back to article Stop us if you've heard this one before: Crypto exchange cracked, Bitcoin burgled

A cryptocurrency exchange called KuCoin says it has been cracked, with over $100m of assets misappropriated. The Register last covered KuCoin when it was mentioned by the Bitcoin-burgling cybercrooks who hacked a bunch of prominent Twitter users. The Seychelles-based outfit, founded in 2017, proudly boasts of its venture …

  1. redpawn

    Backed by the full faith and credit

    of crypto exchange insurance. No one has ever lost a single... Oh never mind

  2. Chris G

    Cash is king

    When you think about it, banks are robbed on an almost daily basis, compared to the days when a bank robber had to get dressed, nick one of his wife's stockings then go outside the house and either blow a safe or bang on the windscreen of a rolling piggy bank to get his hard won loot.

    Now all they need is an internet connection and a pc.

    I am no fan of the notion of digital currency, for a number of reasons.

    Aside from security, privacy is likely to go right down the drain, unless there will be guaranteed methods to provide anonymity, I'll be trading veg, almonds and figs for my shopping as I grow them anyway.

    Having worked in banks, including actually inside some vaults, breaking into one if you have the tools is not difficult but doing it rapidly and getting away with it is not trivial, whereas cracking a digital system requires no personal presence and can be carried out at leisure.

    1. Andy The Hat Silver badge

      Re: Cash is king

      The difference here is if Lloyds had a £130m heist there would be public screaming going on, coppers and the FSC running everywhere and the potential of some prison sentences for the purpotrators, those who were responsible for letting them in and (usually) the management who will take a hit (or promotion!) When it happens to a BC repository/exchange/moneypit there are a few very people rich people wimpering in the corner whilst having their bods looking for some recently rich people's testicles to nail to a wall. At best an IT geek may design some kind of sticking-plaster patch to not let the naughty boys and girls do it again and otherwise things will continue as normal ... until next time.

      1. MatthewSt

        Re: Cash is king

        That's the main selling point though isn't it? Free from regulation, free from oversight, free from any sort of control.

        1. Chris G

          Re: Cash is king

          Free from regulations and free from oversight?

          Seriously, how long fo you think that will last as digital currency supercedes cash.

          Most of the central banks and many mainstream commercial banks are looking at their own bit coins.

          My previous post was in reference to governments and world banks all considering going digital, something many of them see as the future for two main reasons, cash costs money to make and maintain and it gives almost total control with all digital payment.

          1. Blank Reg

            Re: Cash is king

            "digital currency supercedes cash"

            That's not going to happen until governments start issuing their own. Even then it will take a while.

            What good is a currency that can take 10's of minutes per transaction and that is accepted at only a tiny number of retailers? Even pro-crypto web sites only list a hand full of places to spend your bitcoin, So few that they can all fit on one infographic. And typically I've not even heard of the majority of the retailers listed.

            1. Sorry that handle is already taken. Silver badge

              Re: Cash is king

              The dollar(s), the pound, the Euro are already primarily digital. For example, of the US dollars in circulation, less than 10% are in notes and coins.

              In 2019, Australians used cash for only 20% of overall transaction value and in 2020, well I haven't used cash for a transaction in several months.

      2. I ain't Spartacus Gold badge

        Re: Cash is king

        Andy the Hat,

        It can still be done. I don't think the people who stole that money from the Bangladeshi central bank last year have been caught, or even identified. But there are massive differences.

        If Lloyds lost $130m they'd simply make smaller profits in most years. They also have a capital reserve, of assets owned by the bank itself, which could be deployed to cover the losses. They're also regulated - so there would be independent investigation of the screw-up.

        And they operate in a financial system that has controls designed to help facilitate tracing money that's gone astray. Even if there are also people within that system designing systems to make things opaque again, for the purposes of avoiding scrutiny/tax/whatever.

        Whereas many fans of Bitcoin seem to see regulation as a bad thing.

        Actually this does have one unique feature. We're all used to the initial statement from the hacked exchange to tell us it's all under control, only the hot wallets were stolen ($130m is a stupidly high amount for a hot wallet - I bet that's hundreds of times more than their total daily transactions) - and they've got the reserves to cover it. Only for them to shut down all services for a week to "investigate" (Lloyds would probably be up-and-running the same day) - and then shamefacedly admit in a month or so that all/more of their money is lost and they promise to pay everyone back. And then cease to exist a month after that...

        But the unusual thing is that they claim they had cooperation from other exchanges to try to trace transactions and freeze them. If true, that's an interesting change. And suggests that maybe regulation will come to crypto currency. The problem is that while the self-interest of the criminal users outweighs that of the legitimate users - crytocoin will always be a jungle. If the legit users outweigh the crims, then eventually they'll get tired of having their stuff stolen, and will do something about it. Assuming they don't all vote with their feet first.

    2. Pascal Monett Silver badge

      Re: banks are robbed on an almost daily basis

      Citation please ?

      When is the last time somebody digitally broke into a client account and siphoned off the money ?

      That doesn't happen, pure and simple.

      Oh, ATM's can get pilfered, for sure. And there's that one transfer that got cracked, indeed. But that was not access to client accounts, that was the hijacking of money in movement between banks and it happened because it was an inside job and the security was lacking.

      I have never read that a true bank's customer's account got hacked, and I doubt very much that I ever will.

      1. Chris G

        Re: banks are robbed on an almost daily basis

        You misunderstand, banks are robbed digitally on a daily basis just based on reading reports here. Keyboard criminals attempting to steal money from banks digitally are far more prevalent than criminals attempting to stick up banks and armoured cars or break in to blow safes in previous times. I said zero about anyone hacking personal accounts.

        1. I ain't Spartacus Gold badge

          Re: banks are robbed on an almost daily basis

          Chris G,

          It's true. But not really the banks being robbed, it's the users. And tends to be in small amounts - because they can only take what the users have in their accounts. Or at least it's a mix of the users being tricked into giving away their credentials and/or security failures on the part of the banks.

          Although saying that, someone above asked for an example of an actually significant sized digital bank raid - well they do happen.

          About a billion dollars from the Bangladeshi Central Bank's US account. I'd thought it was last year, but a quick search tells me it was 2016. Doesn't time fly once you've got old...

          Lazy link to Wiki

      2. c1ue

        Re: banks are robbed on an almost daily basis

        Totally wrong.

        Regular bank account customers are hacked all the time.

        The difference is that retail customers in the US (and in many other countries) are protected by laws from absorbing most of the losses, much as retail customers in the US are protected against credit card number theft.

        The lack of cryptocurrency exchange regulation - said exchanges being a combination of bank and security exchange/stock exchange - throws out this vitally important protection for the consumer along with all the "red tape" and what not.

  3. Scott Broukell

    Don't most, if not all, traditional retail banking operations block substantial transfers these days and request confirmation from the account holder before proceeding? Whilst perhaps not entirely fool proof, at least it applies a pause where some due consideration and oversight can be applied. One would imagine that a similar system might be in use where craptocurrencies are involved! - just a thought.

    1. Anonymous Coward
      Anonymous Coward

      But who's going to ask for that authorisation?

      The whole point of blockchain technologies is that only *you* as the resource owner (doesn't have to be currency it can be anything with value - real or imaginary) have the key required to authorise those transfers. If your key is stolen (through lax security or insecure systems, such as in this case) then the only two parties involved are you and the hacker. There is nobody else to act as an intermediary (and take their cut).

      A suitable analogy would be: If you had a suitcase full of cash in your garden shed and that's stolen, why didn't your shed ask for authorisation before allowing the suitcase to be removed?

      1. Scott Broukell

        @Def - Thank you for that, I'm not really up to speed on digital currency / wallets etc. Think I'll Dodge it all for now - see comment below. (Bring back Postal Orders I say!)

    2. Andy The Hat Silver badge

      I think the bitcoin account formation process is different ...

      Yes, like there would be someone at the end of a phone when thousands of millions of dollars of hot money are involved every day ... The exchange *may* be as dodgy as the money ...

  4. Pascal Monett Silver badge

    "new payment players [..] not allowed anywhere near its innermost workings"

    That is a wise decision. Crypto exchanges are not banks and are not run by banking professionals. Anyone can set one up and, by the rich history of exchanges having been hacked, anybody does.

    Even if I did want to give funny money a try, I would be at a loss to choose someone who is worth trusting because there aren't any. It would be like walking into a den of thieves and handing my money over to the guy who did not have an eye patch yet.

    1. Anonymous Coward
      Anonymous Coward

      Re: "new payment players [..] not allowed anywhere near its innermost workings"

      But if you did want to start using a digital currency you wouldn't need to trust anyone but yourself. As with "real" money, exchanges are only needed for exchanging currencies. If you created a Bitcoin wallet for yourself, you and only you would be responsible for the security of that wallet (by keeping the software you use to manage it secure and the passkey associated with the wallet and software backed up in a secure location - which could be anything from storing it on another computer to having it engraved on a granite block and buried in your garden).

      1. I ain't Spartacus Gold badge

        Re: "new payment players [..] not allowed anywhere near its innermost workings"


        And how would you know which wallet software to trust?

        But even assuming that the world of crypto wallets isn't as riddled with insecurities and fraud as the world of crypto currency exchanges - how would you get any Crapto-Coins to put in your wallet? You either need to earn some money in them - or you need to go to an exchange to buy them with your credit card/bank account/cash.

        At which point you're at risk of being defrauded by the exchange.

        The alternative being you earn some crapto-coins - then how do you turn them into actual cash with which you can pay your rent/mortage or buy beer. You need an exchange...

        1. MatthewSt

          Re: "new payment players [..] not allowed anywhere near its innermost workings"

          I'm not pro-bitcoin, but you're missing the primary use case here

          You get paid by other people in Bitcoin for services / products you provide

          You pay others in Bitcoin for services / products you require

          There could even be a physical shop somewhere that would take cash from you in person and send you the equivalent amount of Bitcoin (so they could do it right in front of you).

          No exchange use needed.

          As a side note, the problem with these hacking episodes isn't the transfer of money in/out of the bitcoin world, it's that people are "storing" their Bitcoin in these exchanges like bank accounts.

          1. Anonymous Coward
            Anonymous Coward

            Re: "new payment players [..] not allowed anywhere near its innermost workings"

            There are Bitcoin ATMs available that perform the transaction almost immediately too.

        2. Anonymous Coward
          Anonymous Coward

          Re: "new payment players [..] not allowed anywhere near its innermost workings"

          How do you trust any software? Or if given the choice, how do you choose which particular software application and/or vendor to trust? If you take this argument to its logical conclusion you would never step near a computer or smartphone ever again. And yet here you are... wasting my time.

          A wallet could be riddled with insecurities, sure. As could any other piece of software. Most (if not all) wallets are open source. And they're not running 24/7, in the same way you're not logged on to your bank account 24/7. You open your wallet to check your balance or make a payment. That's all.

          1. MatthewSt

            Re: "new payment players [..] not allowed anywhere near its innermost workings"

            Being pedantic here, but you don't need to open your wallet to "read" transactions (eg checking your balance), or receive money. So you only need to open your wallet to send money to someone else.

    2. Lee D Silver badge

      Re: "new payment players [..] not allowed anywhere near its innermost workings"

      Anyone can run a Bitcoin client.

      You need a few hundred Gb of storage space, a decent Internet connection and a computer. That's all.

      Having a third-party do that on your behalf is the problem, but some people would rather do that. No different to giving your money to a financial adviser or anything else. Check they're certified, but it's still not guarantee that they won't get hacked or run off with your money. You would at least hope they have insurance, sure, but that's as far as it goes.

      But if you don't trust them, Bitcoin is incredibly simple to store on your own. The problem is getting money in-and-out. It's a transaction, so you have to trust that the person holding lots of Bitcoin that you want to buy will do so without running off with your money. And vice-versa the other end. That's a problem for any transaction.

      There are escrow services for this too, however, no different to buying a house or a car using such a service rather than giving Dodgy Dave a grand in a dark alleyway and hoping he just hands over the keys.

      The problem is that due to money laundering laws, you can't trade Bitcoin on most bank accounts. They block Bitcoin providers and exchanges from accepting money from your account. Sure, there are ways round it but when you're bypassing money laundering laws to trade Bitcoin with an unknown that was flagged by your bank... then you do have to question how safe your investment actually is.

      The problem is not what service you use, it's what you're trying to do. You're trying to buy an intangible asset from a random third party whose identity you do not know, with real cash, so that you can later spend that asset via untraceable services and later cash it back out from random un-named third parties back to cash in a real bank. If that doesn't make alarm bells go off at your bank, your bank are literally not compliant with the law.

      Sure, it sucks if you just want to use it for casual shopping, but you do have to look at it from the point of view that transactions like that are big warning signs of fraud, laundering, Ponzi schemes, illegal gambling, criminal enterprise, etc.

      I had a Bitcoin once. A whole Bitcoin. I cashed it out in small pieces here and there. The last £35 of it I tried to extract the other day and it took me an entire day to find an exchange willing to do it that my bank would accept. Basically they sent me an Amazon gift card. Can you say "dodgy as all hell?" I did get the card, spent it successfully and never had any comeback, but that's not a safe place to put your life savings, by any measure.

      I'm a mathematician and computer scientist. I love Bitcoin's concept, operation, algorithm, etc. - it's literal genius. But put my life-savings in it? No. Do I wish I'd kept a ton of Bitcoin from when they were basically given away, now that they're worth thousands each? Of course. Would I have put thousands of my own money into them, even back then? No. Not without 100% foresight. And if I had that, there are easier ways to make a ton of money from a pittance.

      Hell, I only have a couple of hundred in the stock market, I see it as too much a game rather than a sound retirement strategy even for that. I can afford to lose that, and I'm getting 0.5% on my savings account with a ton of withdrawal restrictions anyway so if I make even 0.5% I'm better off. And that's, what? A tenner a year? If that.

      Sorry, but Bitcoin is never going to be legitimised. Maybe another cryptocurrency with identity-tracing run by the banks, crypto-currency serves far more useful purposes than just anonymity alone. And I'm not at all concerned about anonymity, the same as most of the people who just want to put their money somewhere safe.

      But anonymity is the killer of both legitimate currency conversion, and the security of your money with a random third-party using that service. The fact this company are registered in the Seychelles tells you everything you need to know. When they up and disappear will all your money tomorrow, what are you going to do? Nothing, that's what.

    3. bombastic bob Silver badge

      Re: "new payment players [..] not allowed anywhere near its innermost workings"

      Crypto exchanges are not banks and are not run by banking professionals. Anyone can set one up and, by the rich history of exchanges having been hacked, anybody does.

      The new "dot bomb" revolution, I guess. reminiscent of the early noughties... and all of the hype over "dot com dot com dot com" etc.. And now look, crypto currency hacking ripoffs.

      I wonder if deliberately creating a crypto-currency startup so that you could ROB it, later, has already been done (or at least considered). Good enough reason to NOT "go there". Hard to say whether it's worse to do THAT than to blatantly lie about a company's value (to prop up stock prices) until the bottom drops out [right after the startup's original investors sell off all of their stock].

  5. noboard


    "The company also promised that any losses would be covered by insurance"

    which should read

    "We need some time to clear up and get out, please believe there's a chance you'll get your money back for a few more days/weeks"

  6. Anonymous Coward
    Anonymous Coward

    Yeah well. Talk about online banking.

    Barclays internet banking is failing today.

    Two different accounts and two different browsers.

    Login screwed.

    AC for obvious reasons.

    1. IGotOut Silver badge

      Re: Yeah well. Talk about online banking.

      Have Barclays lost $100million of customers money? Are those customers going to get it back?

      Are you posting as A/C because your handle is your login name at Barclays?

  7. fidodogbreath

    Maybe I'm just old...

    but I don't invest in anything where I can't identify why it has value in the first place. If the "value" is solely due to artificial scarcity and FOMO, the odds are good that it will be just another bubble.

  8. DS999 Silver badge

    "Losses covered by insurance"

    Who the heck would insure a bitcoin exchange?

    Maybe that's the scam - set yourself up as an insurer of bitcoin exchanges, and require an in-depth evaluation of a potential customer's security. Then use that information to go rob them. Do that with a few small clients, and pay it off using their own money you stole from them to build some cred in the industry as a reliable insurer of bitcoin exchanges. When you sign up a big client you can rob $100 million from you just disappear to a private island.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like