这家虚拟货币交易所1500万美元以太币被盗
据报道,由好莱坞巨星马特·达蒙代言的虚拟币交易所Crypto.com在近期遭到了黑客攻击。该交易所成立已经有五年,马特·达蒙也是它的投资人之一。
1月17日上午,Crypto.com在其官方推特(Twitter)上表示:“据少数用户报称,他们的账户上出现了可疑活动。”为确保用户资金安全,该公司已经暂停了提现功能,并就此事展开了调查。当时Crypto.com还称“所有资金都是安全的”。
到了1月18日上午,该公司又在官方推特上宣布,公司已经恢复了所有提现服务,并再次声明没有任何客户资产损失。该公司的首席执行官克里斯·马尔沙韦克也在其个人推特账号上表示,公司已经针对此事加强了安全设施,并将在“内部调查完成后公布完整的调查报告”。
在过去24小时里,我有一些想法:
-客户资金没有损失
-提现功能暂停了14个小时
-我们的团队已经针对此事加强了安全设施
我们将在内部调查结束后公布完整的调查报告。
——克里斯 | Crypto.com (@Kris_HK),2022年1月18日
虽然Crypto.com宣称所有客户资金都是安全的,但很多人都在推特上对此表示质疑。比如1月19日早上,中国的区块链安全公司派盾科技就爆料称,Crypto.com实际上丢失了1500万美元的资产。“它损失了至少4600枚以太币(Ether),其中半数已经通过Tornado Cash混币平台洗白。”Tornado Cash是一个去中心化的智能合约平台,允许用户在以太币区块链上进行匿名交易。派盾科技随后还对虚拟币网站Decrypt表示,Crypto.com真正的损失规模“绝对比这更严重”。
除此之外,还有多名用户称自己的账号资金被盗。比如推特用户@J8Arnold说:“所有资金并非都是安全的。我的账户出现了未经我授权的比特币(Bitcoin)提现。这些资金还没有返还给我……我一直采取的是密码+双重认证模式。”该用户尚未回应《财富》杂志的评论请求。
有行业分析师认为,派盾科技评估的损失很可能是准确的。虚拟币交易分析机构Crystal Blockchain的调查总监斯科特·庞德指出,区块链数据显示,有“一大笔”资产被从Crypto.com上提走,转入了一个钱包,然后又被转入了一个混币平台。这一系列活动“很明显表明发生了黑客攻击”,而且这是一次集中化的黑客攻击,只是目前无法证实是否涉及用户的资产。区块链分析公司Nansen Alpha的研究分析师邱永利(音译)表示,他交叉引用了来自区块链监测平台CertiK等来源的数据,发现有282个用户钱包在此事件中受到了影响。
除了在推特上的官方声明外,Crypto.com拒绝对此事做进一步评论。Crypto.com是在香港和新加坡注册的,2021年它豪掷10亿美元开展营销宣传,让它在全世界声名雀起,迅速成为全球首屈一指的虚拟币交易所。2021年11月,Crypto.com签署了一份7亿美元的合同,将美国职业篮球联赛(National Basketball Association)的洛杉矶湖人队(Los Angeles Lakers)和洛杉矶快船队(Los Angeles Clippers)的主场——斯台普斯中心(Staples Center)正式更名为Crypto.com球场。它还请马特·达蒙拍了一系列广告,与终极格斗锦标赛(Ultimate Fighting Championship)、 F1方程式锦标赛(Formula 1)和多家曲棍球、足球、橄榄球俱乐部签署了一系列合作协议,总计耗资约5亿美元。
不过Crypto.com仍然是盈利的,而且它的收入在过去12个月里飙升了2000%。2021年12月,该公司的首席执行官克里斯·马尔沙韦克在接受《财富》杂志采访时表示,该公司2021年4至6月的当季收入达到了5亿美元。自1月17日以来,Cryto.com自家发行的CRO币已经下跌了大约3.5%。
此次事件也表明,网络黑客已经将更多目光瞄准了财大气粗的虚拟币企业,尤其是像Crypto.com这样的集中化交易所和去中心化金融服务企业。据区块链分析公司Chainalysis今年1月的一份报告显示,2021年,网络黑客通过诈骗和窃取等手段,累计盗取了价值140亿美元的虚拟币资产,创下历史新高,较2020年增长了79%。
就在2021年12月,一伙“虚拟币大盗”成功地从注册在开曼群岛的虚拟币交易所BitMart盗走了2亿美元的用户资产。这伙犯罪分子先是盗取了两个“热钱包”的私钥(所谓“热钱包”是指基于互联网的一种虚拟币的数字化存储方式),然后转走了钱包里的数字资产。2021年夏天,网络黑客更是从去中心化金融服务平台Poly Network那里一次盗走6亿美元资产,创下币圈历史之最——但随即又返还了这笔数字资产。2021年10月,在纳斯达克(Nasdaq)上市的虚拟币交易所Coinbase对6000余名客户表示,他们的账户被侵入了,黑客利用了该平台SMS账号恢复进程的一个漏洞,获得了一个双重认证标记,从而进入了这些账号。
区块链分析公司Elliptic的联合创始人、首席科学家汤姆·罗宾逊指出,通常说来,黑客之所以能够黑入虚拟币交易所,是因为他“能够访问交易所的内部系并且提取资产。账户接管也是可能发生的,比如说,黑客可以通过网络钓鱼获取用户的登陆信息,从而黑入交易所平台的用户账号。”邱永利也表示,像BitMart和Crypto.com这种虚拟币交易所会把用户资产储存在“热钱包”里,这样虽然方便了客户,但也更容易被盗。
庞德认为,由于其工作性质,虚拟币交易所必然会继续成为黑客袭击的目标。不过罗宾逊指出,近期虚拟币被盗事件高发的主要原因,是黑客利用了去中心化金融的DeFi协议。去中心化金融服务不需要交易所,而是建立在区块链平台上的,这就使黑客能够利用网络的设计缺陷或编码错误实施袭击。
据美国消费者新闻与商业频道(CNBC)上周报道,在遭到袭击后,BitMart承诺将自掏腰包赔偿用户的损失。然而五个星期过去了,一些用户仍然没有收到交易所的补偿款,也未收到关于此事的进一步通知。Coinbase还承诺将出资补偿6000名受影响的用户。
虚拟币服务提供商Eqonex的机构销售经理贾斯汀·丹尼森认为,Crypto.com很可能也会选择自掏腰包补偿用户。“所有投资者的损失可能都会被全额补偿,因为公司负担得起。”(财富中文网)
译者:朴成奎
据报道,由好莱坞巨星马特·达蒙代言的虚拟币交易所Crypto.com在近期遭到了黑客攻击。该交易所成立已经有五年,马特·达蒙也是它的投资人之一。
1月17日上午,Crypto.com在其官方推特(Twitter)上表示:“据少数用户报称,他们的账户上出现了可疑活动。”为确保用户资金安全,该公司已经暂停了提现功能,并就此事展开了调查。当时Crypto.com还称“所有资金都是安全的”。
到了1月18日上午,该公司又在官方推特上宣布,公司已经恢复了所有提现服务,并再次声明没有任何客户资产损失。该公司的首席执行官克里斯·马尔沙韦克也在其个人推特账号上表示,公司已经针对此事加强了安全设施,并将在“内部调查完成后公布完整的调查报告”。
在过去24小时里,我有一些想法:
-客户资金没有损失
-提现功能暂停了14个小时
-我们的团队已经针对此事加强了安全设施
我们将在内部调查结束后公布完整的调查报告。
——克里斯 | Crypto.com (@Kris_HK),2022年1月18日
虽然Crypto.com宣称所有客户资金都是安全的,但很多人都在推特上对此表示质疑。比如1月19日早上,中国的区块链安全公司派盾科技就爆料称,Crypto.com实际上丢失了1500万美元的资产。“它损失了至少4600枚以太币(Ether),其中半数已经通过Tornado Cash混币平台洗白。”Tornado Cash是一个去中心化的智能合约平台,允许用户在以太币区块链上进行匿名交易。派盾科技随后还对虚拟币网站Decrypt表示,Crypto.com真正的损失规模“绝对比这更严重”。
除此之外,还有多名用户称自己的账号资金被盗。比如推特用户@J8Arnold说:“所有资金并非都是安全的。我的账户出现了未经我授权的比特币(Bitcoin)提现。这些资金还没有返还给我……我一直采取的是密码+双重认证模式。”该用户尚未回应《财富》杂志的评论请求。
有行业分析师认为,派盾科技评估的损失很可能是准确的。虚拟币交易分析机构Crystal Blockchain的调查总监斯科特·庞德指出,区块链数据显示,有“一大笔”资产被从Crypto.com上提走,转入了一个钱包,然后又被转入了一个混币平台。这一系列活动“很明显表明发生了黑客攻击”,而且这是一次集中化的黑客攻击,只是目前无法证实是否涉及用户的资产。区块链分析公司Nansen Alpha的研究分析师邱永利(音译)表示,他交叉引用了来自区块链监测平台CertiK等来源的数据,发现有282个用户钱包在此事件中受到了影响。
除了在推特上的官方声明外,Crypto.com拒绝对此事做进一步评论。Crypto.com是在香港和新加坡注册的,2021年它豪掷10亿美元开展营销宣传,让它在全世界声名雀起,迅速成为全球首屈一指的虚拟币交易所。2021年11月,Crypto.com签署了一份7亿美元的合同,将美国职业篮球联赛(National Basketball Association)的洛杉矶湖人队(Los Angeles Lakers)和洛杉矶快船队(Los Angeles Clippers)的主场——斯台普斯中心(Staples Center)正式更名为Crypto.com球场。它还请马特·达蒙拍了一系列广告,与终极格斗锦标赛(Ultimate Fighting Championship)、 F1方程式锦标赛(Formula 1)和多家曲棍球、足球、橄榄球俱乐部签署了一系列合作协议,总计耗资约5亿美元。
不过Crypto.com仍然是盈利的,而且它的收入在过去12个月里飙升了2000%。2021年12月,该公司的首席执行官克里斯·马尔沙韦克在接受《财富》杂志采访时表示,该公司2021年4至6月的当季收入达到了5亿美元。自1月17日以来,Cryto.com自家发行的CRO币已经下跌了大约3.5%。
此次事件也表明,网络黑客已经将更多目光瞄准了财大气粗的虚拟币企业,尤其是像Crypto.com这样的集中化交易所和去中心化金融服务企业。据区块链分析公司Chainalysis今年1月的一份报告显示,2021年,网络黑客通过诈骗和窃取等手段,累计盗取了价值140亿美元的虚拟币资产,创下历史新高,较2020年增长了79%。
就在2021年12月,一伙“虚拟币大盗”成功地从注册在开曼群岛的虚拟币交易所BitMart盗走了2亿美元的用户资产。这伙犯罪分子先是盗取了两个“热钱包”的私钥(所谓“热钱包”是指基于互联网的一种虚拟币的数字化存储方式),然后转走了钱包里的数字资产。2021年夏天,网络黑客更是从去中心化金融服务平台Poly Network那里一次盗走6亿美元资产,创下币圈历史之最——但随即又返还了这笔数字资产。2021年10月,在纳斯达克(Nasdaq)上市的虚拟币交易所Coinbase对6000余名客户表示,他们的账户被侵入了,黑客利用了该平台SMS账号恢复进程的一个漏洞,获得了一个双重认证标记,从而进入了这些账号。
区块链分析公司Elliptic的联合创始人、首席科学家汤姆·罗宾逊指出,通常说来,黑客之所以能够黑入虚拟币交易所,是因为他“能够访问交易所的内部系并且提取资产。账户接管也是可能发生的,比如说,黑客可以通过网络钓鱼获取用户的登陆信息,从而黑入交易所平台的用户账号。”邱永利也表示,像BitMart和Crypto.com这种虚拟币交易所会把用户资产储存在“热钱包”里,这样虽然方便了客户,但也更容易被盗。
庞德认为,由于其工作性质,虚拟币交易所必然会继续成为黑客袭击的目标。不过罗宾逊指出,近期虚拟币被盗事件高发的主要原因,是黑客利用了去中心化金融的DeFi协议。去中心化金融服务不需要交易所,而是建立在区块链平台上的,这就使黑客能够利用网络的设计缺陷或编码错误实施袭击。
据美国消费者新闻与商业频道(CNBC)上周报道,在遭到袭击后,BitMart承诺将自掏腰包赔偿用户的损失。然而五个星期过去了,一些用户仍然没有收到交易所的补偿款,也未收到关于此事的进一步通知。Coinbase还承诺将出资补偿6000名受影响的用户。
虚拟币服务提供商Eqonex的机构销售经理贾斯汀·丹尼森认为,Crypto.com很可能也会选择自掏腰包补偿用户。“所有投资者的损失可能都会被全额补偿,因为公司负担得起。”(财富中文网)
译者:朴成奎
Crypto.com, the five-year-old cryptocurrency exchange which boasts Hollywood superstar Matt Damon as the face of the company (and as an investor), has allegedly been hacked.
On January 17 morning, Crypto.com announced via Twitter: "We have a small number of users reporting suspicious activity on their accounts." In response, the company paused withdrawals, to ensure the safety of user funds and launched an investigation, it said. Crypto.com said at the time that "all funds are safe."
On January 18 morning, the company tweeted that it had restored all withdrawal services," stating again that no customer funds were lost. Crypto.com CEO Kris Marszalek tweeted via his personal account that the firm has strengthened its security infrastructure in response to the incident and will "share a full post mortem after the internal investigation is completed."
Some thoughts from me on the last 24 hours:
- no customer funds were lost
- the downtime of withdrawal infra was ~14 hours
- our team has hardened the infrastructure in response to the incident
We will share a full post mortem after the internal investigation is completed.
— Kris | Crypto.com (@Kris_HK) January 18, 2022
Yet a series of subsequent tweets cast doubt on Crypto.com's claim that all user money remained safe. Peckshield, a China-based blockchain security firm, wrote on January 19 morning that Crypto.com actually lost $15 million of funds, "with at least 4.6K ETHs [Ether] and half of them are currently being washed via [Tornado Cash]," a decentralized smart contract platform that allows users to conduct anonymous transactions on the Ethereum blockchain. Peckshield subsequently told Decrypt that the true scale of the damage is "definitely worse."
Meanwhile, several users like @J8Arnold said that he had funds stolen from his account. "All funds are not safe. I had BTC [Bitcoin] withdrawn from my account that I did not authorize. These funds have yet to be returned to me…I have always had passcode & [2-factor authentication] enabled," the user wrote. The user did not return Fortune's request for comment.
Industry analysts say Peckshield's assessment is likely accurate. The blockchain data shows that a "significant sum" was taken from Crypto.com and moved into one wallet, then rerouted to a mixer, says Scott Pounder, head of investigations at Crystal Blockchain, a crypto transaction analysis and compliance firm. This chain of events is "a fairly clear sign that a hack [took] place" and that the attack was centralized, though it can't be verified whether user funds were involved or not, says Pounder. Yong Li Khoo, a research analyst at blockchain analytics firm Nansen Alpha said that he cross-referenced the data from other sources like CertiK, a platform that monitors blockchain protocols, and found that 282 user wallets were affected in the alleged breach.
Crypto.com declined to comment beyond its official statements released on Twitter. The Hong Kong and Singapore-based platform became one of the world's top cryptocurrency exchanges last year after a $1 billion marketing offensive helped it gain recognition worldwide. Last November, Crypto.com inked a $700 million deal to emblazon its name on Los Angeles's iconic Staples Center—home of the National Basketball Association's (NBA) Los Angeles Lakers and Clippers. Before that, the company spent a collective $500 million on a series of commercials led by actor Matt Damon and a bevy of endorsement deals with the Ultimate Fighting Championship (UFC); motor racing championship Formula 1; and elite hockey, football and soccer clubs.
Crypto.com is profitable and its revenue has surged 2,000% in the last 12 months. In the April to June quarter this year, it recorded $500 million in revenue, Crypto.com CEO Kris Marszalek told Fortune in a conversation in December. The price of CRO (Crypto.com coin) has dropped roughly 3.5% since January 17.
The alleged Crypto.com hack is yet another indication of how digital scammers are increasingly targeting lucrative crypto businesses—particularly centralized exchanges like Crypto.com and decentralized finance, or DeFi services. Last year, cryptocurrency swindlers stole a record $14 billion—up 79% from 2020—via scams and theft, according to a January report from data and blockchain analytics firm Chainalysis.
Just in December 2021, crypto thieves made off with $200 million of customer funds from Cayman Islands-headquartered exchange BitMart. Scammers stole a private key to gain access to two 'hot wallets'—a type of Internet-enabled digital storage where cryptocurrencies are stored—and took the digital assets stored in the wallets. Last summer, hackers stole $600 million from DeFi platform Poly Network—the biggest crypto heist in history—but subsequently returned the digital assets. In October 2021, Nasdaq-listed Coinbase told 6,000 customers that their accounts were compromised; hackers exploited a flaw in the platform's SMS account recovery process to obtain a two-factor authentication token and access the accounts.
Thefts from cryptocurrency exchanges typically occur because a hacker is "able to access the exchange's internal systems, and withdraw funds. Account takeovers can also take place, where a hacker is able to access the accounts belonging to individuals users of an exchange... for example a user's login details might be obtained through a phishing attack," says Tom Robinson, co-founder and chief scientist at Elliptic, a blockchain analysis firm. Crypto exchanges like BitMart and Crypto.com, which store user assets in hot wallets, are more convenient for the customer, but are also more susceptible to theft, says Khoo.
Cryptocurrency exchanges will continue to be targeted due to the nature of their work, says Pounder. But the major explosion in crypto thefts took place due to hackers exploiting DeFi protocols, says Robinson. DeFi services remove the need for exchanges and are built on top of a blockchain platform, which allows hackers to take advantage of a design flaw or coding error in the network.
After its platform breach, BitMart promised to reimburse users via the company's own cash. Five weeks later, however, some users still haven't received any updates or money from the exchange, according to a CNBC report last week. Coinbase also vowed to pay back its 6,000 affected users using its own funds.
Justin d'Anethan, institutional sales manager at crypto services provider Eqonex believes that Crypto.com will likely opt to pay users back with its own capital: "All the investors will probably be made whole [since] the company can afford it."
