Podcast Aug 20, 2021

Root Causes 178: Stealing Cryptocurrency

In this episode our hosts go through the various ways in which cryptocurrency can be stolen or lost, including private key compromise, security failures at cryptocurrency brokers, and theft of login credentials. Our hosts also discuss how manipulation of the public ledger could also lead to unfair distribution of cryptocurrency value.

  • Original Broadcast Date: August 20, 2021

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Alright. So, this - - we have been exploring many aspects of the world of blockchain and cryptocurrencies lately and this is another of those episodes and what we are going to talk about today is stealing cryptocurrency.

  • Jason Soroko

    Yeah. And, this has been in the news ever since cryptocurrencies have been talked about and, you know, there’s a lot here, Tim, and I wanted to cover it at a high level for those of you interested in the subject whether you have a cryptocurrency that you are holding, or several, or if you are, you know, just interested in the topic because of technically how it could happen because I know that when you and I, Tim, have talked about this subject in the past, you’ve parroted back to me a lot of what you very honestly heard about cryptocurrencies which is they are immutable, they are private and, you know, it can’t be - -

  • Tim Callan

    Fully secure, cryptographically assured. Yes.

  • Jason Soroko

    Yeah. And these are all things that at one point or another I’ve had to talk to you about it and say, hey, Tim, by the way, you know, you’d hear right.

  • Tim Callan

    Not so much...

  • Jason Soroko

    Your ears didn’t lie to you but the facts are a little different than maybe what you heard. And so, I thought this is an interesting topic because it gets into PKI topics or topics around authentication and security that are really surrounding this podcast typically.

  • Tim Callan

    Great. Ok. So, cryptocurrency cannot be stolen.

  • Jason Soroko

    Yeah, it can.

  • Tim Callan

    How?

  • Jason Soroko

    Let’s talk about probably the most common way to hold a cryptocurrency.

  • Tim Callan

    Ok.

  • Jason Soroko

    And that is you don’t really hold it yourself.

  • Tim Callan

    Right.

  • Jason Soroko

    You are holding it through a broker.

  • Tim Callan

    Yeah. It’s like my stock portfolio.

  • Jason Soroko

    It’s almost identical to that at the high-level concept. Your broker is holding the stock. You’re not the stock holder. However, it is in your name and legally it’s your asset.

  • Tim Callan

    Right. And I can do things with it through the broker. I can sell it and short it and things like that. I don’t know if you can short a cryptocurrency but you certainly can sell it. Yeah.

  • Jason Soroko

    Yeah. Exactly. And, God, that’s a whole other kettle of fish.

    So, let’s get into this. So, because there are other examples that don’t use a broker but I’d like to use this example first because that’s how probably 99% of the population will interact with a cryptocurrency.

  • Tim Callan

    Sure.

  • Jason Soroko

    And think about this for a moment. When you are saying to the broker, hey, I’m me. First of all, you have to identify yourself to the broker. So, they go through a very similar process that a broker or a bank would. They’d go through the whole know your customer profiling. They get your name and address and other information about yourself. And then, the second thing they have to do is create a crypto wallet.

  • Tim Callan

    Ok.

  • Jason Soroko

    And I don’t know how much about this we’ve talked about in the past, Tim, but I really want to go through what happens when a crypto wallet is created because that’s really the heart of how things are secured.

  • Tim Callan

    Ok. Walk us through it.

  • Jason Soroko

    So, when a crypto wallet is created, something interesting happens that is probably near and dear to our hearts, Tim, that you’ll understand really well. A key pair is created.

  • Tim Callan

    Oh, good. I like key pairs.

  • Jason Soroko

    A key pair is created and, in fact, the address of the wallet is a hash of the public key.

  • Tim Callan

    Ok. Gotcha.

  • Jason Soroko

    And then, therefore, access to the actual asset - -

  • Tim Callan

    Is restricted to holders of the private key?

  • Jason Soroko

    You got it.

  • Tim Callan

    Right.

  • Jason Soroko

    You’ve got it.

  • Tim Callan

    And so, if I can jump ahead, Jay.

  • Jason Soroko

    Yeah.

  • Tim Callan

    Tell me if I’m going in the right direction. One vulnerability of that, of course, is if my private key is stolen then it is the key to my cryptocurrency wallet?

  • Jason Soroko

    You’ve got it 100%, Tim.

  • Tim Callan

    Ok. Alright. Sorry. Go ahead.

  • Jason Soroko

    So, therefore, you have to protect that key as well as you possibly can. And, so, therefore, most people just don’t have the chops to do it and therefore, the broker is using security mechanisms to store those private keys on your behalf.

  • Tim Callan

    Now, we are relying on the fact that our broker is doing things correctly in this scenario.

  • Jason Soroko

    And some brokers have not.

  • Tim Callan

    Ok. Yeah.

  • Jason Soroko

    In fact, because of the fact that the brokers hold the private key, there has been temptation, sufficient temptation, by some very shady brokerages back in the early days where they simply took everybody’s Bitcoin.

  • Tim Callan

    Yeah. There you go. I wasn’t even thinking of that. I was thinking of an incompetent broker or a broker that is outclassed where the size of the honey pot is big enough that the attacker can put in enough, invest enough, that they can actually beat the broker. Right? That’s the scenario that I was thinking about.

  • Jason Soroko

    And that has happened as well.

  • Tim Callan

    Yeah. Ok.

  • Jason Soroko

    So, yes. Both of those cases that you mentioned, that I have mentioned, that has happened. So, therefore, every single way that a private key can be stolen, it probably has been stolen at some point in the past. And that’s the point, is you’ve really gotta be careful with that private key. The beauty, again, of PKI type concepts is that public key or the hash of the public key, you can flash that around to anybody. Right?

  • Tim Callan

    Yeah. Right.

  • Jason Soroko

    I mean really one of the main reasons why people don’t flash it around to just everybody is because that kind of gets – it removes your anonymity because you yourself are tying your own identity to a specific crypto wallet and therefore, any transaction you do on the public blockchain of whatever cryptocurrency you are working with, your identity is typically only known to the broker unless you’ve splashed around that information to other people. Is that clear? That’s kind of a - - so, in other words, you know, that’s not necessarily a stealing cryptocurrency but it’s a matter of the privacy issue of cryptocurrency.

  • Tim Callan

    Yeah. Right. Ok.

  • Jason Soroko

    So, in other words, I think we talked not long ago about a ransomware attack on Colonial Pipeline.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And, obviously, in order to get paid Bitcoin, which is what they were asking for in the ransom, they had to disclose to the victim, hey, here’s essentially the hash of the public key that - essentially the wallet – that we want you to send the Bitcoin to. Right?

  • Tim Callan

    Right.

  • Jason Soroko

    And so, therefore, you know, as a nefarious person who is ransoming someone, you have to let out that public key; otherwise, nobody would know where to send the money to. On the other hand, and for the rest of the world, if you don’t want your crypto transactions to be noted against your own personal identity, then typically, you just don’t flash that hash of that public key around.

  • Tim Callan

    Right. Right. Ok.

    So, now - - so, of course, there is another issue then with the broker which is it’s not just brokers being defeated or brokers being crooked but it gets back to all of the things that we talk about all the time. Like if somebody can manage to steal my login credentials then they could use it to log into my brokerage account and take my crypto coins.

  • Jason Soroko

    Good old-fashioned user name and password is typically the authentication method to unlock the private key essentially.

  • Tim Callan

    Right. Yep. Exactly.

  • Jason Soroko

    And so, just like you, you can’t give out your user name and password in any scenario that you want to stay secure. It’s identically the same. And really good brokerages might throw MFA on top of that. My own brokerage for this does that. But, on the other hand, some don’t and even then, you certainly don’t want to be in a situation where that user name and password you are making more vulnerable than it already is. And that is a weakness because anybody who can then log into that account can then start dictating what happens to your transactions and if you have let’s say a Bitcoin balance that’s greater than zero, they can perhaps then send that Bitcoin to their own address and essentially steal it from you.

  • Tim Callan

    Sure. Exactly. Yep.

    Alright. So, those are two ways that your cryptocurrency can be stolen. Are there others?

  • Jason Soroko

    I would say, Tim, the only other high-level way is something we talked about before and that’s a much, much more difficult way but it has been done.

  • Tim Callan

    Which is?

  • Jason Soroko

    Which is to mess with the ledger. In other words, to put an illegitimate record into the ledger which is, how do you do that? Well, we’ve talked about that in previous podcasts. That’s done through the consensus algorithm.

  • Tim Callan

    Right. So, that’s really hard and I think you and I talked about why that’s hard but scenarios where that could occur.

  • Jason Soroko

    Tim, I think with Bitcoin it happened in the past but I think it’s incredibly hard now to do that. I mean you would have to be a nation state to pull it off probably.

  • Tim Callan

    Right.

  • Jason Soroko

    Hey, if somebody disagrees, get ahold of us. I’d love to know.

  • Tim Callan

    Sure.

  • Jason Soroko

    But I think something as large as Ethereum, like right now the market capitalization of all Ethereum is about the size of – would be somewhere between Citibank and Bank of America.

  • Tim Callan

    Ok. Yeah.

  • Jason Soroko

    So, that’s a very large amount where, you know, even though it’s still currently - like classic Ethereum is still a proof of work and so, therefore, it’s, you know, potentially somebody can get 51% of the proof of work. Once it moved to proof of stake, again, it’s just a very expensive endeavor. I would say that the reason I bring it up, Tim, is because there are new cryptocurrencies almost on a daily basis.

  • Tim Callan

    Right. And some of these might have a much smaller pool and cornering it might be much more practical.

  • Jason Soroko

    That’s right, Tim. And that’s why I think cryptocurrencies can be so seductive. In many ways, a lot of people have made some good money off of them – at least on paper – and I would say for those of you who are just curious and don’t get into the weeds of it, I think it is good to understand the consensus algorithm and what kind of risk that you might be at for a consensus algorithm attack which could render your cryptocurrency in somebody else’s hands due to an illegitimate transaction.

  • Tim Callan

    Sure. Ok. Got it. Yeah.

  • Jason Soroko

    So, that’s it in a nutshell, Tim. I just wanted to categorize the attacks and bring that to people’s attention but keep in mind, right, the one example I haven’t talked about typical with cryptocurrencies is for those of you who are handling the private keys yourself and not going through a broker, best practices typically have been to put that private key onto basically a small HSM form factor, a USB stick as some people have done. But keep in mind, if you lose that, you’ve lost everything.

  • Tim Callan

    Yeah. That’s right. Because that’s the key to the door and inside the door is the money and you can’t get another key.

  • Jason Soroko

    Right. And so, I think the most common scenario there is people simply lose it or might lose the password that might be protecting that private key with another layer. I also think that another common scenario is somebody might know, hey, I know what’s on that key and all I gotta do is physically get ahold of it. Perhaps it’s a laptop. Perhaps it’s a USB stick and people I think have physically gone after those things knowing that the private key material is on that and so, therefore, that could possibly be a target. Just like cash. Right?

  • Tim Callan

    Right. Right.

  • Jason Soroko

    And I think that’s it. I think those are the categories, Tim, that involve the stealing and losing of cryptocurrencies.

  • Tim Callan

    Stealing and losing cryptocurrency. I think that was a great overview, Jay. Thank you very much.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    And this has been Root Causes.