Cryptocurrency are attractive to hackers because of its anonymity and irreversibility of transactions. Crypto exchanges have an average of $2 billion against $1.5 million for banks in hacking losses. More than $1.2bn was stolen from cryptocurrency exchanges in the first quarter of 2019 as against $1.7bn for the whole of 2018 according to a blockchain forensics company CipherTrace.
How does cryptocurrency work?
Digital currencies are transferred to others via their public key (i.e. the public key is a unique identifier of the user account) similar to how funds are transferred to a bank account number. All transactions are verified by the cryptocurrency network using the key of the owner that made the transaction. It’s not different from any other digital account like a bank account where an account owner can transfer fund to another person’s account using a password.
A crypto wallet (a vault where digital currencies are stored) usually have a key pair: Private and Public key. The private key is meant to be secret and only known to the user. The public key is a public, anyone could have access to it similar to an email address or a bank account number. The private key is similar to a password used to authorise a transaction. The public key is known to the participants of the network and it’s used to check (verify) that the owner of the cryptocurrency actually approved the transaction. For details on how the keys work see Asymmetric cryptography
Who controls the wallet?
Anyone that has access to the private key controls the wallet and the asset (digital currency) therein. Given the decentralised and anonymous nature of cryptocurrency, theft of a wallet’s private key means a complete loss of the cryptocurrency. There are no personal “accounts recovery” with a cryptocurrency like there are with traditional banks — whoever knows the private key of a Bitcoin wallet, for example, essentially owns that Bitcoin.
In most cases, the key pair is stored in a database of the crypto exchange provider – this is referred to as centralized. The user is only assigned a credential (mostly username and password) that they provide on the exchange’s website (or in an app) to unlock their wallet and then uses the key to make a transaction. In this case, the exchange provider is the controller of the account. The issue here is that attackers can steal a user’s credentials and thereby steal the cryptocurrency in the account.
Also, in a case of a vulnerability in the exchange’s system, attackers may not even need the individual credentials. An example is the Bitfloor 2012 breach where “the attacker gained accesses to an unencrypted backup of the wallet keys… using these keys, they were able to transfer the coins”.
Some Hot wallets such as Exodus.io and Dash QT wallet doesn’t store the private keys on its servers – this is referred to as decentralised storage. The keys are stored on software on the individual’s device. This transfers control of the wallet/funds completely to the individual. This makes it harder for an attacker, an attacker would need to gain access to each individual device.
Centralised vs Decentralised
In centralised storage, the cryptocurrency exchange is in total control of the funds. The cryptocurrency exchange is a single point of failure. Anything that affects its infrastructure leaves all the individual funds vulnerable. This is one of the major causes of crypto exchange breaches. In the words of Ethereum creator Vitalik Buterin: “I Definitely Hope Centralized Exchanges Go Burn In Hell”.
With decentralised storage, the funds are not managed centrally. For example, each individual could have its funds (private key) stored in a device under their control. This eliminates the risk of a single point of failure and mass account compromise. It also limits the funds that could be stolen in the event of a breach as an attacker would need to attack individuals.
See how cryptocurrency (wallets) are compromised by hackers.