losses to individuals and businesses.
The strategy elevated the status of a government office based in Chantilly, Virginia, the National Cyber Investigative Joint Task Force (NCI-JTF). The NCI-JTF now serves as a centre for the federal government’s efforts to monitor and counter hacks. The task force consists of more than 30 federal agencies, including the Central Intelligence Agency (CIA), National Security Agency (NSA) and the Security Service. Matt Gorham, cyber division assistant director at the FBI, said the goal behind this move was to combine “everyone’s tools and authorities” for better results.
Some of the hacked funds have been returned
After the hack took place, Poly Network issued a message on its Twitter page addressed to the hacker. It urged the hacker to return the assets.
The move paid off, as the hacker subsequently returned $260m (£187m) to the company.
Nonetheless, whether or not a hacker is willing to return part of the stolen funds, crypto will continue to be a common target for such criminals. Brian Lucey, professor of international finance and commodities at Trinity Business School, Trinity College, Dublin, told Currency.com: “One of the key drags on cryptocurrencies being accepted as a player in mainstream finance is the decentralised and unregulated nature of the underlying architecture. So long as exchanges and wallets remain open to hacks such as this, mainstream acceptance and integration will necessarily be delayed.”
Crypto market still doing well
BTC still managed to reach a new three-month high on 11 August, seeing a 2.92% increase over the course of the day to $46,488, and the market capitalisation of the world’s largest cryptocurrency rising by 1.8% to $871m (£627m).
Ether (ETH) rose by 4.19% to $3,241 and BNB overtook USDT to become the third most valuable crypto on CoinMarketCap. BNB rose by 8.17% on the day to $398, despite being one of the cryptos used in the Poly Network hack.
However, as of today, 12 August, BTC and ETH have dropped to $45,358 and $3,139 respectively.
This news follows the recent Aspen Security Forum, where Gary Gensler, chair of the Securities and Exchange Commission (SEC), asked Congress to give the agency additional powers to protect investors in the “Wild West” cryptocurrency market.