How To Launder $500 Million In Stolen Cryptocurrency

An unknown hacker or group of hackers perpetrated the “biggest theft in crypto history” Friday morning when they stole what at the time were $500 million worth of NEM tokens – formerly one of the ten most popular digital currencies.

The hack was only the latest in a series of security breaches at digital currency exchanges that have resulted in hundreds of millions – if not billions – of dollars in customer funds’ being taken.

But how exactly do hackers continue to get away with these hacks?

Bloomberg has published a handy guide explaining how hackers are able to pull off these digital heists, and then launder the money

1. How did the hackers pull it off?

Coincheck hasn’t disclosed how their system was breached beyond saying that it wasn’t an inside job. The company did own up to a security lapse that allowed the thief to seize such a large sum: It kept customer assets in what’s known as a hot wallet, which is connected to external networks. Exchanges generally try to keep a majority of customer deposits in cold wallets, which aren’t connected to the outside world and thus are less vulnerable to hacks. Coincheck also lacked multi-signature security, a measure requiring multiple sign-offs before funds can be moved.

2. Where did the stolen coins go?

That’s one of the stranger aspects of these heists. Because transactions for Bitcoin and the like are all public, it’s easy to see where the NEM coins are — even though they’re stolen. Coincheck has identified and published 11 addresses where all 523 million of the stolen coins ended up. You can see for yourself online. Trouble is, no one knows who owns the accounts. Each one has been labeled with a tag that reads “coincheck_stolen_funds_do_not_accept_trades : owner_of_this_account_is_hacker.” NEM developers created a tracking tool that would allow exchanges to automatically reject stolen funds.

3. Does that mean the hackers won’t be able to cash in?

Not necessarily. The thief may be able to shake off surveillance by going through a “tumbler,” a service like ShapeShift that offers cryptocurrency trading without collecting personal data. Converting NEM coins into a more anonymized currency, like Monero, could conceivably launder them. But the huge total amount of money stolen presents a challenge. NEM trading was disabled on ShapeShift as of Monday.

4. What else can NEM developers do to fix this?

They could change the NEM blockchain by rolling back the record to a point before the attack. The so-called hard fork would create two versions of NEM, one that has never been hacked and another containing the stolen funds. While this approach worked for Ethereum in 2015, NEM Foundation Vice President Jeff McDonald said a fork is not an option.

5. Aren’t these exchanges being hacked a lot?

Yes, there’s a long history of thefts at cryptocurrency exchanges and wallets, dating back to the infamous robbery of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become increasingly juicy targets for hackers. North Korean leader Kim Jong Un has allegedly sent his hackers out to swipe digital coins as his country faces tightening trade sanctions. One researcher estimates that more than 14 percent of Bitcoin and rival currency Ether has been stolen.

6. So what can you do to keep crypto-assets safe?

The lesson for crypto-enthusiasts is that exchanges are prime targets for hackers and no place to store your coins. One alternative is to keep the assets in software wallets, which come in online, mobile and desktop varieties. Hardware wallets are dedicated devices that offer an additional layer of security. For the extra paranoid, there is always the analog option: printing out the private keys for your coins on paper.

* * *

It’s worth noting that at least one person – Russian-born Alexander Vinnick – has been charged for helping hackers launder bitcoin stolen during the infamous Mt. Gox heist through BTC-e – a shadowy cryptocurrency exchange that was purportedly launched by Vinnick to be a haven for digital criminals.