A Cautionary Tale for Crypto As Cryptopia Reports First Bitcoin Exchange Hack of 2019
New Zealand-based crypto trading platform Cryptopia went offline for “unscheduled maintenance” on Sunday, January 13th, making a surprise announcement on Twitter.
Then, in a tweet posted on Tuesday, January 15th, the exchange explicitly stated that a hack had occurred on Monday, January 14th and that the exchange had been put into maintenance mode so that staff could assess the situation.
What has unraveled since the announcement has led to a number of questions.
According to the tweet,
“Staff then notified and involved the appropriate Government Agencies, including NZ Police and High Tech Crimes Unit who are jointly and actively investigating the matter as a major crime and they are assisting us with advice.”
The New Zealand police issued their own statement on Tuesday, which confirms that Cryptopia reported an apparent hack and notified the police of potential missing funds.
“Police were advised late yesterday of an issue involving potential un-authorised transaction activity at the Christchurch based crypto-currency trading company Cryptopia. A significant value of crypto-currency may be involved and Police are taking this very seriously. We are currently talking to the company to gain a further understanding of what has occurred.
A dedicated investigation team is being established in Christchurch including specialist police staff with expertise in this area. Police are also liaising with relevant partner agencies in New Zealand and overseas. The investigation is still in its very early stages and police are unable to provide further information tonight. We expect to provide an update tomorrow.”
Cryptopia’s cooperation with the police may allay some fears in the crypto community that the small exchange is in the midst of an “exit scam,” a calculated effort to defraud consumers by launching, luring and operating a crypto-related platform only to shut the operation down and run off with all funds involved.
But the hack fuels concerns about cybersecurity and timeliness of disclosure of a data breach.
Although there have been no statements on exactly how much was stolen, blockchain transactions show that roughly $2.4 million worth of Ether was moved from Cryptopia’s “hot” wallets, which is storage that is linked to the internet, to an unknown wallet – on Sunday, the day of the unscheduled maintenance.
— Whale Alert (@whale_alert) January 13, 2019
As for the public disclosure, Cryptopia made the announcement about the suspected hack nearly two days after the exchange was taken offline for routine maintenance.
We are currently experiencing an unscheduled maintenance, we are working to resume services as soon as possible. We will keep you updated.
— Cryptopia Exchange (@Cryptopia_NZ) January 14, 2019
The sequence of events calls into question the nature of the big transfer on Sunday, the cause of the unscheduled maintenance on Sunday, the official date of the hack on Monday, and the reason for delaying announcement of the hack until Tuesday. Namely, were the big transfer, the unscheduled maintenance and the hack all completely separate and unrelated events? If they were related, how so?
In a post entitled, “Cybersecurity 2019 — The Year in Preview: Cryptocurrency and SEC Enforcement,” Michael Licker, an attorney at Foley Hoag, explains that the US Securities and Exchange Commission – which has yet to approve a Bitcoin exchange-traded fund on concerns related to security and consumer protections – has attempted to provide the market with guidance on when an issuer should disclose a data breach.
“The Commission’s February 2018 guidance was its second effort (its first was in 2011) in this regard. The guidance focused on the materiality of a particular cyber risk or breach, and stressed that the need to make a disclosure must be analyzed on a case-by-case basis, depending on the nature, extent and potential magnitude of the risk or breach. In assessing whether disclosure is required, a company should consider the range of harm that an incident could cause, including to a company’s reputation, financial performance, and customer or vendor relationships, along with the possibility of litigation or regulatory actions.
By and large, this guidance did not provide much clarity beyond what the SEC had previously advised. In a new twist, however, the guidance also touched on insider trading and made clear that material, non-public information regarding cyber events should be treated no differently than any other material, non-public information. Officers, directors and other executives cannot trade on such information, and companies should have policies and procedures in place to guard against them doing so and also to help ensure the company makes timely disclosure of such information.”
At time of writing, Cryptopia’s trading volumes were last updated on CoinMarketCap 56 hours ago, when trades were halted. The data shows relatively low 24-hour trading volumes for its top coins: Bitcoin, Tether, Ether, Electroneum and Tron.
- BTC/USDT – $60,706
- ETH/BTC – $59,667
- ETN/BTC – $50,343
- TRX/BTC – $46,240
Aside from the impact and pressure that low liquidity can have on traders in search of buyers and sellers, it calls into question whether an exchange has enough resources to implement critical cybersecurity measures to secure customer funds.
CNBC’s Cryptotrader host Ran NeuNer suggests that the exchange may have difficulty rebounding from the breach. At play is the amount that was lost and the measures the exchange used to secure customer funds.
I’m interested to see how the Cryptopia hack plays out, how much was lost & whether they were negligent in storage. Will they be able to refund users given their size & the state of the market. I suspect many smaller exchanges won’t survive this and the bigger ones will benefit! pic.twitter.com/VMkNJS3n12
— Ran NeuNer (@cryptomanran) January 15, 2019
At time of writing, Cryptopia says that they are no longer able to comment on the active police investigation, and they advise customers to check their social media for updates.