NiceHash buyers and miners, change your passwords immediately if you haven’t already been ransacked: the cryptomining exchange that describes itself as the world’s largest marketplace for mining digital currencies has been vacuumed out.
Late Wednesday night, NiceHash said that it was suspending its operations for at least 24 hours because of a security breach.
Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken. Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days. In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.
According to CoinDesk, a site specializing in cryptocurrency news and information, news of the breach comes on the heels of an hours-long outage and reports from a multitude of users that their NiceHash-associated wallets had been emptied. NiceHash had previously posted an announcement that its service was “under maintenance.”
NiceHash users have been passing around a link to a Bitcoin account that appears to belong to the hacker(s). It shows that as many as 4736 bitcoins had been stolen.
That jibes with what NiceHash head of marketing Andrej P. Škraba told The Guardian: namely, that the hack – “a highly professional attack with sophisticated social engineering” – resulted in approximately 4700 bitcoins being stolen.
As of Thursday morning, that amount was worth about USD $80 million – a value that skyrocketed from what The Hacker News said was $58 million at the time of the theft.
At the time of writing, the NiceHash service was still offline. NiceHash, which formed in 2014, still had a “Service Unavailable” post on its website, along with its official press release about the hack.
Unfortunately, the NiceHash hack is a prime example of how you can lose money beyond just the wildly fluctuating value of cryptocurrencies. As Naked Security’s Taylor Armerding noted recently, cryptocurrency exchanges – the sites where these currencies are bought, sold and stored – are a soft and vulnerable underbelly.
Once you’ve uploaded your private keys to an exchange to make trading easier, they’re at the mercy of that site’s security. The sites can be hacked, via social engineering or other means, and the keys can be stolen. Unfortunately, there’s no Federal Deposit Insurance Corporation (FDIC) to protect your Bitcoin; nor do governments or central banks back them up.
In August 2016, we saw it happen to Bitfinex, which was then the world’s largest Bitcoin exchange.
At that point, the one question on everybody’s lips was this: Are we getting Goxed again?
That had been, up until the Bitfinex hack, the Mother of All Bitcoin Bellyups. Mt. Gox, a Tokyo bitcoin exchange, announced in 2014 that there had been a mysterious vanishing of half a billion dollars’ worth of digital assets.
In the case of Mt. Gox, 850,000 Bitcoins went missing and were thought to be likely stolen. That would be worth about $14.4 billion nowadays. But sometime after Mt. Gox found 200,000 of those Bitcoins, its chief was accused of embezzlement and data manipulation.
His trial started up in a Tokyo court in July. According to the Guardian, those affected by Mt. Gox’s failure are still trying to claw back the funds they lost and looking to the trial to hopefully help explain what happened.
The value of Bitcoin is through the roof, and it’s showing no signs of slowing down. It jumped past 15,000 on Thursday, and experts are predicting that it could get as high as $100,000 one year from now.
With no better value for a hacker, we can expect more stories like this one.