- Platform was not breached; Incident has been isolated, all user accounts are safe
- Attacker gained access through users’ credentials and exploiting a gap which has since been plugged
- CoinDCX to award user with bug bounty for highlighting security gap and will bear all loss on behalf of the user
The CoinDCX support team received a ticket from a user on the 13th of May stating that the user had lost access to his CoinDCX account. After due process, CoinDCX restored access to his account and it was then that the user reported that funds from his account were missing. Following a primary security check, CoinDCX reported no breach of security on CoinDCX’s infrastructure—that the entire exchange was safe and this was but an isolated incident. As this was an attack that happened on the user access level, CoinDCX ensured all threats were immediately taken care of. This was important to avert any similar events. After the security team gave clearance, a detailed investigation was begun. Our internal investigation revealed that the user’s account was accessed using the user’s log-in credentials. Further discussions with the user revealed that he faced a similar challenge with his E-Mail Client. The team examined multiple facets of the case, from identifying the source of the attack to tracing and tracking the funds, even after it was transferred off of the CoinDCX exchange.
In addition to the internal security team, CoinDCX also engaged an external forensic agency to trace and track the funds. From the IP Address of the attacker, CoinDCX had a belief that the attacker was from India and was therefore of the opinion that tracing the funds would help CoinDCX coordinate with other Indian entities to catch the perpetrator. While CoinDCX was coordinating with the user throughout this phase of the assessment, due to the nature of the investigation, the CoinDCX team was unable to reveal all data and sensitive information to the user. Additionally, sensitive information of the user and the case was being circulated on social media. This leakage of information had to be curtailed as this was negatively impacting the investigation process. The focus at CoinDCX was always to nab the attacker and ensure a similar situation will not happen again for any CoinDCX users.
In an effort to improve our chances of a positive outcome, CoinDCX remained silent publicly while maintaining an open line of communication with the user with any necessary assurances and updates. There was no intention to silence anyone, nor to discourage anyone from reaching out to authorities. While CoinDCX did release a small statement to the community, in hindsight, there was a serious trust deficit within the Indian crypto community. As such, CoinDCX released an official statement and reached out to community leaders and the wider crypto community. With the user’s support, CoinDCX was able to conduct a fair investigation. CoinDCX is also actively cooperating with the relevant government authorities to take the investigation forward.
Today’s report highlights the facts of the case in a transparent and open manner so that this helps improve overall security of the community.
Overview of Security
Vulnerabilities, Threats, Attacks and Controls
A vulnerability is a weakness in the security system—for example, in procedures, design or implementation that might be exploited to cause loss or harm. A threat to a security system is a set of circumstances that has the potential to cause loss or harm. The difference between a threat and a vulnerability is one of potential and actual weakness. A security system is always being prepared to wade of all such threats. An attack happens when a vulnerability is exploited by someone. To prevent this, we enable controls to ensure that such vulnerabilities are taken care of. Hence, first rule of security is
A threat is blocked by the control of a vulnerability.
The types of threats that may occur, but not limited to these, are as below
- Interception: an unauthorized party has gained access to the asset
- Interruption: an asset of the system is lost, unavailable, or unusable
- Modification: an unauthorized party not only accesses, but tampers, with an asset
- Fabrication: an unauthorized party may create a fabrication of counterfeit objects of the security system and try to enter
Method, Opportunity and Motive
An attacker must possess three things to perpetrate an attack,
- Method: the skills, knowledge, tools and other things with which to be able to pull off the attack
- Opportunity: the time and access to accomplish the attack
- Motive: a reason to want to perform this attack against this system
Deny any of these three things and the attack will not occur. However, this is easier said than done. In order to do so, a system must be strengthened against an array of potential attacks. Secure exchanges, such as CoinDCX, use both protective measures to challenge a would-be-attackers skills, or method, and remove their opportunity, as well as preventive measures to mitigate motive For example, multiple layers of security and checks work as a strong deterrent for attackers. Motive can be reduced by distributing funds across various storages (such as cold wallets) to reduce the potential “gains” of a successful security breach.
When we talk about security, we mean that we are addressing three important aspects — confidentiality, integrity and availability.
- Confidentiality: ensures that the assets are accessed only by authorized users
- Integrity: means that the assets can be modified by authorized users or in authorized ways
- Availability: means that assets are accessible to authorized users at appropriate times
Security addresses these three goals. One of the challenges in building a secure system is finding the right balance amongst the goals, which often conflict. For example, it is easy to preserve a particular asset’s confidentiality by preventing all access. However this does not fulfill the goal of availability. Security systems basically try to find the right balance to ensure the three goals are met
A Note: The discussion around security here is a very basic overview, with the intention of providing our users and members of the cryptocurrency community with the necessary knowledge to understand and prepare against online attacks. This section doesn’t aim to be a comprehensive guide on security systems but is instead a starting point.
- An attacker entered the user’s CoinDCX account on the night of 13th May using the user’s credentials. The user’s email account was also accessed.
- Attacker uses an India based IP Address to enter the account and then uses a Riga Latvia based VPN to withdraw funds
- User realizes something is wrong with the account when he notices he has lost access to his account and has received some withdrawal OTPs that he did not initiate
- User then raises a ticket and notifies the support team about losing access and having received multiple OTPs
- CoinDCX then secures the users’ account and asks the user to redo KYC to help us re-establish the identity of the user and to shift the user from a 2FA to a Mobile Based OTP system
- CoinDCX also verified and validated that the attack did not happen on the CoinDCX platform nor was there any security breach at an infrastructural level
- CoinDCX also ensured all users’ funds are safe and an active monitoring system was initiated against any future attacks
- Vulnerabilities of the existing system that was exploited by the user were identified next and fixes were immediately put into place
- In accordance with standard practice in the case of an account breach and loss of funds, all stakeholders associated with the case were put under review, including the user.
- All log files around the attack were downloaded from the system and the security team went through gigabytes of data to identify what had happened during the attack and isolate the attacker and his IP
- The wallet address to which the funds were transferred was also identified and a forensic analysis was initiated
- CoinDCX employed a third party international forensic agency to help with the analysis and to trace and track the funds flow
- Once the transaction tree was made available to CoinDCX, further tracing with third parties exchanges was initiated
- The Investigation has now moved to the Cyber Cell in India while discussions with other exchanges to retrieve the funds are ongoing
A Note : The investigation is an ongoing process. Detailed documents, activity logs and all necessary reports have been shared with the necessary authorities. This is a summary of the actual investigation report, created for the purpose of consumption by the general public. This doesn’t intend to replace or supersede the detailed investigation that is currently underway.
The case has highlighted a few learnings that can help improve security of the entire crypto community. CoinDCX has been using industry best practices and policies in place across not just the crypto domain but also the larger financial space. However, there is always room to improve—both at CoinDCX and others. Following this incident, CoinDCX has made several improvements and amendments to our standard operating procedures, including:
- Login OTPs were being sent to emails as standard practice. This was as per the three “security goals” as detailed above. Availability was ensured when someone requested an OTP resend. This practice proved to be a vulnerability in this case. – Resolved
- When a user changes the security system from mobile based OTP to 2FA, it is generally considered a strengthening of the security process. When the reverse happens it is considered weakening. Hence, when a user strengthens their security by moving from OTP to 2FA, we did not have a KYC-based verification in place. On the flip side, when users weakened their security by moving from 2FA to OTP, we had a KYC-based verification process in place. Again, this is part of the security goals and was kept as a practice that was not breached for 2 years. This practice proved to be a vulnerability in this case. – Resolved
- Some of the current practices that were made available to ensure safety of funds despite the user losing credentials proved to fall short overall. This needs a structural improvement – Resolved
- Over the course of our investigation and resolution of this incident, CoinDCX was in constant communication with the user and the necessary authorities. However, following feedback from both the user in question and our community, we understand that our communications processes in instances of such attacks may be further optimized to increase transparency and prevent any potential trust deficit between the parties involved. We will continue to review and improve our communications procedures in line with these learnings and all feedback received in similar situations. – Resolved
Additionally, learnings for the crypto community:
- Secure your passwords, don’t let them fall into the wrong hands
- In general, avoid clicking on random links or downloading unverified softwares or apps to your devices
- Additionally, enable 2FA using an authenticator app on CoinDCX to avoid OTPs on mobile
- Don’t reveal sensitive information in public as this may give attackers a motive or an opportunity
Security is an ongoing process and security systems daily struggle to be one step ahead of would-be-attackers. As malicious actors develop new and innovative ways of accessing platforms and accounts without permission, security systems must constantly be updated as new information and instances come to light. With a first of its kind isolated incident on CoinDCX in more than 2 years of operation, this event has let us recognise some new gaps in our security framework. That said, we shall not be complacent, and let our guard down against prospective attacks. At CoinDCX, we place a premium on the security of our users and have partnered with third parties such as Onfido and BitGo to ensure we offer industry-leading onboarding and insurance measures. We believe that safe and secure use of crypto should be the goal for all. We have been working hard for this and will continue to do so.
Due to this incident, we have learnt a lot about security improvements as well as certain policy changes. We have upgraded our security already, and more upgrades are in the pipeline. As the user assisted us in this process, we would like to announce a special bounty prize for the user as well as bearing all losses due to the incident directly in CoinDCX’s books.
Moving forward, let us all keep an eye out for these attackers and continue to show them that we collectively envision a strong, secure crypto community in India. In order to achieve this vision, we will continue to fight back against illegal actors so that such attacks cannot take place and traders may feel safe and secure in the cryptocurrency market.