Bithumb’s $30 Million Dollar Hack – The Ocean –
We’re back with another installment of Hack Attack! This week, another South Korean exchange, Bithumb, was reportedly breached.
On June 19th, 2018, Bithumb (a top 10 exchange by volume) publicly suspended deposits and withdrawals due to escalating safety issues. As a precaution, they warned customers to not send funds to Bithumb wallet addresses for the time being.
Initially, Bithumb tweeted that $30 million USD worth of cryptocurrency had been stolen, and their team would compensate investors for all value lost in the security breach. While this maneuver was immediately lauded by crypto-influencers on Twitter, the statement has since been deleted. This has caused confusion amongst investors, as a current notice on their website still states that: ₩35 billion KRW (~$31 million USD) was stolen in the hack, and reimbursement is imminent for all affected customers through “Bithumb’s own company fund”, self-reported to hold $450 million USD.
We have announced about 35 billion won worth of damage to passwords. Bithumb is reducing the amount of damage through ongoing disaster recovery. Future figures are expected to be lower.
We will remind you once again that there is no damage to [investors].
While not confirmed, rumors have arisen concerning the timing of the hack. Two weeks prior, Coindesk reported that Bithumb owed about $28 million USD in back taxes, a similar value lost in this year’s hack. No divisive evidence linking the hack and their tax liability has emerged, however.
How did it happen?
There is currently an ongoing investigation by KISA, the national internet and security agency of Korea. No further information has been given regarding the attack vector.
This is the 3rd time in a 12 months that Bithumb has been hacked. Last year on June 29rd, an attacker hacked the personal computer of a Bithumb employee and gained access to customers’ personal data. The attacker compromised over 31,800 user profiles (3% of its user base) that contained names, emails, home addresses, and phone numbers. The attacker then used the phone numbers to call customers posing as a Bithumb representative in a voice-phishing scam. The attacker claimed that there was suspicious activity in Bithumb’s network and convinced users to give him their passwords and Google Authenticator codes. Users noticed that their accounts were being drained of funds (almost $1 million USD) and notified Bithumb and the authorities.
- Transparency regarding the status of customers funds is critical. Exchanges should be more forthcoming and consistent in the information they provide during such incidents. It doesn’t help if there are deleted Tweets and inconsistent messaging.
- Eliminate infrastructural weakness altogether. While influencers have praised Bithumb for their disaster recovery plans, it’s important to recognize that exchange hacks are a consequence of centralized risk. Billions of dollars in lost crypto value can be easily avoided by employing non-custodial architecture.
- User information security is critical. Last years’ Bithumb attack, not to mention last year’s Equifax hack and similar incidents, reminds us that not just user funds but user identifying information is an attractive target for hackers. Exchanges — and companies in general — need to use extreme care when handling customer information. *The Ocean takes specific measures (restricted access, top-of-the-line server protections) to ensure that all user account information is handled with care.
We just launched registration last week! Check out our new website and sign up to claim your OCEAN tokens.