It’s not your usual bank robbery. On October 20, crypto exchange Trade.io’s security team was alerted that one million TIO tokens ($230,000) had been stolen from an account holding 50 million TIO, worth $11 million at the time. Now, before you say, “ha! Yet another crypto hack” and point to statistics like the one about nearly $1 billion being stolen from crypto wallets this year, this one is different.
You see, this particular wallet was stored on a password-protected device (cold storage), which was kept in a safety deposit box, which itself sat in a bank with all its safety measures. Typically, crypto thefts are the result of weak security measures. This one took some serious planning. Whodunnit? Time to put on a deerstalker and start looking for mud prints.
There are five main ways the hack could have happened.
The hardware wallet was compromised
According to a statement, the hardware wallet was purchased directly from the manufacturer, reducing the chances of a man-in-the-middle attack where a hacker compromises the device by intercepting data as it’s transmitted. Trade.io also confirms the device hardware itself was not physically compromised, which means this is unlikely. Seeing as hardware wallets don’t have internet access, the hacker would have had to break into the bank in order to use it. A dead end.
“Investigations are ongoing, but we have so far concluded that there was no technical hack on the third party cold storage unit, and trade.io systems remain secure and unbreached,” says Jim Preissler, CEO at Trade.io.
The hacker broke into the bank
This is a bit old-school for a modern-day crypto hack but is the most logical explanation for how the hacker got his hands on the loot. However, there are no traces of a masked assailant holding up a bank or a giant hole dug into the vault à la the pensioners who robbed London’s diamond district in 2015. Gah, another red herring.
The hacker knew the private key
The term “Bitcoin wallet” is a misnomer. Technically, the coins are not stored in the wallet; the wallet simply contains a key to use them. Keeping this key private is the goal of securing the money held in the account, because if anyone else knows the key, they can steal the money. Therefore, even if the key is written on paper, in a box, buried five miles deep, the funds aren’t safe if somebody else knows it. This would explain how the attacker managed to spend the money but raises another question: how did he or she get the key in the first place?
It was an inside job
The fact that the device wasn’t tampered with implies that the hacker may have had some insider knowledge or managed to find somebody who was willing to give it to them. On this issue, Trade.io says there are no indications of theft by internal actors, although it is unclear whether this means within the company or at the bank.
The blockchain was hacked
While blockchains are protected by strong cryptography, in some ways they can be exploited. Recently, it was found Bitcoin had a bug that could have allowed coins to be minted at will. This was actually exploited on lesser-known Pigeoncoin, for $15,000. However, while this would explain the ability to access the coins, it would be obvious and noticeable by looking at the history logs of the blocks.
So, was it a rogue employee or a crypto-enthusiast at the bank? Was the blockchain hacked or was the device somehow compromised? So far, we don’t know. But what we do know is what Trade.io is going to do about it. They’re going to re-write history so it never happened. Like a do-over. But is that ethical?
A $230,000 fork
The precedent for this sort of thing was set by The DAO in 2016. Heralded as one of the first major examples of a decentralized organization, investors poured in to show their support to the tune of some $100 million. But thanks to a bug, someone managed to siphon off $60 million of those funds into a DAO clone. As a result, the Ethereum community decided to carry out a hard fork, splitting the cryptocurrency in two and creating a new coin with a transaction history where the attack never happened. This broke the principle of immutability, that a blockchain cannot be changed, and resulted in Ethereum Classic, the version of the chain that included the hack, run by those who believe the blockchain should not have been altered.
Back to Trade.io. CEO Jim Preissler writes on LinkedIn that the management team has decided to fork the Ethereum-based token from TIO to TIOx. This will overwrite the hack so that it never happened. The funds were moved to crypto exchange KuCoin and decentralized exchange Bancor but have been quarantined. This means the tokens can be “returned” to Trade.io and should avoid a further drop in value, although the coins have already fallen 40% from $0.22 to $0.13.
However, this highlights a key issue that is starting to repeat itself. Blockchains can be rewritten, which means that perhaps they shouldn’t be trusted as the bastions of immutability they’re heralded to be. Trade.io’s management team is changing history because someone got robbed, and no one seems to understand how. Not only does this violate the principle of immutability, as the blockchain gets rewritten, but it also violates the principle of decentralization. A token is decentralized if no one party has control over it. If the management team is able to make one user, the hacker, lose their funds, that shows they have control over the network, even if it involves convincing miners to accept the changes.
In Preissler’s post, he cleverly writes in Latin that actual losses are estimated to be “De Minimis,” which means, trifling or unimportant. The hack wasn’t as big as Coincheck’s $500 million or Coinrail’s $40 million but it is another violation of the principle of immutability. This “trivial” hack has exposed a growing chasm in blockchain technology, one that needs to be solved by either re-structuring how these organizations are run, or overhauling the very definition of what this ecosystem claims to be.