Why do hacks still occur?

[Queentoshi]

Why do exchanges and companies that offer bitcoins/crypto related services still have security vulnerability that they get hacked? Are they not supposed to be professionals with securing their system, or have learnt from the experience of other companies that were hacked?

Ronin Network: $625 Million
The largest cryptocurrency hack to date was conducted in March 2022 and targeted the network that supports the popular Axie Infinity blockchain gaming platform. Hackers breached the Ronin Network and made off with around $625 million worth of Ethereum and the USDC stablecoin. The U.S. officials said that a North Korean state-backed hacking collective, Lazarus Group, was linked to the theft. Binance was able to recover $5.8 million of the stolen funds a month later, but it would still be the largest hack in history.


Poly Network: $611 Million
In August 2021, a lone hacker pounced on a vulnerability in the Poly Network decentralized finance platform and made off with over $600 million. The project’s developers issued an appeal on X (formerly Twitter) for the stolen funds, which included $33 million Tether. The Poly Network then established several addresses for the funds to be returned and the unknown hacker began to cooperate. After only two days, around $300 million had been recovered and it emerged that the hacker had targeted the network “for fun” or as a challenge.


FTX: $600 Million
In November 2022, FTX, one of the most powerful players in the crypto industry, declared bankruptcy. On the day it filed for Chapter 11 bankruptcy, more than $600 million was stolen from its crypto wallets. Many FTX wallet holders reported $0 balances in their FTX.com and FTX US wallets.

The crypto exchange confirmed the hack on its Telegram channel, saying: ''FTX has been hacked. FTX apps are malware. Delete them. Chat is open. Don't go on FTX site as it might download Trojans." FTX General Counsel Ryne Miller later tweeted that the crypto exchange was making ''every effort to secure all assets, wherever located."

Binance: $570 million
In one of the most high-profile attacks in cryptocurrency history, the Binance exchange was hacked for $570 million in October 2022. A cross-chain bridge, BSC Token Hub, was exploited by hackers, resulting in the creation of extra Binance Coins (BNB) and the withdrawal of 2 million BNB tokens. BNB is the native token of the crypto exchange. A bug in a smart contract enabled the hack, highlighting the need for tighter blockchain security.

$20.6 billion
The amount of cryptocurrency stolen from exchanges and other platforms in 2022.

Coincheck: $534 Million
In January 2018, the Japanese exchange Coincheck suffered an attack to the tune of $523 million NEM coins valued at about $534 million. The vulnerability was created by a hot wallet, which is a live cryptocurrency wallet and not as safe as an offline cold storage wallet. At the time, the Coincheck hack was larger even than the notorious Mt. Gox hack; NEM Foundation president Lon Wong described it as "the biggest theft in the history of the world."

Coincheck was able to survive the hack and continued to operate, despite being bought out a few months later by the Japanese financial services company Monex Group.

Mt. Gox: $473 Million
The first major crypto hack occurred in 2011 when the crypto exchange Mt. Gox lost 25,000 bitcoins worth approximately $400,000.  At that time, the crypto exchange was handling nearly 70% of all bitcoin transactions.

The attack didn't stop and Mt. Gox was attacked again in 2014. It lost almost 650,000 of its customers' bitcoins, and around 100,000 of its own. At the time that was 7% of all bitcoins, and worth around $473 million. Initial reasons for the coins' disappearance were unclear, but later evidence showed that the coins were stolen from the company's hot wallet.

Wormhole: $325 Million
The decentralized finance platform Wormhole was targeted in February 2022, with $325 million taken by hackers. The attack had been made possible by an upgrade to the project’s GitHub repository, which was not then deployed to the live project. The popular cryptocurrency bridge had to plug the hole in the project’s finances after the funds were not recovered. This was also the largest theft that included Solana, one of the rivals to Ethereum's dominance in the worlds of DeFi and NFTs. Up to $47 million was taken in the blockchain's native SOL token.

Bitmart: $196 Million
December 2021 saw a hack of the Bitmart centralized exchange with losses of $196 million. The hack was first spotted by a security analysis firm, which noted BitMart addresses being drained of their balance. Around $100 million in various cryptocurrencies were funneled via Ethereum, with another $96 million exiting through Binance Smart Chain. All of the tokens were moved to an address labeled by Etherscan as the “BitMart Hacker.''

Nomad Bridge: $190 Million
Only one month before the Wintermute breach was a more significant hack of Nomad Bridge, which drained $190 million of the project’s funds. Nomad is a cryptocurrency bridge that lets users swap tokens between blockchains, but those have become the latest target for hackers. That is due to the considerable value of assets they hold and the complexity of the smart contract code on which they run.
 Nomad Bridge later recovered $36 million of the stolen funds.


Beanstalk: $182 Million
This hack involved the exploitation of a decentralized finance (DeFi) platform. The attacker used a DeFi product called a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods. After borrowing $1 billion, the hacker took a 67% controlling stake in the project and approved a transfer of funds to their wallet before repaying the loan and disappearing. The entire process of executing the hack took only 13 seconds.


Wintermute: $162 Million
Wintermute, a leading cryptocurrency market maker, was attacked in September 2022. The project lost around $160 million in a hack, and it made things worse for Wintermute because they owed $200 million to other participants in the market. A 10% bounty was offered by the CEO to the hacker if they returned the funds.

The Largest Cryptocurrency Hacks So Far

Is it not possible for the system to be impregnable?

[Cantsay]

Is it not possible for the system to be impregnable?

The best thing that a company can do and they already have it in place is to hire a cybersecurity expert to help them inspect their systems and also install firewalls do regular security checks to see if there is any unusual activity that might lead to data breach so that they can act fast and put it right.

You should note that there’s no perfect code out there, so what you think is safe might have a little vulnerability that is unknown to you that a hacker could use to their advantage and sometimes the attack could be from an employee most especially those that are disgruntled.

[EL MOHA]

There is no way that anything developed by human can be said to be impregnable, just that the penetration rate of each one differs base on its design and where it is design on.

Concerning exchanges, we all know that most exchanges uses two different storage, one is the cold or offline wallet and the other is hot or online Wallet. It is the hot wallets that normally gets compromised because it is online. The hacker could get access either through collaboration with an insider in the platform or he first hacks the insiders device to get access.

Also the hot wallet is online so definitely anything online is possible to be hacked

[_act_]

This year alone, if you join DeFi hack and centralized exchanges hack together, they are very many and that is how it has been since years ago.

The main reason for the hack is because centralized exchanges are using hot wallet and hot wallets are easy to be compromised. The reason for DeFi hack which is most common is because they are vulnerable by default.

Do not leave coins on centralized exchanges and be careful of DeFi and the so called decentralized exchanges with DeFi.

[Nwada001]

Those codes and developments—who did them? (People) the more technology is advancing, the more new discoveries are happening. You will be busy building a security system, and someone else will also be busy building how to break those systems.

The thing is that nothing is above hacking once the vulnerabilities have been discovered. That's it. Hackers are upgrading their tools day after day, and the rate at which we hear about things and financial-related platforms being hacked these days is really alarming.
 
We can never really be careful enough, which is why it's always advisable to always keep our funds safe for ourselves, because the bigger an organisation gets and the higher the funds they have in their possession, the higher their chances of being attacked. Hackers don't go where they are not going to make money; they go for things that will benefit them, and when they hit it, they know they have hit it big.
 
These days, I don't even see security bug bounty programmes where financial firms set up security bug campaigns and reward those who can discover bugs in their system with some price, and they try to fix those bugs before hackers can use them to penetrate the system.

[Abu-Naim]

Is it not possible for the system to be impregnable?

I don't believe it is possible, so you are advised to act as your own bank by storing your bitcoin in a wallet that allows you to manage your security independently of any outside parties.

Despite the majority of these exchanges make every effort to keep everything secure, hackers and insiders pose the biggest threat because everyone wants to become rich. Due to the fact that the majority of these exchanges have been compromised, there is no faith in cryptocurrencies. If you investigate the news and the hacking's source, you'll learn that one or more of their team members were either involved in the hacking or were responsible for leaking information that resulted in the attack.

[Churchillvv]

Why do exchanges and companies that offer bitcoins/crypto related services still have security vulnerability that they get hacked? Are they not supposed to be professionals with securing their system, or have learnt from the experience of other companies that were hacked?

Hackers a one of the smartest people in the world but the problem is they decide to put their efforts on the negative paths which causes crypto related service to suffer losses. The harder companies try to upgrade their security systems the harder hackers upgrade a system that can beat that security systems no matter the professional that made the security patch of a company, there is another professional that is making a higher beat for hacks. Vise versa.
If there is nothing to hack there will be no hack, because there is funds some where been saved that is why hackers attack most times.
Most of the problem companies face on security issues are on the individual biases, most hackers are people who are familiar with the company security systems and knows the in and out of the companies. Most times workers who feel they are under paid for their time and service seems to be the ones who organizes the hack because of either greed or lack of appreciation. If one is not appreciated they might try to appreciate themselves causing harms to others in order to be satisfied.

[Ojima-ojo]

Can they really defeat the cyber criminals who have high networks connection within the internet and have taken over major exchange and other accounts who falled victim to them, i must say fhat the role of an insider is higly significant in such crimes because i believe that there can never be any hack without an insider or a back door access.


All fhe major hacks that have happen within the recent times have all pointed to security vulnerabilities and at that we have to focus on some neglected facts and factors that have warranted such incidents.

[Saisher]

Is it not possible for the system to be impregnable?

Sometimes it is an inside job, and the HRM or those who recruit should double or triple check the people who are working in their security, there is no perfect security but they can always patch or stop the attack when it happens, their security people should be two steps forward when it comes to security and they should have enough budget to combat security threats, on offline banking some banks are employing former military men to combat bank robbery, on online they should employ people with extensive knowledge on security, security is everything online, you have a good security you have the trust of your users.  

[sheenshane]

Can they really defeat the cyber criminals who have high networks connection within the internet and have taken over major exchange and other accounts who falled victim to them, i must say fhat the role of an insider is higly significant in such crimes because i believe that there can never be any hack without an insider or a back door access.

Sometimes we think this especially if the exchange is very well known and has a strong security like Binance but still they encounter hacks to their system but luckily not a major one.  Many cyberattacks are executed remotely by skilled hackers who exploit vulnerabilities in systems or use sophisticated techniques to gain unauthorized access.  One of the most effective that I have known that until now they've used is social engineering which is scammers often use social engineering tactics to trick users or company staff into revealing their private keys or login credentials.  These tactics can be highly effective, even for a strong security company that has a weak staff.

IMO, there's nothing safe on the internet not unless you have full control over your assets.

[BitMaxz]

Since the security system of any exchanges is developed by humans, there is still a chance exchanges can be hacked because it's online and vulnerable to any attacks. Without the hackers, they can't develop a strong security system to defend their exchanges and hackers are always developing.
Each exchange has its unique security method to defend its site against any attacks to assure the safety of your funds on their platforms but there is no guarantee that your funds from exchanges are safe that is why we strongly suggest if you want to hold your funds for the long term you should own a wallet that grants you complete control over your assets.

[BlackBoss_]

Why do exchanges and companies that offer bitcoins/crypto related services still have security vulnerability that they get hacked? Are they not supposed to be professionals with securing their system, or have learnt from the experience of other companies that were hacked?

They are supposed to create as many new products as possible to catch a current trend in cryptocurrency and blockchain industry. To do that with hurry, they ignore many factors, from product developmental idea to security of their products and platforms.

In security, it's very hard to secure it entirely and building a good security system is like you are building a wall but a hacker only need to find a minor leak, broken point on the very long wall, then exploit it. You can build up miles of secured wall but only one weak point can make it collapses because with hackers, it's enough for exploitation.

[mk4]

It's just a mix/combination of some/all of these:

1. Complacency a.k.a. "let's do it next time lol"
2. Not being 1 step ahead of hackers
3. The fact that nothing is totally unhackable
4. Incompetence of the security-related coders/auditors

This applies both to cryptocurrency platforms, centralized exchanges, or any public platforms in general.

[pooya87]

Is it not possible for the system to be impregnable?

No, never. All they can do is to make it harder for hackers to get to them and only reduce the risk. Otherwise it is impossible to make any system "impregnable". Just look through the hack news (in general) around the globe; you'll see various hacks happening every day.
For example one of the most recent news I saw was a large number of classified US Military, Defense Companies and Satellites, etc. has been hacked years ago and hackers had full access to all that classified information all this time without anybody even knowing!

Of course some of the cases you can find are just pure negligence and incompetency, specially some of these "token swap platforms" that are falsely advertised as DEX are just too terrible and too weak to not-get hacked like this. They're just a bunch of code thrown together to create a scam platform to trade scams and make "bets" on shittokens.

[Queentoshi]

3. The fact that nothing is totally unhackable.

This is very frightening! but these companies can make their security protocol difficult that it is discouraging for hackers to consider hacking right? I think they are not preemptive.

[Odohu]

I don't see much changing in regards to hacking... which in most cases, is stealing. Thieves will always exist so the best you can do is to protect yourself however best you can. Centralized exchanges are prone to hacks... people look for loopholes and most times there is insider collaboration.

I  cannot call the case of FTX a hack rather another form of stealing which is eating money that people entrusted in you.

Just be careful out there.

[JunaidAzizi]

Is it not possible for the system to be impregnable?

The hackers do the hacking every time and it is hard to stop them but at least we need to adopt some protective cores. The hacking process is not just going and hacking every exchange instead they go to the exchange and find the weakest point for the access. Hacking will be easier if you can make the stupid staff of that exchange by making them some money and in their greed they make a mistake and the hackers take benefits of the moment. Another way is that when the exchange makes a security system for their exchange, at that time they leave a back door or weak point for themselves which they use when hacking that exchange. The second one is my own thought maybe wrong but I think this will occur mostly and it's a very easy method for hacking.

[passwordnow]

Why do exchanges and companies that offer bitcoins/crypto related services still have security vulnerability that they get hacked? Are they not supposed to be professionals with securing their system, or have learnt from the experience of other companies that were hacked?

Yes, they hire professionals that will protect their systems from intruders. But whether you hire the strongest ones, the technology that we're having today is also improving. The hackers are also learning something new and they are also continually learning the potential loophole from these systems that are protected. I am sure that they have learned from the past experiences of the other exchanges or services that have been hack by lots of money. Even in real world, banks are also high in security but they cannot escape these hackers.

Is it not possible for the system to be impregnable?

There is no perfect system.
This is a good discussion about such: https://www.quora.com/Is-there-ever-a-perfect-system

[dansus021]

There are two theories

The first theory is they actually have a good team of professionals to secure the exchange system. But the technology keep fast moving forward so do the hacker so they try to find the vulnerabilities on the system, in fact, white hacker and bounty hunter get paid to find a bug.

The second theory the exchange didn't get hacked at all tho they only wanted to exit scam but this theory only a conspiracy theory hahahh but anything could be happen right?

[pooya87]

There are two theories

The first theory is they actually have a good team of professionals to secure the exchange system. But the technology keep fast moving forward so do the hacker so they try to find the variabilities on the system, in fact, white hacker and bounty hunter get paid to find a bug.

The second theory the exchange didn't get hacked at all tho they only wanted to exit scam but this theory only a conspiracy theory hahahh but anything could be happen right?

These are more like different categories rather than different theories.
When we say "exchanges" we are talking a bout many different companies, for example something like Yobit is different from Coinbase! The former is a shady business and the later is a registered and regulated company.

So it is not a "conspiracy theory" when we say some exchanges scammed their users by lying to them about being hacked. There are actual cases of this happening. There are also other cases where despite all the effort the exchange puts into securing their system, they still get hacked.