Let's Steal a Coin

Did you ever regret hesitating to invest in cryptocurrency? I surely do, but is it secure and safe to invest in cryptocurrency? What is cryptocurrency? These questions are consistently trending in the IT communities.

Cryptocurrency is a digital currency that uses encryption to enforce regulation, create a monetary unit (identified as a fund or a coin), verify its transfer, and ensure its authenticity. Cryptocurrency represents a standard of value accepted by all parties.

Cryptocurrency owes its existence to Blockchain technology. A Blockchain is a decentralized ledger, which is essentially a list of all transactions across a peer-to-peer network.

This can be applied in various domains such as identity, digital assets, digital currencies, and smart contracts. In addition, Blockchain can mitigate digital forgery cases and verify identification in the passport, immigration, and medical records fields.

In addition, it can remove intermediaries in exchanging digital assets, such as settlements in the stock exchange, and support building traceability systems for materials and products in provenance trading businesses.

That being said, how can a hacker steal a cryptocurrency coin? To answer this question, the types of Blockchain developer must be identified. There are two types of Blockchain developers: the core Blockchain developer, and the Blockchain developer.

The core Blockchain developer focuses on the core technology and protocols. The core technology is a platform which allows financial assets to be managed and transported with or without permissions. Financial firms are the main beneficiary of the core Blockchain with permissions, and core Blockchain can be developed with open source resources and minimal coding skills.

There are public, federated, and private Blockchains. Examples of public Blockchain are Bitcoin, Litecoin, Monero, Dash, and Ethereum, where these protocols are not permissioned and anyone can participate in downloading the code and running a public node on their local device. In addition, anyone can validate a transaction in the network with public Blockchain protocols.

A private Blockchain is made specifically for a certain organization, with limited access and permissions, to overcome deficiency, lack of security, and fraud issues.

Federated Blockchain is a domain where protocols are operated under the leadership of a group. In federated Blockchain, the leadership does not allow anyone to participate in the process of verifying a transaction. Core Blockchain developers can be protocol (such as Bitcoin) code developers or developers focused on a crypto project.

The Blockchain developer focuses on the implementation and enhancement of decentralized application programming. An example of this type of developer is one who focuses on building Ethereum Dapp (Decentralized Application Development).

The main purpose of a Dapp is to connect users and providers without third-party involvement. The Blockchain developer must be familiar with application protocols such as HTTP/S, SSH, L2TP, TLS, and SOAP, and have web development skills such as using JavaScript. In addition, Blockchain developers must have the ability to code in a contract-oriented programming language such as Solidity or Viper. Many international companies that are specialized in Blockchain development have a long experience with LeewayHertz, Bacancy, VironIT and more.

An exploit for the core technology affects the coins' infrastructure and communication channels, but an exploit for the implementation of Blockchain affects applications and websites. The majority of a Blockchain developer's tasks are the same as a web developer's tasks. This means the hacker uses web vulnerabilities to steal coins.

An example of a threat scenario against the web vulnerabilities is where hackers target and compromise the hot wallet: a hot wallet is on a server and accessible over the internet through an application. This means the hacker can utilize the website's weaknesses (cross-site scripting, SQL injection, etc.) to reach the wallet data. Then, the hacker can perform interception, interruption, modification, and/or fabrication.
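The hot-wallet scenario above, shown from the defender's side as an added example that is not part of the original article: a constructed wallet lookup in Python with `sqlite3`, with the concatenated query that SQL injection abuses beside a parameterized, owner-checked version. The table, function names and sample values are hypothetical.

```python
import sqlite3

# Constructed input: a textbook injection string supplied as the "owner" field.
INJECTION = "' OR '1'='1"

def make_db():
    # Constructed sample data: a toy hot-wallet table, not a real exchange schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallets (owner TEXT, address TEXT, balance REAL)")
    db.executemany("INSERT INTO wallets VALUES (?, ?, ?)", [
        ("alice", "addr-alice-0001", 2.5),
        ("bob", "addr-bob-0002", 0.75),
        ("exchange", "addr-hot-0003", 1200.0),
    ])
    return db

def lookup_vulnerable(db, owner):
    # Weak form: request input is concatenated into the SQL text, so quote
    # characters in `owner` change the structure of the WHERE clause.
    query = ("SELECT owner, address, balance FROM wallets "
             "WHERE owner = '" + owner + "'")
    return db.execute(query).fetchall()

def fetch_wallet(db, owner):
    # Corrected form: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    return db.execute(
        "SELECT owner, address, balance FROM wallets WHERE owner = ?",
        (owner,),
    ).fetchall()

def lookup_hardened(db, session_user, owner):
    # Second layer: the authenticated session user may read only their own row,
    # so a valid but foreign owner name is refused before the query runs.
    if owner != session_user:
        raise PermissionError("wallet does not belong to the session user")
    return fetch_wallet(db, owner)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))
    print("parameterized:", fetch_wallet(db, INJECTION))
    print("hardened:", lookup_hardened(db, "alice", "alice"))
```
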

Don't get me wrong, and don't underestimate cryptocurrency hackers: they are most likely advanced zero-day vulnerability hunters. However, they follow the same threat framework that is known in the IT industry.

Hackers go through the planning and reconnaissance phase to identify the cryptocurrency technology and platform nature. Then, they deep-dive into the technology to identify vulnerabilities. They exploit the vulnerability on various layers and gain their coins.

A further addition to this framework is access from an anonymous channel, which makes the hacker harder to track.

This article is not about stealing coins. In fact, it is about identifying the ways you can lose your coins to a hacker and providing you with an overview of ways to protect your coins. As a cryptocurrency trader or user, you need to verify the security of a cryptocurrency by verifying the security of its core technology.

For example, Bitcoin runs on C, which means Bitcoin might have a potential for C vulnerabilities. Another cryptocurrency such as Dragonchain supports various languages such as Java, Python, NodeJS, and C#. This raises a question regarding the extent of the attack surface of such a cryptocurrency.

A trader can raise the security level of storing his coins by using an offline hardware wallet (cold wallet) instead of the hot wallet. In addition, a trader must ensure stronger access security for the wallet by using two-factor authentication.

Nawwaf Alabdulhadi is an IT security expert with more than 7 years of experience in the IT field, executing IT security projects and providing consultation and assessment in various countries, roles, and companies. Nawwaf has a Bachelor's degree in Computer Science from Northumbria University, UK, a Master's degree in Information Security Policy and Management from Carnegie Mellon University, US, and leading industry certificates such as CISSP from ISC2 and CPT from IACRB. Nawwaf currently works as a senior IT Security specialist in a leading enterprise (Saudi Aramco).
