DDoS Attacks on OKEx and Bitfinex Were Sophisticated, Possibly Related
2020 has already been remarkably eventful for the crypto industry, and security breaches are no exception.
As the cryptocurrency industry continues to mature, security remains a major challenge. Over the last few weeks, a number of cryptocurrency exchanges — namely, OKEx, Bitfinex, Digitex and Coinhako — have experienced security breaches.
Although the attackers apparently did not manage to steal any funds, one of the incidents resulted in a leak of Know Your Customer data. All of the breaches have reportedly been dealt with as of press time, and all of the affected exchanges are back online.
OKEx and Bitfinex targeted in a series of DDoS attacks
Two different major crypto exchanges were reportedly hit with distributed denial-of-service attacks last week. A DDoS attack is a common type of cyberattack that overloads a system with numerous requests from multiple virus-infected servers.
The OKEx crypto exchange platform was the first one hit, as it started to experience problems on Feb. 27 at approximately 11:30 a.m. EST. Notably, as the exchange’s servers were dealing with the increased output, CEO Jay Hao took to his personal Weibo page to blame unspecified competitors for the incident.
The raid lasted two days, as an OKEx spokesperson confirmed in an email to Cointelegraph. Initially, the attack routed 200 gigabytes per second of traffic, and then increased it to 400 GB per second during the second wave.
Such traffic volume makes it safe to deem this a relatively major attack. Telegram CEO Pavel Durov has previously encountered such attacks and told TechCrunch that his messenger was often hit by DDoS attacks of a similar scale (200–400 GB per second) during protests in Hong Kong — which he labeled as “state actor-sized” disruption attempts. Lennix Lai, financial markets director at OKEx, called the attack “very sophisticated.”
Despite being high-grade, the DDoS attack “was properly handled within a short period of time and no client is impacted,” an OKEx representative told Cointelegraph. The second wave of the attack occurred shortly after “temporary system maintenance” on OKEx’s servers was completed, which temporarily disabled options and futures trading. The spokesperson claimed that the two events were completely unrelated.
Related: Crypto Exchange Hacks in Review
On Feb. 28, while OKEx was experiencing the second wave of attacks, fellow cryptocurrency exchange Bitfinex also started to experience problems. Per the Bitfinex status page, the attack lasted one hour, severely hindering the exchange’s activity during that period, with throughput falling close to zero. As a result, all trading activity was suspended during that time frame.
Nonetheless, Bitfinex’s chief technology officer, Paolo Ardoino, told Cointelegraph that it was the company’s decision to go offline, as it allegedly allowed Bitfinex to deal with the attack in a timely fashion:
“The matching engine, websockets and core services were not affected by the DDoS attack. However, it was of paramount importance to speedily react in order to avoid any damage escalation. The decision to enter in maintenance was not due to the inability of the platform to resist, rather, it was a decision taken in order to quickly bring in the countermeasures and patch for all similar attacks.”
Ardoino went on to add that the attack was notably sophisticated, as the attackers attempted to exploit several platform features to increase the load on the infrastructure, adding: “The huge number of different IP addresses used and the sophisticated crafting of the requests toward our API v1 exploited an internal inefficiency in one of our non-core process queues.”
Soon after the attack was dealt with, Ardoino tweeted that he was unaware of the OKEx incident but was “interested to understand similarities.” He added:
“We've seen a level of sophistication that means a deep preparation from the attacker. Good news: This family of attacks won't work again against Bitfinex.”
A Bitfinex representative told Cointelegraph that the company had no further comment, declining to discuss the similarities between the two attacks. A representative for OKEx informed Cointelegraph that they have not been in touch with other exchanges in regard to the attacks.
In a separate tweet, OKEx’s Hao offered a bounty “to any team who got paid to do this” and to Bitfinex in case it is willing to cooperate and “expose the malicious buyer of the DDoS attack.”
Cryptocurrency exchanges have been hit by DDoS attacks in the past. For instance, Bitfinex experienced a DDoS attack in June 2017, when the exchange was forced to suspend transactions for a short period of time.
Coinhako was also hit by a “sophisticated attack” and claims it is not related to other incidents
On Feb. 21, the Tim Draper-backed Singaporean exchange Coinhako was also affected by a “sophisticated attack,” although seemingly of a different nature. During the said incident, “unauthorized cryptocurrency transactions were found from Coinhako accounts and sent out.”
The trading platform decided to deactivate the “send” option as a preventive measure. Eight days later, on Feb. 29, Coinhako announced it was back to “full operational capacity, with tightened security,” and that the “send” function had been made available for all cryptocurrencies available on the platform.
A Coinhako representative has provided a minimal comment to Cointelegraph, saying that the incident “was not related to the recent DDoS attacks on other exchanges.”
Digitex suffered a KYC leak supposedly orchestrated by an ex-employee
Earlier in February, a pseudonymous hacker began leaking KYC data of users who were registered on cryptocurrency derivatives exchange Digitex via a Telegram channel. The stolen data reportedly included scans of passports and drivers’ licenses, as well as other sensitive documentation pertaining to more than 8,000 Digitex customers — although, so far, the hacker has leaked only seven IDs and blurred all photos “out of respect for the users.” The attacker also stated that they “will reach out to all three users in the near future and compensate them accordingly” after leaking the first three IDs.
The leak followed a Feb. 10 announcement from Digitex stating that its Facebook page had been compromised during “an internal issue orchestrated by a scheming and highly manipulative ex-employee whose professional interests are now in conflict with Digitex’s success.” In a Feb. 14 interview on CNBC Africa’s Crypto Trader, Digitex CEO Adam Todd clarified that “no sensitive data” had been taken, only email addresses.
In an interview with Cointelegraph, a hacker under the pseudonym Zincer clarified that the leaked KYC data belonged to the buyers of DGTX, Digitex’s in-house token. When asked about the specific reason for leaking personal information, the hacker replied:
“To get Digitex to admit their incompetence and sort out their blatant lax security practices. [...] This is a startup that is going to launch soon I believe. So, they should sort out their security before going live.”
Zincer denied ever being employed by Digitex or doing any freelance work for the company. The attacker also said that the exchange has been ignoring any attempts to communicate:
“For what it is worth, I have received no messages from them or anyone in affiliation with them.”
On March 2, soon after the interview, Zincer posted on Digileaker that Digitex had apparently addressed the security weakness:
“Finally they seem to have closed off access, it only took a few days. You should be safe doing KYC now.”
Meanwhile, Digitex published another announcement, stating that it initially denied that sensitive information had been stolen because “at that point, we were only aware of the email data that had been taken.” According to the trading platform, there was a second breach, during which sensitive data was indeed compromised. The statement also stipulated that the attack was performed by an ex-employee:
“We have not yet been able to verify the amount of user data taken and if it was, in fact, as many as 8,000 Digitex users. This data is kept in a different system. We do not hold it at Digitex, it is held with a third-party provider to which Adam and one other person had access.”
According to the statement, Digitex is also “investigating the possibility of removing the need for KYC on our exchange entirely.” A representative for Digitex refrained from commenting on the incident and referred to the aforementioned statement.
When speaking with Cointelegraph, Zincer said that other exchanges aren’t currently being targeted, although they have “in the past.” When asked about the DDoS attacks on OKEx and Bitfinex, the hacker said that “the timing would suggest it was related.” Zincer also added:
“I find it unlikely two separate people or organizations would just happen to have their attacks work at the same time.”
Security remains a major concern in the industry
Although apparently no funds were stolen during these attacks, 2020 has already seen a number of crypto-related heists that have resulted in money loss. Among the most high-profile was an attack involving Bitcoin Cash (BCH) and BTC, during which a major investor reportedly lost as much as $30 million worth of cryptocurrency in a wallet hack. According to a recent report issued by Big Four accounting firm KPMG, more than $9.8 billion worth of crypto has been stolen since 2017.