Recovering Lost or Stolen Crypto (part 1)

We hear all the time about how secure crypto is and that it is both anonymous & untraceable. In this article we will examine the risks of holding crypto and the chances of recovering it if lost or stolen.

In part 1 of this article we look at the key question:

  • How secure are your valuable Bitcoin and AltCoins?

Below we will attempt to answer this question across a number of scenarios.

How is crypto lost or stolen?

In this section we cover the various risks of your crypto potentially being compromised, put at risk, lost or stolen.

Digital Wallet passwords & PINs

Forgetting a password or PIN (Personal Identification Number) is never a good thing but in most circumstances they can be recovered or reset in the context of a digital wallet. This might be by receiving an email and clicking on the link, answering a secret question, receiving an SMS text message and entering the code, entering a previously used password, and a plethora of other methods.

Over time passwords and PINs are gradually being replaced by facial or thumbprint recognition for ease of use and increased security so forgetting traditional passwords/PINs will hopefully become a thing of the past.

Having a password or PIN to a digital wallet stolen varies in risk depending on the type of wallet and other factors such as whether or not a second level of security has been put in place e.g. 2FA (Two-Factor Authentication).

Wallets come in various guises and have varying risk levels of crypto being stolen in the event of losing a password or PIN:

1) Browser wallet

A browser wallet is usually an extension or add-on to a web browser. An example of one is MetaMask which is geared towards the Ethereum blockchain. Its primary purpose is for connecting to dApps (Decentralized Applications) e.g. for buying/selling AltCoins.

The most common ways for crypto to be stolen from this type of wallet are a phishing attack or brute force hacking of the password.

A phishing attack usually occurs by coercing a user to click on a link in an email or on a web page that sends the browser to a fake site. A fake site might be one that imitates a DEX and lures the user into sending crypto from their browser wallet to a hacker’s blockchain address.

Brute force attacks involve scripts being run to try multiple passwords, usually from large lists, against a browser wallet login. Once the security has been breached then the crypto can be transferred out of the wallet to an address owned by the hacker.

2) CEX wallet

A CEX (Central Exchange) wallet is where you have a login to a site such as Binance or Coinbase and within your account is a wallet to hold your crypto. In general centralized exchanges like these are seen as insecure because if a hacker obtains your login credentials then they can transfer out your crypto.

Whilst this is theoretically the case, a number of these sites do have additional security mechanisms that can be switched on to secure your account further such as:

  • 2FA – using apps such as Google Authenticator or codes via text messages.
  • Address transfers – specifying certain external crypto addresses that transfers are limited to.
  • IP access – limiting access to your account to certain IP Addresses e.g. your home or office. The main disadvantage of this is the inability to access your account from your mobile device whilst traveling.

Access to a CEX can be via a web browser or smartphone app. With the latter there are often additional safeguards such as facial or fingerprint recognition to both get access to your phone as well as CEX crypto apps.

3) Mobile or computer app wallet

There are a number of options available for wallet apps and these come in a variety of types:

  • Exchange wallets – these apps are produced by or on-behalf of a CEX e.g. Coinbase Wallet. They can often be used independent of the CEX that funded the development but are often pre-setup to easily interact with the said exchange.
  • Independent wallets – these are developed by software companies and aimed at working with as many CEX’s, DEX’s (Decentralized Exchanges) & dApps as possible e.g. Electrum Crypto Wallet.
  • Hardware compatible wallets – these apps are developed either by the hardware wallet manufacturer or by a 3rd party to be compatible with one or more hardware wallets e.g. Ledger Live.

All of these mobile & computer crypto wallets have one thing in common – in the main a hacker needs to have access to the physical device in order to then attempt access using a stolen password or PIN. With this in mind the security of the device itself needs to be robust e.g. a strong password, facial or fingerprint recognition.

The exception to this is in the event of being infected by some form of virus or malware which could allow remote access or key logging to capture login credentials. Apple’s iOS operating system for mobile devices is less prone to viruses due to being a closed system whilst Android is much more susceptible due to being far more open.

As far as computers go, Windows machines are much more vulnerable compared to macOS or Linux. As a general rule, where available, Anti-Virus software should be used and kept up-to-date to try to prevent these forms of attacks that could potentially lead to an intruder gaining access to your wallet and stealing your crypto.

4) Hardware wallet

With a hardware wallet such as a Ledger or Trezor, the risk of a password or PIN being stolen and leading to a loss in crypto is low. This is because an attacker needs not only access to an associated app on your mobile device or computer but also the physical wallet itself, connected to your device via a USB cable or Bluetooth.

Digital Wallet seeds

A ‘seed phrase’ for a digital wallet is a sequence of 24 random words that are chosen during setup. These can be for a software or hardware wallet. They are used to restore or recover an existing wallet to a new wallet, either when a hardware wallet has been corrupted or broken or, for any type of wallet, when the password has been lost or forgotten.

It is advisable never to store a full seed phrase in one place electronically in case the device it is being stored on is hacked or compromised. If a hacker obtains this information they can restore the wallet to a new wallet of their choosing and then access the crypto within it, which can then be transferred out to other addresses.

The best way to store a seed phrase is to write it down on paper and keep it in either a fireproof/waterproof safe or a safe deposit box and separate from the hardware wallet if applicable. An additional step is to split the list in two and store each half in a different physical location.

Exchange hacks

Earlier in this article we covered potential vulnerabilities of Digital Wallet Passwords & PINs for CEX Wallets. In addition to this there are other potential risks associated with any Exchange and these are primarily related to hacking attempts on the web site itself.

Whilst cryptocurrencies themselves are secure, due to their use of encryption and verification of transactions by multiple validators, the security of web sites relies heavily on the hardware and software protections put in place such as:

  • Anti-virus software
  • Application security (code, database & web server levels)
  • Deception technologies
  • Firewalls (hardware and/or software)
  • Operating System security

The general problem is that if an Exchange gets hacked then there is a major risk that the perpetrator can siphon crypto assets out of multiple wallets, raid Pools where crypto is being Farmed or Staked, or mint new tokens via compromised Smart Contracts and so crash an AltCoin’s price, among many other examples.

In order to try to address some of these risks, beyond implementing quality security at a software and hardware level, some Exchanges do one or more of the following:

  • Insurance – a percentage of interest payments go into an insurance fund that is there to compensate customers in the event of an Exchange hack resulting in loss of crypto e.g. Swissborg.
  • Pool splitting – split staking amounts across multiple Pools so that if one gets hacked then the majority of the assets remain unaffected.
  • Vaults – place a majority percentage of crypto assets in offline Vaults that have a delay period for bringing the assets into an online wallet e.g. Coinbase.

Fake tokens, fake websites & scams

Whilst most of the ways of losing crypto in this article involve stolen passwords or web sites such as exchanges being hacked, there are a number of other ways which involve various forms of deception.

1) Fake tokens

When using a DEX such as Uniswap or PancakeSwap for buying/selling AltCoins, it is important to remain vigilant. Scammers are able to create fake tokens as a way of defrauding you of your crypto. Fortunately there are verification sites that can be used to check that the crypto address associated with the token you wish to purchase is in fact legitimate e.g. Etherscan.

An example of a valid verified token will look like the following:

However an invalid token or address that has been identified as being, or having been, used for scams will have a warning like this:

Many sites have clickable crypto addresses which will take you to a verification site such as Etherscan but you can also copy & paste the address to then search for it.

2) Fake Websites

These usually involve scammers creating websites that mimic legitimate ones (e.g. a DEX), to which you connect your wallet and then send crypto in order to purchase a different AltCoin. This is usually done by using a domain name that is very close to that of an authentic site.

These fake websites are then registered with the search engines such as Google and will come up in the results of crypto searches or be linked to inadvertently by articles and other sites.

To avoid falling victim to these types of sites it is always advisable to type the URL into a web browser rather than search for it. Another way is to click the official website link on a trusted site such as coinmarketcap.com or coingecko.com.
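The same idea can be automated as a check against a personal allowlist before a wallet is connected. The sketch below is an added example, not part of the original article: the allowlist holds only the two sites named above, the helper names are hypothetical, and the lookalike hostnames used to exercise it are constructed.

```python
# Allowlist taken from the two sites named above; add the exchanges you actually use.
TRUSTED = ["coinmarketcap.com", "coingecko.com"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(host: str) -> str:
    """Lower-case the hostname and drop a trailing dot and leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def check_host(host: str, max_distance: int = 2) -> str:
    h = normalise(host)
    # Exact match or a genuine subdomain of an allowlisted site.
    if any(h == good or h.endswith("." + good) for good in TRUSTED):
        return "trusted"
    # Homoglyph domains show up as non-ASCII text or as punycode ("xn--") labels.
    if not h.isascii() or any(label.startswith("xn--") for label in h.split(".")):
        return "suspicious: non-ASCII or punycode label"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # A few characters away from a trusted name: likely typosquat.
        if edit_distance(h, good) <= max_distance:
            return f"suspicious: resembles {good}"
        # Trusted brand embedded in somebody else's domain.
        if brand in h:
            return f"suspicious: '{brand}' used outside {good}"
    return "unknown"
```

A result of "unknown" only means the hostname is not close to anything on the allowlist; it says nothing about whether the site is legitimate.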

3) Scams

These usually occur via social media whereby impersonators of crypto influencers try to get their followers to send them money or cryptocurrency in return for some form of made up service.

Crypto influencers, who provide regular technical analysis and explanations on various crypto-related subjects, tend to be most prevalent on YouTube, Instagram, and Twitter. The numbers of followers can range from a few thousand to well over a million.

The audiences and followers of these figures frequently interact with them and other followers by commenting on videos, photos, memes and posts. In response to this the scammers will often reply to comments or DM (Direct Message) the follower with a telephone number or some other form of engagement.

Frequently these scammers will offer a service whereby if you send them money or crypto then in return they promise significant returns on the outlay. In reality of course communication then ceases or may be followed by further attempts to extort more money from the victim.

Whilst crypto influencers often assure their followers that they will never ask for money, give out a phone number or DM them, the problem still occurs. The influencers also try to confront the problem by getting Verified by the social media site though this can be time consuming, expensive and sometimes problematic.

Transferring crypto to a wrong address

Another way of potentially losing your crypto is by sending it to the wrong address. This can occur from a number of scenarios including:

  • Incompatible address – this problem occurs when some crypto is sent to a wallet address that is for a different type of token e.g. sending Bitcoin to an Ethereum (ERC-20) address or vice versa. If this is carried out then the crypto can be lost forever and unrecoverable. To avoid this always double check that the destination address is of the correct type or a compatible token.
  • Incorrect address – this can be due to the address being mistyped and once sent it is not always possible to recover it as shall be discussed in part 2 of this article. To avoid this error it is always best to either copy & paste the address or even better scan the associated QR code.

What next?

In part 2 of this article we will look at the follow-up question:

  • What happens if your cryptocurrency is lost or stolen – can it be recovered or is it gone for good?

Have you ever had your crypto stolen or lost it? If so please share with us what happened in the comments below.
