How to steal crypto

If you’re into tech or crypto there’s one TV show you should definitely be watching.

It’s not a factual show. It’s not even a serious show. But it has correctly predicted tech and crypto breakthroughs time and again.

The show I’m talking about is aptly named Silicon Valley.

It’s a sitcom about a group of tech workers in, you guessed it, Silicon Valley.

Back in December I wrote about Silicon Valley pushing the idea of decentralised storage – along with the major players in decentralised storage at the time. You can read it here if you missed it.

But that was last season’s breakthrough. This year, Silicon Valley predicted not one, but two major developments in the world of crypto:

  • High-profile 51 per cent attacks
  • IOTA’s Q release.

A 51 per cent attack is when one person or group of people take control of a crypto’s network. This then lets them break the network and steal money. A whole lot of money, as you’ll see today.

IOTA’s Q release will enable people and companies all over the world to rent out their unused computing power and storage. It will also let anyone in the world buy virtually unlimited computing power, without having to own a supercomputer.

I’ll get to Q and its implications in another issue. But today, let’s look at the 51 per cent attack. Because you can bet we’ll be seeing many more of these attacks in the future.

The 51 per cent attack explained

In May a hacker made off with $18.6 million of Bitcoin Gold.

People losing money in crypto to hacking isn’t exactly new, but the way this hack was carried out is. And it’s entirely repeatable.

I’ll explain how it happened. But before I do, a disclaimer.

Today’s essay is meant to highlight a problem, not to condone the hacker’s actions. The more people that know about these exploits, the faster people will come up with solutions to fix them.

And it should go without saying, but, don’t try this at home. It will likely not end well for you if you do.

Okay, now back to the story.

In crypto there are a number of different ways you can keep your network secure. But the most popular is by proof-of-work (POW).

This is how bitcoin and all of its forks work.

Basically, computers (called miners) work on a hard maths problem and the first one to solve it gets rewarded in bitcoin.

When the puzzle is solved, it creates a block of data which contains all the transactions on the network since the last puzzle was solved.

That block is then added to the previous blocks and it forms a chain of blocks, or a blockchain.

And this blockchain is the record of all the transactions on the network.

So far so (relatively) simple. Right?

Now, here’s where the 51 per cent attack comes in.

If you can make/buy/steal enough computing power you can take control of the whole network and create your own blockchain.

The reason it is called a 51 per cent attack is because for it to succeed you need more than 50 per cent of the total computing power of all the miners on the network.

You can think of it a bit like when someone owns more than 50 per cent of a company’s stock. If you own more than 50 per cent of a company’s shares, you own that company. You can make all the decisions.

A 51 per cent attack on a POW crypto works in much the same way.

You get to decide which transactions stay on the network and which ones are erased.

So you can send crypto A to an exchange, trade it for crypto B, withdraw B and then reverse the transaction when you sent crypto A to the exchange.

You now have your original amount of crypto A and the crypto B that you traded it for.

This is how hackers stole $18.6 million of Bitcoin Gold in May.

There are more steps involved, and it is more complicated than this in real life. But that’s the gist of how it works.

Why aren’t 51 per cent attacks happening to bitcoin all the time?

The reason this hasn’t happened much before is because it’s “prohibitively expensive”. As people like to say.

As a crypto network grows, you would need more and more computing power to perform a 51 per cent attack on it. For a huge crypto like bitcoin or Ethereum, it is just too expensive. The amount you could make would not cover your costs.

However, for a smaller crypto, it’s remarkably cheap. Frighteningly cheap in fact.

In the wake of Bitcoin Gold’s 51 per cent attack, a Reddit user, xur17, created a website that calculates how much a 51 per cent attack costs on various cryptos.

After the Bitcoin Gold 51% attack a few weeks ago, I was curious what an attack like this costs against other currencies. I calculated the cost of renting hashing power from NiceHash to complete an attack.

I found it surprising that it is possible to rent enough hashing power for many of the smaller currencies, which makes me question the use of PoW for smaller coins.

Here’s the list of prices for some of the bigger coins:


And here’s the website, if you want to look for yourself.

The important column here is the NiceHash-able one. Basically if that’s over 100 per cent, it means you can simply hire the computing power using the website NiceHash.

This makes the whole thing so much cheaper and easier for the attackers because they don’t have to write off their hardware costs. They don’t even have to buy any hardware.

An attack on a crypto that has under 100 per cent in this column will be much, much more expensive than the 1hr attack cost listed, and highly unlikely to succeed.

But there are a whole lot of big cryptos which are over 100 per cent in that column.

For instance, you could effectively take control of Bytecoin, a $1.1 billion crypto, for just over $1,000 an hour.

Forks are great, until they aren’t

Now, as I said, a 51 per cent attack on bitcoin or Ethereum would be almost impossible, and would likely lose the attackers millions of pounds.

But for smaller cryptos using a POW system, this is very bad news.

In the same week that Bitcoin Gold was hacked, Monacoin was also subject to a similar attack, and it cost the network $90,000.

Forks of popular coins like bitcoin will end up with smaller networks than the one they forked from. The fewer people who use and mine a POW network, the less secure it is. If fewer people use it, it takes less computer power to take control of.

This is the case for most forks, and any small crypto that uses a POW system.

So while bitcoin may be the most secure crypto ever created, its forks are not. And it would seem that POW is not a good consensus mechanism to use unless you’re a top five crypto.

What’s the solution?

The best solution would to be for smaller cryptos to use a proof-of-stake (POS) system instead of POW.

In order to sabotage a POW system the attacker would need to own a huge amount of said crypto. As long as that crypto had been distributed fairly in the first place, this would be a hard task.

It’s a lot harder to buy up a niche crypto than it is to simply pay to rent computer gear. Especially if there are people committed to keeping the network secure, who already own a lot of the supply.

There may not even be enough of that crypto out there on exchanges for someone to buy up and launch an attack.

And, in a POS system, if you do something malicious – like trying to reverse transactions – you lose your stake. So the attacker could lose a whole lot of money and end up with nothing.

Even if they succeeded once, they would likely lose a lot of their crypto in the process.

This is why many people believe POS is a more secure system than POW, and one of the many reasons Ethereum is switching over from POW to POS.

But no system is perfect, and some argue that POS leads to more centralisation. Of course, then others point out that POW also leads to centralisation because groups of miners often join together and share rewards.

As I said, there is no perfect system. But POS seems to be a better solution in most cases.

And that’s before we even get into the energy consumption. POS only uses a fraction of the energy POW does – remember that W stands for work. It takes vast amounts of energy to secure the bitcoin network, as I’m sure you’re aware.

However, many people like the concept of mining and getting paid to secure the network with their computer power. Another solution is to create a token on an already strong crypto network.

For example, you could create a token on Ethereum that meant in order to do a 51 per cent attack on that crypto, the attacker would first have to get through Ethereum’s network. As I said earlier, an attack on Ethereum is not an economically viable thing to do.

As word spreads about the ease of these attacks, there’s a good chance we’ll see more and more of them happening on these smaller POW cryptos in the coming months.

This could then lead to even more forks as they move over to a POS system.

If you’re read this far, I think it’s fair to say you have a decent interest in crypto. We got a bit technical for a while there. So if you’re still here, you should check out my dedicated crypto service: Crypto Wire.

I release it once a month, and cover what I believe are the most important stores in crypto. I also rank my favourite cryptos and weigh up the pros and cons of investing in each one.

You can get a trial to Crypto Wire here. And when you do you’ll also get my 45-page beginner’s guide to investing in crypto, which covers everything from the different types of crypto you can investing, to buying, selling and storing each one. Click here for more information.

So to bring it all back to the start. What happened on Silicon Valley?

Well, in order to secure funding for its “new internet”, the team decided to create a crypto and do an initial coin offering (ICO).

Its competitors then realised they could perform a 51 per cent attack on the team’s crypto and take control of its company. That episode aired at almost the exact same time the Bitcoin Gold hack happened.

I won’t ruin how it all played out, but it was a great example of life imitating art.

Until next time,

Harry Hamburg
Editor, Exponential Investor

Category: Cryptocurrency

From time to time we may tell you about regulated products issued by Southbank Investment Research Limited. With these products your capital is at risk. You can lose some or all of your investment, so never risk more than you can afford to lose. Seek independent advice if you are unsure of the suitability of any investment. Southbank Investment Research Limited is authorised and regulated by the Financial Conduct Authority. FCA No 706697.

© 2019 Southbank Investment Research Ltd. Registered in England and Wales No 9539630. VAT No GB629 7287 94.
Registered Office: 2nd Floor, Crowne House, 56-58 Southwark Street, London, SE1 1UN.

Terms and conditions | Privacy Policy | Cookie Policy | FAQ | Contact Us | Top ↑