Cryptopia breach highlights gaps in cybersecurity and cryptocurrency regulation, experts say
Christchurch-based cryptocurrency exchange Cryptopia suffered a security breach almost a month ago. Customers have no idea what's happened to their funds, while police remain tight-lipped about the investigation. Little is being said, but there's a lot to learn from this case so far, experts say. KATIE KENNY reports.
If you follow the news, you may have heard about the "significant" losses of cryptocurrency after a security breach at Christchurch-based exchange Cryptopia. The online currency trading platform is said to have as many as 1.4 million registered users. Millions of dollars' worth of tokens were stolen.
Cryptocurrency can be difficult to understand. So let's try and use the example of an ordinary bank heist to illustrate what happened.
Let's say a bank in Christchurch was robbed. Customers first noticed something was wrong when they tried to log into their online accounts and saw a message saying the site was in "unscheduled maintenance" mode.
The following day, customers still couldn't log in and police said they were investigating. Those who visited the bank saw its windows had been blacked out and the doors locked. Apparently, the heist was still happening. Bank managers, employees, and even police couldn't force entry, or stop the funds being stolen.
The robbers weren't in a hurry. They'd got hold of the master keys, and locked everyone else out. Then, they'd changed the locks. So they took their time, stuffing sacks with valuables, smuggling them out through tunnels, shipping them overseas.
Today, almost a month later, the windows are still dark. Customers can't access their accounts. The investigation is ongoing, with few updates.
The combined worth of tokens stolen from Cryptopia's digital wallets is unclear. On January 13, it's estimated more than $5 million was transferred to an unknown digital wallet. The following day, the website was down. On January 15, Cryptopia admitted a "security breach" and said "appropriate government agencies" had been notified. But New York-based analyst Max Galka, of Elementus, said in his blog that funds continued being drained until January 17. He estimated the total value of stolen tokens at around US$16m (NZ$24m).
Cryptocurrencies stolen from exchanges and scammed from investors totalled around US$1.7 billion (NZ$2.5b) in 2018, up 400 per cent from the previous year, according to United States cybersecurity firm CipherTrace. Internationally speaking, the Cryptopia breach was relatively small – being in the tens rather than hundreds of millions.
But it was "different" from other high-profile hacks, Galka wrote. Namely, because it seemed to go on for several days: "The lack of urgency on the part of the thieves is striking." Another unusual factor was that funds were taken from more than 76,000 different wallets.
A likely explanation for both these things is that the offenders gained access to the server holding the private keys. From there, they could have downloaded and wiped the keys, leaving Cryptopia unable to access its own wallets, and the authorities stuck on the outside of this digital bank.
How is all this known? Owing to the blockchain technology underlying cryptocurrencies, the stolen funds are hiding in plain sight. They're visible, but anonymous. "Pseudo-anonymous," explains Guy Kloss, a blockchain architect at SingleSource Ltd.
It can be difficult for people to understand why the illegal transactions can't simply be reversed. But on the blockchain (the secure database, or ledger), transactions are recorded across many, many computers simultaneously, with no single authority controlling and verifying the authenticity of the data. The system is based on pure mathematics, on cryptography. And keys.
If you want to trade cryptocurrencies, you need a private and a public key to prove you are who you say you are. (The public key is like a business card, while the private key unlocks your online identity.) The keys are verified by the worldwide network of computers, and the payment proceeds.
Banks aren't that secure. If you hack into a bank's computer system, you can, potentially, get money out. But if you try to get tokens out of a blockchain system, the network will stop you, because it can't prove you own those funds.
So if someone else gets hold of your private keys, it's game over. They can transfer money, change the keys, lock you out. And the transactions can't be reversed, any more than those valuables could have been sucked back up an escape tunnel dug by thieves.
"What's happened can't be undone," Kloss says. "In some ways, [cryptocurrency] is more like cash. If you've lost cash, you can't go to the bank and ask for your cash back."
It can't be undone, but it can, to a certain extent, be tracked. The ledger is encrypted, but it's public. Hence "pseudo-anonymous". You might not know who dug the tunnel, but you can follow it. (Whether someone's still at the end is another question entirely.)
So, who are the likely thieves?
Almost a month later, police are saying little about the case. For this story, police communications staff refused interview requests. They also refused to provide answers to any specific questions – such as when Cryptopia might reopen (reports have said as soon as this month), whether overseas exchanges are cooperating, how many staff have been tasked with investigating the case, and how much was stolen. The lengthy silence has prompted questions about whether police have sufficient skills to solve the case.
But Detective Inspector Greg Murton, in an emailed statement, said the investigation is "progressing well". "The stolen cryptocurrency is being actively tracked by police and specialists worldwide due to the nature of the cryptocurrency blockchains being publicly available."
Cryptopia management and employees were assisting, he said. Officers remained at the Christchurch headquarters but expected to leave by Friday, February 15.
Several experts I spoke to said they wouldn't be surprised if a foreign party was behind the breach. A country under heavy economic sanctions, such as North Korea, or perhaps China or Russia, which have been connected to malware or ransomware attacks.
Kloss admits Cryptopia wouldn't be an obvious target owing to its size, but, "if they do happen to stumble upon something that can be exploited, they'll do it".
Executive director of Blockchain NZ Mark Pascall says while it's hard to comment on the case without knowing all the details, Cryptopia was known for playing in the "long tail" space. Meaning it listed and traded large numbers of "obscure tokens", which would have exposed it to additional security risks.
Regardless, there will always be risks involved in cryptocurrency trading, he says. "For people new to this space, it's important to understand that it's the exchanges that are being hacked, and not the underlying blockchains."
There are various investments going on which promise to develop new, decentralised exchanges, with improved security. And an emerging market for security tokens (regulated tokens that derive their value from real world assets) will "open up many opportunities for New Zealand businesses", he says.
While a lot remains unclear about the breach, there's already a lot to learn from it, says Auckland University associate professor of commercial law Alex Sims. "Never give your private key to anyone. And don't leave your money in exchanges."
Sims also says there are lessons for how New Zealand regulates exchanges: "We need to have properly regulated exchanges."
However, it's not true to say – as many people have – that exchanges are currently unregulated. In order to sign up to one, you have to provide various levels of proof of identity. Bank account numbers, passport photos, contact details, and so on. This is so the exchange can abide by anti-money laundering laws. Government bodies including the Department of Internal Affairs know about exchanges, and make sure they're compliant. "So they're regulated in that sense," Sims says.
But it's a messy system. The DIA, the Financial Markets Authority, and the Reserve Bank all currently act as regulators. "People are being pulled around. What they're pushing for is one government department. They just want nice, clear rules they can follow."
Even with better regulation there's always an element of risk, she says. "People break the law all the time."
While Bitcoin has a reputation as the currency of choice for drug dealers and money launderers, in reality, criminal activities account for just 10 per cent of transactions, the United States Drug Enforcement Agency found last year. (Down from a high of 90 per cent in 2013, prior to the takedown of dark web marketplace Silk Road.)
"Authorities would like people to use Bitcoin because it's traceable," Sims says. "Cash, now, that's a lot better for money-laundering."
Perhaps the biggest takeaway is the need for effective cybersecurity. "While it's easy to understand why Cryptopia was hacked, cybercrime isn't limited to cryptocurrency exchanges," she says. Organisations – large and small – must treat cybercrime as one of their biggest risks.
"It's not a case of if hackers strike, but when."