Skip to Content

How Bitcoin Is Stolen: 5 Common Threats

A bitcoin mining service was hacked to the tune of $64 million this week, underscoring once again how the world of digital currency attracts scammers and thieves.

Such stories can scare off amateur investors who fear bitcoin isn’t just volatile, but that it’s insecure. This isn’t really fair to bitcoin. The reality is bitcoin is secure, and ordinary people can protect it without much effort. The real problem is not everyone understands how bitcoin works, which leads them to make choices that expose them to theft.

This will become clear in the examples below, which describe five common ways that thieves make off with other people’s bitcoin. But first there’s a short explanation of how bitcoin works and why it’s secure (skip this if you’re already familiar).

How Bitcoin’s Technology Protects Your Funds

You can think of bitcoin as money that comes wrapped in a safety deposit box. The question then becomes whether you want to operate that box yourself, or entrust a third party to do it for you.

Most ordinary investors choose the latter option, buying, and storing their bitcoin with a service like Coinbase. This is a sensible option since those services rely on the security features built into bitcoin—just like you would do if you hold the bitcoin yourself.

The other option is to acquire a bitcoin wallet for yourself. This entails keeping track of two strings of keyboard characters—known as a “public key” and a “private key.” You can think of the public key like a deposit slot for your safety deposit box where anyone can give you bitcoin, while the private key is a secret way to open the box that only you should know.

Bitcoin is designed so that it’s basically impossible to guess the private key, which means no one can hack or force themselves into your wallet/safety deposit box. (You can read about the math behind it here.)

All of this means that the only way bitcoin can be stolen is for a thief to trick you—or a third party you rely on—into giving access to it, or for the third party to get compromised. Here are the examples on how this happens, and advice on how to prevent it.

A Thief Obtains the Password for Your Account at a Storage Service

How it happens: If you use a service like Coinbase, you don’t have to go through the hassle of remembering a public and private key. Instead, it’s more like online banking where you use a user name (typically an email address) and a basic password.

This also makes it possible for thieves to rob you by obtaining your password. The most common way they do this is by breaking into customers’ email accounts, and then asking Coinbase (or whatever service you’re using) to reset their password. The password reset request is then sent to the compromised email account, allowing the thief access to the bitcoin funds.

How to prevent it: First, lock down your email account with two-factor authentication to keep the hackers out in the first place. You should also do the same with your bitcoin storage service. In the case of Coinbase, the company already requires a two-factor log-in process that consists of a password and an SMS text. But because texts can be intercepted, you should avail yourself of an app-based verification option such as Google Authenticator. (This may sound complicated, but it’s not. This is they same basic cyber hygiene you should use for any password-protected online service.)

You Expose Your Private Key

How it happens: Once again, this risk only exists if you’re not using a service like Coinbase but managing your own wallet. In this situation, someone else might obtain your private key by getting into your email (if that’s where you keep it) or even seeing the private key in the physical world. In one famous example, someone showed their private key on a TV show—and hackers promptly copied it and emptied the person’s wallet.

How to prevent it: Store your private key off-line on a piece of paper or on a USB stick, and put it somewhere safe—like a real world safety deposit box.

A Hacker Impersonates a Bitcoin Recipient

How it Happens: Some of the more notorious bitcoin-related hacking stories this year occurred when companies held so-called “initial coin offerings” (a form of fundraising) and asked investors to send them bitcoins. In certain cases, clever hackers impersonated the companies with a fake website and persuaded the investors to send millions of dollars worth of funds to a different bitcoin wallet. Once the bitcoin was sent, there was no recovering it, and both the companies and investors lost their bitcoin.

How to prevent it: When you go to transfer bitcoin funds to someone, confirm the wallet address is genuine.

You Rely on an Insecure Third Party

How it happens: This week’s $64 million theft at the bitcoin mining service, known as NiceHash, appears to have occurred because hackers compromised an employee’s laptop and got access to the company’s payment services. Once the hackers were inside, they gained access to one of the company’s bitcoin wallets—which included funds belonging to NiceHash customers—and emptied it.

These sort of incidents are a little bit like when hackers compromised Target’s payment system, and stole customers’ credit card information. In the case of bitcoin owners, they are doing business with companies that don’t have proper cybersecurity measures in place—and worse, unlike the Target breach, no one is likely to refund their money.

How to prevent it: Be careful of the bitcoin companies with which you choose to do business.

The Exit Scam

How it happens: A company offers a bitcoin-related service such as an exchange or a market where customers maintain an account in bitcoin. All of a sudden the company vanishes, often after claiming to have been hacked. In reality, the owners pulled an exit scam—vanishing from the Internet with their clients’ bitcoin.

How to prevent it: Exit scams are often associated with the darker corners of the web or with fly-by-night crypto investment ventures. If these are the sort of places you like to roll with you bitcoin, well, the only advice is “buyer beware.”

This is part of Fortune’s new initiative, The Ledger, a trusted news source at the intersection of tech and finance. For more on The Ledger, click here.