7 Ways Private Keys Have Been Compromised

Published Dec 30, 2019
By Anthony Foy, CEO Qredo

Bitcoin lets you be your own bank by holding your private keys, but as the cryptocurrency industry has developed, this idea has become diluted. Many cryptocurrency users now choose to surrender their private keys to third party custodians.

This has brought trust back into a trustless system—with dangerous consequences.

Cryptocurrency's short history is littered with massive losses, where the private keys controlling millions have been stolen from exchange wallets, pilfered by scam artists, and embezzled by trusted custodians.

Even those individuals who have stayed true to the spirit of Bitcoin and kept their own private keys have still suffered, with dodgy crypto wallets, silly mistakes, and even a series of 'horrible boating accidents' all leading people to lose their cryptocurrency.

To celebrate #ProofofKeys, here are 7 different ways that private keys have been compromised (and a few tips to help you take control of them without becoming another victim).

1) Lost in 'horrible boating accidents'

In an effort to avoid the problems of third party custody, some cryptocurrency users take control of their own private keys. But, losing this secret string of code is easier than you might think. Last year, a digital forensics firm estimated that four million bitcoins are gone forever—with many private keys being lost in the early days before the value became evident.

Some were accidentally shared and misplaced, and some—if commentators on crypto Twitter are to be believed—were lost in horrible boating accidents.

When it happened: James Howells, 2009

British IT guy James Howells was an early adopter of Bitcoin who ended up watching others get rich without him. The laptop that he used to mine hundreds of bitcoin in 2009 was accidentally dismantled and sent to the tip, and while the bitcoin could still be there, they are now buried under mountains of toxic waste on a hard drive that is likely to have corroded.

2) Misplaced by incompetent employees

Even when custodians are not malicious, they are still prone to making mistakes. According to a study by IBM, irresponsible and uninformed employees are the cause of a staggering 95% of cyber security breaches.

When it happened: Bitomat, 2011

The Polish exchange Bitomat met a sticky end when employees decided to reboot the server, and accidentally destroyed a crypto wallet containing the private keys to 17,000 bitcoin.

3) Hacked from hot wallets

Hot crypto wallets, which are always connected to the internet, have become an irresistible target for cybercriminals.

In 2018 alone, hackers stole private keys controlling over a billion dollars’ worth of cryptocurrency from hot wallets, which despite being intrinsically insecure are still used by many custodians to provide a pool of easily accessible liquidity.

When it happened: Mt Gox, 2014

Mt Gox was the beating heart of bitcoin trading in 2013, accounting for 90% of all transactions. But the massive Japanese exchange eventually collapsed when it was revealed hackers had crept in through the backdoor, stole private keys from the hot wallet, and ran off with 850,000 Bitcoins valued at roughly $473 million at the time.

4) Embezzled by corrupt custodians

Cold storage, hot wallets, and multisig wallets can all be vulnerable to insider theft, with customer funds often proving too much to resist for corrupt custodians.

When it happened: Shapeshift, 2016

Despite having secure infrastructure in place, Shapeshift lost $230k in a string of thefts after a disgruntled former employee sold sensitive security information to a hacker.

5) Phished, scammed, and gobbled up by viruses

Cybercriminals have dreamt up many different ways to get their hands on private keys, targeting both individuals and third party custodians with phishing devices, fraudulent emails, and malware droppers.

When it happened: BitCash, 2016

The servers of Czech exchange BitCash were commandeered by hackers, who—in a scam reminiscent of the efforts of Nigerian princes—sent a cunning phishing email to customers requesting them to send bitcoin in order to gain access to their funds.

6) Misappropriated from multisig wallets

Multisig technology, which can be traced back to medieval monks holding separate keys to guard sacred artefacts in crypts, is often added as another security layer to hot or cold wallets.

This system was widely adopted after the Mt Gox hack in 2014, but it hasn't stopped security breaches from coming thick and fast.

When it happened: Parity, 2017

Ethereum development firm Parity suffered a hack to its multisig wallets after a critical bug was left in the smart contract by developers. This resulted in millions of dollars of Ether being drained from the wallets by cybercriminals.

When the bug was discovered, a race was sparked as white hat hackers rushed to the rescue by exploiting the same vulnerability to empty the remaining wallets before the hackers could get their hands on them. By the time the dust had settled, $31 million worth of Ethereum had been lost.

7) Stolen from cold storage

Cold storage is often seen as an impenetrable fortress, but the custody method still has risks—paper wallets can be physically stolen or damaged, and hardware wallets can malfunction or get lost.

The biggest risk affecting cold storage is hiding in plain sight: Research from IBM shows that at least 60% of cyber attacks are committed by insiders, so even if the wallet itself is secure, the custodians might not be trustworthy.

When it happened: Quadriga CX, 2018

Having cryptocurrency stored in cold storage didn't help the customers of Canadian exchange QuadrigaCX. They discovered after CEO Gerald Cotten's untimely death that he had cleaned out the cold wallets containing customer funds.

How to protect your private keys

To best protect your private keys, you first need to understand what they are. Here's a quick primer.

What is a Private Key?

Every bitcoin address on the network has a public key and a private key—these two strings of code are cryptographically linked. You can get the public key from the private key, but you can't get the private key from the public key—just like you can turn fruit into a smoothie, but you can't turn a smoothie back into fruit...

This means you can share your public key with others so they can send you bitcoin, but they can't derive your private key and take control of your funds.

What are the different ways to protect your keys?

Individuals and institutions have a few different options for keeping private keys away from prying eyes. Hot wallets, which are connected to the internet, and cold wallets, which are offline and come in two forms—paper and hardware. Both hot wallets and cold wallets can be protected with an additional layer of multi-signature technology.

Paper wallets

Paper wallets were the first form of key storage to arrive on the scene when people first started to take private keys off personal hard drives and print them out.

The idea is that by taking the private keys completely offline they are made impossible to hack. The problem is, using a paper wallet safely requires expertise, as even a small mistake can expose your private keys to the world, or cause them to be lost forever. Not only that, but you then must prevent the paper from getting lost, eaten by a dog, or set on fire.

Bitcoin billionaires the Winklevoss twins are famous for using paper wallets to protect their fortune. They devised their own system of splitting the keys into different pieces of paper which are then stored in banks around the country. This mitigates the risk of loss or theft, but also makes the funds difficult to manage.

Hardware wallets

Hardware wallets are a modern form of paper wallets which rely on the same basic principles. But instead of being written on paper, the private keys are encoded into a chip that remains offline.

When you want to manage your funds, you can plug the wallet into your computer to sign transactions with the private key. This makes hardware wallets easier to manage than paper wallets, but they still have their vulnerabilities.

Hardware wallets can be lost, stolen, broken or corrupted. And, you still have to write down the seed words as a backup on paper, which introduces all the additional risks of a paper wallet.

Hot wallets

Hot wallets are easy to set up, but are also very vulnerable to hacks since they are centralized and secured online. Use this custody solution at your own risk.

The above custody solutions are cumbersome for individuals, but for institutions, managing millions of dollars of crypto assets on behalf of clients, they are a liability—presenting challenges for liquidity, security, and regulatory compliance.

Thankfully, a new paradigm of asset management has emerged that makes it possible for investors to more easily hold and trade cryptocurrency with institutional grade security, governance and control.

Click here to read about how Qredo's  unique consensus-driven MPC protocol protects private keys.