796 Exchange Hack: Difference between revisions
Edit summary: (Another 30 minutes complete. Integrated all sources and some additional key sources. Added technical analysis. All sections summarized with initial draft content.)
Revision as of 12:56, 11 December 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
This is an unusual case, in which the attacker exploited a vulnerability in the exchange to tamper with a customer's withdrawal address. The customer had legitimately requested the withdrawal and did not notice the changed address. "796" appears to have handled this well, and the situation was quickly made right. No other customers appear to have been affected. It is suggested that all large withdrawals be tested before completion.
About 796 Exchange
The 796 exchange platform was based in China.
The Reality
The 796 exchange platform had a vulnerability present in their withdrawal module, which could allow an attacker to modify the withdrawal address after a withdrawal had been started.
What Happened
Due to a vulnerability in the 796 exchange, a bitcoin withdrawal address was modified to a similar address. This sent a withdrawal of 1,000 bitcoin from the platform to an attacker.
| Date | Event | Description |
|---|---|---|
| January 27th, 2015 3:21:00 PM MST | User Requests Withdrawal | At 10:21 PM local time in China, a user on the 796 exchange platform requested a withdrawal[1]. |
| January 27th, 2015 3:26:00 PM MST | Phone Call Confirmation | Staff of the 796 exchange platform confirm the withdrawal through a phone call with the customer[1]. |
| January 27th, 2015 3:38:00 PM MST | Email Confirmation | The withdrawal is also confirmed through an email, which is apparently "due to a different IP location"[1]. |
| January 27th, 2015 3:50:00 PM MST | Withdrawal Processed | The withdrawal for 1,000 bitcoin is released to the blockchain[1]. |
| January 27th, 2015 8:50:00 PM MST | Call From Customer About Not Receiving Withdrawal | The 796 exchange reportedly receives a call from the customer about not having received their requested funds[1]. |
| January 28th, 2015 5:16:00 AM MST | Weibo Announcement Published | The 796 exchange announces the breach on the social media platform Weibo[1]. The statement from 796 exchange addresses the incident of a user's 1000 BTC withdrawal being stolen. On January 27, 2015, at 22:21, a user requested a withdrawal, which was confirmed by the staff through a phone call at 22:26, and later via email at 22:38, due to a different IP location. After confirmation, the customer service manager initiated the withdrawal at 22:50. When a user reported that the withdrawal did not arrive around 3:50 am, the company investigated and discovered a vulnerability in a recently updated submodule that was exploited by hackers. The attackers manipulated the user's withdrawal address and used a similar address to deceive both the user and the manual review process. The issue has been fixed, and additional encryption and monitoring features have been implemented. The exchange, 796, will cover the loss by allocating undistributed profits from major shareholders, who have committed to covering the loss of funds during the transaction. Despite the inherent risks in the cryptocurrency exchange industry, 796 aims to strengthen risk prevention measures and enhance user account fund security monitoring in the future. |
| January 28th, 2015 4:51:42 AM MST | CoinTelegraph Article Published | CoinTelegraph publishes an article reporting on the Chinese Bitcoin exchange 796 losing 1,000 BTC of customer funds due to a botched customer service request. A screenshot of the erroneous transaction was posted on 8btc.com, along with an explanation from microblogging site Weibo, allegedly from 796. The statement mentioned that hackers compromised areas of the exchange in preceding days, leading to a user's address being tampered with. The hackers intentionally used a similar address to confuse users. The exchange claimed to have contained the problem and implemented additional security measures. Despite the attack, 796 asserted that its wallet system was not affected, and major shareholders covered the loss of funds during the transaction, emphasizing transparency in its business operations[2]. TBD - Want to get the original article without the platform response. However, it appears to be at a different URL which needs to be determined. TBD - May be more information in this archived version of the article:[3] |
| January 28th, 2015 | Date Commonly Associated | The widely reported date of the incident, which actually happened the day prior[4][5]. |
| February 27th, 2019 11:31:32 AM MST | Inclusion In Kyle Gibson Timeline | Kyle Gibson includes the incident in his "100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents"[4]. |
| May 7th, 2019 7:49:57 PM MDT | Inclusion In BitcoinExchangeGuide | The incident is included as a "Hack / Theft" in a published list by BitcoinExchangeGuide.com[5]. |
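The failure described in "The Reality" and "What Happened" is that the destination address could change between the staff confirmation and the release to the blockchain, and a look-alike address then slipped past manual review. The following is an added example, not code from 796 or from any source cited on this page; the record layout, the signing key and the addresses are constructed assumptions. It shows one defensive pattern: snapshot the confirmed destination under an HMAC at confirmation time, re-check the withdrawal row against that snapshot immediately before release, and flag look-alike substitutions for review.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key: in production this would live in an HSM/KMS, not in source.
SIGNING_KEY = b"constructed-demo-key"


@dataclass
class Withdrawal:
    """Mutable withdrawal row, the kind of record a buggy submodule could edit."""
    withdrawal_id: str
    user_id: str
    amount_sat: int
    address: str


@dataclass
class Confirmation:
    """Snapshot taken when staff confirm the request (the phone/email step)."""
    withdrawal_id: str
    user_id: str
    amount_sat: int
    address: str
    tag: bytes


def _tag(withdrawal_id: str, user_id: str, amount_sat: int, address: str) -> bytes:
    msg = f"{withdrawal_id}|{user_id}|{amount_sat}|{address}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def confirm(w: Withdrawal) -> Confirmation:
    """Bind the exact destination the customer confirmed; store this in an append-only table."""
    return Confirmation(w.withdrawal_id, w.user_id, w.amount_sat, w.address,
                        _tag(w.withdrawal_id, w.user_id, w.amount_sat, w.address))


def looks_alike(a: str, b: str, edge: int = 4) -> bool:
    """Different addresses sharing the first or last few characters, which is
    usually all a quick manual review compares."""
    return a != b and (a[:edge] == b[:edge] or a[-edge:] == b[-edge:])


def release(w: Withdrawal, c: Confirmation) -> tuple[bool, str]:
    """Gate executed immediately before broadcast: re-check the row against the snapshot."""
    if c.withdrawal_id != w.withdrawal_id:
        return False, "confirmation does not belong to this withdrawal"
    # Recompute the MAC over the snapshot so edits to the snapshot itself are caught too.
    if not hmac.compare_digest(c.tag, _tag(c.withdrawal_id, c.user_id, c.amount_sat, c.address)):
        return False, "confirmation snapshot failed integrity check; hold for review"
    if (w.user_id, w.amount_sat, w.address) != (c.user_id, c.amount_sat, c.address):
        hint = " (look-alike address)" if looks_alike(w.address, c.address) else ""
        return False, f"withdrawal changed after confirmation{hint}; hold for review"
    return True, "ok"


def demo() -> tuple[bool, str]:
    """Walk through the incident pattern with constructed, non-real addresses."""
    row = Withdrawal("wd-0001", "user-42", 1_000 * 100_000_000,
                     "1AbCd000000000000000000000000WxYz")  # constructed address
    snapshot = confirm(row)  # staff confirm by phone and email
    row.address = "1AbCd111111111111111111111111WxYz"  # the row is edited after confirmation
    return release(row, snapshot)  # the gate refuses to release and names the look-alike
```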
Technical Details
A quote from Kyle Gibson[4]:
"According to the explanation, hackers had compromised areas of the exchange in the previous days, which had caused a user “to mention the current address has been tampered with, coupled with hackers deliberately [using] a similar address with the original withdrawals address to confuse users…”"
The company also published a detailed report on the incident to Weibo[1].
Total Amount Lost
The amount lost was 1,000 bitcoin[1]. This was estimated to be worth $230,000 USD by both Kyle Gibson[4] and BitcoinExchangeGuide[5].
Immediate Reactions
The 796 platform published a summary of the incident on the Weibo platform[1]. The original post was in Chinese and titled "Notes on the theft last night". A translation follows:
At 22:21 last night, a user applied for a 1000 BTC withdrawal on the 796 exchange. Our staff called at 22:26 to confirm that it was the user's own operation, and because the registered IP was in a different area, an email confirmation was also sent at 22:38. After confirmation, the customer service manager issued the withdrawal at 22:50. After receiving the user's phone call at about 3:50 in the morning saying that the funds had not been received, I immediately called the relevant person in charge at the company to study the problem. After detailed analysis of various logs and audit records, we found that a sub-module had been updated by the system a few days ago. Hackers attacked the loophole this introduced, causing the user's withdrawal address to be tampered with; in addition, the hacker deliberately used an address similar to the original withdrawal address to confuse the user and our manual review. At present, this problem has been repaired, and encryption and monitoring functions have been added. Although cryptocurrency exchanges are often exposed to such risks, the 796 exchange has, after nearly two years of operation, synchronized and strengthened its risk prevention, and will continue to strengthen the monitoring of user account funds security in the later period. The stolen funds resulted from problems with the 796 exchange's system that hackers exploited. The 796 exchange will draw on the company's major shareholders' unallocated profits to cover this loss, which has already been reissued. In such a high-risk industry, problems are inevitable, which is why the 796 major shareholders have not received dividends. Before obtaining venture capital, we will do our best to ensure the safety of customer assets first. The road ahead is long. 796 will continue to maintain the principle of openness and fairness, and serve with integrity. Thank you for your support. Thank you for coming all the way!
Ultimate Outcome
The incident was included in multiple references including the BitcoinExchangeGuide[5] and a list of incidents published by Kyle Gibson[4].
Total Amount Recovered
The platform fully reimbursed the affected user[1][2].
Ongoing Developments
It is unclear whether there is any investigation to trace the 1,000 bitcoin that were withdrawn.
General Prevention Policies
Coming soon.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] 关于昨晚出现被盗一事的说明 - Weibo, https://weibo.com/p/1001603803961751650197 (Dec 11, 2023)
- [2] Chinese Exchange Gets 'Goxed' for 1,000 bitcoins (UPDATE: Company Responds) - CoinTelegraph, https://cointelegraph.com/news/chinese-exchange-suffers-1000-btc-loss-in-uncertain-service-compromise (Dec 11, 2023)
- [3] Chinese Exchange Gets 'Goxed' for 1,000 bitcoins (UPDATE: Company Responds) - CoinTelegraph, archived September 4th, 2017 6:13:32 PM MDT, https://web.archive.org/web/20170905001332/https://cointelegraph.com/news/chinese-exchange-suffers-1000-btc-loss-in-uncertain-service-compromise (Dec 11, 2023)
- [4] Kyle Gibson, 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Medium, https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 (Jan 25, 2020)
- [5] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com, archived April 13th, 2020 7:45:28 AM MDT, https://web.archive.org/web/20200413134528/https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ (Mar 5, 2020)