Are you doing enough to keep your crypto assets safe?

By Tyler Moffitt, Senior Threat Research Analyst at Webroot

355
Are you doing enough to keep your crypto assets safe?

Cryptocurrencies continue to rivet Australians, with one investor even declaring that he had poured 90 percent of his retirement account into Bitcoin.

Today, the Australian Tax Office (ATO) estimates that between 500,000 and one million Australians have money in “crypto-assets” as part of their portfolio mix.

Part of crypto’s appeal lies in its purported transparency and safety. As cryptocurrencies run on distributed ledger technology, it is easy for many investors to feel that their money is safe, and the chances of it being stolen are significantly lower than more traditional forms of finance.

Unfortunately, if the technology is used incorrectly, this couldn’t be farther from the truth.

It is easy for crypto to disappear if investors are not careful. This could be through malware hijacks, deposits into fake or non-secure wallet projects, or holding cryptocurrency on exchanges that get hacked.

In fact, Australian fraudsters made off with US$4.3 million [AU$6.1 million] in cryptocurrency scams last year.

When crypto disappears

When crypto disappears

A cursory glance at newspapers and blogs sheds light on several examples of cryptocurrency hacks and theft.

Earlier this year, South Korean crypto exchange Bithumb lost around $13 million in the EOS cryptocurrency to a hack.

This came just a year after the crypto exchange was hacked for around $30 million worth of cryptocurrencies.

The actual blockchain protocol of these tokens was not hacked or manipulated.

Instead, hackers had picked up private keys that unlocked Bithumb’s wallet, allowing them to withdraw funds as if they were the legitimate owners.

Bithumb offered to cover all funds stolen with its own reserves, and it moved coins to an offline cold storage wallet.

But if they hadn’t, that would have amounted to more than $43 million in investor losses.

In another case, crypto exchange Binance was subjected last year to an organized, tenacious series of sophisticated attacks by a group of skilled criminals.

This allegedly involved a massive, well-coordinated phishing exercise, where hackers accumulated user accounts over months, before creating API keys for each account.

One of the DNS poisoning attacks was thwarted by Binance’s solid risk management system, which detected the hack in time and stopped fund withdrawals.

However, the most recent attack did not trigger any alarms and the criminals made off with over $40 million.

How to keep your crypto safe

How to keep your crypto safe

With these attacks becoming increasingly more common, cryptocurrency owners should take some basic hygiene steps to protect their coins from cybercriminals.

One of the most basic critical steps is to guard your private key.

While a wallet’s public address can be freely provided to anyone, your private key – which unlocks your wallet and allows you to send coins – should always be kept secure.

Keeping up with your wallets’ private addresses is a personal responsibility.

Users need to store their wallets’ private addresses carefully, which means avoiding unsecured notes on a computer.

These are easy targets for cybercriminals, who can use malware to sniff out and copy private keys.

Instead, keep private keys at the very least on a user device, and opt for a password-protected, encrypted drive.

Never store private keys in plain text format. Storing private keys in cold storage – such as paper notes, kept in a safe or somewhere secret – is not a bad idea, but bear in mind that events like a house fire can destroy the keys, losing the crypto forever.

The best practice for crypto holders is to use a hardware wallet, designed to store crypto keys securely.

In case of damage or theft, the crypto keys can be retrieved with a seed phrase, like a list of words.

As we’ve seen from the examples above, phishing attempts to steal private keys are abundant, and many are targeted specifically at investors chasing the crypto rush.

Crypto owners should be suspicious when websites ask for their private addresses.

The only circumstance under which you should provide your private address is to unlock your wallet, and many web wallets offer alternatives that are safer, like file uploads.

It is a good idea to bookmark safe web wallet sites, to ensure you’re always on the correct URLs.

While this one might seem obvious, making sure your computer is free from malware is mission-critical if you’re a crypto investor.

Some hackers use malware that spy on user clipboards and, when they see that crypto keys and addresses are being copy-pasted, insert criminal addresses instead of the intended addresses.

Always double-check the address pasted matches what you intended to copy and send to.

A trusted antivirus solution, using 2FA on all exchanges where you store crypto, secure password managers and browser security can help protect you from would-be crypto thieves.

In a world where fraudsters see cryptocurrency as an increasingly easy target, make sure you’re one step ahead of the game and keep your cryptocurrency safe.

Tyler Moffitt is a senior threat research analyst at Webroot who is immersed in the world of malware and antimalware. He focuses on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs and testing in-house tools. Follow Tyler on Twitter @Webroot or on LinkedIn.