Cybercriminals always find a way to exploit the loopholes present in the cryptocurrency market. As the blockchain space is gaining more interest and popularity, the technology is advancing at an unbelievable pace, leading to more complexity and a chance of error. We have seen founders inserting back-door exits to steal all the money present in the liquidity pools by pulling the plug. We have seen hackers exploiting DeFi projects by going after their vulnerabilities like Oracle Manipulation and smart contracts reentrancy. But the one thing that seems to have flown under the radar is- API keys manipulation.
The demand for trustworthy exchanges is so high right now that we see dozens of companies coming up with their own applications to allow traders to have a seamless experience. But when they use such services provided by third-party applications, they hand over control of their personal records via API keys. This means that the exchange or trading application executes all the operations on the user’s behalf without logging into the exchange.
Cryptocurrency hacks using API keys are terrifying because the attacker doesn’t need to have withdrawal rights or manipulate the markets to have a meaningful impact. They use multiple exploitation methods to steal funds, and it seems as if they are artificially manipulating the market. This article will deep dive into API key exploitation and break down how hackers go about stealing millions going unnoticed.
What are Exchange APIs
API keys, in general, are used for authentication of a user’s identity in an automated or programmable manner. In exchange APIs, users will programmatically access their accounts and execute necessary actions or strategies. The APIs can process any request, as they use a secret key or private key to sign on behalf of the trader.
Integrating APIs and using third-party software solutions is beneficial for traders trying to access their accounts associated with different exchanges. Some of the common features for using exchange APIs are order placement, account data collection, and market data access.
What API permissions are granted to traders
Exchanges ask traders to enable certain settings so that they have access to both public and private keys. In most cases, exchanges categorize permissions into three groups:
Data- With APIs allowed to read data of the users’ accounts, and it will gain access to their open orders, balances, and trade history. (Note- It cannot make any modifications)
Trade- This permission is mainly for traders to automatically place open orders and close orders. In programming terms, these are called write operations. These operations will change account data.
Withdrawal- This permission is probably the most important one associated with API keys. It allows APIs to make withdrawals and send funds to another wallet without requiring authorization from the actual owner of the account.
Never ever enable withdrawal permission- if a trading application is asking for it, stop using it immediately and consider more reliable services.
Why do people keep losing their API keys
When users generate API keys from their exchange account, they will have to go through a process, giving necessary details and enabling permissions. In this process, the exchange will show their public and private API keys. Now, the public key is displayed on the exchange, but it will be shown only once in the case of a private key. So if a user fails to store their private key in a secured, private location, then they have officially lost control of their API key.
Keys can also be lost when a system crashes, leaving the user with no options for recovery. It is also important to note that- digital exposure of private keys is the same as losing control of private keys. Public key infrastructure is designed to increase security, implement authentication methods, and apply digital signatures. But if users accidentally expose their private key on a digital platform, they have effectively put themselves in a vulnerable position with zero control over the API key.
How do cybercriminals gain access to these stolen API keys
You must think hackers will deploy some dangerous malware or spyware to gain access to stolen API keys, but that’s not at all the case with such exploits. Cybercriminals use the online platform to their advantage, and it should not be a surprise because a majority of API keys are digitally exposed.
Public repositories like Github are a gold mine for hackers, as they are more or less likely to contain leaked information of thousands of accounts. Another similar platform to contain authentication tokens is a web application, which uses ENV files to store framework settings and, in most cases, includes API keys.
“This is why API keys should never appear on websites like Gitlab or Github; instead- they have to consider direct extraction from the application and create a new file to add to gitignore,” said Expert Cyber instructor at the University of Advancing Technology- Aaron Jones.
Another way some hackers gain access to stolen keys is by guessing the value of their stored addresses. A ‘blockchain bandit’ was able to find weak private keys that are easy to guess, and it was recorded that he was able to find 732 guessable keys. This may never happen again, but it is worthwhile to know about it.
How do they leverage these API keys- two methods
According to an investigation conducted by cybernews, we have come to know that accounts displayed on public repositories have anywhere between $5000- $155k worth of coins. The investigation also revealed that 90% of the accounts have trade rights enabled. This brings us to our main question- how are hackers using trade rights to empty out the victims’ trading accounts.
Cybercriminals mainly implement two abusive techniques- Sell wall Buyouts and Price Boosting. These methods artificially manipulate the price of coins, orders, and the entire trading setup.
Buying Sell Walls
Building a sell wall in the crypto market leads to massive losses for compromised trader accounts, but in the same breath, allows market manipulators to accumulate at a significantly lower price.
The tricky aspect of buying sell walls is it all happens in a fraction of a second. Massive sell orders will be placed from the victim’s account, and at the same time, hackers will place a buy order to snatch away all the coins at a low price. This only gets worse, as each sell order will cause an even bigger loss to the victim than the previous sale.
The second method used to exploit stolen API keys is price boosting. This also doesn’t involve withdrawals of any kind and only uses trade permissions. The way it works is simple- hackers deploy a shitcoin with no value and inflate its price by initiating large buy orders.
They choose unworthy projects because it is easy to manipulate, given the low trading volume for such coins. Once the buy order is initiated, the attacker uses his middleman account to sell the same coin to the victim for a boosted price. In the end, the victim will have a bunch of worthless coins that he can never sell at a reasonable price.
How to safeguard your funds without compromising your API keys
As mentioned earlier, once your API keys are digitally exposed, you will no longer have complete control over your trading account. That is why you need to be cautious and follow a few simple steps to protect your API keys from being exploited.
Some best practices to follow are:
Never store unencrypted secrets in .git repositories
Many people assume private repositories are secure enough to store secrets like API keys, but in reality, they are some of the high-value targets for cybercriminals. It is easier for an expert developer to gain access to the complete history of a project, so any existing secrets will be open to all.
Never use messaging systems to send API keys.
Digital exploitation and data extraction can happen in any form, so stay away from messaging platforms like Slack and instead use secrets as a service-type solution.
Do not let APIs take complete control of your account
It is always recommended to minimize access control for APIs and only allow it when necessary. If possible, you should try whitelisting IP addresses, as it blocks hackers from gaining control of your trading bot control panel.
While these practices can help you prevent any API key exploitation, they cannot do anything for recovery. To recover private keys and regain ownership, we have to experiment with different recovery mechanisms and see which has the highest accuracy. Some studies have shown that it is possible to retrieve asset ownership in the blockchain using a symmetric key generated from the owner’s fingerprint and a distributed private key recovery system utilizing a secret sharing scheme supported by biometric. These methods may not have delivered desired results, but we may see better solutions in the future to track API keys and secure our trading accounts.
In the world of crypto, we should always expect the unexpected and be aware of all the scenarios that can likely take place. API key manipulation is a real threat right now, and we should verify whether we are working with a reliable third-party service. We should also make sure to follow some of the best practices mentioned in the above sections, as we never know how these hackers may exploit API keys. At the end of the day, you are responsible for your actions, so be careful and thoughtful when trading using API keys.
Born and brought up in India, Karthikeya Gutta is a crypto journalist and freelance contributor for ItsBlockchain. He covers various aspects of the industry with in-depth analysis and research. His passion towards blockchain and crypto ecosystem is mainly because he believes it can really change the world and help millions of people.
Subscribe to get notified on latest posts.