The Great Bitcoin Bank Robbery: Hacking Bitcoin

Sean Everett wasn’t sure how his bullish bet on cryptocurrency would turn out. But he definitely didn’t expect it to be over so soon.

In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies’ value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device.

It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett’s cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase “wallet.” They’d gotten in with the help of his switched-over phone number: Everett’s account required him to log in with a two-factor authentication code sent by text message, as a second safeguard—and now the text had gone straight to the thief.

It took only two minutes for the attacker to clean Everett out of what was then a few thousand dollars’ worth of digital coins. From Everett’s perspective, the even more painful heist was what came next: Ethereum’s price quadrupled over the next three weeks. It had reached its all-time high of $400 just hours before I met Everett in a New York coffee shop on a humid June afternoon. Bitcoin, meanwhile, had broken $3,000 for the first time a day earlier, and Everett was pining for his missing digital coins. “I’m not only still out my money, I also didn’t get the rise in price,” he lamented.

Then again, the biggest surprise for Everett—and, it would turn out, for many other Bitcoin enthusiasts—was that the theft happened on Coinbase at all. San Francisco’s Coinbase, the world’s largest exchange for trading cryptocurrency, is one of very few such companies whose own coffers have never been hacked, a distinction that carries extra weight in the realm of blockchain, where several costly breaches have made global headlines. Almost any early investor you talk to lost money in Mt. Gox, an exchange that collapsed in 2014 after hackers pillaged nearly $500 million in Bitcoin. Last summer, thieves grabbed $72 million from Hong Kong cryptoexchange Bitfinex in one fell swoop.

But hackers have never breached Coinbase’s own virtual fortress, and that impenetrability has earned it a reputation as the safest place to buy Bitcoin, helping it attract more than 9 million customers who store at least $3 billion in cryptocurrency there, and who have traded $25 billion to date on its retail brokerage as well as its institutional exchange, GDAX. The five-year-old Coinbase just raised $100 million in new funding, valuing the company at $1.6 billion—making it the blockchain industry’s first “unicorn.” “If you look at what they are world-class at, it’s security, trust, safety … all these things that, frankly, banks are good at,” Fred Wilson, the venture capitalist and one of Coinbase’s earliest and largest backers, said at a conference in March. “They’re like JPMorgan or Goldman Sachs for blockchain.”

But Coinbase’s individual customers do get burglarized—with surprising and unsettling frequency. Even Wilson himself was in for a rude awakening: While vacationing in Europe in early June, the VC woke up to the same telltale emails that Everett saw, signaling that an intruder was trying to get inside his Coinbase account. Wilson managed to lock it down before anything was stolen, but in a rare public chastising of a company in his own portfolio, he wrote in a blog post: “I am still a bit shaken up from the experience and a fair bit more paranoid from it.”

Since then, Fortune has spoken with more than a dozen victims, including tech CEOs and well-known blockchain proponents, whose Coinbase accounts have been targeted and hacked in almost exactly the same fashion; still more have been attacked on other exchanges. The day after Everett’s robbery, Los Angeles entrepreneur Adam Dachis’s account was wiped out of what was then $10,000. On July 7, thieves emptied $18,000 from the Coinbase wallet of blockchain adviser Mike Costache, during the four hours he slept one night while traveling overseas. Since Christmas, there have been months when Coinbase users have been robbed as often as 30 times—a rate of one robbery every single day.  

In each case, the same blindsiding realization arrives, bringing the inherent paradox of blockchain into focus. The quintessential strength that sets cryptocurrency apart from traditional money—that transactions are instant and irreversible—is also its fatal flaw. “One of [Bitcoin’s] reasons for existence is that it’s censorship-resistant,” says Tom Robinson, cofounder and chief data officer of Elliptic, a London-based blockchain intelligence firm. That means no one, not even a government or central bank, can stop a digital currency transaction from happening. And therefore the fraud protections traditional bank depositors rely on are mostly unavailable. “Any kind of charge-back and reversibility would be the antithesis of what Bitcoin was created to achieve,” says Robinson. 

Cybercrime is rising at traditional financial institutions too: For example, thefts through so-called account takeovers, a crime analogous to the Coinbase hacks, rose 61% last year to $2.3 billion, according to Javelin Strategy & Research. But hacking losses are a blip relative to the trillions of dollars kept in banks. Hackers are stealing a much larger proportion of the cryptocurrency pie, whose total market value is only about $135 billion. In the past 12 months, for example, criminals have absconded with 1% of Ethereum’s total market value, or $225 million, according to cybersecurity firm Chainalysis; the Bitcoin toll is estimated to be even higher.

Brick and mortar bank robbers have “two problems: stealing the money and hiding the evidence,” explains Moran Cerf, a professor of business and neuroscience at Northwestern’s Kellogg School of Management and a former corporate hacker. “Bitcoin solves the second one for you because everyone there is anonymous.” Bitcoin diehards seem resigned to the reality of irreversible transactions—and its drawbacks. “I think of that as a feature and not a bug,” says Chris Burniske, a blockchain investor and author of forthcoming book Cryptoassets—even though his own accounts were looted in December for digital coins that would now be worth over $100,000.

But when victims watch their money up and leave into the digital wallet of a nameless stranger, it becomes more than just a problem for Coinbase: It’s a threat to the promise of Bitcoin itself. As the value of cryptocurrency soars, more investors are grappling not just with how to profit from it, but how to hold on to it at all. “Coinbase looks like a bank, talks like a bank, and takes millions of dollars in cash like a bank, but, in practice, it functions like a dimly lit underground casino,” says Cody Brown, whose account was hacked for $8,000 in the span of just 15 minutes in May. “You don’t realize that the balanced fonts, smooth blue gradients, and endless copy about trust mean absolutely nothing—until you are robbed blind.”

Coinbase, for its part, won’t discuss specific cases except to say that it investigates all account takeovers. But Brian Armstrong, Coinbase’s 34-year-old CEO and founder, says Brown’s and Wilson’s experiences were “helpful” in teaching the company how to improve. Its security measures already match or exceed those at banks—from using machine learning to detect dubious activity, to mandating dual-factor authentication. Yet Armstrong recognizes that Coinbase is also a juicier target: “We need to be held to a higher standard,” he tells Fortune, “because digital currency is so new and interesting and powerful that it is attractive to a lot of people out there to try to steal it.”

That’s one reason that, when criminals want to pull a heist, they’re increasingly choosing cryptocurrency over real dollars. In 2016, $28 million in losses from crimes involving virtual currency were reported to the FBI’s Internet Crime Complaint Center, more than triple the 2015 total. And that figure is based heavily on voluntary reports by individual victims. It doesn’t include large-scale thefts from exchanges like the Bitfinex hack, so it likely underestimates the true damages by many orders of magnitude.

If Bitcoin were a religion, its equivalent of “What would Jesus do?” would be “BYOB: Be your own bank,” an unofficial slogan widely embraced in the industry. The original blockchain was launched in 2009, by the mysterious founder (or founders) going by the name Satoshi Nakamoto, as a utopian form of electronic cash that could change hands, as Nakamoto wrote in a legendary white paper, “without going through a financial institution.”

But that ideal also attracted a subversive element, repelling many potential adopters. That’s where Armstrong saw an opportunity to bring polish to an industry run by “hackers and cryptoanarchists” at the time, he says: “If this was going to go mainstream, it needed something that had a more trusted brand around it.”

An early engineer at Airbnb, Armstrong quit in 2012 to create the “Gmail for digital currency.” His strategy: making it easier and safer to store, and then buy and sell, cryptocurrency. While early Bitcoin wallet companies made people keep track of their own private keys—the secret 64-character passwords that alone provide access to one’s cryptocurrency—Coinbase’s pioneering innovation was its offer to store keys on customers’ behalf. That also came with risk, as customers wouldn’t need to know their actual key, but rather just a password, to get to their Bitcoins—and neither would a hacker. “That’s a big responsibility to take on,” the fresh-faced CEO admits. “But I also think it’s necessary to help the industry scale and make digital currency accessible to the next 100 million or billion people.”

Coinbase has demonstrated a unique ability to bring the new asset class to the masses. Its base of customers, most of whom are in the U.S., has grown 50% just in the past five months, with as many as 50,000 signing up in one day; trade volume in July alone was twice as much as all last year. Coinbase, which makes money by charging transaction fees, is said to be nearing profitability, and Armstrong ranks No. 10 on this year’s Fortune 40 Under 40 list. But he is pretty clear about his company’s limits. “The average person may at a high level think of us as a digital currency bank, but we’re not a bank,” he says. Coinbase doesn’t lend money, as banks do. And critically: Coinbase, which is regulated as a money transmitter like PayPal or Western Union, isn’t covered by the FDIC or bound by all the consumer protection laws that govern banks.

Source: Fortune