Takeaways from Our $250,000 Bounty For Hacking Our Cold Wallet

@lior-lamesh

Co-Founder and CEO of GK8

The first time I laid eyes on a cold blockchain wallet, I was stunned. It wasn’t just the novelty of blockchain technology that shocked me, but the inherent vulnerabilities of wallets currently on the market. Where others saw secure pieces of equipment capable of safely storing millions of dollars in digital assets, I saw HSM formats, USB, ethernet cables, QR codes, and SD cards. In other words, I saw weak points that hackers could use to penetrate the wallets’ defenses, including Wi-Fi and Bluetooth connections that made the notion of “air-gapped” computers laughable.

I knew that each and every one of them was hackable. This was how millions of people around the world were holding their cryptocurrencies? There had to have been a better way.
Sure enough, we discovered hardware and software vulnerabilities in several leading cold wallets, namely, the ability to manipulate the front-end application to show misleading data for the wallet holder during a transaction. Indeed, any device that has some kind of connection to the internet throughout the transaction process (all wallets do) is certain to experience a breach at some point.
As such, referring to such wallets as “cold wallets” is misleading, because the modifier “cold” implies a lack of internet connection. Sure, many companies that claim to provide cold wallets make life harder for hackers, but at the end of the day, with enough research, resources, and willpower, malicious actors will find and exploit the loopholes.
With this knowledge, how is a wallet provider able to build a successful bounty program for its product that it truly believes to be unhackable? Part of the trick lies in providing the information hackers need in order to exploit vulnerabilities -- if the hacker never has a chance to hack, was it really a bounty program?
Here at GK8, we provide a step-by-step guidebook for building a truly convincing bounty program, for wallet providers who seek to follow in our footsteps.

STEP 1: Provide an incentive to lure in the big-league players 

Firstly, it’s important to lure in the top hackers in the world with a major incentive to prove your wallet can truly withstand any attack. We did this in two ways.
First, we offered a prize of $250,000, one of the largest bounties ever offered for such a program. The prize offered needs to be high enough to tempt the bad guys -- generally known as black-hat hackers -- who know what they’re doing.
Their hack attempts, and failures, only serve to bolster your company’s claim of providing a truly unhackable wallet. 
Second, third, and fourth -- Bitcoin, Bitcoin, and Bitcoin. There is nothing that will attract state-level actors more than offering the bounty prize in Bitcoin, because it’s a one-stroke, untraceable steal for the hacker if they are able to break into the wallet. We knew they wouldn’t be able to, but the idea is for them to try.
We knew hackers would make the attempt, as the inherent weaknesses of blockchain protocols are well-known in cybersecurity circles.
Blockchain is interactive in nature, as users must use wallet end-points to conduct transactions. In other words, any wallet can be compromised because it needs to have internet connectivity at some point, which opens many internet attack vectors.  

STEP 2: Build cyber defenses all around your company’s network 

Companies running a bounty program should consider the possible collateral damage, which can include DDOS attacks, ransomware attacks, and reputation damage.
Companies should prepare for attacks on their networks, websites, or social media profiles. Failing to secure high-risk, sensitive data on company platforms that are hackable can single-handedly ruin the entire program.
From those platforms, hackers can potentially find their way to company workflows, as well as the way the product is designed. Companies must heighten their internal cybersecurity defenses before announcing.

STEP 3: Prove the cold wallet is live

Before a company goes live with its bounty, it needs to publicly declare that a live Bitcoin transaction will be executed at an expected time, so hackers can forecast exactly when and to whom the transaction will be sent.
Why is this important? Because it tells bounty participants when the device will be active and gives them the ability to exploit internet exposure and leverage a security breach within the wallet. 
A company can’t declare its device truly hack-proof if it doesn’t give hackers an actual shot at breaking into it. If I were an outside observer, watching our bounty program from the sidelines, I’d think we’re nuts, marching willingly to the gallows.
Publicly disclosing the company’s physical address, as well as the sender and receiver address and the exact time the transaction is taking place a week in advance?
Giving the hacker all that time to plant malicious code that can be activated when the transaction is executed? These guys can’t be serious, I’d think. And yet, we did it.
There are many wallet providers who claim their solution is “offline.” While that kind of descriptor might appeal to marketing types, it induces skepticism among security experts.
Blockchain is an interactive protocol: in order to sign transactions, you must communicate with the blockchain. That means that even if a wallet is generally not connected to the internet, it does connect the moment it needs to sign a transaction, exposing the risk-sensitive private key to the internet and opening the wallet to an attack vector.
We, at GK8, were able to send a transaction without an internet connection through our technology. The idea of the bounty was to prove to skeptical security ears that we’re able to do so, for real.
First, we needed to eliminate the possibility of such skeptics suggesting that we predefined the transaction details -- meaning the address, amount, and signature -- before the day of the event, because it is possible to do so.
To ensure no one could accuse us of such meddling, as well as prove the liveness of the cold wallet, we built a formula so that no one on GK8’s staff could predict the address in advance, meaning we had to send it in real time, during the bounty.
During the bounty, every 24 blocks, we sent a real-time transaction to the address of the miner that closed the last block. In doing so, we proved that we had to generate the addressee information, the recipient’s Bitcoin address, in real time -- there was no manipulation of the results involved.
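
An outside observer can check the scheme described above against public chain data. The following is an added example, not GK8's code: the `Block` model, the rule that checkpoints fall on heights divisible by 24, the 6-block confirmation window, and the "predictable" verdict for a reused miner payout address are all assumptions of this sketch, and the chain data is constructed.

```python
from dataclasses import dataclass

INTERVAL = 24   # from the page: one transaction "every 24 blocks"
MAX_LAG = 6     # assumption: payment must confirm within 6 blocks of its checkpoint

@dataclass(frozen=True)
class Block:
    height: int
    miner: str            # coinbase payout address of this block
    payments: tuple = ()  # (sender, recipient) pairs confirmed in this block

def audit_liveness(chain, wallet, interval=INTERVAL, max_lag=MAX_LAG):
    """Return {checkpoint_height: verdict} for every checkpoint in `chain`."""
    blocks = {b.height: b for b in chain}
    tip, seen_miners, verdicts = max(blocks), set(), {}
    for h in sorted(blocks):
        target = blocks[h].miner
        if h % interval == 0:  # assumption: checkpoints are heights divisible by 24
            # Only blocks strictly after the checkpoint count: a payment confirmed
            # at or before height h was made before the recipient was fixed.
            window = [blocks[i] for i in range(h + 1, h + max_lag + 1) if i in blocks]
            paid = any((wallet, target) in b.payments for b in window)
            if not paid:
                verdicts[h] = "pending" if h + max_lag > tip else "missing"
            elif target in seen_miners:
                # Reused payout address (e.g. a pool): the recipient was guessable.
                verdicts[h] = "predictable"
            else:
                verdicts[h] = "live"
        seen_miners.add(target)
    return verdicts

def sample_chain():
    """Constructed data: heights 47..122, checkpoints at 48, 72, 96 and 120."""
    w = "bounty-wallet"
    miners = {50: "pool-A", 72: "pool-A"}
    pays = {
        50: ((w, "miner-48"),),   # confirmed after checkpoint 48
        73: ((w, "pool-A"),),     # recipient already seen at height 50
        96: ((w, "miner-96"),),   # same block as its checkpoint: not counted
    }
    return [Block(h, miners.get(h, f"miner-{h}"), pays.get(h, ()))
            for h in range(47, 123)]

if __name__ == "__main__":
    for height, verdict in audit_liveness(sample_chain(), "bounty-wallet").items():
        print(height, verdict)
```

Only a "live" verdict supports the claim that the recipient could not have been fixed before the checkpoint block was mined; "predictable" marks a payment that an auditor should weigh less because the payout address had already appeared on chain.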

STEP 4: Protect against physical theft -- We kid you not

A sum of $250,000 in Bitcoin is quite a trophy. As such, we had to take every step necessary to ensure this money would remain safe. It’s important to gather security experts -- the best the field has to offer -- in order to map out all the possible doomsday scenarios.
Now, to be clear, I wasn’t at all worried about the product. When we say our cold wallet is hack-proof, we mean it. Still, we needed to act responsibly in order to protect our personnel and company infrastructure. 
Yes, that’s right. We even considered the possibility of an armed attacker physically entering the office and taking someone hostage for the money. In order to prevent that from happening, GK8 locked down its office, escorted staff to and from bus stations, and prepared a secure location with second-layer physical protection to lower the risk of physical attacks.
There weren’t any physical attempts to rob the company on game day, although there was a minor-league hack attempt on GK8’s company network that was handily thwarted. 

STEP 5: Bask in the success

A couple hundred hackers from all over the world -- including Russia, England, Israel, Ukraine, Turkey, and North America -- signed up for the bounty. This only accounts for “white hat” hackers who actually provided personal details to claim legal holding on the prize if they were to succeed.
It doesn’t account for the black hat hackers that didn’t sign up, but still took a stab at hacking our cold wallet. GK8 is aware of thousands of users globally downloading, viewing, and going through company information. There were attempts to hack our business network, but nothing happened.
None of the attempts to break into our wallet were successful. That’s because our cold wallet is the only true cold wallet on the market, as it is able to send a transaction without direct or indirect internet connection. That means it’s physically impossible to cyber-hack our wallet. 
But the bounty journey doesn’t quite end there…

STEP 6: PR, PR, PR!

Once a company has shown that none of the thousands of hackers that tried to crack its wallet managed to do so, it needs to make that known to the world. In fact, public relations and marketing efforts should begin before the bounty even hits the ground running.
That’s how you get attention. Companies shouldn’t be afraid to reach out to everyone, even directly. As long as you’re confident in your product, all PR is good PR.  
TechCrunch’s Zack Whittaker remains skeptical even after our successful bounty program. But, as he’ll eventually come to understand, our cold wallet is truly hack-proof.
At GK8, we’re serious about changing the world of security and blockchain, making it possible for financial institutions to utilize blockchain technology’s benefits confidently and safely.
We challenge others with the same aim to run equally successful bounty programs in the future, using the above steps as their guide. Good luck!
About Lior: Lior Lamesh is the Co-founder and CEO of GK8, a cybersecurity company that offers high-security custodian technology for managing and safeguarding digital assets. Lior gained his expertise in cybersecurity while serving in an elite team that answered directly to the Israeli Prime Minister’s Office on matters of strategic state assets protection.
