Cryptocurrency Exchange Users Faced 689% More Attacks in Early 2018

In early 2018, users of cryptocurrency exchanges experienced a dramatic surge in cyberattacks—up by 689% compared to previous periods. Researchers from Group-IB conducted a study on credential leaks among crypto exchange users and analyzed the nature of these incidents. Over the course of a year, the number of leaks increased by 369%.

In 2017, as interest in cryptocurrencies soared along with record market capitalizations and the rise of Bitcoin, dozens of attacks targeted crypto services. According to a joint study by EY and Group-IB, cybercriminals managed to steal 10% of all funds invested in ICOs via Ethereum in 2017, with total losses from hacker attacks on ICO projects reaching nearly $400 million. For example, the January 2018 hack of Coincheck resulted in a record theft of $533 million.

Analysis of Compromised Accounts

Using data from the Group-IB Threat Intelligence system, experts analyzed the theft of 720 user accounts (logins and passwords) from 19 major cryptocurrency exchanges. The compromised accounts were linked to the following platforms: Binance, Bit-z, Bitfinex, Bithumb, Bitstamp, Bittrex, BTCC, CEX.io, Coinone, Gate.io, GDAX, Gemini, HitBTC, Huobi, Kraken, KuCoin, OKEx, Poloniex, and Wex.nz.

Distribution of Compromised Accounts by Exchange

The study found that the highest number of compromised accounts in the sample belonged to Poloniex (174 accounts), Bittrex (111), CEX.io (95), HitBTC (83), and Kraken (61). Experts believe this distribution is likely due to the popularity of these trading platforms among investors and the broader internet community, which attracted the attention of scammers.

Overall, there is a steady increase in the number of compromised user accounts on cryptocurrency exchanges. From 2016 to 2017, the number of such incidents grew by 369%.

Monthly Account Leak Statistics (Jan 2016 – Jan 2018)

The first month of 2018 set an unwelcome new record: driven by heightened interest in cryptocurrencies and the blockchain industry, the number of incidents in January rose by 689% compared to the average monthly figure for 2017. According to Google Trends, interest in cryptocurrencies peaked at the end of 2017.

The United States, Russia, and China were the top three countries where registered users most frequently became victims of cyberattacks. The study showed that one in three affected users was located in the U.S.

Distribution of Victims by Country

Group-IB researchers identified 50 active botnets used in cyberattacks against cryptocurrency exchange users. The cybercriminals’ infrastructure was mainly based in the U.S. (56.1%), the Netherlands (21.5%), Ukraine (4.3%), and Russia (3.2%). The number of malicious programs used by hackers is constantly increasing, and the tools themselves are continually being modified. Among the most “popular” malware are the AZORult and Pony Formgrabber trojans, as well as the Qbot bot. Attackers are also repurposing tools originally built for attacks on banks to target crypto exchanges, wallets, and user data.

Main Causes of Security Breaches

The report highlights two main reasons for the dire security situation:

  1. Ignoring Two-Factor Authentication (2FA): Both users and exchanges often neglect 2FA. According to a study by the Cambridge Centre for Alternative Finance, 75% of exchanges offer optional 2FA for account login, but only 23% make it mandatory. Only 35% of services require 2FA for all trading operations, and just 11% require it for withdrawals. Thus, less than half of exchanges consider 2FA activation a minimum requirement to prevent unauthorized access, with most offering it only as an option.
  2. Poor Password Practices: Many users disregard basic security rules, such as using strong and unique passwords for different services. Group-IB’s analysis of 720 accounts showed that one in five users used a password shorter than eight characters. It was also common for users to reuse the same password across multiple exchanges.
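The two password findings above (share of passwords shorter than eight characters, and the same password reused across several exchanges) can be reproduced over a leaked-credential dump with a few lines of analysis; the block below is an added example, not code from Group-IB or from the report, and the records in it are constructed sample values, not data from the study. It also shows the registration-time check an exchange can apply so that short or already-leaked passwords are rejected before they reach an account.

```python
from collections import defaultdict

# Constructed sample of leaked-credential records: (exchange, login, password).
# Made-up values for illustration only, not data from the Group-IB study.
LEAKED_RECORDS = [
    ("Poloniex", "alice@example.com", "Tr@d3r-2017!"),
    ("Bittrex",  "alice@example.com", "Tr@d3r-2017!"),   # same password on a 2nd exchange
    ("Kraken",   "alice@example.com", "Tr@d3r-2017!"),   # ... and a 3rd
    ("CEX.io",   "bob@example.com",   "btc2017"),        # 7 chars: shorter than 8
    ("HitBTC",   "bob@example.com",   "moon"),           # 4 chars
    ("Bittrex",  "carol@example.com", "correct-horse-battery"),
    ("Poloniex", "dave@example.com",  "hodl"),           # 4 chars
    ("Kraken",   "erin@example.com",  "S3cure!Passphrase#42"),
    ("Poloniex", "erin@example.com",  "S3cure!Passphrase#42"),  # reused on 2 exchanges
    ("HitBTC",   "frank@example.com", "12345678"),       # exactly 8: not "short"
]

MIN_LENGTH = 8  # the threshold the report uses ("shorter than eight characters")


def short_password_share(records, min_length=MIN_LENGTH):
    """Fraction of records whose password is shorter than min_length."""
    if not records:
        return 0.0
    short = sum(1 for _, _, pw in records if len(pw) < min_length)
    return short / len(records)


def reused_across_exchanges(records):
    """Logins that used one identical password on more than one exchange,
    mapped to the sorted list of exchanges where that password appeared."""
    seen = defaultdict(set)                      # (login, password) -> exchanges
    for exchange, login, pw in records:
        seen[(login, pw)].add(exchange)
    reuse = {}
    for (login, _pw), exchanges in seen.items():
        if len(exchanges) > 1:
            reuse.setdefault(login, set()).update(exchanges)
    return {login: sorted(ex) for login, ex in reuse.items()}


def password_acceptable(password, known_leaked, min_length=MIN_LENGTH):
    """Registration-time policy an exchange can enforce: reject a password that is
    too short or that already appears in a corpus of leaked passwords."""
    return len(password) >= min_length and password not in known_leaked


if __name__ == "__main__":
    leaked_set = {pw for _, _, pw in LEAKED_RECORDS}
    print(f"short passwords: {short_password_share(LEAKED_RECORDS):.0%}")
    print("reused across exchanges:", reused_across_exchanges(LEAKED_RECORDS))
    print("accept 'hodl'?", password_acceptable("hodl", leaked_set))
```

In practice an exchange never holds plaintext passwords for its own users; the analysis functions apply to third-party leak dumps, while the policy check runs on the password a user submits at registration or reset.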

Password Lengths of Stolen Accounts

Group-IB experts draw a sobering conclusion: at present, no cryptocurrency exchange—regardless of size or operational history—can guarantee absolute security for its users. At least five of the 19 analyzed exchanges (Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex, and possibly Huobi) have fallen victim to targeted hacker attacks. The causes of these breaches varied, including coding errors, phishing attacks, unauthorized access to user databases, and vulnerabilities in fund storage and withdrawal processes. However, all stemmed from insufficient attention to information security and digital asset protection.

“The surge in fraudulent activity, increased attention from hacker groups to the crypto industry, the adaptation of malware for cryptocurrencies, and the significant amounts of stolen funds all signal that this sector is not yet ready to protect itself and its users. Therefore, the number of incidents is expected to rise in 2018. This situation requires prompt and effective action from all stakeholders, including experts from various fields,” wrote Ruslan Yusufov, Director of Special Projects at Group-IB.