Why holding crypto on exchanges is a bad idea

This April, cryptocurrency exchange Hotbit got hacked. Consequently, the platform has shut down, stating that it needs to perform a “comprehensive inspection”. Everyone who had stored their digital assets on Hotbit could not access the funds or even close their trading positions. In a blink of an eye, thousands of people became potential victims of yet another crypto exchange hack. There have been many such incidents in the past, with losses exceeding billions of dollars if calculated at the current Bitcoin exchange rate.

What happened to Hotbit?

On April 30, the cryptocurrency exchange Hotbit announced a cyber-attack that began on April 29 at 20:00 UTC. Hackers managed to “paralyze” almost all of the platform’s vital nodes. Representatives of Hotbit hastened to assure that criminals did not manage to get to the users’ funds, but their personal data ended up in the hands of hackers. According to the announcement, the platform suspended its work for at least seven days to eliminate the consequences of the incident. At the time of writing, the Hotbit website is still showing a maintenance notice with reference to the latest announcement about the hacking attempt.

Since hackers managed to gain access to customers’ personal data, the exchange warned that email addresses, phone numbers and registration information could be made public, while passwords and 2FA combinations could also be at risk of getting leaked. The platform pledges to reimburse potential losses on open leveraged trading positions and promises to close all open trades as maintenance goes on.

Some time after the announcement, a number of transactions were made from Hotbit wallets. The exchange stated these were transfers to their new cold wallet and users’ crypto “remains safe”. For example, below are two transactions from Hotbit’s wallet to 0x2AcDb44596E2b6FFBBF62614C9aaD9CD04980248 of 30 and 760 ETH. The transfer of funds caused bewilderment and concern among users; many of them began to speculate that there was, in fact, no hacking, and the exchange is just robbing the customers.

However, Hotbit’s Twitter account is still posting platform maintenance updates. Here’s the latest post from their official Twitter account:

Hotbit users have a reason to be worried – in the last few weeks alone two major Turkish crypto exchanges have been at the center of a major fraud scandal. We would like to take a closer look at the Vebitcoin and Thodex platforms.

What’s going on with crypto exchanges in Turkey?

On Monday, April 19, users of the Thodex cryptocurrency exchange started complaining about disruptions in the platform’s operation. The exchange continued functioning for about a day, and the last record by CoinMarketCap on Tuesday showed $585 million of daily trading volume on Thodex. That is when the platform ceased to function and its users lost a chance to withdraw their funds up till now.

Local news agency Anadolu Agency reported that the Financial Crimes Investigation Council (MASAK) began investigating Thodex CEO, Faruk Fatih Ozer, on Wednesday; on top of that, authorities froze the exchange’s bank accounts on Thursday. The agency reports that the Istanbul prosecutor’s office also asked the victims to reach the authorities and testify. A little later, police searched the exchange’s headquarters in Istanbul. Ozer left Turkey and flew to the Albanian capital, Tirana, on Wednesday. Below is a photo of him obtained by law enforcement from airport officials.

However, an announcement appeared on the homepage of Thodex, in which Ozer tried to dispel all related suspicions. Allegedly, the exchange’s technical department is investigating “abnormal fluctuations in accounts identified a week earlier, affecting about 30,000 users”. He said the platform remains closed as the investigation into the “incident” continues. Ozer adds that he went abroad as part of late negotiations with new foreign investors, rather than fleeing with the assets (he is now suspected of stealing more than $2 billion). He also said that the exchange expected to open withdrawals in the coming days. That hasn’t happened yet.

On his Twitter page, Ozer posted the following message, which was later deleted:

“If I had any intention of raising money and fleeing, I would have illegally withdrawn millions of dollars from our bank accounts. But the money is still there.”

Interestingly, a decision of the Turkish government preceded this delicate Thodex situation. Recall that on April 16, Turkey’s central bank announced a ban on cryptocurrency usage in domestic payments. The bank stated that the decision was made because the digital assets could “cause unrecoverable losses” among the population. 

Almost simultaneously, another Turkish cryptocurrency exchange, Vebitcoin, ceased its operations. On Friday, April 23, the following message appeared on its homepage:

“Due to recent events in the cryptocurrency industry, our transaction activity has significantly exceeded our expectations. We would like to state with regret that this situation has forced us to make extremely difficult decisions. We have decided to cease our operations in order to meet all the requirements [of regulators].”

Financial regulator MASAK has blocked Vebitcoin bank accounts and launched an investigation. To date, four people have been detained as part of the investigation, with another 62 suspects arrested in the Thodex case. Farooq Fatih Ozer, the CEO of Thodex, is still wanted. 

Sad lessons from Mt. Gox 

Let’s go back a few years back and discuss one of the most famous incidents in the cryptocurrency industry: the fall of the Mt. Gox exchange. Mt. Gox was founded by American programmer Jed McCaleb before Bitcoin even existed. In 2007, he registered the domain for the Magic the Gathering Online eXchange platform, where Magic the Gathering game cards were to be traded. But later, when Bitcoin started to gain popularity, McCaleb decided to use the Mt. Gox domain to host a cryptocurrency platform. In 2011, he sold the business to French developer Marc Karpeles (pictured below), or more specifically to the Japanese company TIBANNE Co., Ltd. owned by Karpeles. By 2013, Mt. Gox was hugely successful – during its peak, it handled more than 70% of bitcoin trades.

In 2014, there was an event that immediately received widespread publicity even outside the crypto industry – the exchange was hacked and hackers managed to steal 744,000 BTC; after some time, the trading platform ceased its operation for good. The losses at the time reached $460 million. 

Although all the high-profile events began to unfold only in February 2014, it became clear sometime later that Mt. Gox had not been doing very well since June 2011. At that time, the company was the victim of its first hacking attack, in which hackers managed to gain access to Mt. Gox’s auditor’s computer and artificially drop bitcoin’s price to 1 cent to further buy about 2,000 BTC.

Mt. Gox has since beefed up its security, but that was not enough to protect the exchange. An investigation after the 2014 incident revealed that the private key for the Mt. Gox wallet was unencrypted and stolen back in 2011. However, it is unclear whether it was obtained through hacking or with the help of an insider. Criminals utilized this private key to withdraw bitcoins from customer accounts over the next few years.

In fact, Mt. Gox lost its solvency two years before it shut down for good. While its potential debts to customers grew due to stolen funds, bitcoins continued trading on the platform as if nothing had happened – in 2013 it became the industry’s leading player and one of the most recognizable cryptocurrency-related brands.

Why didn’t anyone know about what was happening? Many former Mt. Gox employees later cited mismanagement and disorganization within the company. An anonymous developer reported that the company didn’t even use version control. This standard tool was used to prevent colleagues from accidentally overwriting the work of others if they worked on the same file. Another problem was that the only person who could approve changes to the platform’s source code was Mark Karpeles himself. This meant that even important security updates and bug fixes could take weeks to get approved.

In addition to the technical problems, the first challenges to Mt. Gox’s existence as a legitimate firm began to emerge in 2013. That May, a former Coinlab business partner sued Mt. Gox, claiming a breach of their contract. On top of that, Mt. Gox was under investigation by the U.S. Department of the Interior for allegations that the exchange was operating without a license in the United States. At the end of the day, the U.S. government seized more than $5 million from the company.

The litigation over the missing funds from Mt. Gox continues till date. One of the latest news is the approval of a new civil rehabilitation plan for the bankrupt company, announced in February this year by the exchange’s trustee Nobuyaki Kobayashi. However, many Mt. Gox creditors and traders are still seeking the compensation they were promised, with court cases dragging on for years.

WEX and the Russian crypto exchange hack

In July 2011, the BTC-e trading platform was launched. The platform was built to cater to the needs of the Russian-speaking community. It offered a BTC-RUB exchange, which made BTC-e arguably the most popular crypto exchange in the CIS space at that time. 

Platform’s daily trading volumes grew from $600,000 to $66 million between 2013 and 2017. However, on July 25, 2017, BTC-e stopped all operations and announced “unscheduled maintenance”. Since then, the exchange never went online again.

At about the same time, 38-year-old Russian citizen, Alexander Vinnik, was arrested in Greece and accused of laundering $4 billion dollars through the BTC-e platform. The U.S. authorities and the FBI seized operations of BTC-e, confiscated the domain, and fined the company $110 million. Vinnik was identified as one of the owners and administrators of the trading platform. A few months later, organizers tried to relaunch BTC-e, but only by September, a “new version” of BTC-e appeared. The exchange was rebranded to WEX and moved to the wex.nz domain.

The name was not the only thing to get changed – new owners came in as well. New management (Vinnik’s former partner Alexander Bilyuchenko and one of BTC-e’s major clients Dmitry Vasilyev) took over the digital assets, user database and all relevant information. WEX pledged to repay the previously lost funds in fiat and cryptocurrencies, though only 62 percent of the funds were returned from the reserve fund, never seized by the FBI. The remaining 38 percent was planned to be repaid by issuing an internal WEX token, which the exchange would then gradually buyback from users.

However, in 2018 history repeated itself: WEX froze funds, and sometime later, information popped out that more than $450 million had “escaped” from the cryptocurrency platform. This is the last point in the history of the existence of BTC-e, although many clients have not yet seen (and are unlikely to see) their compensation.

Conclusion

This is just the “tip of the iceberg” and by far, not all hacking attack cases were mentioned. However, they all have one unfortunate outcome – a partial or complete loss of customers’ funds. Despite the fact that the industry’s capitalization has already exceeded the $2 trillion mark, many sectors are still the “Wild West” – a place where users are solely responsible for their funds.

To avoid becoming another victim of a new hacker attack or fraudulent scheme, avoid keeping significant parts of your savings on the exchange. Deposit only those funds that you are willing to lose. We strongly recommend you to use a cold wallet, completely isolated from the Internet to store cryptocurrencies long-term. And remember, from the moment coins are transferred to the exchange, they are actually at the company’s disposal and you have no fundamental control over the funds.

 

Exchanges

Comment