How to Hack a Cryptocurrency Slide Heading How to Hack a Cryptocurrency Varun Ebenezer, CISA, CBP VP & Senior IT Audit Manager BMO Financial Group

Agenda Slide Heading Why Hack a Cryptocurrency? Cryptocurrency Thefts Hacks of Cryptocurrencies Questions?

Why Hack a Cryptocurrency? Cryptocurrencies are becoming highly lucrative. Total Market Capitalization of all Cryptocurrencies reached $820 billion in January 2018. Nearly 20 unique cryptocurrencies are currently valued at or above $1 billion. Cryptocurrencies are becoming increasingly legitimate. ICOs have raised over $4.5 billion for crypto/blockchain startup funding for period of 2012 through 2018. Financial firms are creating crypto-trading desks, crypto-based products for consumers, and implementing custody solutions to store cryptocurrencies.

As of 8/10/2018 from https://cryptolization.com/

Cryptocurrency Thefts Theft of a cryptocurrency often involves attacking the medium of storage. Similar to robbing a bank, or breaking into a personal safe. The actual cryptocurrencies being stolen are not typically compromised. Online exchanges, online wallets, and desktop wallets are all vulnerable. Safest approach is keeping your private keys offline. Paper wallets are a cost-effective solution. Hardware wallets such as Nano Ledger or Trezor are generally safe. Never use an online exchange for long-term storage.

Hacks of Cryptocurrencies Hacking of a cryptocurrency involves trying to compromise an associated blockchain network, related coding, or defrauding investors. Cryptocurrencies are by design secure. However, there are both technical and non-technical methods by which cryptocurrencies can be exploited. Up to this point there has not been a substantial vulnerability identified within bitcoin’s source code. All altcoins use a modified version of bitcoin’s source code. Examples of altcoins include: Ethereum, Litecoin, and Monero.

51% Attack Attack in which a group of miners controls more than 50% of a blockchain network’s computing power, or mining hash rate. Would create a condition in which new transactions are not verified. Payments between some or all users would be stopped. Would allow the controlling entity to reverse transactions, and therefore “double-spend” coins. Attack involves substantial amounts of investment in mining hardware and proper economic incentives. Smaller market cap coins are at higher risk. A well-known concern since the early days of bitcoin.

51% Attack Examples of 51% Attacks Bitcoin Gold ~ $18 million stolen Approximate market cap at time of attack $700 million Verge ~ $1.7 million stolen Approximate market cap at time of attack $900 million Zencash ~ $500,000 stolen Approximate market cap at time of attack $120 million 51% Attacks are becoming more popular. Malicious actors can leverage rented mining power. Costs of conducting a 51% can be viewed in real-time. https://www.crypto51.app/

Code Attack The Distributed Autonomous Organization (DAO) incident. Built on top of Ethereum’s blockchain. Largest crowdfunding event in history at the time, raised over $150 million from more than 11,000 users. Hacker exposed flaw in the DAO’s source code and stole funds. The DAO contained 15% of all Ethereum in circulation. Vulnerability identified was not in Ethereum’s source code, but was within DAO’s source code. Similar to the relationship between the iOS platform and iOS apps that are built separately,

Code Attacks The Distributed Autonomous Organization (DAO) incident Built on top of Ethereum’s blockchain Largest crowdfunding event in history at the time, raised over $150 million from more than 11,000 users Hacker exposed flaw in the DAO’s source code and stole funds The DAO contained 15% of all ether in circulation “Too big to fail” decision for Ethereum community Vulnerability identified was not in Ethereum’s source code, but was within DAO’s Similar to the relationship between the iOS platform and iOS apps that are built seperately

Defrauding Investors Use of legacy financial schemes that utilize modern technological means. Ponzi schemes, pump and dump operations, vaporware. Leverage mediums that are credible in the cryptocurrency community: Twitter, Reddit, Bitcointalk.org, and Telegram. Exploitation of human nature and behavior. Regulatory scrutiny from the SEC regarding ICO tokens being classified as securities. High-Profile Frauds OneCoin crypto-fund Ponzi scheme moved $350 million. Bitconnect Coin for crypto-backed loans had a market cap of $2.6 billion.

Defrauding Investors Key characteristics of a fraudulent cryptocurrency Whitepaper that is confusing or does not articulate an actual problem that needs solving. Unrealistic or missing milestone roadmap. Nearly instant large social media following (e.g. Twitter). Excessive amounts of positive posts on forum sites (e.g. Reddit, Bitcointalk). Advisors page that contain individuals whose roles are vague or unclear. Guarantees of high return to investors. Empty GitHub repositories.

Defrauding Investors Centra Tech Provided investors the image that they created a cutting- edge cryptocurrency debit card. Raised $32 million during their ICO through thousands of investors. Marketed false claims of partnerships with major credit card companies, such as Visa. Created fake founder biographies. Manipulated the price of the Centra Tech token (CTR). Secured celebrity endorsements from DJ Khaled and Floyd Mayweather, which helped to exponentially raise visibility.

Slide Heading Questions?