The cryptocurrency mining company NiceHash has suspended its operations for the time being, because of a payment system compromise that translates to $64 million in losses.
Hackers made off with contents of the company’s bitcoin account, according to Andrej Škraba, the Slovenian marketplace's head of marketing. He told Reuters that the compromise was highly professional and involved “sophisticated social engineering”—and led to the loss of 4,700 bitcoins. The digital currency's value continues to skyrocket, reaching a 1 BTC to $16,000 exchange rate this week.
NiceHash matches people looking to sell processing time on their computers with those looking to mine cryptocurrency, which is a compute-intensive activity involving complex algorithms.
It’s not clear whether NiceHash users' accounts were compromised as well, though a sentence in its announcement of the breach seemed to indicate the possibility: “While the full scope of what happened is not yet known, we recommend, as a precaution, that you change your online passwords.”
For US users, their investments are not protected as traditional bank funds would be under the FDIC, which was put in place after the 1929 stock market crash to provide insurance for money kept in bank vaults and to prevent bank runs. Between this and the fact that it is by design an untraceable currency, a bitcoin wallet theft is a total loss 99.9% of the time.
How the compromise played out is likewise unknown.
"There are certainly a number potential security issues to discuss, from API vulnerabilities to web application and database protection, however, without more details from NiceHash, we can only speculate by which method of attack their website was compromised,” said Rusty Carter, vice president of product management for mobile app security company Arxan Technologies, via email. “Given the large number of bitcoin lost, it's reasonable to suspect that insufficient database security and/or a compromised web application was the likely entry point.”
Most of the focus for cryptocurrencies has been put into the security of the currency itself, while securing the storage and trading of the digital assets has not reached the same level, he added.
“If we contrast with traditional financial institutions like banks and investment firms, we see that the overall reputation of the company, established through corporate stability and security of customer assets, are fundamental priorities to building and maintaining a long-lived business,” said Carter. “With the steady growth of online and mobile banking, there has been an exponential expansion of these institutions adopting a security-by-design philosophy. This security adoption includes end-to-end application security which has become a key area of focus in order to protect the bank's reputation, and customer's assets. With this, mobile apps and API security have become critical, along with securing data in transit, at rest, and in process.”
Reuters number-crunching revealed that nearly a million (980,000) bitcoins have been stolen from exchanges since 2011, which would be worth more than $15 billion at current exchange rates. One of the largest heists resulted in the collapse of the Mt. Gox bitcoin market in 2014.