Many of the breaches involved taking control of accounts through techniques such as SIM swapping.
As much as $4.3 billion (£3.5 billion) worth of digital currency was stolen in the first six months of 2019, a study by cybersecurity research firm CipherTrace has revealed.
CipherTrace researchers described the stolen currency as “outright thefts” from cryptocurrency exchanges, as well as scams. The sum stolen marks a massive rise from the $1.7 billion (£1.4 billion) stolen in 2018.
Rivalling robberies in the first quarter, hackers stole more than $124 million from exchanges and infrastructure in Q2, making a total of $227 million (£186 million) stolen from exchanges so far this year.
In addition, $851 million (£697 million) was “lost” by Bitfinex. While the total dollar value of Q2 2019 thefts would currently be dramatically higher due to the recovery of cryptocurrency prices from the lows of the crypto winter, the CipherTrace report used the value of the lost loot at the time of the scam or robbery.
Also, these numbers reflect only the losses that CipherTrace has validated; undoubtedly more losses occurred.
Many of the breaches involved taking control of accounts through techniques such as SIM swapping, meaning the hacker receives all of the owner's alerts and messages and can trade as them.
Another common form of theft is typosquatting, whereby victims who make spelling errors are sent to similarly named websites and enter their details, assuming the website they have landed on is legitimate.
So far this year, European authorities have made arrests in two major typosquatting scams that cost exchange users tens of millions.
In their report, the researchers described 2019 as “the year of the exit scam”. An exit scam is a confidence trick where an established business stops shipping orders while continuing to receive payment for new orders.
$2.9 billion (£2.4 billion) worth of deposits appear to have been lost when Chinese police broke up an alleged Ponzi scheme involving the purportedly South Korea-based crypto wallet and exchange, PlusToken.
It is unknown how many people were affected, but PlusToken claimed to have between 2.4 and 3 million users/investors.
The researchers said: “CipherTrace has not definitively confirmed this apparent fraud or exit scam. The details of who was behind PlusToken and where its custodial funds went are currently shrouded in a mystery involving Chinese nationals, Chinese police, the government of Vanuatu, and the two supposed co-founders – a Russian known only as ‘Leo’ and a South Korean who uses the name ‘Kim Jung Un’.”
If confirmed, it would be the largest such loss ever, dwarfing even the $600 million (£491 million) exit scam pulled off last year in Vietnam.
The researchers added: “Despite increased awareness of the risk of exit scams and more emphasis on cybersecurity at exchanges designed to prevent hacks, both continue relatively unabated. This is because exchanges and users are facing a greater sophistication in the tactics, techniques and procedures (TTPs) cybercriminals are using to target the cryptocurrency space.
“In the case of exchange robberies, hackers have developed advanced methods to overcome even the current ‘best practice’ security in place at the more vigilant exchanges. These include simultaneous takeovers of inside and outside user credentials to defeat security controls.”