How to Steal $500 Million in Cryptocurrency

Bloomberg, 2018-02-22
The Tokyo hack has raised questions around the world about the security of cryptocurrencies.


Chinese translation (Fortune China): Yan Kuangzheng

Early Friday morning in Tokyo (Jan. 26, 2018), hackers broke into a cryptocurrency exchange called Coincheck Inc. and made off with nearly $500 million in digital tokens. It’s one of the biggest heists in history: the exchange lost more than 500 million of the relatively obscure NEM coins (XEM). The hack has raised questions around the world about the security of cryptocurrencies.

1. How did the hackers pull it off?

Coincheck hasn’t disclosed how its system was breached beyond saying that it wasn’t an inside job. The company did own up to the security lapse that let the thief seize such a large sum: it kept customer assets in what’s known as a hot wallet, a wallet whose signing keys sit on a system connected to external networks. Exchanges generally try to keep the majority of customer deposits in cold wallets, whose keys are held offline and so cannot be used by an attacker who compromises the exchange’s servers; the hot wallet holds only what is needed for day-to-day withdrawals. Coincheck also lacked multi-signature security, a measure requiring several independent parties to sign off before funds can be moved. Together, those two gaps mean that control of a single online key was enough to move everything.
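The two controls the paragraph says Coincheck lacked, shown as working code. This is an added example written for this page, not Coincheck’s or NEM’s software: the transfer encoding, the 2-of-3 policy, the hot-wallet cap and all balances are constructed for illustration. It uses plain Ed25519 from the Go standard library (NEM’s signature scheme is also Ed25519-based, but its real transaction format is different). The point is that a single stolen key signs a transfer that the policy still rejects, while a hot-wallet cap bounds what any one compromised host can drain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transfer is the message every cosigner approves. The field layout is a
// constructed illustration, not NEM's real transaction format.
type Transfer struct {
	From   string
	To     string
	Amount uint64 // smallest unit of the coin
	Nonce  uint64 // stops a collected set of signatures from being replayed
}

// Bytes gives a canonical encoding so every cosigner signs identical bytes.
func (t Transfer) Bytes() []byte {
	var num [16]byte
	binary.BigEndian.PutUint64(num[:8], t.Amount)
	binary.BigEndian.PutUint64(num[8:], t.Nonce)
	b := append([]byte(t.From), 0)
	b = append(b, t.To...)
	b = append(b, 0)
	return append(b, num[:]...)
}

// MultisigPolicy is an M-of-N rule: at least Threshold distinct cosigners must
// have signed a transfer before the wallet broadcasts it.
type MultisigPolicy struct {
	Cosigners []ed25519.PublicKey
	Threshold int
}

// Cosignature pairs a cosigner index with that cosigner's signature.
type Cosignature struct {
	Signer int
	Sig    []byte
}

var ErrThreshold = errors.New("not enough valid cosignatures")

// Authorize counts valid signatures from distinct cosigners. A bad signature,
// an unknown signer index or a repeated signer never counts toward the threshold.
func (p MultisigPolicy) Authorize(t Transfer, sigs []Cosignature) error {
	msg := t.Bytes()
	seen := make(map[int]bool)
	valid := 0
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(p.Cosigners) || seen[s.Signer] {
			continue
		}
		if ed25519.Verify(p.Cosigners[s.Signer], msg, s.Sig) {
			seen[s.Signer] = true
			valid++
		}
	}
	if valid < p.Threshold {
		return fmt.Errorf("%w: %d of %d", ErrThreshold, valid, p.Threshold)
	}
	return nil
}

// HotWallet is the online wallet. Only Cap may stay online; anything above it
// is swept to cold storage, so a compromised host can drain at most Cap.
type HotWallet struct {
	Balance uint64
	Cap     uint64
}

// SweepToCold returns how much must move offline to respect the cap.
func (w HotWallet) SweepToCold() uint64 {
	if w.Balance > w.Cap {
		return w.Balance - w.Cap
	}
	return 0
}

// Scenario builds a 2-of-3 policy and reports whether one signature, two
// distinct signatures, and one signature submitted twice are accepted.
func Scenario() (oneSig, twoSigs, dupSig bool, err error) {
	pubs := make([]ed25519.PublicKey, 3)
	privs := make([]ed25519.PrivateKey, 3)
	for i := range pubs {
		if pubs[i], privs[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return
		}
	}
	policy := MultisigPolicy{Cosigners: pubs, Threshold: 2}
	t := Transfer{From: "hot-wallet", To: "customer-addr", Amount: 1_000_000, Nonce: 1}
	s0 := Cosignature{Signer: 0, Sig: ed25519.Sign(privs[0], t.Bytes())}
	s1 := Cosignature{Signer: 1, Sig: ed25519.Sign(privs[1], t.Bytes())}
	oneSig = policy.Authorize(t, []Cosignature{s0}) == nil  // one stolen key
	twoSigs = policy.Authorize(t, []Cosignature{s0, s1}) == nil // quorum reached
	dupSig = policy.Authorize(t, []Cosignature{s0, s0}) == nil  // replaying one key
	return
}

func main() {
	one, two, dup, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("1 sig accepted: %v, 2 sigs accepted: %v, duplicated sig accepted: %v\n", one, two, dup)
	w := HotWallet{Balance: 523_000_000, Cap: 5_000_000} // constructed balances
	fmt.Printf("sweep %d units to cold storage\n", w.SweepToCold())
}
```

The duplicate-signer check matters: a naive implementation that only counts signatures would let the holder of one key satisfy a 2-of-3 policy by submitting the same signature twice. The cap is only useful if the sweep to cold storage is actually performed and the cold keys never touch the online host.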

2. Where did the stolen coins go?

That’s one of the stranger aspects of these heists. Because transactions for Bitcoin, NEM and the like are recorded on a public ledger, anyone can see where the NEM coins are, even though they are stolen. Coincheck has identified and published 11 addresses where all 523 million of the stolen coins ended up; you can look them up yourself online. The trouble is that nobody knows who owns the accounts. Each one has been labeled with a tag that reads “coincheck stolen funds do not accept trades : owner of this account is hacker.” NEM developers also created a tracking tool that follows the coins as they move and lets exchanges automatically reject deposits that trace back to the stolen funds.
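What “following the coins” looks like in code. This is an added example for this page, not NEM’s tracking tool: the ledger, the addresses (H1 and H2 stand in for two of the 11 published theft addresses) and the amounts are all constructed. It marks the theft addresses as tainted, propagates the taint forward through every later transfer, and gives an exchange a deposit check that refuses funds within a chosen number of hops of the theft. It is an address-level model; it does not pro-rate taint by amount, and it cannot see through a swap on a service that breaks the on-chain link.

```go
package main

import "fmt"

// Tx is one on-chain transfer. All sample values are constructed, not real NEM data.
type Tx struct {
	From, To string
	Amount   uint64
}

// TaintTracker follows stolen funds forward through the public ledger: any
// address that receives from a tainted address becomes tainted itself, and
// its shortest hop distance from the original theft addresses is recorded.
type TaintTracker struct {
	hops map[string]int // address -> hops from a seed address (0 = seed)
}

// NewTaintTracker seeds the tracker with the published theft addresses.
func NewTaintTracker(seeds []string) *TaintTracker {
	t := &TaintTracker{hops: make(map[string]int)}
	for _, a := range seeds {
		t.hops[a] = 0
	}
	return t
}

// Observe processes transfers in ledger order, spreading taint to receivers.
func (t *TaintTracker) Observe(txs []Tx) {
	for _, tx := range txs {
		h, tainted := t.hops[tx.From]
		if !tainted {
			continue
		}
		if cur, ok := t.hops[tx.To]; !ok || h+1 < cur {
			t.hops[tx.To] = h + 1
		}
	}
}

// Hops returns the taint distance for addr and whether it is tainted at all.
func (t *TaintTracker) Hops(addr string) (int, bool) {
	h, ok := t.hops[addr]
	return h, ok
}

// AcceptDeposit is the exchange-side check: refuse a deposit whose sender is
// within maxHops of the theft addresses.
func (t *TaintTracker) AcceptDeposit(from string, maxHops int) (bool, string) {
	if h, ok := t.hops[from]; ok && h <= maxHops {
		return false, fmt.Sprintf("rejected: %s is %d hop(s) from flagged Coincheck funds", from, h)
	}
	return true, "accepted"
}

// SampleLedger is a constructed ledger: the theft, then a peel chain of small
// hops toward an exchange deposit address, plus one unrelated clean deposit.
func SampleLedger() []Tx {
	return []Tx{
		{"coincheck-hot", "H1", 300_000_000}, // the theft itself
		{"coincheck-hot", "H2", 223_000_000},
		{"H1", "X1", 50_000_000},  // first hop
		{"X1", "X2", 49_990_000},  // second hop
		{"X2", "exchange-deposit", 49_980_000},
		{"clean-user", "exchange-deposit", 1_000},
	}
}

// Demo runs the tracker over the sample ledger and returns what an exchange
// would see: hop distances and accept/reject decisions at two hop limits.
func Demo() (x2Hops, depositHops int, cleanTainted, acceptX2, acceptX2Shallow, acceptClean bool) {
	tr := NewTaintTracker([]string{"H1", "H2"})
	tr.Observe(SampleLedger())
	x2Hops, _ = tr.Hops("X2")
	depositHops, _ = tr.Hops("exchange-deposit")
	_, cleanTainted = tr.Hops("clean-user")
	acceptX2, _ = tr.AcceptDeposit("X2", 5)        // generous limit catches the peel chain
	acceptX2Shallow, _ = tr.AcceptDeposit("X2", 1) // too shallow a limit lets it through
	acceptClean, _ = tr.AcceptDeposit("clean-user", 5)
	return
}

func main() {
	x2, dep, clean, accX2, accX2Shallow, accClean := Demo()
	fmt.Printf("X2 hops=%d deposit-address hops=%d clean-user tainted=%v\n", x2, dep, clean)
	fmt.Printf("accept X2 (limit 5)=%v, accept X2 (limit 1)=%v, accept clean-user=%v\n",
		accX2, accX2Shallow, accClean)
}
```

The hop limit is the operational knob: set it too low and a thief splitting funds through a few intermediate addresses walks past the check; set it high and legitimate users who unknowingly received change from a tainted address get blocked too, which is why a real tool needs an appeal path rather than a silent reject.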

3. Does that mean the hackers won’t be able to cash in?

Not necessarily. The thief could try to shake off surveillance by going through a service like ShapeShift, which offers cryptocurrency-to-cryptocurrency trades without collecting personal data. Converting the NEM into a currency designed for anonymity, such as Monero, could conceivably launder them, because the public trail stops at the swap. ShapeShift, which publishes all trades made on its platform, said it has already blocked addresses associated with the hack. There are also “tumbler” services, designed to obscure both identities and transactions by mixing many users’ coins together, but the sheer amount stolen presents a challenge: moving that volume through any mixer or exchange without standing out is hard.

4. What else can NEM developers do to fix this?

They could change the NEM blockchain by rolling the record back to a point before the attack. This so-called hard fork would create two versions of NEM: one in which the theft never happened and another that still contains the stolen funds. A rollback only works if the large majority of node operators and exchanges adopt the new chain. Ethereum took this route in 2016 after the DAO theft, but NEM Foundation Vice President Jeff McDonald said a fork is not an option.

5. Aren’t these exchanges being hacked a lot?

Yes. There is a long history of thefts at cryptocurrency exchanges and wallets, dating back at least to the infamous collapse of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become ever juicier targets for hackers. North Korean leader Kim Jong Un has allegedly sent his hackers out to swipe digital coins as his country faces tightening trade sanctions. One researcher estimates that more than 14 percent of all Bitcoin and the rival currency Ether has been stolen.

6. So what can you do to keep crypto-assets safe?

The lesson for crypto-enthusiasts is that exchanges are prime targets for hackers and no place to store coins you are not actively trading. One alternative is a software wallet, which comes in online, mobile and desktop varieties; it is only as secure as the device it runs on. A hardware wallet is a dedicated device that keeps the private key on the device and signs transactions without ever exposing the key to the connected computer, which adds a layer of protection. For the extra paranoid, there is always the analog option: printing out the private keys for your coins on paper, generated on a machine that is never connected to the internet and stored somewhere physically secure.
