Home / Education / How to avoid a hack: Cryptopia ‘success’ case

How to avoid a hack: Cryptopia ‘success’ case

What Happened to New Zealand-based Cryptocurrency Exchange Cryptopia?


“The Exchange Suffered A Security Breach” is a statement that makes the heart beat faster. There has never been a day when this phrase brought some positive connotation because it always means hacks, data leakage, and considerable loss of money. On January 15, 2018 such a phrase was published on Cryptopia, a New Zealand crypto exchange. The NZ Police and High Tech Crimes Unit are now engaged in the investigation. In turn, we do claim that if the crypto industry had cybersecurity standards and requirements this hack could have been avoided.

About Cryptopia

Cryptopia was mainly famous for its record-breaking number of listed altcoins. One of the altcoins served Cryptopia a dirty trick in November 2018 when a 51% attack on AurumCoin happened and more than $500,000 were stolen.

Today Cryptopia is on maintenance mode. Let’s get closer to the hack timeline.

Hack Details

At 1:30 PM, January 13, 2019 someone sent $2,437,018.55 from Cryptopia wallet. Naturally, the transaction remained unnoticed. Next, the hackers began to withdraw funds from more than 76,000 other wallets until January 17. In total, $3.6 million in Ethereum was stolen, $2.4 million in Dentacoin, almost $2 million in Oyster Pearl, and smaller amounts in other tokens.

Remarkably, Oyster Pearl was already involved in another scandal in October when it appeared that the project had gone through 3 automated smart contract audits which hadn’t identified the critical issue: one of the smart contract lines allowed contract private key owner to open crowd sale at any point.

It is noted that about $880,000 are withdrawn to various crypto exchanges including Binance, Huobi, and HitBTC. Another $15 million is still located at two addresses, allegedly controlled by hackers.

January 17, 2019 CEO Binance Changphen Zhao announced that they had managed to block the funds transferred by the attacker to their platform.

January 29, an unknown attacker output another 1,675 coins of Ethereum (more than $175 thousand at the current rate) of approximately 17, 000 wallets of Cryptopia.

Unlike a hacker, Cryptopia employees no longer control the private keys of Ethereum wallets, and funds stolen from the exchange continue to flow to the ETH address.

The Need for Cybersecurity CERtification

We are sure, if Cryptopia got CERtified, this hack would not have happened.

There is no doubt that crypto is becoming more structured than at the beginning stage when hype and FOMO moved the industry. And although crypto is now having not the best times, market capitalization has reached $113 billion. Would you like to give 70% of the money to hackers? Maybe 50%? We believe that you won’t give a hacker even 1% of that money. So what is the point of risking?

A hacker can exploit even the tiniest bug in the system and steal millions of investors’ funds. For this reason, CER offers Cybersecurity Certification. This CERtificate will help to ensure that a crypto exchange is compliant with the security standards, to make sure that it passed fundamental audits along with conducting a bug bounty program for the direct communication and interaction with white hackers.

How does it work?

If an exchange has already passed some security audits, has an ongoing bug bounty program, and can present the necessary reports to CER & Hacken for the check, then, we grant the CERtificate without a Pen Test.

If not, Crypto Exchange Ranks together with Hacken cybersecurity experts check security level and perform penetration testing. We check:

  • Server Security
  • User Security
  • Crowdsourced Security (the existence of a Bug Bounty Program) 

After the test, we provide a report with a detailed list of bugs and vulnerabilities and recommendations on how to improve them. Afterward, a crypto exchange should start a bug bounty program either self-hosted or on the platform such as HackenProof. As soon as you improve your level of cybersecurity, we distribute a transparent and objective sign of safety for the whole community — Cybersecurity CERtificate.

Cryptopia, BitFinex, CoinCheck hacks. This all could have been avoided if crypto exchange owners took care of cybersecurity and started a bug bounty program in time.

CER learns from this experience and aims to bring relevant regulations and trust to the crypto industry. Now, the market needs clear standards more than ever before. CERtification is the only visible and beneficial solution to encounter modern crypto issues.

We rank exchanges like no one else!

Go CERtified