At least $18m in cryptocurrency has been exposed to theft on exchanges with extremely poor cybersecurity, making it possible for anyone with only modest technical skills to steal funds or alter balances, according to a report published today by CyberNews.
Analysis of several cryptocurrency marketplaces, where people can trade a variety of cryptocurrencies including market leader bitcoin, has found that two exchanges have what CyberNews, an independent cybersecurity research publication, calls “dangerously unsafe” security.
Lykke marketplace exposed user cryptocurrency to theft
Swiss cryptocurrency marketplace Lykke was one of the two identified by CyberNews. It had exposed API keys on a publicly accessible database, which could be used to access the exchange directly and perform withdrawals, deposits and trades, enabling a malicious actor to, for example, transfer cryptocurrency to their own account or interfere with other users’ trades.
Lykke was also found to have the private keys of customers exposed – essentially the passwords for cryptocurrency wallets – which would enable anyone to spend, transfer or trade individual users’ cryptocurrency without their knowledge.
Furthermore, while some customers use multisig wallets, which need a minimum of two authorisations before funds can be spent, the exposed database also included the redeem scripts and the private keys for these wallets – together, everything a malicious party needs to steal their cryptocurrency.
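The two kinds of secret described above, wallet private keys and multisig redeem scripts, have recognisable on-disk formats, so an exchange can check its own database exports and replicas for them before they end up somewhere public. The script below is an added example, not code from CyberNews or from either exchange: it decodes WIF-encoded bitcoin private keys (verifying the base58check checksum so that random base58-looking strings are not flagged), parses bare m-of-n OP_CHECKMULTISIG redeem scripts, and walks a JSON-style dump reporting where each was found. The dump, the keys and the placeholder public keys in it are all constructed for the demonstration; the function names are the example's own.

```python
"""Added example: scan a database export for leaked bitcoin key material
(WIF private keys and bare m-of-n multisig redeem scripts).
Not from the CyberNews report or either exchange; all sample data is constructed."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Base58 -> bytes, keeping leading '1's as zero bytes; ValueError on bad chars."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(priv: bytes, compressed: bool = True) -> str:
    """Mainnet WIF: 0x80 || 32-byte key [|| 0x01] || first 4 bytes of double-SHA256."""
    payload = b"\x80" + priv + (b"\x01" if compressed else b"")
    return b58encode(payload + _checksum(payload))


def decode_wif(s: str):
    """Return (version, key, compressed) for a checksum-valid WIF, else None."""
    try:
        raw = b58decode(s)
    except ValueError:
        return None
    if len(raw) not in (37, 38):
        return None
    payload, chk = raw[:-4], raw[-4:]
    if _checksum(payload) != chk or payload[0] not in (0x80, 0xEF):  # mainnet / testnet
        return None
    compressed = len(payload) == 34
    if compressed and payload[-1] != 0x01:
        return None
    return payload[0], payload[1:33], compressed


def parse_multisig(hexstr: str):
    """(m, n) if hexstr is OP_m <pubkey>*n OP_n OP_CHECKMULTISIG, else None."""
    try:
        sc = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if len(sc) < 3 or sc[-1] != 0xAE:                 # must end in OP_CHECKMULTISIG
        return None
    m, n = sc[0] - 0x50, sc[-2] - 0x50                # OP_1..OP_16 are 0x51..0x60
    if not 1 <= m <= n <= 16:
        return None
    i, pushed = 1, 0
    while i < len(sc) - 2:
        size = sc[i]                                  # direct push of a 33/65-byte pubkey
        if size not in (33, 65):
            return None
        i, pushed = i + 1 + size, pushed + 1
    return (m, n) if i == len(sc) - 2 and pushed == n else None


WIF_RE = re.compile(r"\b[5KL9c][1-9A-HJ-NP-Za-km-z]{50,51}\b")  # 51/52-char WIF shapes
HEX_RE = re.compile(r"\b[0-9a-fA-F]{6,}\b")


def scan_record(rec, path=""):
    """Walk a decoded JSON record; yield (path, finding, detail) for leaked material."""
    if isinstance(rec, dict):
        for k, v in rec.items():
            yield from scan_record(v, f"{path}.{k}" if path else k)
    elif isinstance(rec, list):
        for i, v in enumerate(rec):
            yield from scan_record(v, f"{path}[{i}]")
    elif isinstance(rec, str):
        for m in WIF_RE.finditer(rec):
            d = decode_wif(m.group())          # a regex hit only counts if the checksum verifies
            if d:
                yield path, "wif_private_key", "compressed" if d[2] else "uncompressed"
        for m in HEX_RE.finditer(rec):
            ms = parse_multisig(m.group())     # txids and other hashes do not parse as scripts
            if ms:
                yield path, "multisig_redeem_script", f"{ms[0]}-of-{ms[1]}"


def scan_dump(dump) -> list:
    return [f for i, rec in enumerate(dump) for f in scan_record(rec, f"[{i}]")]


# Constructed sample data: keys derived from fixed strings, pubkeys are placeholder bytes.
KEY_A = hashlib.sha256(b"constructed-key-A").digest()
KEY_B = hashlib.sha256(b"constructed-key-B").digest()
PUBKEYS = [b"\x02" + hashlib.sha256(b"constructed-pk-%d" % i).digest() for i in range(3)]
REDEEM_2OF3 = (b"\x52" + b"".join(b"\x21" + pk for pk in PUBKEYS) + b"\x53\xae").hex()

SAMPLE_DUMP = [
    {"user_id": 1001, "email": "alice@example.com", "wallet": {"private_key": encode_wif(KEY_A)}},
    {"user_id": 1002, "email": "bob@example.com",
     "multisig": {"redeem_script": REDEEM_2OF3, "private_key": encode_wif(KEY_B, compressed=False)}},
    {"user_id": 1003, "email": "carol@example.com", "wallet": {"private_key": "REDACTED"}},
    {"user_id": 1004, "notes": "txid " + "0f" * 32},  # 64 hex chars that are not a script
]

if __name__ == "__main__":
    for path, kind, detail in scan_dump(SAMPLE_DUMP):
        print(f"{path}: {kind} ({detail})")
```

Running it against the constructed dump reports the compressed key in record 0, the 2-of-3 redeem script and the uncompressed key in record 1, and nothing for the redacted record or the bare transaction hash. The checksum and script-structure checks are what keep the scan useful on real data: base58 and hex strings are everywhere in an exchange database, and a finding should mean "this is spendable material", not "this looked vaguely key-shaped".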
“Having any of this information allows us direct access to these users’ funds, meaning the full ability to steal those funds or manipulate any data we choose,” said CyberNews in its report. “This is a serious breach of users’ privacy and security.”
CyberNews contacted Lykke about the issue and had an immediate response, with Lykke taking swift action to make the database private and inform affected customers. The cryptocurrency exchange told CyberNews that the database was “a slave instance of a cluster” and “was available read-only”.
“No personal data was exposed and no funds lost,” Lykke told CyberNews. “However, we have done a thorough process review and a proper incident post-mortem to avoid such situations in future.”
It is worth noting that a read-only replica is no less dangerous than a writable one when the data it holds is key material: an attacker only needs to read a private key to copy it, and the copy spends exactly as well as the original.
Hubdex exposes personal data in addition to private keys
CyberNews also identified similar security issues with Chinese marketplace Hubdex, with 1.1 million private keys left exposed on a publicly accessible database. That database was also writable, allowing the password hash of any account to be changed and so enabling a malicious party to log into the account of their choosing. The exchange had also left API keys and multisig wallet keys exposed, giving criminals a range of ways to steal cryptocurrency.
However, even more concerning is the level of personal data that Hubdex left exposed. Cryptocurrency marketplaces are required to collect know your customer (KYC) data – official IDs, names and addresses – as part of regulations against the misuse of such currencies.
And unfortunately, these were also included on the Hubdex database identified by CyberNews, including scans of official government identification.
“The amount of data we stumbled across is quite staggering and significant. Instead of providing users with security and anonymity, these unsecured platforms have exposed their users, not only to getting their data stolen, but also their investment,” said CyberNews.
The company attempted to contact Hubdex but found the email listed for them did not work, while other attempts were unsuccessful. It ultimately contacted China’s CERT, the non-governmental organisation responsible for handling cybersecurity incidents in the country, which led to the database being taken offline.
Lessons for cryptocurrency security
While both databases are now inaccessible, the findings raise concerns for the wider cryptocurrency trading industry.
There are now almost 19,000 cryptocurrency marketplaces worldwide, and while users are assured their data and currencies are safe within them, this research suggests that assurance is not always warranted.
“When people put money on cryptocurrency exchanges, hoping to buy and sell various cryptocurrencies, they are putting their faith into the exchanges to provide the utmost security and anonymity. After all, that’s what cryptocurrencies are known for,” said CyberNews.
“But the fact that the opposite is true is eye-opening. Not only are they not anonymous (by leaking KYC data), which means that their exchanges can be traced, but they also stand to lose all of their money.”