From Hodl to Heist
Analysis of Cyber Security Threats to Bitcoin Exchanges
How and where do you buy your Bitcoin? Via a P2P marketplace, decentralized exchange, or rather through Coinbase, Binance and the likes? Most people do so via the latter ones. Centralized exchange platforms are compelling to most users as they are easy to use. They are usually in the top Google results, provide a fancy mobile device app and thus serve as a gateway into Bitcoin without having to delve into its technicalities. All of this comes at a price, which comes at trading privacy for ease of use. As most people keep their funds in the custodial wallet offered by the exchange, they also trade security for ease of use.
One can argue this is all fine. The money on your bank account is also not truly your money, but only a claim against your bank. These centralized exchange platforms have essentially become the banks of Bitcoin. What is wrong with that, you might ask. The problem is that you should then expect these parties to implement bank-level security, but they don’t. And when things get ugly, this might leave you empty-handed. Which has happened many times: remember the Mt. Gox hack?
We have looked at a corpus of 36 cyber security breaches of centralized Bitcoin exchange platforms over the last years. We have analyzed how these platforms were breached and also how this compares to security breaches of ‘traditional’ financial institutions. Yes, that is a bold comparison for a Bitcoin maximalist and purist. But as what has become of these big centralized platforms opposes the Bitcoin philosophy so much, they must at least be trustworthy custodians. Of course this is exactly why Trace Mayer launched Proof of Keys1. Not your keys, not your Bitcoin2. On the upside, our research shows that things have gotten better over the last couple of years, but there is still room for improvement. The amount of funds that get exfiltrated using relatively low-level attack techniques, is unique to this ecosystem. But of course none of this would be feasible if people move their newly acquired BTC directly to a privately managed means of storage. If everyone acted accordingly, would centralized exchange platforms still exist?
This was a fun, quick analysis to pull off, which allowed me to tinker with the VERIS framework and the VERIS toolbox a bit. The paper got accepted into IEEE’s International Conference on Blockchain and Cryptocurrency, which will take place next month. If you’re interested in reading the full paper, it is provided here. Strong hands!