Chapter II - Background and Review of Literature

Chapter II: Background and Review of Literature

Chapter II: Background and Review of Literature

Introduction

This section of the literature review shall look at the findings in other areas of study and by other researchers on cryptocurrency wallets. Effectively, Cryptocurrency Wallets can be hacked by attackers if it is not well protected and secured. Nevertheless, the focus of this essay for now be based on the problems and security; this section will discuss about the major hacks and other cryptocurrency related services that occurred from 2011 to 2020, when users experienced money stolen from their cryptocurrency wallets due security issues. It is important to highlight about the problems facing on the cryptocurrency wallets and decide how it can be protected it, as well as secured along with how to solve the problem.

Recent hacks into cryptocurrency wallets of users from such systems have raised serious questions about whether this technology can be secured from ongoing, evolving cyberattacks; these hackings happened in chronological orders based on the year from 2011 through 2020 in which it will be mentioned and discuss in the literature related to the problems such as the Proof-of-Stake and the Proof-of-Work problem. The next part of the literature review would be about the methodology given by other researchers and area of study in which the solutions were provided.

First, the article explained about the problems of cryptocurrency thefts and shutdowns of the exchanges that occurred from 2011 through 2020; these drew a lot of attention from investors and users who had their funds safe and secured with any of the cryptocurrency wallets.

The online magazine SSRN demonstrated in their article titled “The Problems of Cryptocurrency Thefts and Exchange Shutdowns”, how Cryptocurrency, specifically Bitcoin, shed a light on the lack on of accountability when it came to cryptocurrency. Furthermore, It defended the need for stricter oversight and more transparency (Usman, 2018).

The article that was published in 2017 by MEDIUM “Mt. Gox Hack Technical Explanation” discussed how Mt. Gox got hacked by attackers in which they stole their Hot Wallets private keys. Unfortunately Mt Gox was not really good at security during that time, but they were able to figure out how now to make it more secure for users (Song, 2017).

An Atlantic Archive Technology that was published in 2012 highlighted the hacking that happened to BitFloor online bank robbery without the FDIC protection in which the owner of the company decided to shut down the site. They were concerned whether or not they can repay coins (Greenfield, 2012).

An article that was published in 2012 by ARS Technical demonstrated how Bitcoinica users filed a lawsuit in a San Francisco court for neglecting the safety of user’s money. Users were promised full refunds due to the hacking that occurred while making sure the security was protected (Geuss, 2012).

According to the Hacker News website published in 2013 which explained about how Bitcash.cz got hacked by attackers; these hackers got access to employee’s personal emails by sending malicious scam while pretending to be the Bitcash.cz. The system unfortunately has been down for maintenance and the server was compromised by unknown hackers (Mohit, 2013).

The CSO online article that was published in 2018 talked about Cryspty that got hacked by inserting malicious viruses to their system named Lucky7 Coin. They lost 300,000 Litecoin’s that were worth approximately $10 million. The owner of Cryspty Paul Vernon was sued by users with an amount of $8.2 million for destruction of evidence and stealing the Bitcoins (Schwarz, 2018).

Based on the newspaper article that was published in 2014 which mentioned that Mt. Gox have been experiencing one of the biggest hacks at all time. It was one of the world’s largest Bitcoin exchanges and Investors were very concerned about the situation as large amount of funds were invested in Bitcoin, hence they were seeking answers for what really happened to their product on the unregulated Tokyo-based exchange. Eventually, the former CEO got arrested in 2015 in which they found roughly $2 billion of Bitcoin stolen in the hack (Yoshifumi & Sophie, 2014).

According to the website on CoinDesk that was published in 2014, the article discussed how Poloniex, one of the Bitcoin exchanges got hacked and suspected an employee who worked for the company that was behind the hacking. The owner D’Agosta suggested that the only way that bitcoins could be distributing fairly among affected users was to pay back customers using exchange fees as well as personal contributions (Rizzo, 2014).

An article that was published in 2015 by Cointelegraph highlighted BTER from China that had been hacked from their cold wallet. Cold wallet was one of the hardest and especially difficult one to hack. Apparently, it was not the first time that they have been hacked. Anyone who would be willing to find the stolen funds would be recompensated (Samman, 2015).

An article that was published in 2015 mentioned that the Chinese bitcoin exchange called KipCoin had lost over 3000 Bitcoins in the hack. KipCoin taught they were secured but the hacker was able to have access to KipCoin’s servers and downloaded the wallet.dat file at the time. Even when the hacker was able to steal the funds at KipCoin stolen during that time, since this hacker even left some clues or their identities that could be traceable (Demartino, 2015) .

An article that was published in 2015 by CoinDesk illustrated that at Bitstamp company, the hacker was able to communicate with few employees by sending malicious malwares through their skypes. Without knowing what it was, some employees automatically clicked on the file malwares that the hackers sent. The hackers were able to have access to at least two servers that contained the wallet.dat file for Bitstamp’s hot wallet and their passphrase (Stan, 2015).

According to Cryptonews website on local bitcoin in 2019 mentioned that it was hacked by attackers who distributed malwares through the local bitcoin live chat. They got access to the funds that was approximately 7.9 BTC. The company was trying to figure it out how they can reimburse affected users (Fredrik, 2019).

An article that was published in 2016 by Reuters discussed how Bitfinex one of the cryptocurrency exchange got hacked extremely. Hackers stole the Bitcoins user’s accounts. Bitfinex did not know how to address the situation to users who lost their funds (Baldwin, 2016).

According to the website on Finance Magnates that was published in 2016 which discussed about Hong-Kong based exchanges called GateCoin that had been hacked in 2016 for an amount of $2 million in cryptocurrencies; they did so by having access to GateCoin hot wallets, the exchange then set up a payment plan called Payment Service Provider to be able to reimburse all the funds belonging to investors who got hacked during that time (Mizrahi, 2016).

An article that was published in 2019 by Crypto News Website mentioned the cryptocurrency exchange ShapeShift had been hacked three times. It was one of the employees working for the company who was behind these attacks, but they were able to rebuild it. it was important to prevent these kinds of attacks from happening, hence they tried to secure it by providing suggestions like keeping your keys in a secured area and transferred it into a hardware wallet (Sead, 2019).

An article that was published in 2017 by Bloomberg Businessweek spoke about a cryptocurrency exchange named Yapizon from South Korea currently changed the name to Youbit had been hacked twice in less than a year. South Korea thought it was the North Korea that spied on them and stole 3800 Bitcoins, but there was no information released to prove that it was the North Korea (Yuji & Sam, 2017).

An article that was published in 2017 by Cointelegraph Bithumb, recalled about one of the top five largest cryptocurrency exchanges that had been hacked by attackers, they stole their user data, and money. Furthermore, the crypto exchange Bithumb confirmed its intention of reimbursing the users affected of the theft (O’Neal, 2018).

According to the CNBC website, there was an article that was published in 2017, focusing on how NiceHash was part of the cryptocurrency mining, allowing users to rent out their hash-rate, had been hacked. NiceHash did not specify how many bitcoins were stolen but the users estimated the amount to be roughly $60 million. They did some investigation by trying to figure out how or what had happened, and they can reimburse users funds (Browne, 2017).

An article that was published in 2019 by Cointelegraph implied that about the employee’s personals computers that had been infected by malicious malwares or viruses. They suspected that it was a group of unknown hackers who installed the viruses to have access to their private keys (Huillet, 2019c).

In the year of 2018, there were more attacks from hackers in few Cryptocurrency exchanges which are listed as follows: CoinCheck, BitGrail, Coinsecure, Taylor, Bitcoin Gold, Coinrail, Zaif, MapleChange, and QuadrigaCX, Cryptopia, Coinmama, Bithumb, DragonEX, Binance, GateHub, Bitrue, Bitpoint, VinDax, UpBit, and AltsBit.

An article that was published in 2018 mentioned that unfortunately for CoinCheck, the process was simple for the hackers to access to it. They were having issues with the security; and the hackers managed to send malware or viruses through employee’s emails and were trying to steal their private keys. They had been sued by other Crypto traders and investors for not securing their funds. Coincheck decided to reimburse the funds stolen as promised to all affected people, and they had been able to “bounce back” after the massive attacks (O’Neal, 2018).

An article that was published in 2018 by Cointelegraph described that BitGrail, an Italian Cryptocurrency Exchange, had its wallets hacked and claimed that an amount of 17 million Tokens were stolen. They accused the founder of BitGrail and Nano for stealing the funds. unfortunately, BitGrail keeps pointing fingers at Nano that they had nothing to do with the hacking (O’Neal, 2018).

An article that was published in 2018 by Cointelegraph explained about Coinsecure, an Indian Cryptocurrency exchange, that had been hacked from the company bitcoin wallet. They suspected the Chief Scientific Officer to be part of the hacking. At the end of the day, the Chief Scientific Officer was arrested for that. The company eventually reimbursed the users while the investigation was still ongoing (O’Neal, 2018).

An article that was published in 2018 by Trending discussed how Taylor, cryptocurrency trading app had been hacked and hackers stole most of their funds with an amount of $1.35 million. They have decided to investigate by tracking the hacker’s activities and let the law enforcement agencies to oversee the situation. Even though they lost a ton of amount, they had a backup plan of revealing a new TAY Token which will block hackers’ addresses (Sam, 2018).

The researcher mentioned that Bitcoin Gold had been hacked by attackers and they stole $ 35 million. Hackers have been using some techniques by putting their Bitcoin Gold into exchanges and traded them with other cryptocurrencies to be able to withdraw their funds (Sharma, 2018).

An article that was published in 2018 by CoinDesk website mentioned that Coinrail which was one of the small Cryptocurrency exchanges in South Korea had been hacked and lost $ 40 million. They were able to save some of their funds in a cold wallet and freeze the rest of their funds so they can continue to investigate and figure it out the issue (Wolfie, 2018a).

An article that was published in 2018 by CoinDesk discussed about Zaif, Japan based Cryptocurrency exchanges had been hacked. Due to the loss of funds, they decided to keep some funds in a hot wallet for immediate transactions and in the cold wallets where the attackers would try different methods but would not have access to their funds. The hackers did not steal on Zaif cryptocurrency wallets but few others also like Bitcoin, MonaCoin and Bitcoin Cash. The great thing with Zaif was that they were able to pay back the affected customers that got their funds stolen by hackers (Wolfie, 2018b).

An article that was published in 2018 by Coinspeaker website discussed how MapleChange, which is a small Cryptocurrency exchange in Canada had been hacked and the attackers stole all their funds which were immediately withdrawn. Without any further noticed to customers or investors, they decided to shut the website down because of the attacks. That made people more suspicious of their action because they closed everything including social media and would not be able to refund all customers. Since MapleChange did not communicate with them, people suspected that it was a inside job but not a hacker that took all the funds (Daria, 2018).

An article that was published in 2019 by Wired Website discussed how QuadrigaCX, the CEO Canadian company Cotton was the only one who knew how to access the Cold Wallets had died in India and took that Cold Wallets of people’s money with him to his grave. They mentioned that Cotten planned his own death and that it was an exit scam to pretend his death. They were six cold Wallets that Cotton knew about. And he had access to all but five of them, the rest having been emptied completely by Cotten. Even though, it was still unclear with the whole situation of Cotton death, the widow wife was able to reimburse an amount of $ 9 million assets (StokelWalker, 2019).

An article that was published in 2019 by Coin telegraph mentioned that Cryptopia company suffered from security breach because users were having hard time accessing their accounts. Because of the issues going on, they found out that there was no customers data on their systems meaning usernames and email addresses. Unfortunately, users who lost funds in the company would not be able to get refunded because they were not enough details on them to know if they were already in their systems (Kuznetsov, 2019).

An article that was published in 2019 discussed how Coinmama based in Israel, suffered a major brokerage from hackers that stole users’ accounts’ details and information; these accounts allowed users to buy and sell Bitcoin and Ethereum by using their credit Card to purchase them. They were no cryptocurrency Wallets stolen from Coinmama (Huillet, 2019a).

An article that was published in 2019 by Cointelegraph discussed about Bithumb, a South Korean Cryptocurrency exchanges that had been hacked by someone who worked for the company. That employee completely withdrew an amount that was more than $3 million. They still did not find the person until then (Zuckerman, 2019).

An article that was published in 2019 by Cointelegraph noted how DragonEX, a Singapore based Cryptocurrency exchange had been hacked by the North Korean Lazarus group who mentioned they were responsible for this. They basically created some fake company by convincing the employees at DragonEX to download some malware in which they were supposed to check to make sure they were not malicious malware or viruses. DragonEX had to take full responsibility to refunds users who lost their funds during these attacks (Huillet, 2019b).

An article that was published in 2019 by CNBC website discussed the number of bitcoins stolen by hackers from a majority Cryptocurrency exchange Binance. Hackers had some ways to send malicious scam and viruses to hack into Binance, and they eventually stole customers’ data. Binance would cover users who had been affected by hackers (Kharpal, 2019).

An article that was published in 2019 by Cointelegraph mentioned that GateHub, which was a UK and Slovenia based Cryptocurrency exchange had been hacked. They are still some investigations going on as to how hackers got access to user’s funds. The great thing was that GateHub were able to recover the stolen funds (Alexandre, 2019).

An article that was published in 2019 by CoinDesk discussed how Bitrue, that was part of Singapore based Cryptocurrency exchange got hacked. Since the company only had few users that were affected, Bitrue agreed to refund them all (Palmer, 2019).

An article that was published in 2019 by Cointelegraph discussed how Bitpoint, a Japanese Cryptocurrency exchanges had experienced a tremendous loss of amount because their security breach was not secure at all. Hackers were able to steal an amount of $32 million, and unfortunately, Bitpoint was able to recover only $2.3 million to give to the affected users that got hacked (Wood, 2019).

An article by Yousaf, “Vietnam-Based Crypto Exchange VinDAX Loses at Least $500K to Hack” that was published in 2019 explained VinDAX, a Vietnam based Cryptocurrency exchange that got hacked by attackers and stole assets of customers. VinDAX conducted Token’s sales for unknown blockchain projects. They asked the blockchain projects for help on funds if they can be able to provide that to them (Yousaf, 2019).

An article that was published in 2019 highlighted Upbit which is a South Korea Cryptocurrency exchange that had been hacked and moved to the cold wallet. Unfortunately, the funds stolen by hackers had been on the move. Upbit were able to update their security breach (Huillet, 2019d).

An article that was published in 2020 by Security Affairs explained Altsbit, an Italian Cryptocurrency exchange that had been around for few months but had been hacked by a Lulzec group who mentioned they were responsible for that. Unfortunately, they had to close Allsbit by May 2020 (Paganini, 2020).

An article that was published in 2018 spoke about Binance, which was one of the world’s largest cryptocurrencies by exchange volume. They tried to hint the hackers after stealing the contents of the company bitcoin Hot wallet. Although, it was mentioned that this form of crime had cost companies and governments $11.3 billion in illegitimate transactions and lost tax revenue (Bischoping, 2018).

Since hackers were able to hack in one of the largest crypto exchanges in the global market, they need to find a way to minimize this incident to prevent it from happening and facilitates the recovery to be more structured and apparent. They also need internal insurance funds to compensate users to make sure this incident will not arise. The next chapter in this paper will aim to discuss the literature review related in the methodology section.

This chapter discusses the different methodologies that are used to evaluate security and privacy in cryptocurrency wallets from academia, and industry. This includes the security of App-based Wallet, Web-based Wallet, Hardware Cryptocurrency Wallets and Paper Wallet.

Since OWASP Top 10 Internet of Things has been part of the industry, it will evaluate the security features related to different types of wallets. OWASP stands for Open Web Application Security Project which provides threats known to devices and applications. This OWASP has top ten latest list of Internet of Things (IoT) vulnerabilities (Lampe, 2014).

Figure 2 focuses on the Internet of Things (IoT) top 10 items that has been designed for hardware devices, web based and app based related to security (Lampe, 2014).

Figure 2
OWASP IoT Top Ten and Applicability of Existing Security (Jariwala, 2020)

App based wallet has been part of the best products and tools used by investors for easier access and have safer transaction as well as management of their funds and sensitive data. There are seven important Bitcoin wallets in Figures 3 listed below in which investors trust by using these wallets to protect their investments (Rosenberg, 2019). These seven important Bitcoin wallets will be discussed in detail in this chapter by explaining the use of these Bitcoin wallets.

Coinbase is one of the easiest wallets that users or investors can buy, sell, and hold your cryptocurrencies in; with this Coinbase, you connect to any bank account which make it easier to transfer money in and out of the wallet. You can buy or sell your cryptocurrencies by using these dollars (Rosenberg, 2019).

Trezor is a physical device that you can connect to your computers where you can store your bitcoin and access it. It is not like Coinbase where you can buy or sell. This wallet provides some protections in cases if you lose your devices, or your passwords. The most important feature of this device is that it keeps hackers away from stealing your bitcoin (Rosenberg, 2019).

Electrum is a software wallet in which your Bitcoin is stored in an encrypted file on your computers or laptop. The big advantage with this wallet is that you can quickly get active, and successively and store your Bitcoin on your personal computer. In case, if you are having issues with your computer, issues such freezing, crashes, hacks, and breaches of security, it could significantly cost you, and you could lose your coins. This software wallet does support a recovery process by allowing you to create a cold storage with a printed or handwritten set of keys (Rosenberg, 2019).

Blockchain wallet is a technology that allows others digital currencies and bitcoin to exist; It is like Coinbase in which you can buy and sell through the platform in different Countries but with a small fee of charge. To protect this wallet, you are required to answer three specific security keys in your account for instance email verification, two-factor authentication ,and a backup security phrase (Rosenberg, 2019).

Robinhood is a wallet and exchange like Coinbase. It is a free stocking that supports users with their investments which includes cryptocurrencies like Bitcoin. Unfortunately, you cannot transfer Coins to and from Robinhood to another wallet. But, it is secure enough for your stocks and coins (Rosenberg, 2019).

Exodus is a software wallet very easy to use like Electrum. You can store coins directly through the app. There is no need to set an account because your wallet and currency belongs to you personally. It contains a private keys encryption and important security tools to use. This wallet is good for people who have an investment background and would like to increase their knowledge on digital currency (Rosenberg, 2019).

Mycelium is another mobile-only Bitcoin wallet, precisely focusing on Android and iPhone. It is a bit more complicated to use than some other Bitcoin wallets. It also allows for secrecy and keeps your Bitcoin in your pocket everywhere you go (Rosenberg, 2019).

The way to know that you are using the proper web-based wallets is to make sure that you have an installation of Windows 10 along with a range of web browsers like Mozilla Firefox and Google Chrome (Konash, 2019). The following web-based cryptocurrency wallets that we will discussed in this chapter while using OWASP Top ten IoT guidelines are:

Metamask
Blockchain.info
MEW (MyEtherWallet)
StrongCoin
Jaxx
coin Wallet
Green Address

They are some tools for instance SSL labs and Security headers which are used to check websites for their levels of security; the type of technology they use for securing the website and each site also gives details on what is not secure and what solutions can be put in place to increase the security level of the website.

Companies from different Countries have supplied hardware wallets, explaining the aims and objectives of these wallets. There are some reasons why users or investors are recommended to use these types of hardware wallets because of the degrees of security and privacy. The purpose of these Hardware Wallet is to promote a safe way of storing and sending bitcoin (Costea, 2019). These are the five Hardware Wallets listed which are Trezor T, Ledger Nano X, KeepKey, Bitbox, and Coldcard Wallet.

Figure 3
Paper Wallets (Ameer, 2017)

Paper wallet is another way of storing cryptocurrency which creates an image that contains the private and public keys to a new wallet address along with QR codes. This is depicted in Figure 3 above, which you can see the printed, sealed, and stored securely in a safe or another secure place (Benton, 2019).

An article that was published in 2020 by SpringerLink “understanding the creation of trust in cryptocurrencies: the case of bitcoin” discussed about Cryptocurrencies providing trust through technology by identifying functionality, reliability, and helpfulness in which users evaluate trust in technology and in bitcoin (Marella et al., 2020).

While looking at the solutions provided by the researchers, they are similar to what would be proposed during the methodology part which are : managing your own private keys and not shared with anyone; making sure that you save these recovery phrase provided by your hardware wallet; these private keys are a minimum of twenty four words recovery phrase which are important to remember and to save in a secure area; creating a password with a maximum of ten characters containing letters, symbols, and numbers, and also used a complicated password instead; setting up multiple questions that must be answered before information can be retrieved or approved as well as two-factor authentication .These solutions will be discussed in detail in the following chapter.

Summary

In conclusion, there are myriads of different types of cryptocurrency wallets; these elements will be used to evaluate Web based Wallet, App based Wallet, hardware wallet and Paper Wallet. As mentioned earlier, OWASP for IoT guidelines are industry standard tests which will help evaluate the IoT security. The results of these screenshots will be charted and evaluated by providing solutions on securing the cryptocurrency wallets in the next chapter.