The history of cryptocurrency is fraught with people losing their coins, whether through carelessness, greed, bad luck, or some combination of the above. Some ignored the first rule of crypto: “never leave your crypto on an exchange.” When their exchange failed, their crypto went with it. Others were negligent with their storage solutions, misplacing old hard drives, using software wallets on malware-ridden PCs, forgetting the passwords to hardware wallets. Some were greedy and lost their coins to a Nigerian Crypto Prince or a Ponzi scheme. And some were just plain unlucky. These unfortunate tales remind us to be careful with our crypto, and underscore the need for new solutions to storing crypto safely.
Buying cryptocurrency used to be a risky prospect. There weren’t many exchanges, they often required you to deposit fiat via a third party, you certainly couldn’t use your credit card, and there was hardly any regulation. It was considered unwise to leave your cryptocurrency on the exchange after you bought it. Many people today feel safe buying some crypto on Coinbase or Binance, without transferring it to a personal wallet, but in those wild years you absolutely wanted control of your private keys. If the exchange had the keys, you were trusting your crypto to the reputation of a small company, located who-knows-where, that made its revenue by exchanging speculative, unregulated digital currencies between anonymous traders. One such company was Mt. Gox.
Mt. Gox was a Tokyo-based Bitcoin exchange. Led by CEO Mark Karpelès, who was also majority shareholder and lead developer, Mt. Gox expanded quickly. Founded in 2010 and bought by Karpelès in 2011, Mt. Gox quickly dominated the Bitcoin market, responsible for 70% of BTC volume in 2013, with 1.1 million active accounts. But despite the outward success, there were signs that all was not well internally. Karpelès refused to allow any update to the exchange software unless he had approved the changes to the source code, meaning needed updates could languish for weeks. In June 2011 the exchange lost $8.75 million in Bitcoin to a cyberattack, and the site went offline. According to friends of Karpelès who flew in to help get Mt. Gox back online, Karpelès seemed surprisingly relaxed about the affair, even taking the weekend off.
Mt. Gox was brought back online, but soon after US Federal agents seized $5 million from the company’s US account, and former business partner CoinLab sued for $75 million. Karpelès seemed more focused on creating a Bitcoin Cafe in the Mt. Gox building than on addressing these many issues. After an internal memo was leaked disclosing the disappearance of 850,000 BTC (worth about $460 million at the time), Mt. Gox collapsed into bankruptcy. It is still in bankruptcy proceedings today.
One might be tempted to dismiss the failure of Mt. Gox as a lesson learned by the crypto community, a mistake that wouldn’t be repeated. Sadly, exchanges continue to lose their customers’ crypto with startling regularity. A less spectacular but much more recent loss was $150 million of Nano stolen from exchange Bitgrail in February. Bitgrail’s management blamed the Nano blockchain software for the theft, but has refused to release any evidence. Nano, for its part, has vigorously defended itself against Bitgrail’s claims, showing that the missing Nano was stored in a hot wallet (one that is accessible online) instead of a cold wallet, which would have been more protected. Whoever’s to blame, if you had Nano on Bitgrail, it’s gone. Similarly, if you had any crypto on Korean exchange Youbit, you’re down 17%, which was stolen in a hack in December. Or if you used Bitconnect, you’ll find your Bitconnect tokens became nearly worthless after the company shuttered in January.
“Dozens of exchanges have failed since the creation of Bitcoin, taking many small fortunes with them. This should serve as a reminder to never leave your cryptocurrency on an exchange; however there are other ways to lose your coins,” according to Saifu co-founder Evgeny Vigovsky.
In October of 2017, a new cryptocurrency was created called Bitcoin Gold. Bitcoin Gold is a fork of the Bitcoin blockchain. This meant that anyone who owned Bitcoin was now entitled to an equivalent amount of Bitcoin Gold. Many were eager to claim their share, and some found a Bitcoin Gold online wallet called mybtgwallet.com. This helpful site offered to help users claim their Bitcoin Gold, instructing them to enter their wallet’s seed or private key. The seed is a series of words, usually 24, that can be used to recreate a wallet if it’s lost or corrupted. Giving someone your wallet seed or private keys is akin to giving them the keys to your safe deposit box, and the victims of mybtgwallet found their wallets were quickly emptied of whatever cryptocurrencies they held. More than $3 million in Bitcoin was stolen.
MyEtherWallet is a popular online wallet for Ethereum and other tokens built on the Ethereum blockchain. The wallet is free to use, and as far as online wallets go, it’s secure, requiring users to take steps to protect themselves. In December, the MyEtherWallet iOS app hit the #3 spot on the App Store in the finance category. Unfortunately for the thousands of users who bought the app for $4.99, this app was just another scam. MyEtherWallet doesn’t have an app (and Apple doesn’t allow wallet apps on the App Store). Suspicious users alerted the MyEtherWallet team, who alerted Apple. Two days later, Apple responded and removed the app from the App Store.
Less colorful but more insidious is the plethora of malware that targets cryptocurrency wallets. These programs run quietly in the background, searching for wallet software on your computer and uploading your credentials. A particularly nasty bit of malware was the Pony botnet, discovered in September 2014. The Pony botnet used a Trojan to compromise about 700,000 accounts, including email accounts, website login credentials, and other sensitive information. A total of 335 Bitcoin was stolen from 85 different wallets; those Bitcoin are worth about $2.7 million today.
Some classic scams have been updated for cryptocurrencies, including a variation on the Nigerian prince con that harnesses social media to attract victims. In the classic Nigerian prince scam, the victim receives an email from a Nigerian prince who needs help to move his wealth to the United States. The prince needs someone to deposit a check for him, then wire out the funds. The victim pays the wire fee but gets to keep part of the funds from the deposited check. Typically the victim’s bank informs them that they’ve deposited a bad check well after they’ve wired out the funds for the “Prince.”
In the new variation, scammers impersonate well-known figures of the tech world like Elon Musk or John McAfee, often on Twitter. They use a name similar to the celebrity, and their picture. They claim to be giving away cryptocurrency to the first 100 people to respond to the tweet, but there’s a catch; respondents need to send a small amount of crypto to pay for the “fees.” Naturally, the scammer just keeps these small bits of crypto and does not send anything in return. Here’s “Elon Msk” giving away some free Bitcoin:
Thankfully, crypto security is steadily improving. The rise in value and mainstream adoption have attracted established cybersecurity players, and innovative new storage solutions are being created with increasing frequency. Our firm Saifu has developed its own crypto storage hardware in partnership with Thales. “Users’ crypto keys are stored in Thales hardware security modules, which cannot be accessed remotely. Even if we were ever hacked, our customers’ cryptocurrencies are protected. As it becomes safer and easier to buy and use cryptocurrencies, we believe mainstream adoption will skyrocket. The crypto revolution is just beginning,” Vigovsky, the Saifu co-founder, says.