Two new cryptocurrency heists make off with over $400M worth of blockchange


The Japanese cryptocurrency exchange Coincheck has shut down trading and withdrawals from accounts after a reported theft of more than 500 million XEM—the blockchain-based cryptocurrency created by the NEM Foundation. At the time of the theft, 500 million XEM was worth approximately $400 million US. Police were reportedly at Coincheck’s offices.

Coincheck announced the shutdown of NEM deposits at about noon Japan Standard Time Friday (10:00pm Eastern Time on Thursday). In a follow-up announcement four hours later, a company spokesperson expanded the shutdown to all currencies, and by 6pm JST all payment processing had been suspended. “We sincerely apologize for these inconveniences and will continue to do our best to be back to normal operations as soon as possible,” the spokesperson wrote. At about the same time, police were seen at Coincheck’s offices.

Ars attempted to reach representatives of Coincheck and the NEM Foundation without success. Lon Wong, the president of the NEM Foundation, was quoted by Sead Fadilpašić and Stuart Garlick of Cryptonews.com as saying, “This is the biggest theft in the history of the world.” Wong told Cryptonews that NEM’s technology was not responsible and that Coincheck did not implement NEM’s multi-signature smart contract, “and that’s why they could have been hacked. They were very relaxed with their security measures.” It is not clear if there was actually a “hack” at this point.

Issues with smart contracts have resulted in other recent cryptocurrency woes. In November 2017, a bug in multi-party contracts in Ethereum wallets developed by Parity Technologies Ltd. led to the “freezing” of $280 million worth of the cryptocurrency when someone inserted code into a wallet that essentially linked the wallet to all Ethereum multi-party contracts—and then deleted it, cancelling every contract. The bug has not yet been resolved as Parity examines multiple options for a fix.

This latest theft comes a week after it was revealed that the relatively small sum of $4 million worth of IOTA cryptocurrency had been stolen from investors’ wallets. That incident resulted from what IOTA founder David Sønstebø characterized in an interview with Rachel McIntosh of the cryptocurrency news site Finance Magnates as a “phishing website” masquerading as a legitimate tool for creating the cryptographic seed for IOTA wallets:

What actually happened was a lot of unfortunate users were generating their unique seed (which is what you derive your password from) from a false website, a phishing website. It was meticulously crafted in such a way that it ended up being at the top of a Google search for IOTA seed generator, it was the first thing listed in the ads…So, this malicious actor essentially had people go there, and he/she created a website that looked very legitimate to new users. Therefore, they trusted it, and generated a seed there. That essentially means that they gave away their private key to a thief. It’s equivalent to giving your keys to someone as you go into a store, and then coming back out to find that your car is gone.

IOTA wallet seeds are a string of 81 (preferably randomly generated) characters. However, the tool at iotaseed.io apparently also stored data about each seed generated along with information about the wallet it was associated with, allowing whoever was running the site (or whoever hijacked it) to simply wait until wallets were filled and then cash them out. The offending site is currently down—replaced with a message: “Taken down. Apologies.”
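The lesson of the iotaseed.io incident is that a wallet seed should be generated on the user's own machine, from the operating system's random number generator, and never typed into or fetched from a web page. The following Python is an added illustration by the editor, not code from the article or from the IOTA project; it assumes the IOTA seed alphabet of the digit 9 plus the uppercase letters A to Z (27 characters), and the 81-character length the article states.

```python
import math
import secrets

# Assumed IOTA seed alphabet: the 27 tryte characters 9 and A-Z.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Seed length given in the article.
SEED_LENGTH = 81


def generate_seed(length: int = SEED_LENGTH) -> str:
    """Generate a seed locally using the OS CSPRNG (secrets module).

    Because the seed is produced on this machine and never sent anywhere,
    no third party (such as a seed-generator web site) gets a copy of it.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def validate_seed(seed: str) -> bool:
    """Check that a seed has the expected length and only tryte characters.

    Lower-case letters, digits other than 9, and punctuation are rejected,
    which catches seeds that were mistyped or mangled in transit.
    """
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits(length: int = SEED_LENGTH) -> float:
    """Entropy of a uniformly random seed: length * log2(alphabet size).

    For 81 characters over a 27-symbol alphabet this is roughly 385 bits,
    far more than an attacker could brute-force; the practical risk is
    therefore disclosure of the seed, not guessing of it.
    """
    return length * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    seed = generate_seed()
    print("seed:", seed)
    print("valid:", validate_seed(seed))
    print("entropy (bits): %.1f" % seed_entropy_bits())
```

Running the script offline prints a fresh seed together with its validity and entropy; the point of the entropy figure is to make clear that the stolen IOTA funds were not the result of weak seeds, but of seeds being handed to the site that produced them.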

https://arstechnica.com/?p=1250525