The Bitcoin crypto-currency is one of the biggest financial stories of 2017, increasing dramatically in value over the past 12 months from $1,000 in January to as high as $20,000 on Dec. 7. As Bitcoin’s value has grown, so too have its risks, as sites struggle to remain both available and safe.
The most recent security incident occurred on Dec. 6, with Bitcoin exchange site NiceHash publicly revealing that it was the victim of a security breach.
“Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen,” NiceHash stated. “We are working to verify the precise number of [Bitcoins] taken.”
Although NiceHash has not publicly disclosed the number of lost Bitcoins, according to a Reuters report, 4,700 Bitcoins were stolen from NiceHash. The value of Bitcoin surged dramatically on Dec. 7, with prices ranging from $15,000 to a high of $20,000 as of 1:30 p.m. EST, putting the value of the theft in the range of $70.5 million to $94 million.
“Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days,” NiceHash stated. “In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.”
NiceHash has not publicly disclosed how its site was breached, but the firm has recommended that users change their online passwords to limit additional risk.
“This NiceHash attack is reminiscent of the Carbanak heist in which the sophisticated attackers used the banks’ own tools to steal their money,” said Chris Morales, head of security analytics at Vectra Networks.
For an environment like NiceHash, the most important security controls are ones that monitor internal traffic for the misuse of administrative credentials and administrative protocols, Morales said.
NiceHash isn’t the first Bitcoin exchange to be targeted by hackers. In February 2014, Mt. Gox, which at the time was the largest Bitcoin exchange in the world, reported a theft of 750,000 Bitcoins. At the time of the theft, the value of the stolen Bitcoins was estimated at $473 million.
Coinbase Crash
While outright theft is a risk, so too is site availability for the various online crypto-currency exchange sites. On Dec. 7, with the price of Bitcoin extremely volatile, the popular Coinbase exchange site struggled with availability issues. The dramatic rise in the value of Bitcoin over the last 60 days has put increased pressure on crypto-currency trading sites to handle the spike in transaction volume and value.
“We are currently experiencing high traffic,” the Coinbase status page reports. “This is resulting in some customers having slow performance or issues logging into their Coinbase.com accounts.”
Coinbase has had availability issues before, most notably from Nov. 29 to Dec. 1, when the site also suffered performance troubles. In a post-mortem on the issue, Coinbase engineer Luke Demi wrote that Coinbase was able to remediate the performance issues by reducing total query volume and scaling the affected databases. It’s not yet clear if the same issues are at fault for the slowed performance on Dec. 7.
What Should Users Do?
For those looking to hold Bitcoin financial balances safely, there are options beyond just trusting the security or availability of an online exchange.
“Bitcoin exchanges are not like banks and therefore are not subject to the same cyber-security regulations like those defined by state of New York for any institution operating in the state,” Morales said. “If you are risk-averse, transfer deposits made to your Bitcoin wallet to a hard currency account with a bank.”
Morales added that while a bank can be hacked too, financial services firms demonstrate the lowest rates of attacker behaviors per 1,000 devices monitored, according to his firm’s 2016 Attacker Behavior Industry Report, most likely due to their investment in cyber-security controls and security personnel.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.