ItsBlockchain
      Be warned! Hackers are abusing API keys and stealing your funds

by Karthik Guttha
      June 15, 2021
      in Crypto Market

Cybercriminals always find a way to exploit the weak points of the cryptocurrency market. As the blockchain space gains interest and popularity, the technology is advancing at a remarkable pace, which brings more complexity and more room for error. We have seen founders insert backdoors and drain liquidity pools by pulling the plug (a rug pull). We have seen hackers exploit DeFi projects through vulnerabilities such as oracle manipulation and smart-contract reentrancy. One thing that seems to have flown under the radar, though, is the abuse of exchange API keys.

The demand for trustworthy exchanges is so high right now that dozens of companies are building their own trading applications to give traders a seamless experience. When traders use such third-party services, they hand over control of their exchange accounts via API keys: the third-party application executes operations on the user's behalf without the user ever logging into the exchange.

Cryptocurrency hacks using API keys are alarming because the attacker does not need withdrawal rights, and does not need to move the wider market, to have a meaningful impact. They combine several abuse techniques to extract funds through the victim's own orders, and from the outside it looks like ordinary, if odd, trading activity. This article takes a deep dive into API key exploitation and breaks down how attackers steal millions while going unnoticed.

What are exchange APIs?

API keys, in general, authenticate a user in an automated or programmatic way. With exchange APIs, users access their accounts programmatically and execute actions or strategies. Each request is signed with the key's secret (most exchanges compute an HMAC over the request with the API secret) so that the exchange can act on behalf of the trader. Whoever holds the secret can produce valid signatures, so the API will process any request that the key's permissions allow, no matter who actually sent it.

Integrating APIs and using third-party software is convenient for traders who need to manage accounts on several exchanges. Common uses of exchange APIs are order placement, account data collection, and market data access.

What API permissions are granted to traders?

When a trader creates an API key, the exchange asks which permissions to grant it, and the resulting key pair (the public API key that identifies the key and the private secret that signs requests) carries those permissions. In most cases, exchanges group permissions into three categories:

Data (read): the API can read the account's open orders, balances, and trade history. (Note: it cannot make any modifications.)

Trade: this permission lets a trading application open and close orders automatically. In programming terms, these are write operations: they change account state.

Withdrawal: probably the most consequential permission attached to an API key. It allows the API to withdraw funds and send them to another wallet without any further authorization from the account owner.

Never enable withdrawal permission. If a trading application asks for it, stop using it immediately and look for a more trustworthy service.
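To make the permission model concrete, here is an added example of what a typical exchange does with a signed request on the server side; it is illustrative code written for this article, not any exchange's SDK or documented API. It assumes an HMAC-SHA256 over "timestamp + method + path + body" (the exact canonical string differs between exchanges), scope names read/trade/withdraw, endpoint paths that are made up, and a per-key IP allowlist of the kind recommended in the safeguards section below. The key record, secret and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed key record as the exchange would store it. The "API key" is only an
# identifier; the secret is a shared symmetric secret known to both the trader and
# the exchange, not a private key in the PKI sense. All values here are made up.
KEY_STORE = {
    "ak_demo_123": {
        "secret": b"demo-secret-shared-with-trader-only",
        "scopes": {"read", "trade"},            # withdraw deliberately not granted
        "ip_allowlist": ["203.0.113.0/24"],     # RFC 5737 test range, constructed
    }
}

# Which permission each endpoint needs (paths are assumed, not any real exchange's).
SCOPE_FOR_ENDPOINT = {
    ("GET", "/v1/balances"): "read",
    ("POST", "/v1/order"): "trade",
    ("POST", "/v1/withdraw"): "withdraw",
}
MAX_SKEW_SECONDS = 30


def canonical(ts, method, path, body):
    """The string both sides sign. Real exchanges differ in what they include;
    the point is that it covers everything the server will act on."""
    return f"{ts}{method}{path}{body}".encode()


def sign(secret, ts, method, path, body=""):
    """Client side. Anyone holding `secret` can produce a valid signature, which is
    why a leaked secret is equivalent to a leaked account within the key's scopes."""
    return hmac.new(secret, canonical(ts, method, path, body), hashlib.sha256).hexdigest()


def authorize(api_key, ts, method, path, body, signature, client_ip, now=None):
    """Server side. Returns (allowed, reason): signature, freshness, scope, then IP."""
    now = time.time() if now is None else now
    record = KEY_STORE.get(api_key)
    if record is None:
        return False, "unknown key"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"        # bounds replay of a captured request
    expected = sign(record["secret"], ts, method, path, body)
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return False, "bad signature"
    needed = SCOPE_FOR_ENDPOINT.get((method, path))
    if needed is None:
        return False, "unknown endpoint"
    if needed not in record["scopes"]:
        return False, f"scope {needed} not granted"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in record["ip_allowlist"]):
        return False, "ip not allowlisted"
    return True, "ok"


def demo(now=1_700_000_000):
    """Replays the situations the article describes, with a fixed clock for repeatability."""
    key, secret = "ak_demo_123", KEY_STORE["ak_demo_123"]["secret"]
    order = '{"pair":"BTC/USD","side":"sell","qty":10}'
    sig = sign(secret, now, "POST", "/v1/order", order)
    withdraw_sig = sign(secret, now, "POST", "/v1/withdraw", "{}")
    return {
        # Trade with the stolen secret from an allowlisted IP: accepted.
        "trade_from_allowed_ip": authorize(key, now, "POST", "/v1/order", order, sig, "203.0.113.7", now),
        # Same key used from the attacker's own machine: blocked by the allowlist.
        "trade_from_other_ip": authorize(key, now, "POST", "/v1/order", order, sig, "198.51.100.9", now),
        # Correctly signed withdrawal: blocked because the scope was never granted.
        "withdraw": authorize(key, now, "POST", "/v1/withdraw", "{}", withdraw_sig, "203.0.113.7", now),
        # Body changed after signing: the signature no longer matches.
        "tampered_body": authorize(key, now, "POST", "/v1/order", order.replace("10", "100"), sig, "203.0.113.7", now),
        # Same request replayed a minute later: rejected as stale.
        "replayed": authorize(key, now, "POST", "/v1/order", order, sig, "203.0.113.7", now + 60),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The order of checks is what matters for the article's threat: the signature proves possession of the secret and nothing more, so once the secret leaks the only remaining defences are the scopes that were never granted and the IP allowlist. Note that the replay check only limits how long a captured request stays valid; it does nothing against an attacker who holds the secret and can sign fresh requests.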

Why do people keep losing their API keys?

When users generate API keys from their exchange account, they go through a process of filling in details and enabling permissions. At the end of it, the exchange shows the public API key and the private secret. The public key remains visible on the exchange afterwards, but the private secret is shown only once. So if a user fails to store the secret in a secure, private location, they have effectively lost control of that API key.

Keys can also be lost when a system crashes, leaving the user with no way to recover them. It is equally important to note that digital exposure of a secret is the same as losing control of it. Although exchanges label the two halves "public" and "private", an exchange API secret is usually a shared symmetric secret rather than a private key in a public key infrastructure: the exchange holds a copy too, and anyone who obtains it can sign requests exactly as the owner would. If users accidentally expose their secret on a digital platform, they have put themselves in a vulnerable position with zero control over the API key until they revoke it.

How do cybercriminals gain access to these stolen API keys?

You might think hackers deploy dangerous malware or spyware to get hold of API keys, but that is not at all how these exploits work. Cybercriminals use public online platforms to their advantage, and this should not be a surprise, because a large share of leaked API keys are simply exposed online.

Public repositories such as GitHub are a gold mine for attackers, since they are likely to contain leaked credentials for thousands of accounts. A similar source of authentication tokens is web application configuration: many frameworks read their settings from .env files, which in most cases include API keys, and those files get committed by mistake.

"This is why API keys should never appear on websites like GitLab or GitHub; instead, they have to consider direct extraction from the application and create a new file to add to .gitignore," said Aaron Jones, expert cyber instructor at the University of Advancing Technology.

Another way some attackers obtain keys is by guessing them. A "blockchain bandit" was able to find weak, easily guessable private keys; 732 such keys were recorded. Note that this concerned on-chain wallet keys generated with poor randomness, not the exchange API secrets this article is about. It may never happen again at that scale, but it is worth knowing about.
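The repository and .env leaks described above are exactly what secret scanners look for. The following is an added example written for this article, not a tool mentioned on the page: a minimal scanner that flags credential-like assignments whose values have high entropy, run over a constructed .env file and constructed source lines. The regular expression and the 3.5 bits-per-character threshold are this example's own choices; production scanners such as gitleaks or trufflehog ship much larger rule sets.

```python
import math
import re
import sys

# Constructed sample of a trading bot's .env file committed by mistake. Values are made up.
SAMPLE_ENV = """\
EXCHANGE_API_KEY=k9Qm3V7tXz2LbN8pR4wY6cH1eJ5gS0aDfUoIlKjHgFdSaZxCvBnM
EXCHANGE_API_SECRET=Pq7Lm2Zx9Vw4Rt6Yb1Nc3Jh5Gk8Fd0SaQwErTyUiOpAsDfGhJkLzX
LOG_LEVEL=debug
DB_HOST=localhost
"""

# Constructed source lines that should NOT be flagged.
SAMPLE_SOURCE = """\
client = ExchangeClient(api_key=os.environ["EXCHANGE_API_KEY"])  # read from the environment
api_secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # placeholder, low entropy
secret = "1234"  # too short to be a real credential
"""

# A credential-looking assignment: a key/secret-ish name, then = or :, then a long token.
CREDENTIAL = re.compile(
    r'(?i)(api[_-]?(?:key|secret)|secret|passphrase)\s*[:=]\s*["\']?([A-Za-z0-9+/=_\-]{16,})["\']?'
)


def shannon_entropy(value):
    """Bits per character; random-looking credentials score high, placeholders score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((value.count(c) / n) * math.log2(value.count(c) / n) for c in set(value))


def scan(text, source="<buffer>", min_entropy=3.5):
    """Return one finding per line that assigns a high-entropy value to a credential-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = CREDENTIAL.search(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue
        findings.append({
            "source": source, "line": lineno, "name": name,
            "entropy": round(entropy, 2),
            "preview": value[:4] + "..." + value[-2:],   # never log the whole secret
        })
    return findings


def scan_paths(paths):
    """Scan files on disk; usable as a pre-commit hook over `git diff --cached --name-only`."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan(fh.read(), path))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_paths(sys.argv[1:])
    else:
        results = scan(SAMPLE_ENV, ".env") + scan(SAMPLE_SOURCE, "bot.py")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['name']} (entropy {f['entropy']}) {f['preview']}")
    sys.exit(1 if results else 0)
```

On the constructed input the two real-looking credentials in the .env file are reported and the three source lines are not: the first reads the key from the environment, the second is an all-same-character placeholder that fails the entropy check, and the third is too short to match. Wired into a pre-commit hook, the non-zero exit status blocks the commit before the secret ever reaches a remote; remember that a secret already pushed has to be treated as leaked and rotated, because rewriting history does not recall clones and forks.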

How do they leverage these API keys: two methods

An investigation by Cybernews found that accounts whose keys were exposed in public repositories held anywhere between $5,000 and $155k worth of coins. The investigation also revealed that 90% of those keys had trade rights enabled. That brings us to the main question: how do hackers use trade rights alone to empty a victim's trading account?

Cybercriminals mainly use two abusive techniques: sell wall buyouts and price boosting. Both manipulate the prices of coins and the order flow of the compromised account rather than withdrawing anything.

Buying Sell Walls

A sell wall buyout causes a massive loss for the compromised account and, in the same breath, lets the attacker accumulate the victim's coins at a significantly lower price.

The tricky part of buying sell walls is that it all happens in a fraction of a second. Using the victim's trade permission, the attacker places a massive sell order from the victim's account at a price far below the market and, at the same moment, a buy order from their own account to scoop up those coins at that low price. The thin layer of genuine bids absorbs only a little of the sell order; the rest fills against the attacker's bid, so each additional coin sold costs the victim more than the one before.


Price Boosting

The second method used to exploit stolen API keys is price boosting. It also involves no withdrawals and only needs trade permission. The way it works is simple: the attacker takes a position in a near-worthless token and inflates its price by placing large buy orders from the victim's account.

They pick thin, low-value tokens because their low trading volume makes them easy to manipulate. Once the victim's buy orders lift the price, the attacker sells the same token from a middleman account into those orders at the boosted price. In the end, the victim is left holding a pile of worthless tokens that can never be sold at a reasonable price, and the attacker has walked away with the victim's funds.
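Both techniques are easier to believe once you watch the balances move. The following is an added example, not code or data from the article: a toy limit order book with immediate settlement, on which the sell wall buyout and the price boost described above are replayed with constructed balances, prices and order sizes. It generalises the two scenarios slightly by using one matching routine for both, so the same few lines show that a trade-only key transfers value in either direction.

```python
from dataclasses import dataclass


@dataclass
class Order:
    side: str      # "buy" or "sell"
    price: float
    qty: float
    owner: str


class ToyExchange:
    """Minimal price-priority limit order book with immediate settlement.
    Balances are not checked before matching: this is a toy, and in the attacks
    below the victim really does hold the assets being sold or spent."""

    def __init__(self):
        self.balances = {}   # owner -> {asset: amount}
        self.books = {}      # "BASE/QUOTE" -> {"bids": [...], "asks": [...]}

    def adjust(self, owner, asset, delta):
        acct = self.balances.setdefault(owner, {})
        acct[asset] = acct.get(asset, 0.0) + delta

    def balance(self, owner, asset):
        return self.balances.get(owner, {}).get(asset, 0.0)

    def _settle(self, pair, buyer, seller, price, qty):
        base, quote = pair.split("/")
        self.adjust(seller, base, -qty)
        self.adjust(seller, quote, price * qty)
        self.adjust(buyer, quote, -price * qty)
        self.adjust(buyer, base, qty)

    def place(self, pair, side, price, qty, owner):
        """Limit order: fill against the opposite side at resting prices, rest the remainder."""
        book = self.books.setdefault(pair, {"bids": [], "asks": []})
        opposite = book["asks"] if side == "buy" else book["bids"]
        crosses = (lambda p: p <= price) if side == "buy" else (lambda p: p >= price)
        filled = 0.0
        while qty > 0 and opposite and crosses(opposite[0].price):
            resting = opposite[0]
            take = min(qty, resting.qty)
            buyer, seller = (owner, resting.owner) if side == "buy" else (resting.owner, owner)
            self._settle(pair, buyer, seller, resting.price, take)
            qty, resting.qty, filled = qty - take, resting.qty - take, filled + take
            if resting.qty == 0:
                opposite.pop(0)
        if qty > 0:
            same = book["bids"] if side == "buy" else book["asks"]
            same.append(Order(side, price, qty, owner))
            same.sort(key=lambda o: -o.price if side == "buy" else o.price)
        return filled


def sell_wall_buyout():
    """Attacker dumps the victim's BTC (via the stolen trade-only key) into their own low bid."""
    ex = ToyExchange()
    ex.adjust("victim", "BTC", 10.0)          # fair value 10 x 100 = 1000 USD
    ex.adjust("attacker", "USD", 10_000.0)
    ex.adjust("honest", "USD", 1_000.0)
    # Thin genuine demand: only 2 BTC of real bids around the fair price of 100 USD.
    ex.place("BTC/USD", "buy", 100.0, 1.0, "honest")
    ex.place("BTC/USD", "buy", 99.0, 1.0, "honest")
    # Attacker rests a deep bid far below market ...
    ex.place("BTC/USD", "buy", 60.0, 100.0, "attacker")
    # ... then, with the victim's key, sells the whole balance down to that level.
    ex.place("BTC/USD", "sell", 60.0, 10.0, "victim")
    return ex


def price_boosting():
    """Attacker's middleman account ladders asks in an illiquid token; the victim's key sweeps them."""
    ex = ToyExchange()
    ex.adjust("victim", "USD", 20_000.0)
    ex.adjust("attacker", "SHT", 300_000.0)   # "worth" 0.001 USD each before the boost
    for price, qty in [(0.001, 100_000.0), (0.01, 100_000.0), (0.1, 100_000.0)]:
        ex.place("SHT/USD", "sell", price, qty, "attacker")
    ex.place("SHT/USD", "buy", 0.1, 300_000.0, "victim")
    return ex


if __name__ == "__main__":
    ex = sell_wall_buyout()
    print("sell wall: victim USD", ex.balance("victim", "USD"), "for BTC worth 1000; attacker BTC", ex.balance("attacker", "BTC"))
    ex = price_boosting()
    print("price boost: victim paid", 20_000 - ex.balance("victim", "USD"), "USD for tokens worth about", 300_000 * 0.001)
```

In the first scenario the victim's 10 BTC, worth 1,000 USD at the fair price, come back as 679 USD: two coins go to the genuine bids and the other eight land in the attacker's bid at 60. In the second, the victim spends 11,100 USD sweeping asks in a token whose pre-boost value was about 300 USD, and every dollar ends up in the attacker's middleman account. Neither scenario touched a withdrawal endpoint, which is why the trade permission alone deserves the caution the article gives it.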

How to safeguard your funds without compromising your API keys

As mentioned earlier, once your API keys are digitally exposed, you no longer have full control over your trading account. That is why you need to be cautious and follow a few simple steps to keep your API keys from being exploited.

Some best practices to follow are:

Never store unencrypted secrets in .git repositories

Many people assume private repositories are secure enough to hold secrets like API keys, but in reality they are high-value targets for cybercriminals. Anyone who gains access to a repository can read the complete history of the project, so any secret that was ever committed is exposed, even if it was removed in a later commit.

Never use messaging systems to send API keys

Digital exploitation and data extraction can happen in any form, so stay away from messaging platforms like Slack and use a secrets-management service instead.

Do not let APIs take complete control of your account

It is always recommended to minimize the permissions granted to an API key and enable only what is necessary. If possible, restrict each key to an allowlist of IP addresses; this prevents an attacker who has obtained the key from using it from their own machines, including to take over your trading bot's control panel.

While these practices help prevent API key exploitation, they do nothing for recovery. For exchange API keys specifically, recovery is not the hard part: a leaked key can be revoked on the exchange and a new one generated, so the priority is to detect the leak quickly. Wallet private keys are different, since they cannot be rotated, and recovering them remains an open problem; some studies have proposed restoring asset ownership on a blockchain using a symmetric key derived from the owner's fingerprint, together with a distributed private key recovery system based on a secret sharing scheme backed by biometrics. These methods have not yet delivered the desired results, but we may see better solutions in the future to track keys and secure our trading accounts.

Final Thoughts

In the world of crypto, we should always expect the unexpected and be aware of the scenarios that can plausibly play out. API key abuse is a real threat right now, and we should verify that any third-party service we connect to an exchange account is reliable. We should also follow the best practices outlined in the sections above, since we never know how attackers will exploit API keys next. At the end of the day, you are responsible for your own keys, so be careful and deliberate when trading through them.

      Karthik Guttha

      Born and brought up in India, Karthikeya Gutta is a crypto journalist and freelance contributor for ItsBlockchain. He covers various aspects of the industry with in-depth analysis and research. His passion towards blockchain and crypto ecosystem is mainly because he believes it can really change the world and help millions of people.


      © 2020 itsblockchain.com - Designed and maintained by Fanatic Coders
