Today’s news headlines sound the alarm about a breach that’s affecting thousands of Solana users with certain hot wallets.
Many newer cryptocurrencies already have a sordid history of security issues, but what about Bitcoin hacks? How safe is Bitcoin in comparison to other cryptocurrencies?
Safety is a subjective term, meaning we each define our own comfort level. For some, even a slight risk relative to a government bond, for example, makes an asset too hot to handle. For others, anything less volatile than hydrogen might be acceptable. It’s also a broad term. Even in a tightly defined discussion about Bitcoin hacks, you have to consider which other elements may have played a role in making crypto assets vanish into thin air.
Wallet hacks differ from exchange hacks which differ from platform hacks, and all of these differ from Bitcoin hacks aimed at the network itself.
Bitcoin’s network has never been successfully hacked, but external platforms and wallets have fallen prey to hackers, liberating Bitcoins from the target wallets, platforms, and exchanges.
Two serious inflation-based vulnerabilities have also been discovered and since patched, but each proved Bitcoin itself hasn’t always been a perfect bastion of hope as an alternative currency.
It’s helpful to know, however, that Bitcoin has never been counterfeited, reinforcing Bitcoin’s value as a fixed supply currency.
Bitcoin Exchange Hacks
Hackers target exchanges for the same reason bank robbers rob banks: that’s where the money is. Exchanges remain the most common choice for storing crypto assets, with over 90% of asset holders keeping some or all of their coins or tokens on exchanges.
In regard to Bitcoin hacks, this storage preference doesn’t always create as much risk as you might expect because many exchanges use cold storage to mitigate exposure. Cold storage refers to wallets for which the private keys are generated offline. Major exchanges also carry insurance against breaches.
But some Bitcoin holders have still lost everything in some of the higher profile Bitcoin hacks. In total, a truly stunning amount of Bitcoin has gone missing over the years.
- Mt. Gox: Easily the most famous of Bitcoin hacks, Mt. Gox was a turning point for Bitcoin in many ways, changing the way we invest and the way we secure Bitcoin. In 2014, Mt. Gox went offline forever. In a hack that may have started as early as 2011, an estimated 850,000 BTC went missing from what was the world’s largest Bitcoin exchange at the time. At today’s prices, the Mt. Gox hack still tops the list with investor losses of about $20 billion. Also in 2014, SatoshiLabs introduced the Trezor One, the first hardware wallet, offering a more secure way to self-custody Bitcoin.
- Bitfinex: In 2016, nearly 120,000 Bitcoins were transferred out of Bitfinex’s secure storage to a series of other addresses controlled by the hackers who coordinated the theft. At the time, Bitfinex was one of the world’s largest Bitcoin exchanges, and the hack represented more than half the exchange’s crypto holdings.
- NiceHash: Famous in the Bitcoin mining world, Slovenia-based NiceHash provides a marketplace for Bitcoin mining computational power. In 2017, NiceHash was hacked, resulting in a loss of 4,700 Bitcoins. This tale has a happy ending, however. In 2020, NiceHash returned the missing Bitcoins to NiceHash users who suffered a loss in the hack. This reparation is out-of-pocket. To date, NiceHash has been unable to recover the missing coins.
- Zaif: In 2018, Zaif, a Japan-based crypto exchange, lost about 6,000 Bitcoins in a hack, part of a larger crypto heist valued at around $60 million at the time. The digital bandits also stole Bitcoin Cash and MonaCoin in the brazen theft.
- Binance: Even the world’s largest crypto exchange isn’t immune from Bitcoin hacks. In 2019, the lights flickered worldwide as hackers liberated 7,000 Bitcoins from Binance in one bold transaction. The heist also left the thieves in possession of two-factor authentication codes used to secure user accounts and API tokens used to connect to external platforms.
When using exchanges, Bitcoin hacks are only one concern. You also have to consider insolvency. If the exchange fails as the result of losses due to a hack or for another reason, you’ll likely become an unsecured creditor, which puts your Bitcoin at risk.
The Infamous Bitcoin Inflation Bugs
After the last Bitcoin has been mined, there will only be about 21 million coins, or will there?
History shows us that Bitcoin’s code isn’t always bug-free, and at least two inflation bugs have surfaced, allowing more Bitcoin to be printed into existence.
- CVE-2018–17144 Bug: As recently as 2018, a bug that would allow double spending was discovered in Bitcoin’s code by a Bitcoin Cash (BCH) developer.
- CVE-2010–5139 Bug: Going back to 2010, a bug discovered in Bitcoin’s infancy allowed 184 billion Bitcoins to be minted. That really happened. Then, Bitcoin core developers rolled back the blockchain to make it “unhappen.” Yes, that really happened too.
Bitcoin isn’t perfect, at least not yet. But a dedicated team of developers continues working to squash Bitcoin bugs, making Bitcoin the secure, trustless, and decentralized money the world needs.
Exchanges make common targets for crypto hacks. But many times, hackers target end users, leveraging user actions (or inactions) to perform the heist.
- Phishing: Bad actors use phishing to obtain pieces of information used to access accounts or even steal identities. Phishing can take the form of emails, texts, phone calls, or other schemes in which the bad actor pretends to represent a platform, exchange, or product/service provider. In a phishing attack, some of which can be well-planned and quite convincing, scammers trick the end user into surrendering critical information voluntarily.
- Lending platforms: Recent headlines are packed with stories about lending platforms that capsized, taking investors down with the ship. Think twice and do your due diligence before depositing your Bitcoin with a third party that promises to deliver a yield on your deposited coins.
- Bridges: Blockchain bridges allow users to move assets or data between blockchains. But a series of nasty exploits used against bridges recently should give Bitcoin holders pause before crossing over. The Ronin Bridge hack and Nomad Bridge hack top the list with combined losses of nearly 300,000 Ether.
- SIM swaps: SIM swapping is usually the finishing touch on a multilevel hack in which bad actors collect various bits of information, such as logins, passwords, email addresses, and phone numbers. For accounts that have two-factor authentication that sends a code to the user’s phone, bad actors may be able to capture this code by swapping another phone onto the phone number for the account. In the Spring of 2021, about 6,000 Coinbase users suffered a breach similar to that described above.
Whether with crypto or with traditional finance, build safe habits such as not reusing passwords, not clicking on questionable links in emails or texts, and safeguarding information that might compromise your online security.
Other Crypto Hacks
Relative to market share, other crypto projects may be more likely to suffer hacks compared to Bitcoin.
Here are some of the more impactful hacks in the altcoin market’s short history:
- Ronin Network: In August 2021, Axie Infinity’s Ronin Network fell to a hack, resulting in a $625 million loss of ETH and USDC.
- Poly Network: Also in 2021, the Poly Network experienced a $600 million hack. However, the hacker returned the funds, purportedly having moved the funds to a secure address to prevent others from using the exploit.
- Coincheck: Just three years after its inception in 2015, NEM (XEM) became the target of a 2018 hack on the Coincheck exchange. In total, over $500 million in NEM coins disappeared.
- KuCoin: 2020 wasn’t a good year for the Seychelles-based exchange, at least from a hacking standpoint. In total, hackers stole over $275 million in a grab-bag assortment comprised of eight different crypto assets.
- Nomad Token Bridge: Just a few days prior to this article’s publication date, a widespread $200 million hack hit the Nomad Token Bridge, a tool used to move tokens between blockchains.
- BitGrail: In 2018, a series of hacks resulting in nearly $150 million in lost crypto led to the demise of the BitGrail exchange.
- Maiar DEX: Early 2022 saw a large-scale hack of the Maiar decentralized exchange as thieves stuffed their sacks with nearly $115 million in Elrond eGold (EGLD).
Bitcoin Structural Risks
Aside from Bitcoin hacks, Bitcoin can also bring some additional risks.
- 51% attack: In a 51% attack, also known as a majority attack, a group of miners with over half of the network’s hashing power can bully the network to reverse transactions, thus allowing double-spending. Due to Bitcoin’s size, a 51% attack is more of a theoretical risk than a probable risk, although a fork of Bitcoin called Bitcoin Satoshi Vision (BSV) suffered a 51% attack in 2021.
- Custodial risks: Any time you don’t self-custody your coins, you introduce additional risks. Seemingly stable platforms and exchanges can restrict access to your Bitcoin without warning or may suddenly go dark, ala Mt Gox. It’s impossible to know what other liabilities another organization might have that can affect their ability to protect your coins or even remain solvent.
- Layer 2 and sidechains: Bitcoin is slowly evolving, and the Taproot upgrade adds new functionality that will bring more growth to the Bitcoin ecosystem. However, new layer 2 or sidechain solutions may bring risks of their own. Be sure to do your due diligence before experimenting with large amounts of Bitcoin on the latest new project.
- Volatility risk: Bitcoin’s price changes daily, sometimes swinging wildly. Thus far, the long-term trend still points north. But be prepared for a roller coaster ride in the short term Peak to trough swings of up to 85% are not unprecedented.
- Server software risks: Software called Bitcoin Core powers nearly all Bitcoin nodes. Bugs or vulnerabilities in Bitcoin Core could potentially affect the entire network. For example, the INVDoS bug, discovered in 2018 and since patched, made all Bitcoin Core nodes vulnerable to denial-of-service (DoS) attacks. This bug also afflicted Btcd, an alternative software for running full Bitcoin nodes.
Hacks and Breaches in Traditional Finance
All this talk about Bitcoin hacks and crypto breaches can make it seem like cryptocurrency is inherently risky. And it is.
But it’s also helpful to step back and take in the big picture.
Traditional finance isn’t particularly safe. Leaks and data breaches are becoming more common, and the losses associated with these events can be difficult to measure because of their massive scope.
Below is just a sampling of leaks and breaches from traditional finance in recent years:
|First American Financial Corp||May 2019||885 million credit card applications|
|Equifax Data Breach||Sep 2017||147 million customers|
|Heartland Payment Systems||Jan 2008||130 million debit and credit card numbers|
|Capital One||Mar 2019||100 million credit card applications|
|JPMorgan Chase||Oct 2014||83 million accounts|
|Experian||Aug 2020||24 million customers|
Ways to Secure Your Bitcoin
“Not your keys, not your coins. “
While sounding like the Bitcoiner’s version of “I told you so,” this pearl of wisdom rings about keys and coins true now more than ever.
Between hacks, bugs, and high-profile platforms that can crash and burn suddenly, the safest place to keep your Bitcoin is in your own wallet, where only you control the keys.
For a cold storage option that doesn’t require a hardware device, you can consider the Electrum Wallet. The Electrum app is available for Mac, Windows, and Linux, as well as iOS and Android.
A cold wallet refers to a wallet in which the private keys are created offline, ideally with an air-gapped device that has never touched the internet. This reduces the chances of malware and spyware on the device.
A cold wallet in Electrum uses only the public key, which allows you to send BTC to the wallet but not to spend your BTC unless you put the wallet online by adding the private key.
To set up Electrum as a cold wallet, which Electrum refers to as “watching only,” you can use a few different methods.
You can build your wallet using an offline version of Tails, a privacy-based operating system that runs off a thumb drive. The Tails operating system comes with Electrum preinstalled. You can then transfer the public key to another device running Electrum by using a QR code.
Alternatively, you can build your cold wallet in Tails within a virtual machine (without enabling internet access).
As a third option, you can use the Qubes operating system to build a cold wallet with Electrum. Qubes is a privacy and security-focused operating system that supports multiple virtual machines (VMs) used for specific tasks. Qubes allows you to choose or deny networking access for each VM, which lets you build your cold wallet. You can even build your cold wallet in a disposable VM that self-destructs when you close the VM.
In all of the above cases, write down the seed phrase that Electrum creates and store it safely. Without this seed phrase, you’ll never be able to put the wallet online to move or spend your Bitcoin.
Electrum is open source and is widely used. The source code is open to review. Be sure to download it from the official site.
As an alternative to Electrum or a similar solution, you can use a hardware wallet to secure your Bitcoin.
Popular hardware wallet options include:
A hardware wallet acts like two-factor authentication, in a sense, only allowing transactions that you authorize on a device you physically hold. But be aware that hardware wallets often work hand in hand with the provider’s own software bundle. This software may introduce additional risks.
Split Your Bitcoin Into Smaller Amounts
In the traditional finance world, you don’t carry your entire life savings around in your back pocket. Too risky. The same eggs-and-baskets wisdom applies to Bitcoin. If you need to use a hot wallet that allows you to spend your Bitcoin easily, consider keeping a smaller amount in such a wallet. If some unforeseen event causes you to lose the BTC on your hot wallet, you’ve still kept the rest of your coins safe.
Mum’s the Word
It may seem like common sense, but it’s always better to keep quiet about how much Bitcoin you own. You don’t ride the subway in New York shouting about how much money you have in your briefcase, right? One way to reduce the risk of targeted Bitcoin hacks is to be mindful of how much information you provide.
Nearly 35 million US adults own crypto assets, so owning some Bitcoin isn’t unusual anymore. Still, it may be wiser not to disclose how much you own publicly, especially not on social media.
Safeguarding Against Bitcoin Hacks
No strategy is bulletproof, but there are ways to mitigate your risk. Bitcoin asks us to take responsibility for our own security. That means there’s no helpline and no one to yell at if our own actions or inactions put our Bitcoin in harm’s way.
Fortunately, there are now easier ways to safeguard your stacks against Bitcoin hacks. Look for opportunities to self-custody your coins and use a cold storage solution or a hardware wallet that helps keep your Bitcoin safe.
Frequently Asked Questions
What was the largest Bitcoin hack?
When measured in today’s value, the Mt. Gox hack, which began in 2011 and wasn’t immediately revealed, was the largest Bitcoin hack. In total, about 850,000 BTC went missing from the Japan-based exchange, a loss valued at nearly $20 billion at today’s Bitcoin price of about $23,000 per coin.
What’s the best way to protect Bitcoin?
Cold storage in a wallet that was created offline and for which the private keys are never exposed to the internet offers the most protection. In this scenario, the funds can’t be moved unless the wallet is put online.
As an alternative, a hardware wallet can also protect the private keys, preventing Bitcoin from being transferred without authorization.
You can also combine these methods with a multi-signature wallet that requires permission from more than one user to transfer funds.