07 Aug Group-IB: No cryptocurrency exchange can guarantee user security
In 2017, the number of compromised accounts on cryptocurrency exchanges increased by 369% in comparison with 2016 and that number jumped to 689% in January 2018.
New research by cybersecurity firm Group-IB shows the US (34.3%), Russia (10.5%), and China (5.0%) were the top three countries where cryptocurrency exchange users were hit by a massive surge of cyberattacks and user data leaks.
“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds signal that the industry is not ready to defend itself and protect its users. In 2018 we will see even more incidents. The dark side of the cryptoindustry requires a response from the community, including researchers, scholars, and academia,” said Ruslan Yusufov, Group-IB special projects director.
No cryptocurrency exchanges are adequately protected
The cybersecurity company identified 50 botnets used for launching cyberattacks on cryptocurrency exchanges. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).
The company made a bleak assessment of the state of cryptocurrency exchange security:
“Currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least five out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi.”
Exchanges must improve security
Clearly, cryptocurrency exchanges can and should be doing more to protect their users. The report cited errors in the source code of software, phishing attacks, unauthorized access to user databases, and vulnerabilities in the storage and withdrawal of account holders.
Group-IB recommended several basic security improvements:
- implement two-step authentication
- conduct regular security audits of IT infrastructure and services
- implement regular training for personnel
- install anti-APT solutions, using threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems
- development of cyber security incident response plans.
Users are careless with passwords, security
Users are also proving to be notoriously careless with their passwords and account security.
Group-IB analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges. It found 20% of users chose password shorter than eight characters.
It offered recommendations for improved user account security including:
- creating passwords at least 14 unique symbols
- not using public Wi-Fi during exchange transactions
- avoiding “traces” on social media and not mentioning ownership of cryptocurrency.
You can get a free copy of the Group-IB cryptocurrency exchanges risk report here.