A recent study found that cybercriminals are now able to abuse the API keys used with cryptocurrency exchanges to steal millions of dollars' worth of cryptocurrency.
With the boom in the cryptocurrency market in recent years, companies started offering apps and services to assist traders in the process. Part of the protocol of using these services requires that traders grant access to third-party programs to their accounts via API keys to execute actions on their behalf.
Each set of API keys has two elements: the public key and the private (or secret) key. The latter is used by third-party apps to authorize trading. Even if someone steals the secret key, they shouldn't be able to withdraw your cryptocurrency, because exchanges disable withdrawals by default.
But the research found an emerging criminal business on hacker forums: offers to empty crypto exchange accounts by exploiting stolen API keys. Alarmingly, it's not just an empty promise.
Hackers are using these keys to empty crypto accounts without obtaining withdrawal rights.
But how do cybercriminals abuse the API keys?
Cryptocurrency exchanges offer three types of API permissions:
- Data permissions allow the APIs to read data from the account such as trading history, account balance, and open orders
- Trade permissions allow APIs to execute trades and open or close orders on behalf of the account holder
- Withdrawal permissions allow APIs to withdraw currency from the account and transfer it to another location. Usually this permission is disabled by default.
It's natural to think that for the hackers to steal from the accounts, the stolen API keys would need to have the withdrawal permission enabled. However, the research could not find a single incident of a stolen API key with withdrawal rights enabled.
How, then, were they able to perform this criminal activity?
It seems that hackers don’t even need to directly withdraw funds; they can just trade away the balance using appropriate permissions gained via stolen API keys.
There are two main methods of exploitation that the criminals use to steal funds: “sell wall” buyouts and price boosting.
- “Sell walls” are a manipulation method used in the stock market as well as in cryptomarkets. It involves creating artificial sell orders in order to lower cryptocurrency prices and be able to buy them cheap. Threat actors set up their trading bots and open up many sell orders below market value and authorize buy orders for the coins via stolen API keys. Orders are consecutively set up to sell coins for as long as it takes to empty the victim’s account.
- Price boosting involves using the API keys to initiate large buy orders for cheap coins with a low trade volume, which momentarily increases their price, and then selling those coins back to the victim at stupendous rates. After all the orders are executed, the coin falls back to its original low value, leaving the victim holding virtually worthless coins.
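As an added example that is not part of the original article, the following Python check shows how a victim or an exchange could spot both patterns above from the account's own fill history: API-key buys executed far above the exchange reference price (price boosting) and bursts of consecutive API-key buys of one symbol within a short window (the sell-wall drain). The `Fill` fields, the `"web"` label for UI-placed orders, the sample fills and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Fill:
    ts: int            # unix seconds at fill time
    api_key: str       # label of the key that placed the order; "web" = placed in the UI (assumption)
    side: str          # "buy" or "sell"
    symbol: str
    price: float       # executed price
    qty: float
    ref_price: float   # exchange-wide mid price at fill time (assumed available)


def flag_suspicious_fills(fills, max_dev=0.10, window=300, max_buys=5):
    """Return (reason, fill) pairs for API-key buys that match the two drain patterns:
    'overpriced_buy'  - executed more than max_dev (10%) above the reference price
    'buy_burst'       - the max_buys-th buy of one symbol by one key within `window` seconds
    UI-placed orders and sells are ignored; only API-initiated buys drain the victim."""
    alerts = []
    recent = defaultdict(list)  # (api_key, symbol) -> timestamps of recent buys
    for f in sorted(fills, key=lambda x: x.ts):
        if f.api_key == "web" or f.side != "buy":
            continue
        deviation = (f.price - f.ref_price) / f.ref_price
        if deviation > max_dev:
            alerts.append(("overpriced_buy", f))
        key = (f.api_key, f.symbol)
        recent[key] = [t for t in recent[key] if f.ts - t <= window] + [f.ts]
        if len(recent[key]) == max_buys:
            alerts.append(("buy_burst", f))
    return alerts


# Constructed sample: two benign trades, one fair-priced bot buy, then a bot repeatedly
# buying a thin-volume coin at 400-500% above its reference price within 40 seconds.
SAMPLE_FILLS = [
    Fill(1000, "web", "buy", "BTC/USDT", 30000.0, 0.1, 30010.0),
    Fill(1100, "k1", "sell", "BTC/USDT", 30050.0, 0.1, 30040.0),
    Fill(1150, "k1", "buy", "BTC/USDT", 30020.0, 0.1, 30010.0),
    Fill(1200, "k1", "buy", "LOWCAP/USDT", 0.0050, 100000, 0.0010),
    Fill(1210, "k1", "buy", "LOWCAP/USDT", 0.0052, 100000, 0.0010),
    Fill(1220, "k1", "buy", "LOWCAP/USDT", 0.0055, 100000, 0.0010),
    Fill(1230, "k1", "buy", "LOWCAP/USDT", 0.0058, 100000, 0.0010),
    Fill(1240, "k1", "buy", "LOWCAP/USDT", 0.0060, 100000, 0.0010),
]

if __name__ == "__main__":
    for reason, fill in flag_suspicious_fills(SAMPLE_FILLS):
        print(f"{reason:15s} ts={fill.ts} key={fill.api_key} {fill.symbol} @ {fill.price}")
```

Every `overpriced_buy` hit is a trade the key executed against the account holder's interest, and the `buy_burst` hit marks the point where a single API key has been draining one market continuously, which is the moment to revoke the key.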
Cybercriminals have various methods of stealing API keys, including mining leaked data sources for secret keys and harvesting unprotected keys stored in app framework settings. Protect your API keys by whitelisting the IP addresses allowed to use them and by treating them with the same care as the private key of your cryptocurrency wallet. Rotating them regularly also makes them harder to steal and limits how long a stolen key stays useful.