Password

3 steps crypto investors can take to avoid hacks by the Lazarus Group

The Lazarus Group has mastered the art of stealing crypto investors’ assets. Here are a few tips on how investors can protect their portfolios.

Cryptocurrency users frequently fall prey to online hacks, with Mark Cuban being just the latest high-profile example of how nearly a million dollars can leave your digital wallet.

It is possible to substantially bolster the security of your funds by heeding three simple guidelines that will be outlined in this article. But before delving into these, it's crucial to understand the type of threat that exists today. 

FBI has clear evidence on the Lazarus Group

The Lazarus Group is a North Korean state-sponsored hacking group known for its sophisticated attacks and linked to various cyberattacks and cybercriminal activities, including the WannaCry ransomware attack.

WannaCry disrupted critical services in numerous organizations, including healthcare institutions and government agencies, by encrypting files on infected computers and demanding a ransom payment in Bitcoin (BTC).

One of its earliest crypto-related hacks was the breach of South Korean crypto exchange Yapizon (later rebranded to Youbit) in April 2017, resulting in the theft of 3,831 Bitcoin, worth over $4.5 million at the time.

The Lazarus Group's activities in the cryptocurrency space have raised concerns about its ability to generate funds for the North Korean regime and evade international sanctions. For instance, in 2022 the group was tied to a number of high-profile cryptocurrency hacks, including the theft of $620 million from Axie Infinity bridge Ronin.

The Federal Bureau of Investigation (FBI) blamed Lazarus Group for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million stolen by the group in 2023.

This month, the FBI attributed a $41 million hack of the crypto gambling site Stake to Lazarus Group. The hack was carried out through a spear-phishing campaign that targeted some of Stake's employees.

Lastly, according to blockchain security firm SlowMist, the $55 million hack of the crypto exchange CoinEx was carried out by the North Korean state-sponsored hackers.

Most hacks involve social engineering and exploit human error

Contrary to what movies usually depict, with hackers either gaining physical access to devices or brute-forcing passwords, most hacks occur through phishing and social engineering. The attacker relies on human curiosity or greed to entice the victim.

Those hackers may pose as customer support representatives or other trusted figures in order to trick victims into giving up their personal information.

For instance, a hacker might impersonate a company's IT support and call an employee, claiming they need to verify their login credentials for a system update. To build trust, the attacker might use public information about the company and the target's role.


Phishing attacks involve sending deceptive emails or messages to trick recipients into taking malicious actions. An attacker might impersonate a reputable organization, such as a bank, and send an email to a user, asking them to click on a link to verify their account. The link takes them to a fraudulent website where their login credentials are stolen.

Baiting attacks offer something enticing to the victim, such as free software or a job opportunity. An attacker poses as a recruiter and creates a convincing job posting on a reputable job search website. To further establish trust, they may even conduct a fake video interview, and later inform the candidate that they have been selected. The hackers proceed by sending a seemingly innocuous file, like a PDF or a Word document, which contains malware.

How crypto investors can avoid hacks and exploits

Luckily, despite the increasing sophistication and capabilities of hackers today, there are three simple steps you can take to keep your funds safe. Namely: 

  • Use hardware wallets for long-term storage of your crypto assets. They are not directly connected to the internet, which makes them highly secure against online threats like phishing attacks or malware. They provide an extra layer of protection by keeping your private keys offline and away from potential hackers.
Common crypto hardware wallets. Source: Enjin
  • Enable two-factor authentication, or 2FA, on all your crypto exchange and wallet accounts. This adds an extra security step by requiring you to provide a one-time code generated by an app like Google Authenticator or Authy. Even if an attacker manages to steal your password, they won't be able to access your accounts without that code.
  • Be extremely cautious when clicking on links in emails and on social media. Scammers often use enticing offers or giveaways to lure victims. Use separate "burner" accounts or wallets for experimenting with new decentralized applications and for airdrops to reduce the risk of losing your funds.


Court prolongs Tornado Cash developer Pertsev’s pre-trial detention

Polygon launches decentralized ID product powered by ZK proofs

The public launch of Polygon ID comes 12 months after it was first launched in a closed environment to a select group of builders.

Polygon, a layer-2 scaling protocol for Ethereum, has launched a zero-knowledge decentralized identity solution to the public nearly a year after announcing its development.

The Polygon ID service uses zero-knowledge proofs (ZK proofs), cryptographic techniques that allow users to verify their identity online without having their sensitive information passed to or potentially stored with a third party.

Polygon Labs publicly released Polygon ID on March 1, almost 12 months after the project was officially launched in a closed-source environment.

The Polygon team says Polygon ID was built to “solve the issue of digital trust.”

“What sets Polygon ID apart from most other decentralized ID frameworks is its implementation of zero-knowledge technology, allowing users to verify their identities or other credentials without necessarily revealing sensitive information,” Polygon said.

The public release introduces four new tools to the Polygon ID toolset — Verifier SDK, Issuer Node, Wallet SDK and Wallet App — that will allow Polygon developers to integrate decentralized identity into their applications.

A simple chart explaining how Polygon ID interacts with user credentials. Source: Polygon

Users will be able to produce zero-knowledge proofs using off-chain credentials — such as their passport, national ID or a bachelor's degree — to interact with smart contracts and verify information on-chain.

“This means that off-chain data can now be used for trustless on-chain verifications in the widely-supported Verified Credential format.”

Polygon claims it’s also the first ZK-based digital ID tool that allows users to hold credentials locally on handheld devices such as smartphones, and that users will no longer need passwords:

“Passwordless logins exchange encrypted verifiable credentials by simply scanning a QR code or connecting to a desktop wallet. Organizations can benefit from improved security, a better user experience, and productivity of their system administrators whose time is not taken up by password resets.”

The co-founder of Polygon ID, David Schwartz, said in a March 1 tweet that the product was built “on the latest decentralized identity standards” which will help protect developers and users against unauthorized access from third parties.

“Providing identity in a way that the average consumer can use is the holy grail of digital ID adoption,” he explained in a separate press statement.


Multiple projects have already committed to integrating Polygon ID upon launch, such as Web3 infrastructure provider Kaleido, ID verification solution Fractal and Web3 community management system Collab.Land. Together they have a user base of over 4 million, according to Polygon.

Other Web3 projects, such as metaverse platform The Sandbox and blockchain builder community Guild.xyz, are in the process of integrating Polygon ID too.

Following the news, the price of Polygon’s native token, MATIC (MATIC), increased 2.5% from $1.22 to $1.25 in a matter of hours before falling back to $1.23.

Other blockchain-based ID products out in the space today include Quadrata and IDNTTY.


How to keep your crypto safe in 2023: a few tips from an analyst

Lead on-chain analyst at Glassnode, James Check, explains why taking self-custody of your private keys has become more important than ever and how to do it in a few simple steps.

There is no excuse for not putting a few hours of research into how to properly custody your crypto, according to lead on-chain analyst James Check. Joining the latest debate around self-custody, the analyst pushed back against the notion that managing private keys is too complicated and risky for the average crypto user. 

“If you have gold in your vault, if you have cash in your wallet, it's the same concept: you need to exercise a level of responsibility,” said Check in our latest Cointelegraph interview.

Check argued that, while third-party custody and semi-custodial solutions such as collaborative custody may appear more user-friendly for the average user, they also have their own, even bigger, vectors of risks.

To the analyst, when it comes to custody "there are no solutions, only trade-offs." His position is that being in full control of your own crypto and eliminating the third-party risk is well worth the effort of learning how to keep your wallet's 12 word seed phrase safe.


Ultimately, Check pointed out that the amount of time and effort someone should put into learning self-custody should be scaled proportionally to the size of their holdings.

“If you're not willing to put more than 5 minutes into it, then don't put more than $5 into it. If you're willing to do 100 hours now, you can start talking about doing your significant sums of savings,” he said. 



Debridge Finance Suspects North Korean Hacking Syndicate Lazarus Group Attacked the Protocol’s Team

According to the co-founder of Debridge Finance, Alex Smirnov, the infamous North Korean hacking syndicate Lazarus Group subjected Debridge to an attempted cyberattack. Smirnov has warned Web3 teams that the campaign is likely widespread.

Lazarus Group Suspected of Attacking Debridge Finance Team Members With a Malicious Group Email

There’s been a great number of attacks […]


Warning: Smartphone text prediction guesses crypto hodler’s seed phrase

Redditor Andre highlighted the ease with which hackers can use the text prediction feature to drain a user’s funds just by being able to type the first word out of the BIP 39 list.

Seed phrases, a random combination of words from the BIP 39 list of 2048 words, act as one of the primary layers of security against unauthorized access to a user’s crypto holdings. But what happens when your ‘smart’ phone’s predictive typing remembers and suggests the words next time you try to access your digital wallet?

Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering his mobile phone’s ability to predict the entire recovery seed phrase as soon as he typed down the first word.

As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlighted the ease with which hackers can use the feature to drain a user’s funds just by being able to type the first word out of the BIP 39 list:

“This makes it easy to attack, get your hands on a phone, start any chat app, and start typing any words off the BIP39 list, and see what the phone suggests.”

Speaking to Cointelegraph, Andre, a.k.a. u/Divinux on Reddit, shared his shock when he first experienced his phone literally guessing the (12-24 word) seed phrase — “First I was stunned - the first couple words could be a coincidence, right?”

As a tech-savvy individual, the German crypto investor was able to reproduce the scenario wherein his mobile phone could accurately predict the seed phrases. After realizing the possible impact of this information if it fell into the wrong hands, he said: “I thought I should tell people about it; I'm sure there are others who also have typed seeds into their phone.”

Andre’s experiments confirmed that Google’s GBoard was the least vulnerable as the software did not predict every word in the correct order. However, Microsoft’s Swiftkey keyboard was able to predict the seed phrase right out of the box. The Samsung keyboard, too, can predict the words if ‘Auto replace’ and ‘Suggest text corrections’ have been manually turned on.

Andre’s initial stint with crypto dates back to 2015, when he momentarily lost interest until he realized he could buy goods and services using Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves purchasing and staking BTC and altcoins such as Terra (LUNA), Algorand (ALGO) and Tezos (XTZ) and “then dollar-cost averaging (DCA) out into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.

A safety measure against possible hacks, according to Andre, is to store significant and long-term holdings in a hardware wallet. To Redditors across the world, OP’s advice includes — not your keys, not your coins, DYOR, don't FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand, and disable your PMs in Settings, concluding:

“Do yourself a solid and prevent that from happening by clearing your predictive type cache.”

Related: STEPN impersonators stealing users' seed phrases, warn security experts

Blockchain security firm PeckShield warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.

As Cointelegraph reported, based on PeckShield’s findings, hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users.

Access to the seed phrase guarantees complete control over the user’s crypto funds via the STEPN dashboard.


Lost Bitcoin may be a ‘donation,’ but is it hindering adoption?

Estimates suggest 20% of Bitcoin’s supply has been lost. Are these funds a donation to everyone else, or a challenge to further adoption?

Cryptocurrency custody solutions have become a big business over the last few years. Independent storage and security systems meant to hold large quantities of crypto on behalf of clients can bring in institutional capital and retail investors waiting on the sidelines simply because they remove a major fear: losing access to funds that become unrecoverable.

Because of the decentralized nature of major blockchains like that of Bitcoin or Ethereum, whenever a user loses access to their wallet and doesn’t have a backup of their private keys, the funds within it cannot be recovered. There’s no central entity to turn to, and no one can control the blockchain to give anyone access back to their funds.

Storing a private key can be challenging, as it needs to be kept away from bad actors, yet close enough for the user to access it when necessary. Dealing with the challenges associated with managing cryptocurrency has seen many simply leave their funds on cryptocurrency exchanges, creating a massive demand for crypto custody services, to the point where America’s fifth-largest bank is offering a solution.

While keeping cryptocurrencies with a third party is often seen as a security risk because that third party can itself get hacked, experts told Cointelegraph that custody services are the best option out there when it comes to lost coins.

Early cryptocurrency adopters have lost cryptocurrency in numerous ways, including exchange hacks. These security breaches have seen Bitcoin academic Andreas Antonopoulos popularize the famous slogan “not your keys, not your coins.”

How much crypto has been lost?

Cryptocurrencies can be lost in a number of ways, although unless someone admits that they have lost access to their funds, it’s impossible to tell from data on the blockchain. More often than not, users lose access to a wallet’s private key, which allows them to access the funds within it.

There have also been cases in which users send cryptocurrency to the wrong address. Once again, because of the decentralized nature of the blockchain, there’s no remedial action to retrieve these tokens. Finally, users can pass away without leaving anyone else access to their funds.

Speaking to Cointelegraph, Kim Grauer, director of research at blockchain forensics firm Chainalysis, noted that an estimated 3.7 million Bitcoin (BTC) (today worth over $140 billion) has been lost. Grauer said the estimate is a “bit old” and is set to be updated with further research later this year.

Crypto assets are often considered lost after remaining dormant for a specific number of years. While this method does point to coins that are effectively not currently in circulation, it is flawed. In 2020, for example, a wallet with 50 BTC first mined in February 2009 moved its funds to two addresses.

Michael Fasanello, director of training and regulatory affairs at the Blockchain Intelligence Group — which helps government agencies, cryptocurrency businesses and financial institutions address fraud — told Cointelegraph it may be difficult to approximate the monetary value of lost coins because “those who suffered losses would not always be interested in sharing such information.”

The figure of 3.7 million represents close to 20% of Bitcoin’s circulating supply, which, to Grauer, likely has an “economic impact that will affect the long-term price” of the cryptocurrency. Grauer added:

“There is also a more psychological impact. It’s possible people will be more hesitant to invest in Bitcoin out of a fear of losing it, at which point it is not recoverable.”

The Chainalysis executive added that this quality isn’t unique to the cryptocurrency ecosystem and “should not be prohibitive to further adoption,” as there are “many ways to custody your cryptocurrency safely either in your own possession or on an exchange.”

Speaking to Cointelegraph, Chris Brooks, founder of cryptocurrency recovery business Crypto Asset Recovery, noted that in his experience, people should be more worried about leaving their seed phrase or private keys in paper wallets that can be mistakenly thrown out, rather than about hackers or scammers. Brooks said:

“You have a far greater chance of moving to a new apartment and losing your crypto password in the process than you do of getting hacked.”

In March 2011, a user on the Bitcointalk forum started a thread, trying to add up the known lost BTC. While the thread derailed with time, it did show just how many users have lost access to cryptocurrency over the years.

These losses, as Chainalysis’ Grauer said, can have a significant economic impact on the cryptocurrency ecosystem.

Should lost crypto be considered a donation?

Bitcoin creator Satoshi Nakamoto has famously said that lost coins “only make everyone else’s coins worth slightly more” and that they should be thought of as a “donation to everyone.” The Blockchain Intelligence Group’s Fasanello said that when it comes to coins with a limited supply, Satoshi may be right, but those with an infinite supply could see the reverse be true.

Fasanello said that just as fiat currency loses value with inflation, so do cryptocurrencies. If a cryptocurrency doesn’t have a finite supply, the value of the lost coins is simply going to erode over time.

Speaking to Cointelegraph, Yuriy Kovalev, CEO of crypto trading platform Zenfuse, said that lost coins represent a hidden cost of security in the cryptocurrency space that benefits everyone else:

“The amount of lost crypto only shows that decentralized networks like Bitcoin are extremely secure, so much so that trivial mistakes can cost millions. Wallet hunters are seldom only able to help in cases of lost passwords, further proving the blockchain is immutable.”

Indeed, most cases in which lost tokens are recovered involve lost passwords used to unlock wallets and not the private keys used to recover them. A recent case saw a computer engineer and hardware hacker crack a Trezor One hardware wallet that was locked because its owner had forgotten its security PIN.

Asaf Naim, founder and CEO of blockchain application developer Kirobo, told Cointelegraph that Satoshi’s words may be true for “minor and occasional instances of losing crypto,” but Naim added that the “law of scarcity only holds if people have confidence in the underlying system. If too much cryptocurrency is lost, people will stop believing in its use and its intrinsic value.”

Lost crypto and mass adoption

Early stories from the cryptocurrency space about lost crypto have made headlines over the years, pointing to how hard it may be to recover lost funds. One such example is that of James Howells, who threw away a hard drive containing 7,500 BTC (almost $285 million today) while cleaning his house in 2013.

Wallet recovery services have gained popularity over the last few years but often charge large percentages of the funds they recover. Grauer said that there are industry solutions meant to reduce the chances of accidental losses, which include “storing your cryptocurrency on a known and trusted exchange, or hot wallet, similar to what you do with a bank.”

The approach contrasts with those who argue that if a user does not control the private keys to their wallet, they do not actually own the coins within it. Speaking to Cointelegraph, Crypto Asset Recovery’s Brooks seemed to agree with Grauer, adding, however, that “crypto can be extremely complicated,” and as such, he believes “new investors are better off with custodial wallets.”

To Brooks, if a user suddenly passes away or suffers a serious accident, it’s easy for loved ones to claim their crypto from a custodial wallet, but it’s hard to do so through the use of a private key. Kirobo’s Naim believes the cryptocurrency recovery industry may be important but is part of a backward approach:

“The main effect of so much crypto being lost is that it stands in the way of mass adoption. If people don’t feel safe using crypto, they just won’t use it. It’s not acceptable that forgetting access credentials is irreversible.”

He added that credit cards wouldn’t be as popular as they are if “there was a high chance of irreversibly losing money every time you used one.” The solution could be related to cryptocurrency platforms and their user experience, which could, for example, implement whitelists the same way online banking platforms do to prevent common errors.

To the executive, it’s “amazing that writing down words on a piece of paper or memorizing them is the best practice for security in 2022,” as it shows “crypto has lacked a safety net for human error.”

The free market has attempted to come up with better solutions over time, which include the creation of titanium sheets where users can write down their seed phrases or private keys. These sheets are harder to throw away by accident and can often survive natural disasters. Some wallets, including Coinbase Wallet, allow users to back up their private keys on Google Drive or iCloud.

While cryptocurrency custody services may offer institutional investors the security they need to enter the market, for users looking for an uncensorable form of money, lost crypto may continue to be a problem for the foreseeable future.


Google Alerts Users About Malicious Actors Using Cloud for Cryptocurrency Mining

Google has warned users about the use of its Google Cloud platform by malicious actors to mine cryptocurrencies. In its latest Cloud Threat Intelligence report titled “Threat Horizons,” which provides users with security insights, the company said that 86% of the compromised instances on Google Cloud platforms were being used to mine cryptocurrencies. Most of […]
