Bancor and MyEtherWallet Hit by Security Breaches
Within less than a day, two cryptocurrency related security breaches have occurred. Decentralized cryptocurrency exchange Bancor has fallen victim to a theft of up to USD 23.5 million. Soon, popular Ethereum wallet MyEtherWallet warned its users that those who utilize Hola, a free VPN (virtual private network) which plugs into browsers and claims nearly 50 million users, may have been caught up in a malicious attack to steal crypto.
Bancor halted operations due to an investigation of a “security breach,” where a total of USD 23.5 million was stolen, although they managed to freeze around USD 10 million of those funds - the amount that was stolen in their native cryptocurrency, BNT. Other stolen funds include USD 12.5 million worth of ETH, and around USD 1 million worth of NPXS.
“A wallet used to upgrade smart contracts was compromised,” the official statement reads. A separate tweet stresses that no user wallets were compromised, but as it is not possible to freeze other coins, they are working on tracing them.
Bancor head of communications Nate Hindman told Cointelegraph that the exchange should be back online within 24 hours (the article was published at approximately UTC 1:00 AM.) He also told the news outlet that the exchange is working with a “number of industry players” to help the industry collaborate more effectively when thefts occur.
Charlie Lee of Litecoin tweeted, “A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It's a false sense of decentralization.” Others in the community agree that the exchange holds at least some blame due to the way the breach was able to happen.
Meanwhile, MyEtherWallet (MEW) has also seen a lot of trouble in the past few hours. The company said that Hola, the VPN in question, was compromised for a period of five hours, during which time any Hola users who navigated to MEW and accessed their wallet with the VPN switched on may have been affected. Those users should move their tokens to a new wallet, the company urges, if they can access them.
There are currently no news on whether anything was stolen, as neither users nor the company have come forward with more information. Still, this is not the first time MEW has fallen victim to an attack: in February, they were affected by a DNS attack that saw at least USD 365,000 of crypto stolen from users. Hola does not have a clean sheet either, as back in 2015, Hola was accused of performing DDoS attacks “on demand” surreptitiously for paying clients using the computing power of its users.