paint-brush
How your trading API keys can be used to drain your fundsby@solanto.whizzkid
6,404 reads
6,404 reads

How your trading API keys can be used to drain your funds

by Olusola David O.March 9th, 2018
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Many crypto investors have probably not given it enough thought. The exchanges have implicitly made us believe that as far as your <a href="https://hackernoon.com/tagged/api" target="_blank">API</a> keys are disabled for withdrawal, it will be hard for anyone to move your funds. But recent hacks are beginning to make it clear that the new target of attackers is traders’ API keys. This especially goes for traders and investors that use bots and different cloud-based services to manage their accounts.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - How your trading API keys can be used to drain your funds
Olusola David O. HackerNoon profile picture

source: gifimage.net

Many crypto investors have probably not given it enough thought. The exchanges have implicitly made us believe that as far as your API keys are disabled for withdrawal, it will be hard for anyone to move your funds. But recent hacks are beginning to make it clear that the new target of attackers is traders’ API keys. This especially goes for traders and investors that use bots and different cloud-based services to manage their accounts.

Just 2 days ago, there was a widespread rumor that Binance may have been hacked. This was due to an attack on certain users’ accounts which used funds from their accounts to manipulate market prices. Binance has claimed this was due to improper handling of API keys by bots used by the affected users. Phishing attacks from last month which stole user login credentials may also be responsible. I doubt the attackers lost money as Binance claimed though. Not if they implemented the strategy below.

How did this attack play out? Simple. The attackers got hold of users’ trading API keys. Since they are able to trade but not withdraw, they needed a way to manipulate the market. A common way to do this is via a pump and dump. In a typical pump and dump, a number of users would come together on a secret group and try to artificially increase the price of an asset by buying up a large volume of the asset over a very short period of time. This price increase will then trigger some other investors or bots to buy in and get on a potential bull run. The domino effect that results will further serve to increase the price. Usually, the organizers of this pump and dump group would have done a pre-pump by buying up the asset before notifying others of the chosen asset.

Depending on the target of the pump group, a massive sell-out happens almost as sudden as the initial pump. Coming to the API keys attack, the attackers understood that a physical user was just as useful as the restriction on their API keys. Since they could trade with these API keys, it only took a little insight to realize that they could also simulate a traditional pump and dump using these API keys.

All they needed was to:

  1. Borrow some BTC if they didn’t have enough.
  2. Buy the target asset (Viacoin in the case of Binance) in a pre-pump.
  3. Program a bot to take a victim’s trading API Keys, sell all their altcoins to BTC and then buy the target asset (Viacoin) at an already inflated market price.

By repeating step 3, the attackers were able to pump the price of $VIA by almost 70x (according to Bitcoin.com) in a matter of minutes. Now if a user whose account was compromised was lucky enough to get in during the period of the attack and withdraw their funds from Binance, they would probably be most grateful for the attack. But as it happens, the pump doesn’t last long. It’s usually followed by a fatal dip in price as a result of massive sell-offs. This results in a big loss for a larger percentage of the compromised accounts.

If the attackers are fast enough, they are able to withdraw their loots before Binance clamps down on withdrawal and resets their system. And with just 1 BTC of initial investment, the attackers cart off with 60+ BTC of loot.

This post was put up for educational purposes to make investors aware of the risks associated with exposing their trading API keys to non-secure and non-trustworthy 3rd party services or bots. To protect yourself against losses from API key compromisation or phishing attacks, always make sure you:

  • Setup Two-Factor Authentication (2FA) on all your exchange accounts.
  • Setup your IP whitelist to allow only trusted IP addresses to access your account.

If you have a crypto portfolio and you have not started maximizing your returns, check out my post on maximizing your crypto returns.

Thanks for reading. If you found this article informative, don’t hesitate to clap it up (as many as 50 times) so that others can discover it. Also, if you found an error in my analysis, feel free to drop a comment below. Follow me for more interesting and informative reads.