
Major cryptocurrency exchange hacked – customers’ Bitcoin and Ethereum accounts plundered

One of the world’s largest cryptocurrency exchanges has fallen victim to hackers, who were able to use information they stole to plunder users’ accounts.

According to local media reports, Bithumb informed the Korea Internet & Security Agency (KISA) late last week that the personal information on approximately 32,000 customers was compromised – although passwords were not taken.

As Brave New Coin describes, the hacker broke into the home PC of an employee of South Korea’s largest bitcoin exchange rather than into the exchange’s internal network.

Questions obviously should be asked as to how such sensitive information was being stored on a worker’s home computer.

Having hacked into the computer, the criminal was able to grab personal information of thousands of users, including customers’ names, mobile phone numbers, and email addresses. Some victims are then thought to have been targeted by scammers who phoned them up, posing as employees of Bithumb:

One victim claims that the attacker posed as an executive at Bithumb and phoned to say that he was “suspicious of a foreign hacking transaction,” and instructed his victim to give him an “identification number written on the letter from Bithumb.” The number in question was the victim’s One-Time Password (OTP), which granted the attacker immediate access to ten million won, worth about US $8,700.

Of course, we’ve all seen plenty of scams like this in the past – where fraudsters ring you at home claiming to work for a bank or organisation with which you have a relationship. Typically fraudsters will lull you into a false sense of security by quoting your account number, confirming your physical address, or offering other information which you might imagine only the company would know (and which, hopefully, it would have kept under close guard) in order to extract further details from you.

That’s why it’s so important to put the onus on organisations who phone you up at home to prove their identity, before you share any additional information with them. One good technique can be to ring the company’s support team back (although be careful not to trust the phone number that the person on the other end of the call is offering you!) or to log into your account to see if you have any messages waiting.

A security and privacy-conscious company will certainly respect you for being cautious about who you share your sensitive account details with. And it should go without saying that you should never share your password with anyone else, in particular not someone who has rung you up out-of-the-blue claiming to be from the company.

Bithumb has apologised for the security breach, and the site is offering a lump sum payment of 100,000 South Korean Won (equivalent to about US $87) to any customer confirmed to have had their personal information leaked on July 5th.

It is reported that some of the compromised Bithumb users are planning to file a class action lawsuit in response to the hack.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment


  • Gullible fools are the only people who will fall for this. In our future security-conscious workplaces, gullible people will not be able to find jobs! If someone rings me to tell me something technical needs me to provide them with information, I am rude to them, and then hang up. It's the kind of thing you should put on your CV so employers look at your resilience to being conned as a positive. :-)