Securing Your Crypto: Lessons from Recent Wallet Hacks

Crypto, as we know, carries its share of risks. While DeFi exploits and bridge hacks often dominate the headlines, there's another less-discussed threat that every crypto user should be aware of: wallet hacks. Just last week, users of the self-custodial Atomic Wallet lost over $35 million in a yet unexplained hack.

While this represents the largest wallet hack in years, it is far from an isolated incident; wallet exploits across various networks have resulted in over $75 million in losses since 2020. While we will likely need to wait several months to understand how Atomic was exploited, this blog post breaks down other significant wallet hacks in recent years. We aim to understand why these hacks happened and provide insights to help you safeguard your assets.

BitKeep

In December 2022, BitKeep, a multichain wallet supporting over 30 blockchains and used by over eight million people worldwide, fell victim to a significant security breach. Hackers tricked users into downloading an unofficial version of the Android app and proceeded to drain approximately $9 million from users' wallets. The platform urged affected users to transfer their funds to a new wallet created from the official app, treating any addresses generated via the malicious app as compromised.

This incident was not the first time BitKeep users faced a security issue. Back in October 2022, a hacker managed to exploit a token swap feature within the wallet, leading to a loss of about $1 million across multiple users. The attacker used "approvals" that users had previously signed, which allowed for unlimited transfers from their wallets. BitKeep suspended the service and pledged to reimburse everyone affected.

Takeaways: Be careful what you download! But that is obvious (sorry BitKeep users). More importantly, manage your approvals wisely. In an effort to “improve” UX, most dApps ask you to sign an unlimited approval the first time you use them, giving the dApp permission to drain your wallet. You then have to trust that every subsequent transaction you sign is not malicious. If you recently signed some sketchy stuff in DeFi, don’t fear – approvals can be revoked! Etherscan offers a free approval checker on its website.
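Here is an added example (not code from the original post or from Locksmith) of the check a wallet could run on an ERC-20 approve() call before the user signs it: it decodes the spender and amount, flags unlimited allowances, and builds the zero-amount approve() that revokes one. The selector 0x095ea7b3 is the standard one for approve(address,uint256); the spender address and the sample calldata are constructed placeholders.

```python
# Added example (not from the original post): inspect an ERC-20 approve()
# before signing it, flag unlimited allowances, and build the zero-value
# approve() that revokes one. 0x095ea7b3 is the standard 4-byte selector of
# approve(address,uint256); the spender below is a constructed placeholder.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1

def _strip_0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def decode_approve(calldata_hex: str):
    """Return (spender, amount) for approve(address,uint256) calldata, else None."""
    data = _strip_0x(calldata_hex)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    # The address is right-aligned in its 32-byte ABI word (24 hex chars of padding).
    spender = "0x" + data[32:72]
    amount = int(data[72:136], 16)
    return spender, amount

def is_unlimited(amount: int, decimals: int = 18, max_sane_tokens: int = 10**6) -> bool:
    """MAX_UINT256, or any amount beyond a sane token count, is effectively unlimited."""
    return amount == UINT256_MAX or amount >= max_sane_tokens * 10**decimals

def classify(calldata_hex: str) -> str:
    """'not-approve', 'unlimited' or 'bounded' for a transaction about to be signed."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return "not-approve"
    return "unlimited" if is_unlimited(decoded[1]) else "bounded"

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0), which sets the allowance back to zero."""
    return "0x" + APPROVE_SELECTOR + _strip_0x(spender).rjust(64, "0") + "0" * 64

# Constructed sample inputs (placeholder spender, not a real dApp contract).
SPENDER = "0x0123456789abcdef0123456789abcdef01234567"
_SPENDER_WORD = _strip_0x(SPENDER).rjust(64, "0")
UNLIMITED_SAMPLE = "0x" + APPROVE_SELECTOR + _SPENDER_WORD + format(UINT256_MAX, "064x")
BOUNDED_SAMPLE = "0x" + APPROVE_SELECTOR + _SPENDER_WORD + format(100 * 10**18, "064x")

if __name__ == "__main__":
    for name, sample in (("unlimited", UNLIMITED_SAMPLE), ("bounded", BOUNDED_SAMPLE)):
        print(name, "->", classify(sample))
    print("revoke:", revoke_calldata(SPENDER))
```

Some tokens require the allowance to be set to zero before a new non-zero value, which is exactly what revoke_calldata() produces.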

UvToken Wallet

In October 2022, UvToken, a “digital asset management ecosystem” on the BNB chain, was exploited for more than 5,000 BNB, equivalent to $1.5 million at the time. The hack targeted a vulnerability in its UvToken Wallet's Eco Staking protocol.

According to an incident analysis by SlowMist, the attackers exploited a failure in the withdrawal function to properly verify the information users were entering. The hackers were able to enter a malicious contract address, tricking the system into thinking they were regular users making a withdrawal. But instead of making a normal withdrawal, the hackers were able to drain other users’ tokens directly to their own addresses.

Interestingly, the smart contract exploited in this attack was not open-source code. The only way that SlowMist was able to analyze the exploit was by “decompiling” the on-chain bytecode (i.e., working backward to infer what code was deployed). At Locksmith, we strongly advocate for open-source code, which allows for greater scrutiny by a community of developers and can inform users of the exact trust assumptions they make when interacting with a dApp.

The UvToken website also makes no mention of a smart contract security audit. Although it's impossible to be certain, audits are usually showcased prominently on a project's website to reassure potential users. A smart contract wallet that claims to be fully deployed without undergoing a security audit is another red flag.

Takeaways: Smart contract wallets will always be vulnerable to smart contract exploits. UvToken serves as a reminder of the importance of open-source code and the value of security audits from reputable firms like Halborn or Certik. While not bulletproof, security audits can provide an extra layer of assurance if you plan to do more than just experiment with a new platform.

The Electrum Wallet Hacks

Between 2018 and 2020, Electrum Wallet, a widely used desktop Bitcoin client, fell victim to a series of hacks that resulted in a loss of over $22 million in Bitcoin. Incredibly, the same attack pattern was used multiple times over the course of two years.

Electrum Wallets are designed to connect to the Bitcoin blockchain through a network of Electrum servers, known as ElectrumX. The open nature of Electrum's ecosystem allows anyone to set up an ElectrumX gateway server. This openness, while a strength in many respects, was exploited by attackers who set up malicious servers.

When users connected to these malicious servers, they were prompted to enter a one-time passcode (OTP) into an illegitimate (but convincing) user interface. Unbeknownst to the users, entering this OTP allowed the attackers to drain their wallets. This type of attack, known as phishing, is an extremely common tactic in crypto exploits.

Takeaways: The Electrum Wallet hacks underscore the need for constant vigilance against phishing attacks. Even seemingly legitimate pop-ups can be deceiving. Especially considering how transactions displayed in browser extensions are near impossible to decipher, it’s hard to blame anyone who falls for these types of attacks. Take Kevin Rose, founder of Proof, as a prime example. Kevin lost NFTs worth roughly $1.4 million in a phishing attack earlier this year.

Being in the space for years doesn’t prevent anyone from a momentary lapse of judgment. Always be cautious when asked to sign a transaction that you didn’t expect to pop up. If something seems off, just hit cancel!

The ongoing "OG" Hack

Since December 2022, an unsettling series of wallet hacks affecting “OG” crypto users has been causing concern in the crypto community. All the victims have been in crypto for over a year, with some having been active as early as 2014. So far, the hacks have resulted in the theft of over 5,000 ETH and an unknown amount in tokens and NFTs across more than 11 chains, totaling over $10 million.

The OG hack is particularly concerning because even assets held in “cold storage” have allegedly been drained. Despite the ongoing investigation, the source of the compromise remains unidentified. However, the near impossibility of brute-forcing the SHA-256 algorithm suggests that victims’ seed phrases may have been compromised. One popular theory is that the seed phrases were stored in a common password manager that was exploited, but at this point, no one knows for sure.

Takeaways: While the password manager theory is pure speculation, it's worth noting that password managers, such as LastPass, have been hacked (repeatedly) in the past. There has always been a trade-off between convenience and security in crypto, but our view is that typing your seed phrase into a password manager is a particularly risky strategy.

Locksmith’s Approach to Security

We understand the security challenges users face when it comes to storing their digital assets, which is why we created Locksmith Wallet.

With Locksmith Wallet, users can transfer ETH or any ERC-20 token from their EOA wallet into personal "vaults." This process effectively decouples assets from private keys, enabling the creation of wallets with specifically assigned permissions. This setup not only facilitates controlled interactions with dApps, thereby eliminating the risk of "approval" exploits, but also allows users to set limits on their hot wallet, significantly mitigating the impact of potential phishing attacks. The most significant advantage, however, is that once your assets are moved off your private keys and into Locksmith's vaults, losing your seed phrase is no big deal.

If you want to learn more about our open-source project, check out our whitepaper, sign up for early access, or join us on Discord.

Final Thoughts: Safely Navigating Crypto

It's clear that the crypto landscape, while ripe with opportunity, is also fraught with risk. Over the past few years, we've seen wallet hacks across various networks result in over $75 million in losses, with the $35 million Atomic Wallet hack last week as our latest example.

Each incident we've examined provides valuable lessons and insights, suggesting how to avoid similar pitfalls in our own security strategies. This includes the judicious management of approvals, verifying whether a project utilizes open-source code and has undergone security audits, and maintaining constant vigilance against phishing attacks. However, as the Kevin Rose incident and the ongoing 'OG' exploit illustrate, even those with extensive knowledge and experience are not immune. The unsettling reality is that hackers want your money, and being safe means actively participating in your own security.

While many projects in the crypto ecosystem are working to make this easier, we believe Locksmith is the simplest and safest way for anyone to upgrade their security. As we continue to explore this exciting frontier, let's do so with caution, vigilance, and a commitment to learning from the past.

Sources:

TechCrunch

Cointelegraph

SlowMist (Medium)

Bleeping Computer

Peter Kacherginsky (Medium)

ZDNET