With Bitcoin and other cryptocurrencies on the rise for a while now, it comes as no surprise that hackers and cyber-criminals are shifting their attention to exchange platforms. A relatively unknown South Korean exchange platform, Yapizon, was reportedly the target of such an attack in late April 2017.
The news broke when Yapizon released a statement in Korean on its website (translation of the statement is available here), which confirmed that four separate hot wallets, that is, intermediary coin purses aimed at directing funds towards covering high-priority, instant transactions, were targeted on Saturday, April 22, 2017, between 02:00 and 03:00. The total damage reported by the exchange was 3816.2028 BTC – more than 5.5 million US dollars – which translates to 44.277% of total coin assets and 36.594% of total assets. Users’ personal data and other valuable information were reportedly not targeted by the attack and remain safe with the platform.
Local media reports that investors will suffer losses in the absence of state regulation of Bitcoin and that the South Korean Financial Services Commission has launched a specialized task force and intends to introduce regulatory guidelines for digital currency exchanges and money laundering prevention later this year. According to the same source, industry stakeholders are concerned that similar attacks undermine Bitcoin’s public credibility and discourage newcomers from investing.
Meanwhile, users on digital currency forums point out the likelihood of the attack being an inside job, focusing especially on the fact that four separate wallets were targeted at once. Such concerns illustrate the issues posed by big data security: as organizations handle growing volumes of data, it becomes more challenging for them to discern between legitimate access to valuable data and true insider threat incidents. However, there are tools to address this difficulty. One example is a security-oriented approach that uses data classification tools to proactively discover, identify and classify sensitive data, especially in light of the fact that data owners cannot be relied upon to consistently classify such data using a manual process. Monitoring all users (not just privileged ones) who access databases and network files, and clearly defining and enforcing relevant organizational policies, can also work wonders towards protection.
Much to the dismay of its customers, Yapizon has decided to distribute damage across its client base, including initially unaffected clients. Users with Yapizon wallets will suffer a 37 percent deduction in their holdings (a form of “internal loan”, so to speak) and will instead be given “Fei” IOU tokens. These tokens indicate the cryptocurrency amount owed by the exchange platform to its users, which the exchange will pay back over a period of time by buying the Fei tokens back with future revenues.
There is precedent for this: last August, Bitfinex, the world’s largest Bitcoin trading platform, suffered a similar attack resulting in the loss of 119,756 Bitcoin (around 36% of its assets). Bitfinex responded by issuing IOUs that were repaid gradually over the course of several months, ending last April. In light of Yapizon’s similar approach, bitcoiners groan that this pattern sets a dangerous example for investors.