Avoid Crypto Scams – Not A “How-To”, But Friendly Advice

A coordinated attack against the social media platform Twitter (around July 15-16, 2020) led to a hack that targeted popular accounts. These were not just any accounts, but those of influential public figures. Included in that list were former US president Barack Obama, Microsoft’s Bill Gates, and Elon Musk, founder of Tesla and SpaceX. What makes this all the more interesting is that the hackers used these accounts to solicit cryptocurrency, specifically Bitcoin (BTC). In the scheme, the hackers used each account to post some feel-good words about giving back to the community during the Covid-19 crisis, and then asked people to send BTC to an address given in the tweet, with a promise to double whatever was sent.

This is a typical scam, which many in the cryptoverse probably caught. Unfortunately, not everybody did. The hackers made off with at least 12 BTC worth $100K+ in the initial stages after the attack was discovered. This sort of attack appears to have affected Twitter’s internal system, since only admin accounts have privileges to modify user accounts. Speculation is that a phishing attack or directed social engineering technique was used to gain access to Twitter’s backend system. This is definitely a cause for concern to everyone who has an account on Twitter, because a repeat of this attack could compromise them. Once the hackers gained access to the backend, they targeted the accounts and began tweeting.

People who are caught up in the hype of cryptocurrencies like Bitcoin will easily fall prey to scams like this. Noobs (newbies) who recently got in may not have enough education, meaning they don’t yet know what not to do. If someone, anyone, asks you to give them Bitcoin in order to double your holdings, don’t be too quick to trust them. It really doesn’t make sense if you think about it. Suppose you give 100 BTC: are you really expecting to get 200 BTC? This is a naive gambling mentality that can affect anyone’s logic if they are not aware of these schemes. Never give other people Bitcoin expecting more in return.

It is not even like investing, because the tweets from the public figures’ accounts simply tell you to give them BTC and you will get more in return. The problem with that should be obvious to the common person, but why would other people go along with it? This is why social media has such tremendous power when it comes to influence. The few people who gave their BTC away probably understood what they were doing, which is scary. They did it because they are firm believers in that person. Whether it was through charisma or just blind following, people probably acted subconsciously and just obeyed the tweet like it was an order. Greed is perhaps another motivator, since it psychologically makes a person think about how easy it would be to get more crypto. It makes me wonder: if the hackers had been more nefarious with the tweet, just think of how many people they could have put in danger or in harm’s path. It was good that it did not end up that way.

Bitcoin addresses are pseudonymous and cannot be directly linked to a person’s identity. That is how the blockchain works by design, so there would be no way to verify the Bitcoin address really belongs to the public figure. That is probably the biggest reason not to fall for these scams. We don’t have any way of knowing if the address legitimately belongs to President Obama or Elon Musk. A Bitcoin address is just a hexadecimal string, but it doesn’t link to the actual person the way you can look up a person’s identity by their driver’s license number or social security number. That should have been the red flag that prevents people from giving their BTC.

The Bitcoin address the scammers used, which begins with “bc1qxyp….” (I do not reveal the full address here, just a snippet), can be tracked on a blockchain explorer. The explorer doesn’t say the name of the owner of that account. What you can see, though, are the transactions in the account history, and they indicate the 12 BTC collected.

Note: The full Bitcoin address of the scammer/hacker is not revealed here.

In crypto, the only way to really trace the identity of the account holder is if they cash out using a digital exchange. Users who use digital exchanges to convert crypto to fiat are required to provide KYC documents so that the exchange complies with financial regulations (e.g. AML, anti-terrorist funding, etc.). This information is not revealed to the public, but if there were an investigation the digital exchange can release the personal information if required to. Accounts created on digital exchanges are also linked to bank accounts, which can be traced to a person’s identity. On the blockchain, the real way to prove identity would be with a digital signature using the private key from the user’s digital wallet. This is one way a person who claims to own a Bitcoin address can prove they are the true owner.

The lesson here is that scams are everywhere in our society. They even affect crypto. In fact, there have already been 2 popular scams uncovered in the past – Bitconnect and OneCoin. They never proved any legitimacy and quickly collapsed, with their leadership nowhere to be found. These cryptocurrencies promised people ridiculous returns, but many got into them anyway with the help of social influencers. Some of these influencers were so convincing that it led to a bandwagon or network effect of more people putting money in a system that is like a house of wax built on top of the sun. By the time it collapsed (no more money to give people) it was too late for many, and they lost the money they put into the coin, perhaps never to be recovered.

To avoid scams, ask yourself if the message you are getting is too good to be true. If it is, do more research to verify it. Don’t just give your BTC to anyone and expect more in return. Those things just don’t really happen in the real world. If they do, then there is probably something you have to give back in return, and it may not always have a good ending. It is like the car dealer telling you to give them your old car and you get a new car back. You do get your new car, but then you end up with a mountain of costs you had not been expecting. It is always the unexpected things beyond our control. This is true with crypto as well, so be very careful next time you hear or see someone say “Hey, give me some BTC today and I’ll double it up for a good cause!”.

Note: This is not financial advice. Please do your own research to verify information.

The Bitcoin Binance Hack And The Lessons Learned

At the time of this writing it is the start of blockchain week in New York City. One of the hot topics that will be discussed is the most recent Binance hack, which led to the theft of 7,000 BTC (worth $40.7 million at the time of the incident). This is actually not the first time Binance has been hacked; they have a track record. Despite their concern for cybersecurity, it seems their system is not really that secure. This is not to say that Binance does not take cybersecurity seriously, because they do. They implement a 2FA type of authentication, which requires either an authenticator that generates a random code or a code sent via SMS text message to a smartphone. It is pretty secure after the fact, yet it was foiled time and time again. At this point the best that Binance can do is to track the stolen BTC and get the cooperation of other digital exchanges to freeze the funds. We actually know which address moved the coins (The transaction was traced from this link).

Fortunately, Binance has what it calls a SAFU (Secure Asset Fund for Users), which is a way of providing insurance to users on the exchange in case of emergency. Changpeng Zhao or CZ, Binance CEO, has guaranteed that those who lost Bitcoin from the hack will be compensated for their losses. That is good to know, but will this be the end of this type of hack? It has already happened before, so there is a likelihood that it can happen again. That is, unless Binance adds new security measures that tighten their systems even more. Then that gives hackers a new problem to deal with.

Now here is what is concerning. In an official statement made by Binance regarding the hack:

“The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”

The fact that it “passed our existing security checks” is a cause for concern, and that is what they are working to improve. According to this Coindesk article, Binance is going to do a revamp of their security system. They will certainly look into improving their API for 2FA as well as their withdrawal validation process. If a hacker can easily hack a user’s API key or 2FA credentials, you don’t really have a secure system. It was probably not an easy feat for the hackers, so now Binance should make it even more difficult to decrease the likelihood of any successful breach.

Phishing attacks are one of the exploits hackers use to get information from users. Once they trick a user into giving them that information, the hackers then use it to access the exchange. That is really all you need to do to get past Binance’s security check. Binance implements withdrawal limits for unverified users, but for those who are verified, the hacker can wipe out their entire balance on the exchange.

Other ways a Binance user account can be compromised include spyware, keyloggers or remote viewing software like VNC. Having antivirus and cybersecurity software installed on a computer can help detect this malware. Another way to foil these attacks is to not keep funds stored on an exchange. Using cold storage (not connected to the Internet) on a hardware wallet provides more security. In fact, some smartphones like the HTC Exodus and Samsung Galaxy S10 provide hardware wallet support for cryptocurrency now. For the strictest security, keep your digital assets safe in cold storage and not on hot wallets or custodial services like digital exchanges.

According to CZ:

“We are working with a dozen or so industry-leading security expert teams to help improve our security as well as track down the hackers.”

That’s right. Binance is definitely going to need more help in cybersecurity to fix this problem. Remember, it is not the blockchain that got hacked, it is Binance’s system. Binance also announced support for hardware devices with 2FA, a more secure way to connect to Binance. A system like that would require hackers to have possession of the actual hardware device. Think of this as a sort of physical key, that only gives access to the user who owns it.

The risk of a more digital world is computer hacking. Binance has been successfully hacked in the past. A user lost 2 BTC when a hacker used the credentials from their hacked e-mail address. Another hack occurred in July 2018, which was a “potential” hack that led to the theft of $45 Million of Syscoin and dumping of BTC. It was not Binance’s direct fault, but more the fault of the Syscoin wallet. Regardless, it was a system anomaly that Binance admins detected. Binance immediately shut down and then reset their API keys. That’s exactly what they did with the most recent hack. It seems that the answer to the problem is just shutting down and resetting everything. However, that apparently does not solve the problem.

Due to this large loss of BTC, someone from the BTC development community reached out to CZ. A suggestion was made to reorg the BTC blockchain and give back the stolen funds to their respective owners. The reaction to this was not good at all and, thankfully, CZ decided not to do this. It would require Binance to use a “51% attack” to gain majority hashing power on the Bitcoin network to overturn transactions. The problem with this is an ethics issue, because it would require Binance to get a consensus among miners and nodes on the network to support this plan. It goes against the main ideology of the blockchain, which is about decentralization and immutability. When you get a collusion of miners to provide Binance with majority hashing power, it centralizes the network to benefit one organization. This may also lead to inconsistencies on the blockchain if several bad actors try to mine on their own chain to gain control of the network. The idea that a consortium of miners with hashing power can overturn a transaction goes against immutability on the blockchain. It would be a terrible idea to do this.

The result of a reorg may lead to more factions in the Bitcoin community. There might even be a fork and this is not going to be good for the price of BTC as a store of value. It may even ruin the market leading to turmoil and massive sell offs as users collect their money. There needs to be a clear direction for BTC and a reorg is probably not in everyone’s best interest since it really only benefits Binance and the hacked accounts. This is not a consensus of the network’s interests.

The good thing is that the hack did not affect BTC prices. FUD didn’t lead to any massive dump or sell off, proving that there is confidence in the market. Taking care of the real problem, which is cybersecurity, is what needs to be addressed. Binance vows to increase their security, which is the most important feature right now for any digital exchange. Users need their funds to be safe from hackers, so this is going to be the responsibility of digital exchanges.