9 Common Digital Asset Hacks & Scams
As the value of the digital asset market continues to grow, we believe understanding how to help secure your digital assets is critical to helping you protect your investments. In this article, we’ll explore the most common hacks and scams, as well as how you may be able to help ensure that you won’t fall victim to any of these malicious actors.
Wallet Hack
The two primary weaknesses in the digital asset space are private keys and the way they are stored. A wallet (where private keys are stored) is where many hacks and thefts occur.
There is a common saying in the digital asset space that goes, “Not your keys, not your coins.” If you don’t have control of the keys to your digital assets, you can’t possibly control what happens to them. Allowing someone else to store your keys for you (referred to as a custodial relationship) gives that entity control of your digital assets.
While a private key could in theory be recovered by brute force, each key is a number drawn from 2^256 possibilities. That is roughly 115 quattuorvigintillion possibilities (a quattuorvigintillion is a 1 followed by 75 zeros). It would take hundreds or thousands of years to brute force a key of this size with current technology.
Electronic and software versions of wallets are either connected to the internet (hot) or not connected (cold). Generally, exchanges will offer hot and cold storage options for their users. In either case, these storage methods are custodial because the exchange is holding your keys for you. Software and devices are susceptible to hacking, and because private keys are stored in these devices, hackers can potentially access them and steal your digital assets.
Exchange Hack
A coin exchange is in essence an online platform which allows users to trade or store their coins. Exchanges generally hold digital assets in reserve for liquidity, in addition to private keys for many of their customers. This makes them a major target for hackers, and no matter what level of security they advertise, they are a potential weak spot.
Reputable exchanges can store your keys for you in what is called “deep cold storage,” which are generally offline data storage units with enterprise security. Some exchanges (like Gemini) even offer the equivalent of insurance if your digital assets are stolen as a result of a direct hack or security breach of their systems.
Hackers can deploy different types of attacks (like phishing and social engineering) to steal digital assets that are stored in the exchange’s hot wallets. More on these types of attacks later in this article.
51% Attack
A 51% attack is an attack on a cryptocurrency blockchain by an entity or group that controls more than 50% of the network's block-producing power (the hash rate, in a proof-of-work system). A party that gains control of 51% or more of a network could theoretically alter the blockchain by building a longer competing chain that the rest of the network accepts. This could allow it to double-spend coins, one of the problems a mechanism like proof-of-work was created to prevent. The attacker could also prevent new transactions from gaining confirmations, which in turn would allow it to halt payments between some or all users.
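To make the 50% threshold concrete, here is an added example (not code from the original article) that models the race described above the way the Bitcoin whitepaper does: an attacker holding a fraction q of the hash rate, starting z blocks behind the honest chain, catches up with probability (q/p)^z where p = 1 - q, and with certainty once q reaches 0.5. The function names, the Monte-Carlo check and the cut-off lead of 60 blocks are assumptions of this example; the risk figure ignores blocks the attacker may already have mined while confirmations accumulate, so the whitepaper's fuller calculation gives a somewhat higher number.

```python
import random


def catch_up_probability(q: float, z: int) -> float:
    """Probability that a miner controlling fraction q of the hash rate, starting
    z blocks behind the honest chain, ever builds a chain at least as long.

    This is the gambler's-ruin result used in the Bitcoin whitepaper: certain
    when q >= 0.5, otherwise (q / p) ** z with p = 1 - q.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash rate in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative block count")
    p = 1.0 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


def simulate_race(q: float, z: int, trials: int, seed: int = 0,
                  give_up_lead: int = 60) -> float:
    """Monte-Carlo estimate of catch_up_probability.

    Each new block is mined by the attacker with probability q (closing the
    gap by one) or by honest miners (widening it by one). A trial succeeds
    when the gap reaches zero. give_up_lead is an assumption of this example:
    once the honest lead is that large the trial is abandoned, which biases
    the estimate only negligibly for q well below 0.5.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        lead = z
        while 0 < lead < give_up_lead:
            lead += -1 if rng.random() < q else 1
        if lead == 0:
            wins += 1
    return wins / trials


def confirmations_for_risk(q: float, max_risk: float) -> int:
    """Smallest number of confirmations z with catch_up_probability(q, z) <= max_risk.

    Returns -1 when q >= 0.5: no number of confirmations protects against a
    majority, which is exactly what a 51% attack exploits.
    """
    if q >= 0.5:
        return -1
    z = 0
    while catch_up_probability(q, z) > max_risk:
        z += 1
    return z


if __name__ == "__main__":
    print("hash share  P(catch up from 6 behind)  simulation (2k trials)")
    for q in (0.10, 0.30, 0.45, 0.50, 0.60):
        print(f"{q:9.2f}  {catch_up_probability(q, 6):25.6f}  "
              f"{simulate_race(q, 6, 2_000, seed=7):.4f}")
    for q in (0.10, 0.30, 0.45):
        print(f"q={q}: wait {confirmations_for_risk(q, 0.001)} confirmations "
              "for a catch-up risk of at most 0.1%")
```

A merchant or exchange can use `confirmations_for_risk` to set a deposit policy: below a 50% share, waiting for more confirmations drives the risk down geometrically; at or above 50% the function returns -1 because no waiting period helps, which is the whole point of the attack.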
Bridge Attack
A bridge attack is a type of crypto hack in which cybercriminals target cryptocurrency as it is being transferred between different blockchains. Since each cryptocurrency exists on its own blockchain, moving value from one blockchain to another (e.g. from Bitcoin to Ethereum) relies on a transfer protocol known as a cross-chain bridge. Although these bridges are vital to the current digital asset landscape, attackers can target them by exploiting bugs in the bridge's code or by compromising the cryptographic keys that authorize transfers out of the bridge.
Exploitation of Vulnerabilities
Although they are quite powerful, smart contracts can contain coding errors or vulnerabilities that attackers can exploit. Once a smart contract is deployed, its code is immutable, so a vulnerability cannot simply be patched in place and can lead to significant financial losses or unintended behavior. Some of these vulnerabilities are exploited as zero-days: a zero-day exploit is a cyberattack that takes advantage of a software vulnerability unknown to the developer(s) of the affected software. The vulnerability is called “zero-day” because the developers have had zero days to attempt to fix it before malicious actors use the exploit.
Romance Scams
While large exchange hacks are generally the ones that make the news, what often isn’t mentioned is the social engineering techniques that scammers use to try to steal digital assets from individuals. In 2023, romance scams were among the most popular techniques used by scammers to attempt to steal digital assets. In these scenarios, thieves pose as potential romantic interests until their target is comfortable. From there, they attempt to convince their unsuspecting love interest that they urgently need cryptocurrency to pay for an emergency.
Phishing
One of the most common forms of digital social engineering attacks, phishing usually involves malicious actors sending emails or text messages that lure owners of digital assets into either divulging sensitive information or downloading malware. This malware has the potential to allow the hacker to access the wallet that is storing the individual’s digital assets, and subsequently steal their coins.
Ransomware
Ransomware, which was once on the decline with respect to cryptocurrency, began regaining traction in 2023. Ransomware is a family of scamming techniques built around extortion. The criminals behind it may encrypt files or data and demand you send them cryptocurrency to regain access to those files, or they may resort to intimidation tactics that won’t cease until they are paid.
Election-Related Scams
In late May, Donald Trump announced that his campaign would accept donations in cryptocurrency through Coinbase. In the weeks following the announcement, cybercrime detection firm Netcraft found dozens of scam websites seeking to target Trump supporters and steal their crypto donations.
In the days leading up to the announcement, scammers registered domains with common misspellings hoping to trick those intending to access donaldjtrump.com. The donalbjtrump.com URL was an almost perfect replica of the actual Trump campaign website. Many of the scam websites were using payment portals meant to look like Coingate, a blockchain and crypto payment processor.
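The phishing section above and the misspelled campaign domains just described are two faces of the same problem: a link that is almost, but not quite, the real thing. The following is an added example, not code from the article or from Netcraft, of the kind of lookalike-domain check a security team can run over new-domain feeds, DNS logs or mail gateway URLs. The domain donaldjtrump.com and the misspelling donalbjtrump.com come from the article; every other input, the placeholder `example-payments.test`, and the three heuristics (edit distance on a confusable-folded "skeleton", embedded brand name, homoglyph substitution) are my own constructions for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains to defend. The first is the campaign domain named in the article; the
# second is a constructed placeholder for any other site you want to protect.
PROTECTED_DOMAINS = ["donaldjtrump.com", "example-payments.test"]

# Letter pairs and characters that look like another letter in common fonts.
_DIGRAPHS = {"rn": "m", "vv": "w"}
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e",
                              "4": "a", "5": "s", "8": "b", "ı": "i", "ł": "l"})


def host_of(text: str) -> str:
    """Lower-case host from a URL or bare domain, without a leading 'www.'."""
    if "://" in text:
        text = urlsplit(text).hostname or ""
    host = text.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Fold visually confusable characters so homoglyph variants compare equal."""
    s = unicodedata.normalize("NFKC", host).lower()
    for pair, letter in _DIGRAPHS.items():
        s = s.replace(pair, letter)
    return s.translate(_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(host: str) -> str:
    """The label left of the top-level domain ('donaldjtrump' in 'donaldjtrump.com')."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def classify(candidate: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> dict:
    """Decide whether a host is a protected domain, a lookalike of one, or unrelated."""
    host = host_of(candidate)
    best = None
    for legit in (host_of(d) for d in protected):
        if host == legit:
            return {"host": host, "verdict": "legitimate", "matches": legit, "reason": "exact"}
        # The real name embedded in a domain someone else controls, e.g. as a
        # leading subdomain or inside a longer second-level label.
        if host.startswith(legit + ".") or second_level(legit) in second_level(host):
            return {"host": host, "verdict": "lookalike", "matches": legit, "reason": "name reused"}
        if skeleton(host) == skeleton(legit):
            return {"host": host, "verdict": "lookalike", "matches": legit, "reason": "homoglyph"}
        distance = levenshtein(skeleton(host), skeleton(legit))
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (legit, distance)
    if best is not None:
        return {"host": host, "verdict": "lookalike", "matches": best[0],
                "reason": f"typo (edit distance {best[1]})"}
    return {"host": host, "verdict": "unrelated", "matches": None, "reason": None}


if __name__ == "__main__":
    # Constructed inputs; the second one is the misspelling reported in the article.
    for sample in ("https://www.donaldjtrump.com/", "donalbjtrump.com",
                   "d0naldjtrump.com", "donaldjtrump.com.secure-donate.test",
                   "example.org"):
        r = classify(sample)
        print(f"{sample:40} {r['verdict']:10} {r['reason'] or ''}")
```

The `max_distance` of 2 is deliberately tight: raising it catches more typosquats but also flags unrelated short domains, so in practice the threshold is tuned against the length of the protected name and the output is reviewed rather than blocked automatically.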
How to Help Keep Your Digital Assets Secure
In my opinion, the best way to ensure your crypto is safe from hackers and scammers is to remember some simple rules:
- In most cases, you should never share your private keys with anyone else.
- Don’t store your keys in a wallet on your mobile device or any other device that has a connection to the internet. Your private keys should always be held in cold storage. Keep your cold storage signing device in a secure, humidity-controlled environment without a wired or wireless connection.
- Write down a back-up of your private key and keep it in a secure location. Consider breaking up the key into three parts and storing those parts in multiple locations:
  - Location 1: Part A and Part B
  - Location 2: Part A and Part C
  - Location 3: Part B and Part C
  In this scenario, you only need 2 of your 3 backups to access your crypto; if any one of your locations is exposed, damaged, etc., you still have access.
- Rather than writing down your private key on paper, engrave it in stainless steel. This reduces the risk of losing your private key in a fire or flood.
- Don’t let someone else store your keys for you unless you’re comfortable with the potential risks.
- Check on your devices periodically to ensure they’re not degrading. If they are, transfer your keys to a new storage device.
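The three-location backup layout in the list above is easy to get wrong by hand, so here is an added example (not code from the article) that carries it through: it cuts a key into parts A, B and C, stores two parts per location exactly as listed, and shows that any two locations rebuild the key. It also computes the caveat a practitioner would want, namely that whoever finds a single location already holds about two-thirds of the key, which is why the example finishes with a 2-of-3 Shamir secret-sharing split, a standard technique the article does not mention, where a single share reveals nothing. The demonstration key, the function names and the choice of the Mersenne prime 2^521 - 1 as the field are assumptions of this example.

```python
import secrets

# Constructed demonstration key (64 hex characters = 256 bits); never paste a real key here.
DEMO_KEY_HEX = "4d9a1b7e3c5f08a2b6d4e1f9c7a3b5d2e8f0a1c3b5d7e9f2a4c6b8d0e2f4a6c8"

PART_NAMES = ("A", "B", "C")


def split_three_ways(key_hex: str) -> dict:
    """Cut the key into consecutive parts A, B and C as the article suggests."""
    n = len(key_hex)
    cut1, cut2 = n // 3, (2 * n) // 3
    return {"A": key_hex[:cut1], "B": key_hex[cut1:cut2], "C": key_hex[cut2:]}


def backup_locations(parts: dict) -> dict:
    """The article's layout: each of the three locations holds two parts."""
    return {1: {k: parts[k] for k in ("A", "B")},
            2: {k: parts[k] for k in ("A", "C")},
            3: {k: parts[k] for k in ("B", "C")}}


def reassemble(*locations: dict) -> str:
    """Recover the key from any two locations (together they hold A, B and C)."""
    found = {}
    for loc in locations:
        found.update(loc)
    missing = [name for name in PART_NAMES if name not in found]
    if missing:
        raise ValueError(f"cannot rebuild key: missing part(s) {missing}")
    return "".join(found[name] for name in PART_NAMES)


def bits_unknown_after_one_location(location: dict, key_len_hex: int) -> int:
    """Key bits an attacker who finds one location still has to guess.

    Each hex character is 4 bits; with two of three parts in hand only the
    third part (roughly one third of the key) remains unknown.
    """
    known = sum(len(v) for v in location.values())
    return 4 * (key_len_hex - known)


# --- 2-of-3 Shamir secret sharing: the standard alternative (not in the article) ---
PRIME = 2**521 - 1  # Mersenne prime, comfortably larger than any 256-bit key


def shamir_split(secret: int, shares: int = 3, threshold: int = 2) -> list:
    """Evaluate a random polynomial with constant term `secret` at x = 1..shares.

    Fewer than `threshold` shares carry no information about the secret,
    unlike a plain cut of the key where each piece is literal key material.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, shares + 1)]


def shamir_recover(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    locs = backup_locations(split_three_ways(DEMO_KEY_HEX))
    for a, b in ((1, 2), (1, 3), (2, 3)):
        assert reassemble(locs[a], locs[b]) == DEMO_KEY_HEX
    print("plain split: any two locations rebuild the key")
    for i in (1, 2, 3):
        left = bits_unknown_after_one_location(locs[i], len(DEMO_KEY_HEX))
        print(f"  location {i} alone leaves only {left} of 256 bits unknown")
    shares = shamir_split(int(DEMO_KEY_HEX, 16))
    for a, b in ((0, 1), (0, 2), (1, 2)):
        assert shamir_recover([shares[a], shares[b]]) == int(DEMO_KEY_HEX, 16)
    print("Shamir 2-of-3: any two shares recover the key; one share alone reveals nothing")
```

Both schemes give the same availability (lose any one location and you can still recover), but they differ sharply in confidentiality: with the plain split, one stolen location cuts the remaining search space from 256 bits to under 90, whereas with Shamir shares a thief needs two locations before learning anything at all. The Shamir shares are large integers, so they are written out in hex and engraved or stored exactly as the article recommends for the key itself.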
To learn more, please check out our recent article, “The Evolving Landscape of Digital Asset Custody.”
Alex’s Take
Cyber attacks have been an ongoing challenge for the digital asset industry. Hackers of cryptocurrency platforms stole around $1.7 billion in 2023, which was around 54.3% lower than the year before. Although the amount of stolen funds was more than cut in half from the prior year, the number of individual hacking incidents actually grew slightly year-over-year.
Self-storage is the preferred method amongst crypto-enthusiasts, but a large percentage of the population would benefit from having an institution custody their crypto, in my opinion.
Learn More About How to Help Keep Your Digital Assets Safe
At Crossover Capital, our number one goal is to provide people with the support, knowledge, and access to make informed decisions about their financial futures. Building a foundation for success starts with steady support and a customized approach. Crossover Capital is here to provide the necessary tools we believe are required for growth and to be a champion for our clients’ success.
If you want to receive tools, knowledge, and digital asset insights delivered directly to your inbox once a month, subscribe here.
Investment advisory services offered through Crossover Capital Brands, LLC (dba Crossover Capital), a Registered Investment Advisor with the U.S. Securities and Exchange Commission.
This material is intended for informational purposes only. It should not be construed as legal or tax advice, and is not intended to replace the advice of a qualified attorney or tax advisor. This information is not an offer or a solicitation to buy or sell securities. The information contained may have been compiled from third party sources, and is believed to be reliable.
Alternative investments – such as hedge funds and private equity/venture capital funds – are speculative and involve a high degree of risk. Likewise, the emergence of digital assets comes with its own speculative characteristics and involves a high degree of risk. Various digital assets have unique features, and the regulatory risk environment continues to change as governance requirements, rules, and lawsuits emerge. There may be material differences in the type of marketplaces available for digital assets, and there could be significant restrictions or limitations on withdrawing from or transferring these types of investments. Digital assets may incur higher fees when compared to traditional assets, and these expenses may offset returns.
Crossover Capital may not be able to independently verify digital asset valuations provided by institutions that hold or offer digital asset services. As a result, Crossover Capital will generally rely on information reported to it by third parties. As such, the information contained herein is for informational purposes. Clients should recognize that they may bear digital asset-based fees and expenses at the manager-level, as well as indirect fees, expenses, and performance-based compensation for digital assets. Spot bitcoin exchange-traded products were recently approved for listing and trading by the SEC. However, such approvals do not indicate SEC approval to use or invest in bitcoin. Clients should remain cautious and aware of the various risks associated with digital assets that have a value tied to bitcoin or other crypto related products.