Cryptocurrency exchanges under attack, risking repeat of Mt. Gox debacle

NEW YORK – When hackers penetrated a secure authentication system at a bitcoin exchange called Bitfinex earlier this month, they stole about $70 million worth of the virtual currency.

The cybertheft — the second largest by an exchange since hackers took roughly $350 million in bitcoins at Tokyo’s Mt. Gox exchange in early 2014 — is hardly a rare occurrence in the emerging world of cryptocurrencies.

Data seen by Reuters shows a third of bitcoin trading platforms have been hacked, and nearly half have closed in the half dozen years since they burst on the scene.

This rising risk for bitcoin holders is compounded by the fact there is no depositor’s insurance to absorb the loss, even though many exchanges act like virtual banks.

Not only does that approach cast the cybersecurity risk in stark relief, but it also exposes the fact that bitcoin investors have little choice but to do business with under-capitalized exchanges that may not have the capital buffer to absorb these losses the way a traditional and regulated bank or exchange would.

“There is a general sense in the bitcoin community that any centralized repository is at risk,” said a U.S.-based professional trader who lost about $1,000 in bitcoins when Bitfinex was hacked. He declined to be named.

“So when investing, you always have that expectation at the back of your head. I lost a small amount compared to the others, but I know of traders who lost millions of dollars worth of bitcoins,” the trader said.

The security challenge for the bitcoin world does not appear to be letting up, according to experts in the currency.

“I am skeptical there’s going to be any technological silver bullet that’s going to solve security breach problems. No technology, cryptocurrency, or financial mechanism can be made safe from hacks,” said Tyler Moore, assistant professor of cybersecurity at the University of Tulsa’s Tandy School of Computer Science, who will soon publish the new research on the vulnerability of bitcoin exchanges.

His study, funded by the U.S. Department of Homeland Security, shows that since bitcoin’s creation in 2009 to March 2015, 33 percent of all bitcoin exchanges operational during that period were hacked. The figure represents one of the first estimates of the extent of security breaches in the bitcoin world.

In contrast, data from the Privacy Rights Clearinghouse, a nonprofit organization, showed that of the 6,000 operational U.S. banks, only 67 banks experienced a publicly disclosed data breach between 2009 and 2015. That is roughly 1 percent of U.S. banks.

Among the world’s stock exchanges, however, security breaches are much higher, with hackers attracted to the large pools of cash moving in and out of these trading venues. The latest survey of 46 securities exchanges released three years ago by the International Organization of Securities Commissions and World Federation of Exchanges found that more than half had experienced a cyberattack.

Moore collaborated on the research with Nicolas Christin, associate research professor at Carnegie Mellon University and Janos Szurdi, a Ph.D. student also at Carnegie.

In 2013, Moore and Christin wrote a research paper on security risks surrounding bitcoin exchanges when Moore was still a professor at Southern Methodist University. That research was presented at the 17th International Financial Cryptography and Data Security Conference in Okinawa, Japan in 2013.

In the most recent study, the rate of closure for bitcoin exchanges in Moore’s research edged up to 48 percent among those operating from 2009 to March 2015. Hacking did not necessarily trigger the closure in each case.

“A 48 percent closure is not acceptable, but not surprising given that bitcoin is a new technology,” said Richard Johnson, vice president of market structure and technology at Greenwich Associates. Johnson has written reports on risk and security issues in the cryptocurrency world.

Profitability is a big problem for bitcoin exchanges, with many of them unable to generate enough volume to keep afloat.

Bitcoin exchanges overall could be launched for as low as $100,000 up to $1 million, said Erik Voorhees, founder and chief executive officer of digital currency exchange ShapeShift. That is a fraction of what U.S. foreign currency exchanges are required to put up.

Retail FX trading platform FXCM, for instance, is required by the Commodity Futures Trading Commission to have at least $25 million in capital at all times.

A key factor tied to the risk posed by exchanges is whether customers are reimbursed after closure or after the loss of bitcoins following a hack. Each closure and breach have been handled differently, but Tandy’s Moore said the risk of losing funds stored in exchanges are real.

In the case of Bitfinex, which is now up and running after the hack August 2, customers lost 36 percent of the assets they had on the platform and were compensated for the losses with tokens of credit that would be converted into equity in the parent company.

At Tokyo’s Mt. Gox, customers have yet to recover their investments more than two years after closure.

Experts say trading venues acting like banks such as Bitfinex will remain vulnerable. These exchanges act as custodial wallets in which they control users’ digital currencies like banks control customer deposits.

“The big exchanges that hold customer deposits are a big target for hackers,” said ShapeShift’s Voorhees, “and unfortunately most bitcoin exchanges store user funds.”

When customers’ checking accounts are hacked, there is always a third party at the bank that can step in to deal with the theft.

Not so with bitcoin, said Seattle-based Darin Stanchfield, chief executive officer at KeepKey, a hardware wallet provider. He expects more of these attacks to happen despite efforts to improve security at bitcoin exchanges.

“Unfortunately because of its irreversible nature, bitcoin requires near perfect security.”