Quarter 1 of 2019 was very interesting, involving high-profile cases such as QuadrigaCX. At MyCrypto, we published five security-related articles to help educate users entering and staying safe within the cryptocurrency world.

TL;DR: A website can trick the user into thinking that they are on a different website by crafting specific images and forcing the browser to go into full-screen mode. This can then be used to extract secrets (private keys, mnemonics, etc.) and sign unintended transactions.

TL;DR: Browser extensions can be good, but also very, very bad. The CCB Cash extension, in particular, is designed to steal your login credentials to various exchanges. The CCB Cash campaign stole over 12 BTC.

TL;DR: In this story, we aimed to standardize how entities in the industry react and communicate during a security incident. We were motivated by our observation that a lot of these events were occurring with very little coordination between parties after the fact.

TL;DR: Unsolicited airdrops can be useful(?), but stay vigilant and inform yourself about what they are advertising. This story investigates a big airdrop campaign that ties into a fake MyEtherWallet UI to steal your wallet secrets!

TL;DR: Are you confused about what a “hardware wallet” means? We go into detail on the specifics of different solutions for a hardware wallet so you can make an educated decision based on your threat models.

QuadrigaCX

QuadrigaCX was one of the top Canadian cryptocurrency exchanges and its shutdown in Q1 of 2019 was the event of note. The unexpectedly strange story began after QCX filed for creditor protection after the CEO allegedly died in India (while, apparently, having sole access to the cold wallets). The first reports estimated $130,000,000 was owed to its customers. The true amount owed is yet to be known as, apparently, the administrators of QCX were prone to trading on their own exchange as well as other exchanges. Apparently the database which logged user balances was… a bit of a mess and not entirely tied to reality. The investigation into QuadrigaCX is ongoing.

MyCrypto CEO (Taylor Monahan) did an in-depth investigation of the Ethereum on-chain activity for Quadriga and published a spreadsheet of her findings.

Since that tweetstorm, the case has only become more muddled as new information comes to light. We strongly recommend checking out the recent Vanity Fair article on the case, which gives some additional insight into the players and moving pieces of the case. Here’s to hoping 2020 brings answers to those who lost funds due to QuadrigaCX’s ineptitudes.

Bithumb

Another high-profile exchange hack happened in the first quarter of 2019. Bithumb is a South Korean cryptocurrency exchange, and was reported to have been hacked for a loss of $13,000,000 worth of EOS holdings. However, in an official statement, the exchange declared that the theft did not affect users, as those funds are “under the protection of a cold wallet.”

Cryptopia

In January 2019, Cryptopia, a New Zealand-based exchange, went dark after reporting a security incident. Information, including the amount stolen, has been scarce. Cryptopia only disclosed, “We are continuing to work on assessing the impact incurred as a result of the hack in January. Currently, we have calculated that worst case 9.4% of our total holdings was stolen.”

Some have estimated approximately $16M in ether and ERC-20 tokens were stolen. Cryptopia is working with various law enforcement agencies to determine the scope of the damage.