2020 Year in Review: Major Security Incidents in the Blockchain/Cryptocurrency Industry
Ethereum enthusiasts
Guest columnist
2021-02-18 01:30
Let's do better.

Editor's Note: This article comes from Ethereum enthusiasts (ID: ethfans), Author: Harry, Translator & Proofreader: Zeng Mi & A Jian, reproduced by Odaily with authorization.

To get an idea of our writing process, check out our previously written 2019 Year in Review (Chinese translation). If 2019 can be summed up as a wild ride, then 2020 is completely unconventional.

Over the course of the year, we've published many articles talking about white hats recovering assets from phishers, massive campaigns driving the proliferation of malicious browser plugins, top 10 actions to prevent crypto asset loss, and Risky Business: DeFi (Chinese translation). Each of our published articles mentions various threat elements that users should be aware of when using cryptocurrencies, complete with real-life examples. The information shared in these articles doesn’t just apply to MyCrypto and Ethereum users — the lessons can be applied across the industry, no matter which chain, exchange, or wallet you prefer.

Let's take a deeper look at these incidents to see what happened and what lessons we as an industry can learn from them.

The following list covers the major security incidents that occurred in 2020. However, we will not list every incident one by one, because the number is too large...

The first quarter of 2020 started off with some good news and some bad news (barring the global pandemic and subsequent lockdowns). We caught some bad guys and looked at ways to attack hardware wallets, but hacks and money losses also increased.

Story: Cryptocurrency Exchange Poloniex Issues Password Reset Warning

Summary: Poloniex published a PSA in an email in late December 2019 announcing that some users had to reset their passwords after a list of email addresses and passwords leaked on Twitter.

Story: YouTube account hijacked for cryptocurrency scam

Bottom line: While this isn't exactly a new scam, this modus operandi is becoming increasingly popular. Scammers take pre-recorded video clips of cryptocurrency conferences involving celebrities, then hijack YouTube accounts to broadcast fake cryptocurrency giveaway videos.

Story: Upbit upgrades ETH wallet security after $50M attack

Summary: A South Korean exchange publicly stated that their hot wallet was stolen in November 2019 and lost 342,000 ETH (worth approximately $50 million).

Story: Teenager defrauded blockchain experts of over $50 million by swapping SIM cards

Summary: SIM-Swapping is a cancer in the industry. Many people think it's safer to use SMS for 2FA authentication on their accounts. One teenager took advantage of this and made more than $50 million from multiple victims. The 18-year-old has been arrested and faces multiple criminal charges.

Story: Kraken finds critical flaw in Trezor hardware wallet

Story: Cryptocurrency IOTA Shuts Entire Network After Official Wallet Software Hacked (Chinese translation)

Summary: IOTA shut down their network for quite some time after hackers exploited a vulnerability in the official IOTA wallet (Trinity) to steal user funds.

Story: Risky Business: DeFi, Ethereum will continue to grow (Chinese translation)

Summary: MyCrypto founder Taylor Monahan puts together her ETHDenver 2020 presentation on DeFi and its risks. Taylor discusses potential pitfalls and previous attacks, what we have and haven't learned from past mistakes, and how we can improve in this area.

Story: Does the bZx flash loan attack mean the end of DeFi?

Summary: A popular DeFi protocol suffered two flash loan attacks in a short period of time. 1,193 ETH was lost in the first attack, and another 2,378 ETH was lost by the end of the second attack.

Story: Scammers Continue to Scam Bitcoin in UK Using Covid-19 Chaos

https://twitter.com/dsearch3r/status/1228657292792549383

Summary: With the news of the global pandemic caused by the coronavirus (COVID-19), some criminals are profiting from the fear by soliciting Bitcoin donations while posing as a CDC research organization.

bZx is under attack again

Although it was a repeat of the same trick, hackers used flash loans to launch a second attack on the bZx protocol within a few days.

In Q2, we saw more smart contract vulnerabilities being exploited, and attention was drawn to the large-scale proliferation of malicious browser extensions that impersonated well-known brands in the industry to gain access to users' keys.

Story: Hackers exploit bug in decentralized bitcoin exchange Bisq to steal $250,000

Bottom line: Bisq took an "unprecedented" step and halted trading after discovering that attackers were using software to steal user funds. According to reports, the attacker stole 3 BTC and 4,000 XMR.

Story: Fake browser extensions found targeting users of Ledger, Trezor, MEW, Metamask and more

Bottom line: MyCrypto and PhishFort have published research on how malicious browser extensions that mimic well-known brands via Google Ads prey on cryptocurrency users.

Story: Etherscan launches 'ETH Protect' to identify and flag tainted ETH addresses

Bottom Line: Etherscan, one of the most used blockchain explorers, launched a product that provides users with more information about an address (taint analysis) and quickly shows whether funds were received from a known bad address.

Story: dForce loses $25 million due to DeFi smart contract bug

Summary: The lending protocol dForce is said to be a fork that modified the Compound code and was attacked similarly to the Uniswap liquidity pool. The attack exploits a standard used by the imBTC contract (Translator's Note: Refers to ERC-777).

Story: 'Evil Genius' Accused of Stealing Cryptocurrencies Worth Millions

Summary: Information has been released about a high-profile SIM swapping complaint filed by Michael Terpin. One of the main criminals was only 15 years old at the time of the attack. He allegedly stole more than $23 million by swapping multiple people's SIM cards.

Story: Supercomputers across Europe Hacked for Cryptocurrency Mining

Summary: Multiple supercomputers in the UK, Germany, and Switzerland were infected with cryptocurrency mining malware through cracked SSH logins and used to mine Monero, a privacy-focused cryptocurrency.

dForce / Lendf

The Lendf hack is interesting because the same ERC-777 behaviour used to carry out the reentrancy attack had been exploited against Uniswap's imBTC liquidity pool just a few days earlier. Yet dForce did not audit their system, even though they also supported imBTC. A long tweet from defiprime sums it up nicely, including evidence that the code was forked from Compound Finance, another thorny issue even in the open source world.

Story: Intercept and defend $5,000 worth of cryptocurrency from a phishing incident

Summary: When we (MyCrypto) scanned for phishing tools, we found an open door into active operations, and we monitored them to prevent users' private keys from being compromised. On rare occasions, we have successfully intercepted cryptocurrency assets stolen from victims. We cleaned up these assets before the criminals could and returned them to their verified owners.

Story: Twitter attack postmortem

Summary: On July 15, 2020, a massive account takeover campaign took place on the Twitter platform, including a pyramid scheme "credit transaction"/prepaid bitcoin scam using verified political accounts. Overall, "only" $150,000 was stolen, which is a bit insignificant compared to the widespread exposure the criminals have gained from the accounts they took over.

Story: Partnering with Binance to Return $10,000 in Stolen Cryptocurrency to Victims

Summary: We (MyCrypto) researched more phishing campaigns and discovered another exposed port on a server used by the criminals. Once again, we inserted ourselves between their phishing fronts and the criminals' communication channels to keep those phished assets from falling into the wrong pockets.

Story: Do these 10 things well and say goodbye to losing coins

Bottom line: MyCrypto has published a short, ten-step best-practice guide with clear instructions on how to protect your cryptocurrency holdings and linked accounts. We've drawn on our extensive knowledge of cryptocurrency theft to compile an actionable checklist.

Story: Hackers Steal $16 Million in Bitcoin Using Bitcoin Wallet Vulnerabilities

Summary: A user failed to install a critical security update for his Electrum wallet, then fell victim to an (old) attack method that resulted in the theft of 1,400 BTC. This user was tricked into connecting to a malicious Electrum server that allowed rich text to be displayed in its error popups. The returned error prompts the user to update their Electrum software, but instead links to a download address for the malware.

Story: Escape from the Dark Forest

Summary: Samczsun (and co) managed to save $9.6 million from a buggy contract in a white hat campaign. The story is interesting because Samczsun explains how they beat the front-running bots: they privately sent signed transactions directly to miners instead of broadcasting them to the transaction pool.

Story: $280 million stolen from KuCoin exchange

Summary: KuCoin, a popular Asian exchange, has had its hot wallet compromised and has been alerted to large amounts of Bitcoin and Ethereum being withdrawn. KuCoin is investigating with international law enforcement and has pledged to use their insurance fund to cover the full loss of customer funds.

Ledger data breach

Ledger is one of the leading hardware wallets in the industry and has accumulated a lot of customers in this field. In July 2020, they issued a statement saying that data from their e-commerce platform and marketing platform had been compromised. On July 14, 2020, they were alerted to a potential data leak from their bounty program. After an internal investigation, Ledger discovered that the data breach occurred on June 25, 2020, and some of its customers were affected. In May 2020, Twitter user UnderTheBreach tweeted about a potential data leak.

KuCoin

A security breach at KuCoin resulted in the theft of its private keys. Assets worth a total of $281,000,000 were stolen. It is worth noting that several projects assisted in the recovery of funds during this attack, including Ocean Protocol, which forked their own contracts and removed the tokens stolen by the attackers.

Story: Cryptocurrency Exchange Liquid Confirmed Hacked

SUMMARY: Liquid confirms that its domain and email accounts have been compromised. The exchange believes that hackers may have obtained user personal information including email addresses, names, delivery addresses and encrypted passwords.

Story: Hackers Use GoDaddy Employees to Attack Cryptocurrency Sites: Liquid and NiceHash

Summary: A public report states that there is solid evidence that NiceHash and Liquid were compromised via their service provider GoDaddy.

Story: Tugou Smart Contract Stolen $10.8 Million

Summary: There is a hidden backdoor in the smart contract of a liquidity mining protocol (a replica of Harvest and YearnFinance), allowing developers to directly withdraw wBTC, ETH, and DAI in the contract.

Bottom Line: Ledger claims a recent customer data breach originated from a rogue agency called Shopify. Ledger's new chief information security officer, Matt Johnson, established new procedures and policies to prevent future data leaks, and announced a reward of 10 BTC for any information that can help him catch the hackers.

Story: Cryptocurrency Exchange EXMO Claims 5% of Total Assets Stolen

SUMMARY: EXMO has detected suspicious behavior in its hot wallets and suspended withdrawals pending investigation. The result was that their cold wallets were unaffected, but 5% of their hot wallets were stolen.


If you compare this with our observations from 2019, you will see that there is still a lot of room for improvement in this industry. Of course there is no such thing as 100% security, but history rhymes with that statement.

Even if you store your assets on a "legitimate" exchange, you are still at risk.


Decentralization and security are not equal

While decentralized products (wallets, DEXs, etc.) may be attacked differently, and losses are far less of a concern than attacks on large exchanges, attackers still have a variety of tricks to defraud you of your digital assets. Phishing campaigns, especially those that encourage users to enter their private keys on websites, are on the rise. With the rise of decentralized exchanges (DEXs), it has become increasingly common for users to “log in” and have their assets swept away.
