Cryptopia Cracked: Are Centralized Exchanges the Way to Go?

Published at: May 22, 2019

It goes without saying that exchanges command significant influence over the cryptocurrency market, being the exclusive portals for fiat into the world of blockchain. Exchanges are also the most significant winners of the cryptocurrency craze, and bank billions by raking in fees and maintaining custody over sizeable crypto wallets comprised of their own funds but also those of the customers. In a largely unregulated environment, the latter idea comes with its own set of implications and risks.

Not every exchange uses its capital to reduce these risks adequately. Instead of reinvesting in a more secure custody service or establishing carefully administered audits, some exchanges may begin to act in their own financial interests. Traders keeping their coins in exchange wallets understand that the direct connection to the market and ability to trade into and out of fiat demands a steep price — and familiarity with this compromise is universal.

For a sector that is moving gradually toward improved compliance, customer safety and access to the crypto market shouldn’t be mutually exclusive. This is why breaches like that of Cryptopia are vital to pay attention to, as they also highlight the often-adversarial role that exchanges play with their customers.

With the news that Cryptopia is now being liquidated, several months after two major hacks, the reality may be setting in for optimistic crypto traders. Despite their best intentions and ambitious statements, exchanges are not always friendly places to customers, for more than one reason. For early investors, this scary reality tempers investment enthusiasm and represents an anchor on the market that, in 2019, is past due to be cut loose. But is the future really that bleak?

Thanks to the transparency of the ledger, websites like Etherscan, and watchdog social accounts such as Whale Alert, have already tracked the stolen Cryptopia funds to a handful of wallet addresses that moved the funds over to an exchange. However, this is far from identifying the perpetrators of the hack or even preventing them from using the crypto they stole.

Cryptopia crushed

Exchange hacks are an unfortunate yet predictable occurrence in cryptocurrency and add to its notoriety as a “Wild West” marketplace. Cryptopia is just one instance in a long history of hacks, which, as of April 2019, totaled over $1.3 billion lost or stolen in crypto since the origination of bitcoin in 2009. Of that $1.3 billion, 61% was lost in 2018 alone — and 2019 seems to have the ambition to surpass that figure.

The hack of New Zealand exchange platform Cryptopia was reported in January after several days of on-and-off maintenance, when it finally announced on Jan. 15 that, at the time, around $16 million had been stolen from over 76,000 different wallet addresses. On Jan. 29 the hacker struck again, siphoning a further 1,675 ethers (ETH) from a variety of 17,000 Cryptopia wallets.

“What surprises me the most is the negligence in relation to security of the entire chain of work with wallets,” Codex Exchange CEO Serge Vasylchuk told Cointelegraph. “Maximum isolation is necessary both from external influences and from accidental internal interference — on the developer’s part or anyone else’s, because each change in the system may entail a security breach. That’s why backups should be done regularly. Private key backuhereumps must be on a well-protected physical copy with no questions. This hack would have been prevented if they would have taken these must-have measures seriously.”

Also, the founder of Cryptopia, Adam Clark has seemingly moved on from the failed project and is now working on a new cryptocurrency exchange. It claims to be “New Zealands most advanced crypto trading platform,” offering fast and secure service. It is unclear if the exchange is fully operational at this point in time, several pages like “About Us” are blank and “Market Summary” displays zero activity.

Badly run exchanges demonstrate the need for decentralization

So, why did it take so long for Cryptopia to acknowledge the threat and then to deal with it appropriately? How could it have let its customers’ private keys become exposed?

Answers are still inconclusive, but some are of the opinion that the hack was an inside job, meant to drain the exchange of its funds before a scheduled audit. Though this would be incomprehensibly malevolent, it’s already bad enough that a platform with over 1 million customers would expose their private keys to intruders.

According to Hacken’s blockchain security team, “The Cryptopia hack is quite different from other exchange and wallet hacks. First of all, the funds were transferred from ethereum accounts. Hackers need to sign the transaction with an account’s private key to be able to transfer ether or tokens to their personal account. It could have happened that hacker somehow gained access to Cryptopia’s private key storage. The fact that a hacker gained access to private keys is confirmed by the fact that transfers continued several days after the breach was discovered.”

The lack of transparency on the part of Cryptopia, which remains tight-lipped about the ordeal and willing to let customers flail, also seems questionable. Centralized exchanges are able to rely on the legal system to some extent when it comes to repaying stakeholders, but it isn’t always the most elegant or satisfying solution, given that they still exist on the fringes of traditional finance. The embrace of decentralized exchanges is partly due to the idea that traders own their own private keys and therefore exercise true ownership of their cryptocurrency.

This is clearly demonstrable in other exchange hacks, all of which occurred on centralized exchanges exclusively. The largest hack of all time, in January 2018, saw Japanese exchange Coincheck hacked for over $500 million in crypto at the time, which appeared to have resulted from a lazily managed custody model. Not only was Coincheck not registered with Japan’s Financial Services Agency (FSA), it was also revealed that it had kept the entirety of its NEM in a single hot wallet as opposed to the hybrid hot-and-cold solution deployed by most modern exchanges.

And it also seems that the New Zealand exchange took no action for several days while it was being drained. Blockchain forensics firm Elementus said at the time, “Despite the hack, many Cryptopia users continue depositing funds into their ethereum wallets. In just the two hours since these breaches took place, many of the very same ethereum wallets that were just drained have already been topped with more ether.” The lack of transparency meant users lost much more than they should have, had Cryptopia been forthcoming.

After the liquidation announcement, however, the company did take to Twitter, asking users to stop depositing crypto onto the soon-to-be-defunct platform.

Do exchanges remain vulnerable despite efforts?

The recent Binance hack to the tune of $40 million was also catalyzed by error, but these instances could also be preventable if exchanges didn’t insist on being responsible for keeping customer funds safe. In its purest form, blockchain removes this necessity anyway. However, in the interest of profit, exchanges have decided to become “funds” rather than just service providers, despite not being technologically or legally capable of doing so in some cases.

Moreover, regulation remains fuzzy, even though there is a growing consensus that it is necessary to increase security and safety of traders and their funds. Even the likes of Mike Novogratz have advocated for greater external and self-regulation. According to him, the industry is leaning that way regardless, noting that “we think all the exchanges should go to a process where they can almost self-regulate, right? They do what the regulators want beforehand,” as a way of creating more transparency and improving the overall ecosystem.

Regardless, there are simply too many attack vectors for hackers to explore when it comes to cryptocurrency exchanges. From weak smart contracts to phishing and insecure storage methods, it’s clear that centralized exchanges need to adjust their approach and, at the very least, pour their profits into a security apparatus that will hopefully keep the platform safe.

Some exchanges, like Binance, even put away 10% of funds into a dedicated wallet for the express use of reimbursing hacked customers. Initiatives like these, although very welcome, should not be the safety net for billions of dollars stored in crypto, and by themselves indicate that the expectation of a hack is always present.

The Cryptopia hack and subsequent liquidation have reawakened the conversation about how safe crypto really is. The hack itself resulted in millions being lost, and the company proved unable to manage the aftermath and to respond to its users’ very valid concerns.

However, the increasing emphasis on regulation and a stronger focus on security means that, at the very least, the problem is likely to be mitigated soon. As exchanges learn from their rivals’ lessons and the market matures, it will likely weed out those exchanges that refuse to improve and leave only those that prioritize transparency and user safety.

Tags
Related Posts
Half a billion people just had their Facebook data leaked
According to a security analyst, sensitive personal information for over half a billion Facebook users was leaked on a well-trafficked hacking forum earlier today — a potential risk to millions of cryptocurrency traders and hodlers who now may be vulnerable to sim swapping and other identity-based attacks. The trove of information was first discovered by Alon Gal, CTO of security firm Hudson Rock, who posted on Twitter about the leak earlier today: All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the …
Decentralization / April 3, 2021
Report: Blockchain-related hacks have declined in 2020
The amount of cryptocurrency and blockchain-related hacks has been decreasing over the course of 2020, a new report claims. According to data analyzed by VPN provider Atlas VPN, the number of hacks in the first half of 2020 dropped more than three times compared to the same period in 2019. The data is part of a report released by Atlas VPN on Oct. 28. According to Atlas VPN, 2019 was a record-breaking year for blockchain hackers that exploited 94 successful attacks in the first half of the year, while in H1 2020 there were 31. Per the report, 2019 as …
Technology / Nov. 2, 2020
Binance Freezes Funds Stolen From Upbit in Late 2019
An address associated with the $50 million hack of South Korean crypto exchange, Upbit, has moved some of the stolen Ethereum (ETH) to Binance. The world's biggest exchange immediately froze these funds on its platform, and has initiated an investigation. On May 13, Whale Alert tweeted that a 137 ETH ($27,164) transaction was moving funds derived from hacked Upbit exchange to Binance. According to the transaction details, the transfer occurred at 12 p.m. EST. Less than one hour after the transaction was flagged, Binance CEO Changpeng Zhao, or CZ, stepped in to the tweet thread to report that the transferred …
Blockchain / May 13, 2020
Finance Redefined: Alchemy raises $200M, Bunny goes DAO, Feb. 4–11
Welcome to the latest edition of Cointelegraph’s decentralized finance newsletter. As the DeFi space continues its technical resurgence, essential news on funding, innovation and DAOs continues to drive adoption in what remains a nascent industry. For the full version of this newsletter including longer, more descriptive analysis of the top stories this week, subscribe below: Alchemy raises $200M in latest funding, ACH token soars 77% Web3 platform Alchemy announced the launch of a $200-million Series C funding round this week, giving the company a decacorn status and a valuation of $10.2 billion. The seven-investor round was led by two California-based …
Decentralization / Feb. 12, 2022
First steps: Basic tips for getting started investing in DeFi
Decentralized finance (DeFi) protocols have diversified investment opportunities in the crypto industry by facilitating novel and innovative passive income generation schemes. Delving a bit into how they work, DeFi systems are based on blockchain technology and run on programmable chains such as the BNB Chain and the Ethereum Network. The chains use decentralized peer-to-peer (P2P) finance architectures to cut out the middleman and enable lending, borrowing and liquidity provision. This leads to higher interest rates compared to those provided by regulated financial institutions such as banks. For perspective, many regulated banks provide interest rates of less than one percent per …
Decentralization / April 14, 2022