SpankChain, blockchain-based payment service solution for the adult industry, has disclosed the details of a hack that resulted in losses equivalent to $38,000.
As a result of a broken smart contract, a hacker was able to break into the SpankChain platform and siphon funds from some of its users by exploiting a reentrancy bug—the same class of bug that was previously used to attack the DAO.
The attack drained 165.38 ETH and left $4,000 worth of BOOTY immobilized on the platform, with the losses split between SpankChain and some of its users; the organisation came in for sharp criticism over the event.
Explaining the nuts and bolts of the attack, the firm posted an update on Medium: “In short, the attack capitalized on a ‘reentrancy’ bug, much like the one exploited in The DAO. The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”
According to SpankChain, “The malicious contract first called createChannel to set up the channel, then called LCOpenTimeout repeatedly via reentrancy. The LCOpenTimeout is there to allow users to quickly exit payment channels which have not yet been joined by the counter-party.”
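The mechanism SpankChain describes above, shown as a hypothetical pair of contracts added here for illustration; this is not SpankChain's code. The function names createChannel and LCOpenTimeout are taken from the article, but their bodies, the IERC20Like interface, the Channel struct and the contract names are assumptions. The vulnerable version makes its external calls before recording that the channel is closed, so a token contract whose `transfer` calls back into LCOpenTimeout passes the `open` check again; the hardened version clears state first and adds a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20-style surface the channel relies on (assumed). A caller-supplied
// token address is trusted to implement it, which is the entry point the
// article describes: "transfer" is code the channel opener controls.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Shared state (hypothetical): one party opens a channel with ETH plus tokens,
// and may reclaim both via LCOpenTimeout while the counter-party has not joined.
abstract contract ChannelBase {
    struct Channel {
        address partyA;
        IERC20Like token;
        uint256 ethDeposit;
        uint256 tokenDeposit;
        bool open;
    }
    mapping(bytes32 => Channel) public channels;

    function createChannel(bytes32 id, IERC20Like token, uint256 tokenAmount) external payable {
        require(!channels[id].open, "channel exists");
        require(token.transferFrom(msg.sender, address(this), tokenAmount), "token deposit failed");
        channels[id] = Channel(msg.sender, token, msg.value, tokenAmount, true);
    }

    function LCOpenTimeout(bytes32 id) external virtual;
}

// VULNERABLE: interactions (token.transfer, ETH send) run before the effect
// (marking the channel closed). If token.transfer calls back into
// LCOpenTimeout, the `open` check still passes and the refund is paid again.
contract VulnerableChannel is ChannelBase {
    function LCOpenTimeout(bytes32 id) external override {
        Channel storage c = channels[id];
        require(c.open && c.partyA == msg.sender, "not open or not yours");
        require(c.token.transfer(c.partyA, c.tokenDeposit), "token refund failed"); // re-entry point
        (bool ok, ) = c.partyA.call{value: c.ethDeposit}("");
        require(ok, "eth refund failed");
        c.open = false; // state update arrives only after the external calls
    }
}

// HARDENED: checks, then effects, then interactions, plus a mutex so the
// refund path cannot be re-entered while a payout is in flight.
contract HardenedChannel is ChannelBase {
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function LCOpenTimeout(bytes32 id) external override nonReentrant {
        Channel memory c = channels[id]; // copy, then clear storage before paying out
        require(c.open && c.partyA == msg.sender, "not open or not yours");
        delete channels[id];            // effect first: a re-entrant call now fails the check above
        require(c.token.transfer(c.partyA, c.tokenDeposit), "token refund failed");
        (bool ok, ) = c.partyA.call{value: c.ethDeposit}("");
        require(ok, "eth refund failed");
    }
}
```

Either fix alone closes the hole in LCOpenTimeout; using both is the usual practice, since the ordering protects against the specific callback and the guard protects every guarded function against a re-entry path nobody anticipated. A third control worth considering for a contract like this is restricting which token addresses a channel may be opened with, so that arbitrary caller-supplied code is never invoked in the first place.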
On Thursday, SpankChain CEO Ameen Soleimani confirmed that “the stuck BOOTY has been recovered.”
Operation "Save My Ass" is a success. The stuck BOOTY has been recovered. https://t.co/OpuHPWDXl5
— Ameen Soleimani (@ameensol) October 12, 2018
The now-resolved SpankChain hack comes as only the latest example of a significant hacking event affecting a crypto platform, with scams and hacks rapidly increasing in number over the last few months.
SpankChain acknowledged that it could have commissioned a security audit on the smart contract, which may have identified the weakness before it was exploited. However, this would have cost around $50,000, more than the total of the losses incurred.
Either way, SpankChain committed to tightening security as it continues to expand, saying, “As we move forward and grow, we will be stepping up our security practices, and making sure to get multiple internal audits for any smart contract code we publish, as well as at least one professional external audit.”
Note: Tokens on the Bitcoin Core (segwit) Chain are Referred to as BTC coins. Bitcoin Cash (BCH) is today the only Bitcoin implementation that follows Satoshi Nakamoto’s original whitepaper for Peer to Peer Electronic Cash. Bitcoin BCH is the only major public blockchain that maintains the original vision for Bitcoin as fast, frictionless, electronic cash.
The post Adult industry payment platform saves own ass after getting spanked appeared first on Coingeek.
The embattled Japanese cryptocurrency exchange Zaif has published its plan for customer financial support, in the wake of a hack that cost the firm losses of up to JPY6.7 billion ($59.7 million). The attack resulted in Zaif’s parent company, Tech Bureau Inc., seeking external support to cover stolen customer assets.
With the details published on Wednesday, the firm has effectively announced that its business will be transferred to Fisco Digital Asset Group, a transfer expected to conclude in November. In the documentation, Tech Bureau Inc. noted that the business transfer method was the best solution to the issue, factoring in the need to minimise risks and to protect its customers.
Tech Bureau reported that it had reached a basic agreement involving consideration last Sept. 20 to provide “financial support of JPY5 billion, enter a capital alliance enabling acquisition of a majority of the Company’s shares and allow for a majority of directors and the dispatch of an auditor.”
That deal, however, seeks “to pursue the business transfer method from the viewpoint of avoiding risk for those supporting and due to the requirement to implement a decision rapidly to protect customers.”
Monacoin holders caught up in the attack will be reimbursed in a 60/40 split of crypto to fiat, and at an agreed price of JPY144.548 per coin, or about $1.28. As of Wednesday, all Monacoin transactions on the platform have been halted, with an announcement on resuming trade expected at a later date.
All buying and selling in Bitcoin Cash (BCH), as well as BTC, remains unaffected, and will continue unimpeded. However, deposits and withdrawals have also now been frozen, to be resumed when the transfer of ownership to Fisco is complete.
The plan comes after Japan’s Financial Services Agency (FSA) issued another improvement notice to Zaif—the third notice of its kind demanding that the exchange step up its internal processes. The most recent notice, issued in September, follows on from similar notices in March and July of this year.
The plan shows the devastating impact of the theft on the exchange, and serves as a cautionary tale for other exchanges in the importance of robust security. It remains to be seen whether the deal will be enough to provide the support Zaif’s investors now so desperately need.
The post Embattled crypto exchange Zaif lays out plan for customer financial support appeared first on Coingeek.
Cryptocurrency thefts globally are expected to reach over $1 billion this year, about four times the recorded thefts in 2017, according to a report from CipherTrace, a firm that specializes in ensuring legal compliance for blockchain transactions.
From the first three quarters of 2018, already $927 million worth of cryptocurrencies has been documented as stolen, according to the company.
Included in the listed amounts were high-profile hacks of cryptocurrency exchanges such as $530 million worth of tokens stolen from Japanese exchange Coincheck, and $195 million taken from Italian exchange BitGrail.
“Additionally, CipherTrace is aware of over $60 million in cryptocurrency that was stolen but not reported publicly,” the report read.
The company also pointed out that the figure for the first three quarters of 2018 was already 3.5 times larger than all of the previous year, where $266 million was reported stolen globally.
CipherTrace, which deals with blockchain forensics and enforcement solutions, stressed that stricter regulations in the cryptocurrency trade were in demand all over the world. “Establishing their countries’ reputations as ‘safe’ digital markets helps to attract trustworthy cryptocurrency exchanges and digital asset businesses,” according to the company.
It cited the European Commission’s fifth Anti-Money Laundering Directive last July, and policies and monitoring of the Financial Action Task Force, as part of current regulatory initiatives.
The report also noted how existing anti-money laundering (AML) and know your customer (KYC) regulations for the cryptocurrency trade have been moving the use of cryptocurrencies for criminal activity to less regulated markets. The result is that 97% of BTC payments for criminal activity ended up in unregulated exchanges or in exchanges of countries with weak AML legislation.
According to CipherTrace, 4.7% of total BTC received in countries with weak regulations comes from criminal activity, which it defined as directly coming from sources such as dark market sites, extortion, malware, money laundering sites, ransomware, and terrorist financing.
The data analyzed came from 45 million transactions in the top 20 cryptocurrency exchanges, up to last September 29. Using U.S. Department of State Bureau for International Narcotics and Law Enforcement Affairs data, CipherTrace determined that 79 of 212 “have weak AML regimes” due to lack of government controls to regulate drug dealing and money laundering, to enforce KYC regulations, report large and suspicious transactions, and maintain records over time.
The data showed that 95% of BTC paid from exchanges to criminals, worth $1.5 billion at present prices, was sent from unregulated exchanges.
CipherTrace added that “the unregulated exchange is growing at 300%, with risky transactions and criminal transactions growing fastest.”
Usually, a 51% attack is designed to steal money. It allows the attacker to temporarily gain control of a blockchain and enter double spends on the network as a means to surreptitiously fill the attacker’s own wallet. While that may usually be the motive, an upcoming attack doesn’t want money. Additionally, while announcing a 51% attack in advance is obviously counterproductive when theft is the goal, the perpetrator of the upcoming attack was all too happy to announce the event.
The attack is going to be led by someone going by the name of “piracy1,” according to the announcement. It will be conducted at 4 a.m. Eastern U.S. time on October 13, and is designed to only show how easy it is for someone to perform an attack. It will be performed against the Einsteinium (EMC2) cryptocurrency and will “demonstrate how easy these attacks are for anyone to do.” It will also “generally teach people about the nuts and bolts of these attacks and potential mitigations.”
51% attacks have been a popular subject this year among developers who stress how dangerous the attacks can be. Already there have been a number of attacks, including two against the cryptocurrency Verge and one against BTC Gold—all within a three-month window.
Attacking EMC2 won’t have any dire ramifications for the Einsteinium blockchain, or for cryptocurrency in general. EMC2 is almost worthless, having lost 97% of its value in the past year. However, it makes for the perfect target, as cryptocurrencies with extremely low hashrates are far easier to attack.
In fact, piracy1 is more than likely going to have to dig into his own pockets to perform the attack due to the extremely low value of the cryptocurrency. He even indicated in his announcement that he was “putting in $50” of his own money, and is willing to accept donations from others for the attack.
Most developers and blockchain experts already understand the dangers of a 51% attack, especially among those digital assets outside of the top ten list. However, this is the first time that someone has announced that he will be conducting such an attack, and the whole world is invited to watch. It will be livestreamed on Twitch.
The post Coming soon: 51% attack announced to show blockchain vulnerabilities appeared first on Coingeek.
The parent company of Japanese cryptocurrency exchange Zaif, Tech Bureau, has announced that it is temporarily halting new accounts on the exchange. The decision follows the hack of the exchange last month, which saw it lose around $60 million worth of cryptocurrency. While stressed as only temporary, the new account suspension is certainly one that will set off a few alarms. The suspension only impacts any potential new customers – not those who already have accounts or who have already verified their identification.
Tech Bureau brass said that the company will lift the suspension once it decides on a compensation plan for customers who lost holdings during the hack. The reason is a little puzzling, given that the company had allegedly already secured the funding necessary to repay its customers. That funding was announced at the same time the company announced the theft.
In an announcement by the firm, Tech Bureau said, “After concluding the basic agreement, we are advancing consultation and negotiations for concluding a formal contract, there is no change in the policy to ensure thorough compensation for customer assets, and we are continuing to consider the details of specific response…As soon as the content is confirmed, we will report it promptly.”
The exchange is being investigated by the Japanese Financial Services Agency (FSA), which has already issued it a business improvement order. The FSA also wants to take a closer look at the company’s user protection systems. Zaif has received three business improvement orders since it opened – two in this year alone.
Some of the stolen crypto has already been tracked, but getting it back is going to be virtually impossible. The funds were sent to offshore exchanges, the majority of which maintain wallets that do not have to adhere to any anti-money laundering or Know Your Customer regulations. This will make it difficult to determine who owns the wallets.
Two weeks after the hack occurred, Zaif finally realized what had happened. It immediately halted operations and announced the theft. It also said at the time that it had worked out a deal with Japan-based Fisco Digital Asset Group Co. Ltd. that would see the latter receive a major share in the company in exchange for about $44.5 million, which Zaif said would be used to reimburse its customers, along with funds it held in reserve.
About three weeks ago, the Japanese cryptocurrency exchange Zaif was the target of hacker(s) who made off with around $60 million worth of cryptocurrency. Once the hack was uncovered by the exchange (which, incidentally, took two weeks to discover), the exchange’s parent company, Tech Bureau, suspended trading, apologized to its customers and said that restitution of deposits was forthcoming. Fast-forward to today and – even though it has allegedly already made arrangements to have the funds available – clients are still waiting for their money.
In order to compensate customers for their losses, Tech Bureau announced after the hack that it had made a deal to sell a large chunk of the company to Fisco Digital Asset Group for $44.5 million. That, coupled with its own savings, would give it the money needed to cover investors’ losses. However, it told regulators this week that it needed more time to finalize the repayment plan. It had previously said that it had expected to have the plan in place by the end of last month.
In making its announcement, Tech Bureau added that it is still trying to work out the terms of the Fisco deal. This is surprising since the two were able to quickly come to an understanding following the hack and they’ve now had three weeks to hash out the details.
Japan’s Financial Services Agency (FSA) stepped in to investigate following the hack and subsequently issued Tech Bureau a business improvement order. It was the third received by the company for the Zaif exchange this year and the third since the exchange began operations.
There have been two major hacks of Japanese exchanges this year, the Zaif heist and the Coincheck hack this past January. The scandals have put more pressure on regulators to intervene and crack down on crypto exchange operators to ensure they are protecting their customers adequately. Many are now calling for changes to how the companies manage user funds, with some pushing for the assets to be stored in cold wallets, a type of offline storage facility, instead of in hot wallets that are always connected to the Internet.
According to Kyoto University professor Kaoyuki Iwashita, “Exchange operators should overhaul their security, including hot wallets. We are well past the point of handling massive amounts of funds with the mindset of startups.”
Japan’s self-regulating body for the cryptocurrency industry, the Japan Virtual Currency Exchange Association (JVCEA), apparently agrees with Iwashita. It has introduced a guideline for the involved exchanges that would require them to store no more than 10% of all assets in hot wallets. However, it is only a guideline and cannot be enforced the same way as if it were law.
While Japan’s Financial Services Agency (FSA) has already announced that it is preparing to tighten regulations on the cryptocurrency industry, the self-regulatory crypto body, the Japan Virtual Currency Exchange Association (JVCEA), is introducing some of its own measures, as well. The Japan Times news outlet indicates that the JVCEA will establish a ceiling for the amount of digital currencies allowed to be managed online by any of the country’s crypto exchanges.
Japan Times quotes sources close to the JVCEA who have said that the group is considering putting a cap of between 10% and 20% on the customer deposits that can be managed online. The JVCEA is now revising its rules, which were first drafted this past July, and will subsequently present them to the FSA.
Typically, crypto exchanges store their users’ crypto assets in cold storage wallets, which aren’t connected to the Internet. A certain percentage is kept in a hot wallet, an Internet-connected store that is a tempting target for hackers. The new rules would keep the majority of the assets managed by the exchanges out of hot wallets, and so out of hackers’ reach.
Two Japanese exchanges have been hacked this year, resulting in major losses. The first was in January, when Coincheck was attacked and hackers made off with around $523 million in NEM coins. The assets had allegedly been stored in hot wallets with relatively low security. Following the hack, the FSA was compelled to intervene in the crypto space and began cracking down on operations. It has since issued a number of business improvement orders, a type of administrative slap on the wrist that can carry financial penalties, and has pulled the plug on several companies.
The second high-profile hack occurred more recently. The Zaif exchange was hacked about two weeks ago, resulting in just under $60 million in Bitcoin, Bitcoin BCH and MonaCoin being taken. The hack was an embarrassment for the exchange, as it didn’t realize that the hack had taken place for about two days following the breach. Afterwards, Zaif announced that it would reimburse all of its clients, but only after its parent company, Tech Bureau, agreed to relinquish significant control of the company to Fisco Digital Asset Group.
Almost a week ago, Japan’s Zaif cryptocurrency exchange was the target of a hack that saw it lose $60 million worth of cryptocurrencies. It almost immediately agreed to make restitution to its users, but only after calling on Fisco Digital Asset Group for financial assistance. Now, the Ministry of Finance (MoF), through the Financial Services Agency (FSA), has slapped the exchange’s owner, Tech Bureau, with a business improvement order, a type of admonishment that carries serious penalties.
The MoF announced the order yesterday, explaining that the company will be obligated to find out everything about the hack, as well as to create measures to ensure that another hack won’t be possible. Tech Bureau is also required to try to determine who was behind the attack.
In addition, the company must respond to customers in order to ascertain the individual level of damage that was done, and will also have to provide routine updates to the MoF on progress made in the hack investigation.
Tech Bureau has now received two business improvement orders in the past three months. The previous order, which was similar to one sent to five other exchanges, demanded better security on the platforms.
The hack saw the exchange lose Bitcoin BCH, Bitcoin Core (BTC) and Monacoin from its hot wallets. While many exchanges have switched to the more secure cold wallet, Zaif had not caught up with the larger exchanges.
Fisco agreed to provide the financial help, but it came with a price. The company will become Tech Bureau’s majority shareholder in exchange for $45 million.
The Zaif hack was the second major hack of a crypto exchange in the country this year. This past January, Coincheck lost $530 million to hackers, reportedly the largest crypto hack in history.
According to the Japanese National Police, crypto theft tripled in the first half of this year. However, enthusiasm has not diminished. There is still a growing number of adopters entering the space, and the FSA has indicated that it anticipates over 160 applications from companies looking to start their own cryptocurrency exchanges. They’ll be up against some stiff competition, however, as large companies such as Line, Rakuten and Yahoo are already embedded in the market.
The post Business Improvement Order given to Japan’s Zaif exchange over hack appeared first on Coingeek.
The number of cryptocurrency theft cases in Japan has tripled in the first half of 2018, according to figures released by the country’s National Police Agency (NPA).
The reports come shortly after Japanese crypto exchange Zaif confirmed it has been hacked, with around $60 million stolen in the process, as the latest example of the surge in security breaches to impact the Japanese crypto space.
According to The Asahi Shimbun report, which quoted the NPA figures, the amount stolen this year was substantially larger than the equivalent figure recorded in 2017, with JPY60 billion stolen so far across 158 separate thefts. By contrast, the whole of 2017 saw just JPY600 million lost to thefts over 149 cases, reflecting the rapid growth in the volume of criminal activity over the last few months.
In cases where cryptocurrency has been stolen from individual accounts, some 60% of cases involved users with logins similar to those used on other sites. The cryptocurrency most frequently targeted by thieves was XRP, with over JPY1.5 billion stolen across 42 separate incidents.
This was closely followed by BTC, which saw JPY860 million worth of thefts in 94 separate instances. Increasingly the cryptocurrency of choice for scammers, fraudsters and criminals, it is perhaps unsurprising that BTC was represented so prominently in the figures.
After the high-profile Coincheck hack back in January, the Japanese Financial Services Agency (FSA) stepped up its efforts to regulate cryptocurrency exchanges in the country. Some analysts have now suggested, in light of the Zaif attack, that measures could be intensified still further, with the FSA currently reviewing its regulatory approach to tackle this upsurge in criminality.
This is brought into even sharper relief in the present case, with Zaif’s parent company having already been served with business improvement orders by the FSA in the past. The regulator is likely to take a dim view of the organisation’s approach to security following the recent theft.
As with the Coincheck theft, Zaif is reported to have held the affected cryptocurrency in hot wallets, with around two-thirds of the total belonging to clients, rather than the exchange itself. This has already resulted in criticism for Zaif and its parent company. The firm has confirmed Zaif is to be acquired by Fisco Ltd., for an amount in the region of JPY5 billion.
With the spike in crypto thefts in the last six months, it’s now over to regulators in Japan to raise security standards throughout the crypto sector.
The post Crypto theft cases in Japan ‘tripled’ in 2018 so far appeared first on Coingeek.
Zaif, a cryptocurrency exchange based in Japan, has fallen victim to a hack, resulting in the loss of JPY6.7 billion ($60 million) worth of cryptocurrencies.
The exchange, which is owned and operated by Tech Bureau, started investigating after it noticed unusual withdrawal and deposit transactions on the platform last Sept. 14. Three days later, while trying to fix the problem, Zaif discovered that unknown persons had hacked the platform and stolen 5,966 BTC, along with an unknown amount of Bitcoin Cash and MonaCoin, from its hot wallets.
Currently, Zaif has shut down its platform in order to fix the breach. It has also hired a team of engineers to work on the issue and hopes to resume operations soon. However, it is not clear when the platform will reopen for transactions. The exchange has reported the matter to the Financial Services Agency (FSA) in Japan. Zaif has also filed a criminal complaint with the local authorities.
The exchange has issued an official announcement apologizing to its customers for the inconvenience as they work to solve the issue. According to Zaif, the company doesn’t have enough reserves to refund customers for the stolen cryptocurrencies.
“Our company’s unique assets are approximately 2.2 billion yen, and the virtual currency equivalent to customer’s assets is about 4.5 billion yen,” according to the roughly translated Zaif statement. “After discovering this case, we are striving to secure financial resources not to damage the customers’ assets.”
Currently, Zaif said it has asked Fisco Digital Asset Group Co. Ltd. for financial assistance. The JASDAQ-listed company has agreed to invest JPY5 billion ($44.5 million) in exchange for a major share of ownership in the crypto exchange.
Early this year, the FSA had issued a warning to Zaif along with six other cryptocurrency exchanges in Japan, asking them to beef up security on their platforms. Since the hack on Coincheck, the FSA has been keen on making sure all cryptocurrency exchanges in the country have implemented stringent security measures on their platforms.