Crypto Hacks — How Secure are Blockchains?

Cryptocurrencies like Bitcoin keep growing in network size and market capitalization, which justifiably raises the question of whether cryptocurrencies can be hacked or even shut down completely.

In this post, we will break down the essential types of hacks on blockchains and the security features of cryptocurrencies by the example of Bitcoin and how Bitcoin's robustness differs from typical day-to-day applications that everyone uses.

Blockchains like Bitcoin were designed with high cautiousness for security, which generally makes blockchains highly robust to attacks that could harm the core of the blockchain.

When talking about the security of blockchains like Bitcoin and whether Bitcoin can be hacked, one has to consider the different components of blockchains as well as how critical they are to the network.

As a reminder: A blockchain is a distributed database consisting of individual blocks that each store a bunch of individual transactions.

Blockchain is seen as a mostly predictable and secure technology around which a dynamic and less secure network of users, miners, nodes, applications etc. is built.

For cryptocurrency users, this practically means: the blockchain technology itself is rather reliable. However, there are some attacks that can make you, as an individual participant in a cryptocurrency network, a victim of hacks.

The core components of every blockchain are transactions and blocks, whose validity can be verified easily by anyone with the help of hash functions at any point in time.

Therefore, they leave zero room for direct hacks and manipulation, as their validity is provable by cryptography and mathematics.

In Bitcoin, this is where the so-called UTxOs come in handy, making it easy for anyone to deterministically verify that any user in fact owns the funds they are trying to spend.

Nevertheless, there are always exceptions where damaging transactions are falsely deemed to be valid due to bugs in the software, such as Bitcoin's inflation bug in its youngest years.

If someone attempted to hack a blockchain by manipulating a transaction, a block, or even the order of the blocks in the blockchain, every node in the network would detect such manipulation and reject the malicious proposal, leaving the globally distributed blockchain unharmed.

Since blockchain nodes define what is allowed and what is not, a hacker would be required to hack most nodes on Earth to create any long-term damage to the blockchain.

This highlights the importance of decentralization — e.g. having thousands of nodes that actively guard a given blockchain. Smaller blockchains with fewer nodes are therefore more prone to such attacks, since it's feasible to control a majority of their nodes, as the case of such an attack on Bitcoin SV has shown.

In practice, an attempt of hacking Bitcoin, Ethereum, or other major blockchains is nearly impossible, especially because most blockchain nodes run the same, open-source software that was verified for correctness and deemed hack-proof.

For example, the core security features of Bitcoin make it impossible to

• Hack yourself more Bitcoin than you own

• Spend someone else's Bitcoin without having access to their private key

• Change past Bitcoin transactions (exception: 51% attack, see below)

• Change rules of the network without having the majority vote for it, like the cap of ~21 million bitcoin to ever be mined

This makes decentralized blockchains like the Bitcoin blockchain very secure in general.

Yet, the more dynamic and less essential components of a blockchain's network, consisting of miners, nodes, third-party apps, and users leave some room for many dangerous attack vectors that we're going to talk about next.

The 51% Attack is a famous attack targeted towards the so-called consensus layer of a blockchain with the goal of fully controlling the creation of new blocks, therefore hijacking an entire blockchain.

Executing this network attack involves a malicious mining operator controlling at least 51% of the network's entire mining power (hash power), essentially giving them the full power to decide which new blocks get added to the blockchain.

Such a 51% attack on Bitcoin would allow the hacker to

• Revert past Bitcoin transactions by re-mining a past block without these transactions included, allowing them to steal Bitcoin from the receivers of these transactions and spend Bitcoin multiple times (double-spending)

• Effectively shut down the Bitcoin blockchain as long as the hacker controls 51% of the network's hash power simply by keep mining empty blocks, not allowing anyone to transact Bitcoin anymore

Still, any hacker executing a successful 51% attack on blockchains like Bitcoin would still not be able to arbitrarily steal any Bitcoin or cheat themself more Bitcoin out of thin air.

While a successfully executed 51% attack would allow an attacker to effectively shut down Bitcoin, they would only be able to freeze the blockchain for as long as they control 51% of the network's hash power.

Shutting down Bitcoin would require an attacker to keep mining empty blocks faster than the rest of the miners together forever, which would result in unimaginably high energy and hardware costs.

At the time of writing, it's estimated that the cost of such an attack on Bitcoin would be over one million US-Dollars per hour — Trending upwards in proportion to the so-called hash power of the Bitcoin network.

While other blockchain-related attacks, such as the Sybil- or Eclipse attack, could hack critical components of the Bitcoin network, they could still not shut down big blockchains like Bitcoin entirely.

The most notable reasons why cryptocurrencies like Bitcoin get stolen are not security flaws in the blockchain, but rather hacks of crypto exchanges, user devices, or single wallet applications developed by third parties.

In practice, there are many different ways in which cryptocurrencies like Bitcoin are being stolen.

Because the only thing requires to steal all of your cryptocurrencies is the private key of your crypto wallet, it's possible for hackers to

1. Simply steal Bitcoin from an infected device if any private keys are stored on it in clear text

2. Exploit software bugs of a crypto wallet to gain access to your private keys

Both these types of hacks are daily occurrences in the crypto space – most notably the current incident of the Atomic Wallet being hacked .

Hackers cannot only steal Bitcoin through private keys directly from their user's devices but also from crypto exchanges. This is because those platforms you buy cryptocurrencies on hold the assets of their users on internal wallets. In case a hacker gains access to their private keys, they can drain their wallets, stealing all the cryptocurrencies of users of the exchange.

Even though, nowadays, cryptocurrency exchanges invest significant resources into the security of their platforms, hacks of crypto exchanges still occur multiple times a year. The most prominent case of a cryptocurrency exchange being hacked was the case of Mt.Gox .

With enough awareness of different hacks and security measures, such as using a hardware wallet and not leaving your assets on trading platforms, you can make it nearly impossible for hackers to steal your Bitcoin or other cryptocurrencies.

Another frequently encountered hack in the Bitcoin space is the so-called man-in-the-middle attack, where a hacker manipulates your communication with the blockchain, which is mostly done by manipulating your devices or applications installed on them.

A widespread example of these Bitcoin man-in-the-middle or man-in-the-browser attacks are

• Malware that changes the address you enter into your crypto wallet when sending cryptocurrencies, prompting your wallet to send cryptocurrencies to the hacker's wallet instead of your wished destination.

• Malware that changes the deposit address displayed in your browser, e.g. when depositing money onto an exchange, making you believe you send crypto to a platform - in reality sending it to the hacker

• Malicious software wallets that seem like conventional wallets but are actually programmed to steal your crypto

Protecting yourself against those attacks involves overall high-security awareness on your smartphone or computer.

Perhaps the most frequently seen cryptocurrency hacks that steal coins from users are phishing attacks, which are social engineering attacks that trick users into sending cryptocurrencies to the attacker on their own.

In practice phishing attackers publicly ‚pread addresses or links to fake applications via email or social media, creating the assumption that

• You're entering into a giveaway by sending crypto to any displayed address

• You're required to send your crypto private key to an exchange, authority, or other company

• You're required to sign a message on smart-contract blockchains like Ethereum to gain access to an application, while in reality, you agree to send all your crypto to the attacker

There are many more examples, and the only protection against phishing attacks in crypto is being cautious and critically questioning any message, link, or video that one encounters on the internet.

Remember: In the end, not a single legitimate company or authority on the internet will ever ask you to enter your private keys or give you free money for no reason.

Despite the relatively high security of blockchains like Bitcoin, every user of crypto needs to educate himself on crypto hacks and stay cautious at all times.

Being just slightly uncautious for one time can quickly result in falling for scams, your crypto wallets being hacked and cryptocurrencies being stolen.