More than $1bn in cryptocurrency is traded on the Kraken exchange every day. As its chief security officer, it is up to Nick Percoco to protect it from a barrage of daily attempted cyberattacks.
“The stakes are much higher in cryptocurrency,” Percoco tells Verdict.
Percoco has more than 23 years of information security experience, including senior roles at Rapid7 and Trustwave. But he says the threat landscape at Kraken, a US-based cryptocurrency exchange founded in 2011, is unlike any other place he has worked.
“The things that we see every day, many companies probably see once or twice a quarter,” he says.
This includes “very targeted” attempts at phishing, scams, and distributed denial of service (DDoS).
Kraken isn’t alone. Cryptocurrency exchanges and decentralised finance platforms are often the targets of digital heists, with some criminals siphoning away tens or even hundreds of millions of dollars.
Global losses from cryptocurrency thefts, hacks and fraud totalled $1.9bn in 2020, according to an analysis by cryptocurrency intelligence company CipherTrace.
Why are cryptocurrency exchanges targeted so often?
Percoco believes there’s a simple answer: “Because that’s where the money is”, referencing the reply given by infamous US criminal Willie Sutton when asked why he robbed banks.
“I think that’s the reason why,” explains Percoco. “If you’re a criminal group and you’re trying to steal massive amounts of monetary value – whether that’s bitcoin or other cryptocurrencies – you’re going to go after exchanges, you’re going to go after DeFi.”
The other appealing factor for cybercriminals is that it’s not easy to recover crypto funds once they are stolen. However, Percoco highlights how cryptocurrency is much more traceable than fiat currency “in its physical form”.
For example, he says, if someone stole $2m in cash from an armoured truck it could – provided the thieves adequately covered their tracks – be laundered.
“But if you were to steal $2m worth of bitcoin from an exchange the whole world knows where it went. It’s on the public ledger,” says Percoco.
While criminals can try and obfuscate their tracks by transferring the cryptocurrency through multiple wallets, ultimately the funds can be tracked. They also have no way of converting the funds into fiat currency via an exchange without getting caught.
A range of blockchain analysis tools makes it simple to add the crook’s address to a watchlist, providing alerts when a transaction is made. This creates a dilemma for cryptocurrency thieves.
“They get sort of stuck. Of course, you could hold on to it for a decade and hope people forget about it, there are lots of things you can try and do,” Percoco explains.
“But it’s almost like robbing an armoured car and having dye packs explode on you for the rest of your life.”
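The point Percoco makes above, that hops through intermediate wallets do not break the trail on a public ledger, is the kind of thing a blockchain analysis tool automates. The following is an added illustration, not code from the article or from Kraken: it walks a small constructed ledger outward from a watchlisted address, raising an alert on every outflow and flagging the hop at which funds reach a known exchange deposit address. Addresses, transaction ids and amounts are all made up.

```python
from collections import deque

# Constructed sample ledger: (txid, from_address, to_address, amount).
# Every value here is invented for the example; nothing is a real address.
LEDGER = [
    ("tx1", "thief", "hop_a", 120.0),
    ("tx2", "thief", "hop_b", 80.0),
    ("tx3", "hop_a", "hop_c", 120.0),
    ("tx4", "hop_b", "exchange_deposit_1", 80.0),
    ("tx5", "hop_c", "exchange_deposit_2", 119.5),
    ("tx6", "merchant", "shop", 5.0),  # unrelated traffic, must not be flagged
]

# Hypothetical deposit addresses an exchange would know as its own.
EXCHANGE_DEPOSITS = {"exchange_deposit_1", "exchange_deposit_2"}


def trace_funds(ledger, watchlist, max_hops=10):
    """Breadth-first walk of outflows starting at the watchlisted addresses.

    Returns (alerts, tainted): alerts is a list of
    (txid, src, dst, amount, hop) for every transfer that moves tainted
    funds; tainted maps each reached address to its hop distance from the
    watchlist (0 for the watchlisted addresses themselves).
    """
    by_sender = {}
    for txid, src, dst, amt in ledger:
        by_sender.setdefault(src, []).append((txid, dst, amt))

    tainted = {addr: 0 for addr in watchlist}
    queue = deque(watchlist)
    alerts = []
    while queue:
        src = queue.popleft()
        if tainted[src] >= max_hops:  # stop expanding beyond the hop budget
            continue
        for txid, dst, amt in by_sender.get(src, []):
            alerts.append((txid, src, dst, amt, tainted[src] + 1))
            if dst not in tainted:  # first time we see this wallet: follow it
                tainted[dst] = tainted[src] + 1
                queue.append(dst)
    return alerts, tainted


def exchange_cashouts(alerts, exchange_addresses):
    """Keep only the alerts where tainted funds land on an exchange deposit address."""
    return [a for a in alerts if a[2] in exchange_addresses]
```

Running `trace_funds(LEDGER, {"thief"})` flags five transfers and shows the funds reaching the two exchange deposits at hops 2 and 3, while the unrelated merchant transaction is never touched.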
Cybersecurity at Kraken
Kraken, which offers cryptocurrency trading services such as futures and staking in addition to the buying and selling of coins, says it has never been hacked. Percoco attributes this to Kraken’s small attack surface, strong security culture and an internal bug bounty programme.
One common complaint among security professionals is there is not enough budget to adequately protect their business.
“That’s not the case at Kraken,” says Percoco. He says that if there’s ever a business need to hire more security staff at Kraken, they “just do it”.
He adds: “There’s no sort of ‘oh let’s wait until next year or let’s wait until next quarter’. We just hire them now so we can take care of this problem. That’s something that’s very unique, especially in the position that I’m in, compared to other places where I guess I could be fighting tooth and nail for a firewall or a security analyst.”
Most of the attacks facing Kraken are social engineering and phishing directed at both employees and customers.
Percoco says there are “multiple layers of analysis” to prevent malicious inbound email from landing in the inbox of Kraken employees.
In 2019, rival cryptocurrency exchange Coinbase said it was targeted by a sophisticated phishing attack aiming to exploit a zero-day to steal private keys and passwords. Coinbase successfully blocked the attack, which used a legitimate university domain; all but one of the emails contained “no malicious elements”.
When Percoco and his team checked their own system, they found Kraken had been targeted too – but it never made it past the email filters.
No system is perfect, though, and occasionally emails slip through. When that happens, Percoco says Kraken falls back on its employees, who are “productively paranoid about inbound email”.
Scammers target Kraken exchange
The more difficult part of Percoco’s role as Kraken CSO is protecting its customers from scams.
One of the more elaborate types of con is the investment scam, which Percoco says is “pretty common.”
Professional-looking websites, complete with slick graphs and designs, offer advice to make a profit on cryptocurrency trading.
These scam sites claim to have a partnership with Kraken and ask the victim to open an account with the cryptocurrency exchange.
The site then tells the victim to add funds to their Kraken account and create an API key to link it, before moving in for the kill – asking for the account credentials so the scammers can “fully manage” the investment.
“It becomes this thing where the scam site has complete control over their account,” explains Percoco.
Finally, they claim they are going to “start the investment process” and that there will be an email from Kraken asking permission for the withdrawal process, which they need to approve. Once the customer approves it, it’s game over and the funds are gone.
“That happens. Not all the time, but from time to time. It’s totally believable – it’s a con artist.”
Unfortunately for the victim, there’s nothing that can be done once the funds are gone, as they freely gave away access to their account. Instead, Kraken recommends contacting law enforcement.
Percoco says: “We would give [law enforcement] any information we can share that can help them, like what IP addresses the attackers were coming from, any identifiable information related to that crime.”
The mysterious Poly Network heist
In August, a hacker stole $613m in cryptocurrency from DeFi platform Poly Network in one of the largest ever cryptocurrency thefts – before returning all of the funds and claiming it was to test its security.
Percoco says it didn’t seem like a criminal enterprise: “Real criminal groups don’t brag on the internet about what they’re doing.”
He adds: “This is their business, they don’t care about the bragging rights.”
Percoco’s theory is that the attacker found the flaw in Poly Network and was “in a predicament” whether to tell someone or to use it for their own advantage.
For Percoco, the saga speaks to a wider ethical question in the security world about what to do when discovering critical “the sky is falling” type vulnerabilities.
He gives the hypothetical example of someone discovering a critical flaw in a system that was so powerful that even disclosing it responsibly could put people at risk. What should they do?
Should they tell the person overseeing a bug bounty scheme, even though it runs the risk of them exploiting it for themselves? Should that person exploit it themself to raise awareness?
Or should they keep quiet, and hope that nobody else discovers the flaw?
“That’s a very big moral predicament that a researcher runs into,” he says.
Percoco speculates that the Poly Network attacker could have faced the same moral dilemma.
“It seems like they were in this sort of mind space as a researcher – possibly – you know, what do you do?”
“I dabble in doge”
While bitcoin has been around since 2009, the cryptocurrency market is still very much in its infancy. Its decentralised nature means it can largely operate outside of traditional institutions and regulators.
Percoco believes cryptocurrency will be “completely ubiquitous” in a “couple of decades”. Unsurprisingly, he invests in cryptocurrency.
Asked if he holds any joke cryptocurrency Dogecoin, Percoco says: “I don’t speak about my crypto holdings. But I dabble in doge.”
It is unclear whether a cryptocurrency will ever rival fiat currency as a medium of exchange.
Its ability to be managed without a central bank is a huge part of its appeal for its backers – but it also comes with risks.
Percoco compares the risks of using cryptocurrency with that of credit cards: “If your credit card number gets compromised, you call up your bank and they send you a new card. There’s almost no risk to the consumer.”
But in the cryptocurrency world, once it’s gone it is usually gone for good.
“You can’t call ‘Bitcoin Inc’ and say ‘hey Bitcoin, I want my crypto back’,” Percoco says. “It’s essentially lost forever. And so, the stakes and the verification we have to put in place at Kraken are very extreme compared to if you’re running a normal bank or a company that processes payments. You can recall stuff pretty easily. But if crypto goes out, it’s out.”
The nascency of cryptocurrency provides a unique challenge for security professionals.
Percoco believes this helps make the cryptocurrency space the most exciting area for a security professional to work in right now.
“There are still things that are not defined, there are still things that people are learning how to do.”
One example is how customers “self-custody” – that is, protect their own assets.
For someone without much technical knowledge of cryptocurrency, it’s “still not that easy”, says Percoco.
“That’s a security problem that the industry still faces today.”
Does he get a thrill from the heightened threat level?
“Oh certainly. It’s definitely more exciting.”