In less than 2 weeks last month, almost RM2.9b worth of cryptocurrency assets were stolen by hackers from 2 leading exchanges abroad
by AFIQ AZIZ
THE hacking of digital asset exchanges (DAXs) abroad has put some fear in digital currency investors here that their investments on local DAXs may be equally vulnerable to hackers if there are no comprehensive security measures in place.
In less than two weeks last month, almost US$700 million (RM2.9 billion) worth of cryptocurrency assets were stolen by hackers from two leading exchanges abroad.
China-based Poly Network, a smart contract-driven platform that facilitates transactions between various platforms, had US$600 million worth of crypto money stolen, before the hacker, or hackers, returned most of the stolen funds, saying the heist was just “for fun”. It was dubbed the biggest cryptocurrency theft ever.
Then, the Japanese cryptocurrency exchange known as Liquid was hit in a cyberattack by hackers who made off with a reported US$97 million worth of digital coins.
Liquid has since stated some of its digital currency wallets had been “compromised”, and hackers had transferred the assets to four different wallets.
While the cryptocurrency market in Malaysia is far smaller than its peers abroad, it is growing, with the Securities Commission having licensed four DAXs.
The leading DAX, Luno Malaysia Sdn Bhd, reported almost US$1 billion (RM4.2 billion) in total transactions as of June compared to US$300 million (RM1.23 billion) for the whole of 2020.
It currently stores more than RM1 billion of digital assets including bitcoin, ethereum, ripple and litecoin for 300,000 account holders.
In an email to The Malaysian Reserve (TMR), Luno Malaysia country manager Aaron Tang stated the DAX keeps most of its customers’ private keys in physical bank vaults inside safety deposit boxes, called “deep freeze” storage, to maximise the safety of its customers’ cryptocurrencies.
“Deep-freeze keys are ‘multi-sig’ keys, meaning multiple keys must always be present to authorise a cryptocurrency transaction.
“It is similar to a bank vault that requires multiple keys to be used simultaneously before it can be unlocked.
“Only specific individuals have access to the safety deposit boxes and the same person does not have access to more than one safety deposit box,” Tang noted.
He added the private keys in the safety deposit boxes are also encrypted, making it impossible for a bank employee to steal the key.
“In addition, our deep-freeze storage is purposefully difficult to access. So, for our day-to-day operations, a small percentage of cryptocurrencies are kept in a combined-strategy system, using offline cold storage and an online hot wallet.
“This allows us to ensure we always have some cryptocurrencies available during the day while leaving most cryptocurrencies safely offline,” he added.
In addition to Luno Malaysia’s internal security measures, the London-based firm also integrated a co-signing partner as its hot wallet co-signing service.
“As a result, the only way to spend the cryptocurrency from our hot wallet is if Luno and our partner authorise the transaction using multi-sig keys.
“They also provide us with additional security measures like daily and lifetime key spend limits,” he stated.
A hot wallet is a tool that allows a cryptocurrency owner to receive and send tokens but is more vulnerable to cyber attacks as opposed to a cold wallet or offline storage.
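The two controls described above, multiple keys that must all be present before a transaction is authorised and a co-signed hot wallet with daily and lifetime spend limits, can be modelled as a spend policy. The following is an added illustration, not Luno’s or its partner’s code; the signer names, amounts and dates are constructed, and HMAC approvals stand in for the real multi-signature scheme (a real verifier would check public-key signatures rather than hold each co-signer’s secret).

```python
"""Hot-wallet spend policy: 2-of-2 co-signing plus daily and lifetime limits (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secrets: one per co-signer. HMAC is a stand-in for real multi-sig.
COSIGNER_KEYS = {"exchange": b"exchange-secret-demo", "partner": b"partner-secret-demo"}


def approve(signer: str, tx_id: str, amount: int, day: str) -> str:
    """A co-signer approves one spend by signing its canonical description.
    Binding amount and day into the message means an approval for a different
    amount (or a replay on another day) does not verify."""
    msg = f"{tx_id}|{amount}|{day}".encode()
    return hmac.new(COSIGNER_KEYS[signer], msg, hashlib.sha256).hexdigest()


@dataclass
class HotWalletPolicy:
    daily_limit: int        # units are arbitrary (e.g. satoshi) for this demo
    lifetime_limit: int     # total the hot-wallet key may ever spend
    required_signers: frozenset = frozenset(COSIGNER_KEYS)  # ALL must approve
    spent_per_day: dict = field(default_factory=dict)       # day -> total spent
    spent_lifetime: int = 0

    def authorise(self, tx_id: str, amount: int, day: str, approvals: dict) -> tuple:
        """approvals maps signer name -> approval string. Returns (ok, reason).
        Checks run in order: sanity, every required signature, then limits;
        counters are only updated once every check passes."""
        if amount <= 0:
            return False, "invalid amount"
        for signer in self.required_signers:
            sig = approvals.get(signer)
            expected = approve(signer, tx_id, amount, day)
            if sig is None or not hmac.compare_digest(sig, expected):
                return False, f"missing or invalid approval from {signer}"
        if self.spent_per_day.get(day, 0) + amount > self.daily_limit:
            return False, "daily spend limit exceeded"
        if self.spent_lifetime + amount > self.lifetime_limit:
            return False, "lifetime key spend limit exceeded"
        self.spent_per_day[day] = self.spent_per_day.get(day, 0) + amount
        self.spent_lifetime += amount
        return True, "authorised"
```

A spend signed by the exchange alone, or signed by both parties for a different amount, is rejected before any limit is consulted, which is the property the co-signing arrangement is meant to give.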
Luno’s infrastructure is also hosted on Amazon Web Services, Tang added, which offers a secure environment for Luno services.
Strict Internal Protocol
Hackers and thieves succeed more often when organisation insiders leak confidential and strategic information to them.
To address this, Tang said Luno has put in place a comprehensive system to ensure all internal security matters are guarded, to the extent that even some experts, such as its engineers, have limited access to certain significant information.
“Luno internal networks are protected by firewalls and are not connected to the Internet, while Internet traffic is encrypted to the same standard as external services.
“The firewall policies are designed to allow minimum permissions for different applications and roles to interact,” Tang stressed.
He added that all application and database servers are running inside private networks, with isolation between staging and production environments.
Public-facing services are made available by dedicated load balancers that only handle HTTP requests.
“All Luno employees must use cryptographically secure Multi-Factor Authentication hardware such as Universal 2nd Factor keys to access internal services.
“Engineers do not have access to application credentials or production servers,” Tang explained.
Hence, all deployments are performed independently by a deployment server. As part of its hiring process, all candidates must pass criminal background checks pre-employment.
Regular Assessment Eliminates Potential Risk
Tokenize Technology (M) Sdn Bhd’s CEO and CTO Hong Qi Yu said its platform, Tokenize Exchange, conducts a vulnerability assessment and penetration test (VAPT) procedure on an annual basis.
The VAPT check typically consumes less than 10% of an organisation’s operational expenditure and is crucial to eliminating any potential zero-day risk.
“This was carried out by a professional third party,” noted Hong.
Tokenize, which also holds a substantial amount of funds in custody, has insured up to US$100 million, which would allow the custodian to claim their investment.
“However, no DAX operator would be able to guarantee their funds get returned should it get stolen at this juncture,” Hong admitted.
On the same note, Tang said Luno Malaysia is also exploring and evaluating buying additional insurance for the assets under its custody.
That said, digital money is developed and backed by blockchain technology, which makes it hard to steal, according to CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab.
“As reported, the hackers at Poly Network returned almost half of the funds they stole. This proves the transparency of blockchain, which might make hackers feel there is no choice but to return the money. Transparency in a blockchain network allows every transaction to be seen clearly,” he told TMR.
Amirudin added that reports suggest Poly Network has managed to obtain information regarding mailboxes, IPs and device fingerprints belonging to its hackers.
“In a positive view, if this kind of attack is done by a white hat, it will allow vulnerabilities of the system to be detected. Poly Network’s vulnerabilities are in its smart contracts,” he explained.
He advised local DAXs as well as cryptocurrency holders to ensure their investments or assets are safely kept, and to undertake regular security testing of their systems.
“One of the tests that can be carried out is smart contract validation testing. Perhaps local DAXs can also create a programme that will reward white hats who successfully find any valid bugs in their system. This has been done by Poly Network after the incident,” he said.