Overall, the dollar losses are mounting, but the number of incidents has stayed pretty much the same, averaging 9 per year. During the uptick that occurred around 2013, the average jumped from three incidents per annum in previous years to 11 afterwards. What happened in 2013? Well, it was the Year of Bitcoin, per Forbes Magazine, denoting the serious financial investment being put towards cryptocurrencies. It seems to have piqued criminal attention, as well.

What is Going Wrong?

Like most security professionals, we at F5 Labs are most interested in how the attackers are getting in so we can design the appropriate defenses. We read through all these cases and, where we could, we attributed the incidents to an inciting cause, as shown in Figure 3.

Figure 3: Causes of cryptocurrency theft by incidence percentage

It’s worthwhile to compare these statistics to general data breaches, as we did in the 2018 Application Protection Report. In comparing the incident numbers, the first thing that jumped out to us was the high rate of insiders. For cryptocurrency thefts, the incidence rate is more than double, at 4.1% versus the average of 2%. That much highly liquid value sitting around is a tempting target for thieves, inside and out of an organization. That’s why traditional financial institutions worldwide have strict personnel management practices such as background checks, separation of duties, and system change auditing.

We also see double the amount of undisclosed causes, which is a known problem in the cryptocurrency industry. Some cryptocurrency thefts have been attributed to exchange owners faking a hack and taking off with the money.

We also saw a significantly higher number of DNS hijacking attacks. They do happen to traditional banks, but they are relatively rare in comparison to other types of attacks. In the cryptocurrency world, DNS attacks seem to be a larger problem.

One statistic that didn’t vary was breaches attributed to web application vulnerabilities. Web apps are complicated and provide an easy way to get to the goods. We’ll dive deeper into that in the next section.

Lastly, access credential theft and phishing actually saw lower numbers than traditional cyber-crime. This could be due to the stronger reliance on multi-factor authentication in the smaller and newer cryptocurrency industry. A smaller, newly formed organization focused on technology would be able to roll out multi-factor authentication a lot faster than a venerable, large bank.

If you look at the causes by dollar loss, as shown in Figure 4, you’ll see the proportions don’t shift much.

Figure 4: Causes of cryptocurrency theft by dollar loss

Who is Getting Hacked?

There are many different technological services in the cryptocurrency industry, all of which are targets for cyber-criminals. The most commonly hit technical services are cryptocurrency exchanges (63% of incidents). These exchanges are the digital equivalent of currency exchanges, except instead of exchanging dollars for euros or yuan, they are for exchanging cryptocurrency, like selling Bitcoin to buy Ethereum. Customers come to exchanges to buy or sell their various currencies, which makes these sites a nexus of high value transactions.

Cryptocurrency uses storage mechanisms called wallets, and there are two kinds. A “hot wallet” is Internet-connected and is used to store the cryptocurrency you would use for day-to-day transactions. Think of a hot wallet like the real-world wallet in your pocket or purse holding the cash for your morning latte. Hot wallets can run on cryptocurrency exchanges for easy trading, but they also can run as client software on your computer or mobile device. Because of this, hot wallets are more likely stolen (pickpocketed?) by cyber-criminals. To reduce the risk, cryptocurrency technology also leverages “cold wallets” that, as you can guess, are not connected online. The best cold wallets are air-gapped systems, such as a USB stick with a strong password. Within cryptocurrency exchanges, cold wallets exist as separate, strongly-encrypted databases requiring a wallet owner to unlock it with a private key.

This distinction is significant because the wallets running on cryptocurrency exchanges are the primary target for attackers. Both hot wallets and cold wallets have been hit. As shown in Figure 5, of the known attacked technologies, hot wallets within exchanges are ripped off three times as much as cold wallets.

Figure 5: Attacked technology within exchange thefts

Wallet software for clients that is outside of an exchange can also be attacked. Those represent about one seventh of the cryptocurrency thefts.

Another cryptocurrency technology is the mining service. Instead of using your own hardware to mine or forge coins, you rent someone else’s. There are a handful of incidents over the years where these mining services were hacked and the cryptocurrency stolen.

Figure 6 shows how the types of affected organizations broke down by incidents:

Figure 6: Incidents involving different types of cryptocurrency services

Broken down into more detail, Figure 7 shows dollar loss totals:

Figure 7: Dollar loss involving different types of cryptocurrency services

No matter how you slice it, cryptocurrency exchanges are like banks with lots of easy-to-grab money flowing through, so that’s where criminals will strike first.

Where Are We Going?

At the end of the day, we need to remember that all of these things are applications running on the Internet. Applications are complex conglomerations of interacting services in a variety of environments glued together with APIs, authentication credentials, and networks. This means they have an extensive attack surface and therefore need extensive security testing and protection.

Governments around the world are now starting to regulate the cryptocurrency industry, and some have already begun defining cybersecurity measures. Korea Regulation 5.5.7 (Regulation on Supervision of Electronic Finance) is being looked at as one of the leaders in that it treats cryptocurrency exchange cybersecurity measures the way a financial institution would. Hopefully, we’ll start to see other governments follow South Korea’s lead so we can turn the tide on this skyrocketing trend. In the meantime, brace yourselves to see cryptocurrency theft break the billion-dollar mark by the end of 2018.