Not Your Keys, Not Your Coins: A Devastating Bitmart Hack Serves As A Humble Reminder

Another day, another staggering crypto hack. While cryptocurrency has a reputation for being highly secure because it lives on blockchain networks, we’ve recently been reminded of a different story: cybercriminals are extremely smart people who will likely always find a way to cheat the system. The proof? On Saturday, December 4th, 2021, Bitmart was forced to suspend all deposit and withdrawal functions after detecting a “large-scale security breach”. The hack was first reported by PeckShield, a blockchain security company, and later confirmed by Bitmart’s CEO, Sheldon Xia.

Bitmart’s Dilemma

As you’ve probably guessed, the hack cost Bitmart a pretty crypto penny. The hackers made off with a mixed bag of about 20 different token types, including Shiba Inu, Safemoon, and Binance Coin (among others), with an original estimated worth of about $150 million. PeckShield suspected that the losses were even more devastating, however: about $100 million in Ethereum-based currency and another $96 million in tokens on the Binance Smart Chain.

As it turns out, the hackers pulled off their heist by stealing a private key that opened a real Pandora’s box of crypto. With that single key, not just one but two hot wallets became accessible, allowing the hackers to siphon off millions in users’ assets.

And no, we’re not talking about a wallet you’ve tossed on the microwave. Cryptocurrency is stored in virtual wallets, which can be “hot” (connected to the internet) or “cold” (kept offline). A hot wallet is more readily available and definitely more convenient, but that convenience comes at a price: because its keys sit on an internet-connected system, the risk of hacking is higher.

How It All Happened

For those of you who are utterly baffled by how $196 million could virtually disappear on a public blockchain, there are ways to make these funds much harder to trace, so let us explain. According to PeckShield, this was a classic case of “swap and wash”, which isn’t dissimilar to traditional money laundering. Using the decentralised exchange aggregator 1inch, the hackers swapped the stolen tokens for ether (ETH), then deposited the assets into Tornado Cash, which obscures the transaction information.

Basically, the original dirty assets are combined with clean ones and the transaction information is scrambled, making the trail increasingly difficult to follow. From there, the architects of the scheme can turn to privacy tokens like Monero, where transaction information is kept anonymous, making it that much easier to sail into the sunset with their “earnings”.

This isn’t the first big-time hack we’ve seen either. In fact, it is the second one this month. Just last week it was reported that cybercriminals had stolen about $120 million from the DeFi platform BadgerDAO. Cream Finance, meanwhile, saw another $130 million in losses after not its first, not its second, but its third hack this year.

The Road To Recovery

There is a silver lining here, though. Bitmart has announced that it will use its own funds to cover the losses and compensate its users, something that isn’t always possible (or probable). While blockchains themselves are reliable thanks to their public records of transaction history, exchanges don’t operate in the same capacity. Think of exchanges like a bank…without insurance.

In Canada, deposits at insured banks are covered by the Canada Deposit Insurance Corporation (CDIC). So, if a bank is robbed and you lose all of your beloved savings, the CDIC will swoop in to help the bank cover those losses. By contrast, Paul Bischoff of Comparitech told ZDNet that if an “exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds”.

With that, Bischoff is reminding us of one very important beginner lesson in crypto: not your keys, not your coins. If your tokens are stored with an exchange, or even in certain wallets, you will have a public key (the destination to which funds can be transferred). But there is also a private key, which proves true ownership of those tokens. In many cases, users have access to their public key but not the private one.

Private keys are usually kept by the exchange, which gives it more control over the accounts it holds. In cases of hacking, if a third party gains access to your private key, they gain ownership of your tokens and can do basically whatever their heart desires with them. The Bitmart hackers put on a perfect demonstration of this: they stole a private key, et voilà, millions of dollars vanished.
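As an added illustration of the point above (not part of the original post, and not how any particular exchange or chain is built), the following Go program models a ledger that only accepts a transfer signed by the private key behind the payer's address. It uses Go's standard-library ECDSA on the P-256 curve rather than Bitcoin's secp256k1, and the Transfer format, Address derivation and all names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transfer is a constructed, simplified spend standing in for a real transaction.
type Transfer struct {
	From   string // payer's address, see Address
	To     string
	Amount uint64
}

// Address is a short public identifier: anyone can send to it, nobody can spend with it.
func Address(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return fmt.Sprintf("%x", h[:20])
}

// digest binds all fields into the signed value; a signature can't be reused for a changed payee or amount.
func digest(t Transfer) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount)))
	return h[:]
}

// Sign authorizes a transfer. Whoever holds priv can do this: the owner, the
// custodian keeping it in a hot wallet, or a thief who copied it.
func Sign(priv *ecdsa.PrivateKey, t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(t))
}

// Accept is the ledger-side check: the signature must verify under a public
// key whose address is the payer. Holding the public key alone cannot pass it.
func Accept(pub *ecdsa.PublicKey, t Transfer, sig []byte) bool {
	return Address(pub) == t.From && ecdsa.VerifyASN1(pub, digest(t), sig)
}

func main() {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := Transfer{From: Address(&owner.PublicKey), To: "payee", Amount: 5}
	good, _ := Sign(owner, t)   // any holder of the private key: owner, custodian or thief
	bad, _ := Sign(stranger, t) // someone who knows only the public address
	fmt.Println(Accept(&owner.PublicKey, t, good), Accept(&owner.PublicKey, t, bad)) // true false
}
```

A private key copied out of a hot wallet signs exactly like the owner's key, which is why the ledger cannot tell a thief's withdrawal from a legitimate one.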

At the end of the day…

You may be thinking, why use an exchange or wallet that doesn’t allow you to hold your own private key? While there are obvious benefits to being a keyholder (namely the fact that you are the sole owner of your coins), there are obvious drawbacks as well (you, the owner, are solely responsible for security). For many people, outsourcing security to large companies with seemingly ‘secure’ resources is an obvious choice. This is similar to the idea of keeping your money in a bank. After all, you’d feel pretty vulnerable if you kept your life savings in a shoebox at the back of your closet (or on a computer protected by nothing more than a simple antivirus program).

Simply put, it’s naive to think that crypto stored in even the most secure exchanges isn’t at some sort of risk. So, the question here is, do you take the responsibility that comes with holding your private key? Or do you pass that along to a company with greater resources (and arguably a bigger target on their back)? At least in this case users can breathe a sigh of relief that Bitmart has their backs and plans to remedy the lost funds, but victims of future attacks may not be so lucky.