Blockchain security expert Hartej Sawhney has claimed that, on average, around $2.5 million worth of cryptocurrency is stolen from crypto exchanges every day, with most hacks being unreported to the public.
Mr Sawhney was speaking on the topic of blockchain security on the CNBC crypto trader show.
Mr Sawhney is a co-founder of hosho.io, a global leader in blockchain security. His company provides security services for clients including smart contract auditing and penetration testing for a range of cryptocurrency protocols.
He said: “Hackers have low-hanging fruit to penetrate exchanges.” Examples may include forms of smart contract hacking and order book manipulation to offset bets at competing liquidity providers.
He went on to claim that exchanges need to learn how to properly hold private keys, as this is still a major security barrier. This applies to both hot and cold wallet solutions, each of which widens the set of potential targets.
“Exchanges need to learn to value security, but they are not getting regular penetration testing from cybersecurity companies.”
A love for dogs
Mr Sawhney described an example of a recent hack, stating: “An employee of a Bitcoin exchange was a competitive dog walker. The hacker monitored the social feeds of this employee and gained access to realise that fact.”
“They made a fake website and application for this employee to apply to compete in a local dog walking competition.”
“The victim then opened up the wrong email, opened up the wrong PDF, and ended up applying to a fake dog walking competition, and the hacker gained access to her keystrokes.”
The hacker then gained access to her usernames and passwords for the crypto exchange, and the exchange lost millions of dollars within 48 hours.
He concluded the interview by discussing the relative scarcity of “full-stack developers who know Solidity and have a QA mindset” who are qualified to work and certify in this field.
If you can strike the correct business model as a custodial exchange in this space, then you will certainly see the benefits of this type of security auditing. Due diligence is clearly required in the management of private key solutions, but the question still lingers – who is going to audit your own code?