Cybersecurity in Crypto Trading: Beyond Bad Trading Decisions

by Dmitry Shishov (@dshishov), February 3rd, 2023

Too Long; Didn't Read

Hacks, data leaks, cyberattacks: it looks like they never end in the crypto space. Crypto offers immense earning potential, but not everything depends on users. And while not all platforms are willing to take responsibility for their faults, we cannot talk about a secure crypto trading space. Some ideas about how to secure your funds when trading are in the post.


Not only smart and lucky investors get rich when it comes to crypto. Hackers have been benefiting from this industry since the times when crypto started growing in popularity and coins started increasing in price. 

Just within a couple of years, hackers have made millions of dollars in virtual assets by compromising a crypto exchange, stealing private keys from naive users, getting illegal access to API keys, and many other ways.

Considering that there are many coins that provide 100% anonymity, and hackers use crypto mixers to eliminate any trace of the stolen coins, the majority of funds cannot be recovered.

Traders Take Higher Risks

So, investing in crypto is risky. But there is a category of crypto users who run bigger risks than others. I mean crypto traders. Why? Because in trading, a single wrong decision can leave you without your money. In crypto-trading, risks of losing money surge because of the following reasons:

  • The asset’s extreme volatility: the smallest delay may result in significant losses.
  • Irreversibility of transactions: a single error in a wallet address leads to a permanent loss of funds.
  • Traders don’t have any other option but to keep a part of their funds on crypto trading platforms for more accessibility. 
  • Traders have to use third-party solutions (trading bots) to benefit from price differences on different exchanges. 


Why Cybercriminals Are Attracted to Crypto Exchanges

Many major cryptocurrency exchanges such as Binance, Bitfinex, or Bittrex perform the function of a middleman for crypto trading. Users store millions of dollars on these platforms. 

This is one of the main reasons why such exchanges are a lucrative target for cybercriminals. And over time, the amount of funds stolen in such hacks is increasing. 

If you compare the major crypto exchange hacks, you will see that over time, stolen sums have grown:

  • Mt.Gox (2011) lost in a hack approx. $400,000
  • Bitmart (December 2021) lost $196 mln
  • Binance (October 2022) lost $570 mln but the majority of funds were recovered
  • FTX (November 2022) lost $600 mln in an alleged hack

How Can You Ensure That Your Stored Funds Are Safe on a Crypto Trading Platform?

I will be open: there is not much to do for you as a user. Of course, it is highly risky to rely on a platform that is known for being insecure and prone to hacks, as even top exchanges can be hacked.

However, I would say that top exchanges that manage billions in funds are always under attack, but the chances of such an attack succeeding are much lower than for small platforms that cannot invest in highly qualified specialists to ensure the needed security level.

You can check how the selected exchange behaved when it was hacked. For example, Binance compensated its users for their losses in its recent hack, while Mt.Gox’s users are still waiting for their lost funds to be reimbursed.

Most platforms offer bounty programs where white-hat hackers can report bugs and vulnerabilities found on a platform and receive a reward.

Some exchanges such as Coinbase and Binance insure customer funds. Such exchanges shield their users from losses in the event of a hack. Insurance policies vary between platforms, so I recommend checking all details before transferring your money to the platform.

Crypto Tax Reporting Services 

Tax reporting is a laborious task that requires knowledge, accuracy, and time. That’s why many traders rely on third-party crypto-tax reporting services for this task. 

Source: CoinDesk

Such services store loads of sensitive user information such as customers’ names, payment processors’ profiles, emails, and details on income in crypto, among other data. While these services are not as frequently targeted as exchanges, hacks happen there, too. Therefore, using these services makes traders more vulnerable.

How can you protect yourself from the leaks of sensitive information on such a website? By filling all the tax forms manually or hiring an experienced accountant to do so. And if you are still tempted to use such a website, make sure that it uses third-party services to ensure unbiased security checks and protect the data of its users. 

Be Vigilant About Whom You Entrust Your API Keys To 

API keys control who uses an API and how this API is used. An API key is a unique code, or a set of unique codes, used for authentication and for creating cryptographic signatures that prove the legitimacy of a request.

API keys are a frequent target in cyberattacks because, with them, criminals can perform all types of operations including confirming financial transactions or requesting the users’ personal information. 

The consequences of API key leaks are immense, especially considering that some API keys don’t expire. It means that attackers can use them repeatedly. 

API keys are often used by traders to provide trading bots with access to traders’ accounts on an exchange. 

While this practice has already raised some security questions, the recent case with 3Commas (I analyzed it in my previous article) demonstrated that the API keys of clients shall be treated with the utmost attention. A leak of information may result in millions in losses.

On the other hand, providing API keys to a trading bot is a common practice in crypto because otherwise, it is impossible to gain profit. 

So what can we do to mitigate the security risks that arise from providing our API keys to a third party like 3Commas? 

Do your own research - it sounds primitive, I know, but this is the only thing I can advise for now. If you see that the API keys of clients are stored in a public repository, avoid that service.

Make sure there is clear information on how the service stores your API keys. For example, this declaration from the 3Commas team makes me think that previously, they didn’t take much care about the security of their clients’ keys:

Earlier, there were no specific measures to provide extra protection to the data that gives access to millions of dollars of users’ funds…

Now we're watching to see how 3Commas will address the issue. If they compensate the users for the losses that occurred because of the company’s ignorance, it will be proof that the company indeed cares about its reputation and the security of its users’ information. If the losses are not reimbursed, I doubt that any serious trader will ever use the service again.

Other than that, I can provide standard recommendations such as checking how your account is used, never forgetting that your API keys are stored somewhere else, and setting up IP whitelisting. Rotating your API keys whenever you can and using multiple API keys to reduce the losses if one of them is stolen are good ways to protect your interests.
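How the request signatures and the IP whitelisting, per-key permission and rotation advice above fit together, as an added example that is not from this article or from any exchange or bot provider. It assumes a generic HMAC-SHA256 signing scheme; the `ApiKey` record, scope names, limits and sample values are all hypothetical and constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_KEY_AGE = 90 * 86400   # assumed rotation policy: 90 days, in seconds
RECV_WINDOW = 5            # assumed: seconds a signed request stays valid

@dataclass(frozen=True)
class ApiKey:              # hypothetical server-side record for one key
    secret: bytes
    scopes: frozenset      # e.g. {"read", "trade"}; a bot key omits "withdraw"
    allowed_ips: frozenset # IP allowlist the key owner configured
    created: int           # epoch seconds, used to enforce rotation

def sign(secret: bytes, payload: str) -> str:
    """Client side: HMAC-SHA256 over the query string, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()

def authorize(keys, key_id, payload, signature, src_ip, scope, now):
    """Server side: return (allowed, reason) for one signed request."""
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key"
    if not hmac.compare_digest(sign(key.secret, payload), signature):
        return False, "bad signature"
    params = dict(p.split("=", 1) for p in payload.split("&") if "=" in p)
    ts = params.get("timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > RECV_WINDOW:
        return False, "stale or missing timestamp"
    # The checks below still hold when the key AND its secret have leaked.
    if src_ip not in key.allowed_ips:
        return False, "ip not allowlisted"
    if scope not in key.scopes:
        return False, "scope not granted"
    if now - key.created > MAX_KEY_AGE:
        return False, "key overdue for rotation"
    return True, "ok"

def demo():
    now = 1_700_000_000    # constructed clock value
    secret = b"constructed-demo-secret"
    keys = {"bot-1": ApiKey(secret, frozenset({"read", "trade"}),
                            frozenset({"203.0.113.10"}), now - 10 * 86400)}
    order = f"symbol=BTCUSDT&side=BUY&timestamp={now}"
    sig = sign(secret, order)  # a leaked secret lets anyone produce this
    return [
        authorize(keys, "bot-1", order, sig, "203.0.113.10", "trade", now),
        authorize(keys, "bot-1", order, sig, "198.51.100.7", "trade", now),
        authorize(keys, "bot-1", order, sig, "203.0.113.10", "withdraw", now),
    ]
```

Calling `demo()` shows the same validly signed request being accepted from the allowlisted address and refused from another address or for a scope the bot key was never given.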

Conclusions

While users still have the major part of the responsibility for safeguarding their crypto funds, the system evolves and some major players show their willingness to share this responsibility with their users. It boosts users’ confidence in such players and increases their willingness to collaborate with them.

Others though try to escape the responsibility even if security errors are consistently made by them. I believe that in the future, the latter ones will be wiped out from the crypto trading market, and we will be confident that by entrusting our sensitive data to a third party, we can count on this third party’s responsibility to store it securely.