Cybercriminals Hacking the Unhackable: Can Blockchain be Truly Hacked?
Blockchain-adjacent processes can be hacked, but there are many ways to protect your assets and avoid such activity.
There is no doubt that Blockchain has been the talk of the world for quite sometime now, and it has truly become part of our financial lives. However, as investors put in huge amounts of money, and with the several network hackings that have been happening, one may ask this question: can the blockchain be hacked?
Experts say that the blockchain itself cannot be hacked, but blockchain-adjacent processes certainly can in a number of ways.
Blockchain transactions can be manipulated, just like blockchain assets can be stolen. Nonetheless, that’s not a commentary on the blockchain itself; it is a reality of the environment in which people trade and own blockchain assets.
Protocol or network hacking
Lucky for us all, big networks and protocols are extremely hard to hack. Let us take the Bitcoin network for instance:
Bitcoin is considered hack-proof because the Bitcoin blockchain is constantly reviewed by the entire network. Thus, attacks on the blockchain itself are very unlikely. To add a new block containing a collection of transactions, each miner who updates Bitcoin’s ledger is continuously solving complex math problems.
To manipulate a cryptocurrency network is extremely difficult. Erasing or overwriting a block of already spent Bitcoin, known as “double spending”, is rendered impossible by the decentralized, chronological and computing, power-intensive characteristics of the Bitcoin blockchain.
Nonetheless, small protocols and networks can be hacked, depending on the code and number of nodes they have. Sometimes, there may be security glitches or errors during the creation of the blockchain.
When this occurs, hackers looking for a way in can identify the vulnerabilities and attempt an attack, which has transpired with smart contracts that use a blockchain network to operate. Common functions of smart contracts include assisting with the financial aspect of contract dealings and automating tasks.
Legal professionals may encounter smart contracts in their practice, whether using them internally or through exposure from cases and client issues. If a security flaw exists on the blockchain network where a smart contract operates, hackers may be able to steal money from users without being detected because the fraudulent activity is not reflected. Unfortunately, since blockchain transactions cannot be altered, the only way to get back stolen money is to make a fork that all users recognize as the authoritative blockchain.
Conventional hacking tactics
A popular tactic is to lure an unsuspecting victim to a cloned website that looks almost identical to the original one, according to techopedia.
They may use a Google or Facebook ad that ranks for the same name as the original service, or a slightly modified URL that points to a “trapped” version of the site. Once there, they may fool you into uploading your private info through a page that may look like one of the many perfectly legit payment gateways or an otherwise indistinguishable trading site.
Another scary trick is to switch a legit URL you are copy-pasting to make a payment with a fake one through malicious software such as Cryptoshuffler. Other tricks, including hacked Slack Bots and fake social media accounts, are also used to convince you to upload your private key to an unsafe URL.
Hackers have also used some methods to steal additional money from people after they complete their mission, such as demanding a ransom to delete the trader’s personal information.
There are also some people who are less tech-savvy, so hackers use old technologies such as phishing emails. Even the most paranoid of us can be hacked when cybercriminals find a way to obtain our credentials through mobile SMS two-factor authentication (2FA) by duping mobile operators.
Centralized platforms- crypto exchange hackings
As you might know or have heard, many of the hacks that have been taking place are related to crypto exchanges.
In fact, the amount of money in cryptocurrencies stolen from exchanges is incredible, amounting to a grand total of $760 million just in the first half of 2018. In 2020, the largest decentralized finance hack cost KuCoin $280 million when in September, the CEO Johnny Lyu confirmed a leak of several private keys.
The use of an exchange to trade cryptocurrency or blockchain assets in many cases is mandatory, and unfortunately, hackers can get access to digital assets through an exchange network or platform.
In other words, Bitcoin, for example, is naturally decentralized, so there’s no central system to hack, but the exchange puts the asset into a position that can be exposed to hackers.
Another example would be the Solana ecosystem, which suffered a multi-million dollar attack two weeks ago, as horrified users came to the realization that their wallets are now empty from all their funds. In fact, the hacker successfully drained around $6 million from major internet-connected “hot” wallets, including Phantom, Slope and TrustWallet.
But there are all sorts of headlines where some hackers were able to detect a defect in some exchanges, steal people’s assets, and run away. For that matter, there are also “rug pulls,” where people can get people invested in an asset and then take off with the money.
The 51% Attack
Yes, attackers cannot hack the blockchain, however, there is one crucial exception that may occur: the 51% attack.
A 51% attack, also known as a majority attack, occurs when a single person or group of people gain control of over 50% of a blockchain’s hashing power, which is usually achieved by creating or renting mining hash power from a third party.
Successful attackers gain the ability to block new transactions from being confirmed as well as change the ordering of new transactions. It also allows these hackers to essentially rewrite parts of the blockchain and reverse their own transactions, leading to an issue known as double spending.
This problem was traditionally an issue faced mostly by electronic payments where a network was incapable of proving that two or more people didn’t spend the same digital asset.
A 51% attack, however, is theoretically limited in the amount of disruption it can cause. While the attacker could trigger the double-spending problem, they cannot reverse others’ transactions on the network or prevent users from broadcasting their transactions to the network. Additionally, a 51% attack is incapable of creating new assets, stealing assets from unrelated parties or altering the functionality of block rewards.
As a blockchain network grows and acquires news mining nodes it makes the chances of a 51% attack taking place less likely. That is because the cost of performing a 51% attack rises in tandem with the network hashrate (the amount of computational power committed to the network).
Essentially, the bigger the network and the more nodes there are participating in it, the more hash power is needed to control over 50% of it. However, even if an attacker were to reach above 50% of the hashrate, the size of a blockchain could still provide security, for blocks are linked together in the chain; a block can be altered only if all confirmed blocks are eliminated.
While possible, doing so would be incredibly costly for the attacker for two reasons:
1- The attacker would have to expend great amounts of computing power to achieve a 51% hashrate, particularly on larger more established networks
2- Because the miner is not acting in a way that participates appropriately, they would no longer be receiving the blockchain rewards that come with mining.
Thus, the more significant number of transactions there are, the more blocks are on the chain and the more difficult it is to alter a block.
While the threat of a 51% attack still exists, but is extremely unlikely on big blockchains like Bitcoin, the financial costs would far outweigh the benefits. Even if an attacker were to expend all of its resources to attack a blockchain, the constant addition of blocks to the chain would give only a relatively small window to a number of transactions for the attacker to alter.
Hacking Computers to Steal Mining Power
Hacking computers to mine cryptocurrency has been all about rage, for hackers are using a variety of approaches to hijack computers.
Kaspersky Lab once reported finding cryptocurrency mining tools on 1.65 million of its clients’ computers.
The researchers also detected several large botnets set up to profit from cryptocurrency mining, making a “conservative” estimate that such operations could generate up to $30,000 a month, according to MIT Technology Review.
Beyond that, they’ve seen “growing numbers” of attempts to install mining tools on servers owned by organizations. According to IBM’s X-Force security team, cryptocurrency mining attacks aimed at enterprise networks have undeniably increased in the past few years.
Researchers say that hackers are especially attracted to relatively new alternatives to Bitcoin. That’s probably in part because these currencies have cryptographic features that make transactions untraceable by law enforcement. It is also because hackers can generate more profits mining these newer currencies than they can with Bitcoin. Bitcoin-mining malware was extremely popular a few years back, but the currency’s popularity has, by design, made it more difficult to mine, warding off this kind of attack, whis is why hackers are now embracing newer, easier-to-mine currencies.
Malware containing cryptocurrency mining tools can be relatively straightforward to detect using antivirus software, says Justin Fier, cyber intelligence lead for the security firm Darktrace.
However, illegal mining operations set up by insiders, which can be much more difficult to detect, are also on the rise, he says, often carried out by employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint, based on MIT Technology Review.
In one instance, Fier’s team, which relies on machine learning to detect suspicious activity inside networks, noticed an employee at a major telecom company using a company computer in an unauthorized way to communicate with his home machine. Further investigation revealed that he had planned to turn his company’s server room into a mining pool.
How to protect one’s assets
No one is really safe, but there are a few ways one you apply to avoid such hackings, according to techopedia:
- Although we previously stated that 2FA is not 100% safe anymore, it is still better than nothing. Make sure not to rely on 2FA via SMS though, as it is less secure.
- Never trust Slack Bots and report all those who look suspicious. A good antivirus may be used to protect the Slack channel as well.
- Never download any crypto add-on, and do not perform any crypto transaction while on public Wi-Fi, and, if possible, use a different PC or smartphone for crypto trading.
- Use a cold wallet to protect your digital address. Cold storage is not connected to the internet, reducing the exposure of your holdings. Your digital finances can be safely kept in custody inside external hard drives or memory cards, which can be accessed later with the help of SD card readers.
- Similar to traditional firewalls, rules and limits can be set to allow or deny transactions, such as the number of tokens per transaction or the time between each transaction.
This new technology may be a step towards a more efficient, streamlined, and automated form of protection against blockchain threats; it may help get rid of at least a portion of the general sense of insecurity commonly associated with this new technology.
- The best practice for users is to have multiple addresses, even hundreds. Using only a select number of addresses or holding too many funds in one address are some of the biggest mistakes bitcoin users can make. The other reason for having so many addresses is privacy.
That’s why it’s becoming an industry standard among bitcoin service providers. Most bitcoin software now supports this under the hood, without the user having to think too much about it.
“In practice, as you’re walking around the city and you buy a coffee here and a donut there, every single purchase means you need to create a brand new account”, explained Perklin.
“This is done by design to protect your privacy because if I learned that you had address 1ABCDE, maybe because I owed you $5 so I’ve given you $5 to that address, at any point in the future, I can see how many funds you have in that account. For privacy, it’s not ideal to stick with one bitcoin address because once someone learns that that address is yours, from that point on, they can track every purchase you make”, he added.
To sum up, hacking is much more common now, especially when it comes to the blockchain and crypto space, as there are several tactics to do that. Nevertheless, there are a few tricks one can do once investing in crypto.
Also, when hackings of that sort occur, it is important to keep in mind that the blockchain itself as a model is very resistant to almost all kinds of hacking, but it is the processes and systems connected to a blockchain and an asset that have vulnerabilities, and are usually targeted. Bottom line: keep an eye out, no one is really safe!