不久前，黑客入侵了東京加密貨幣交易所Coincheck Inc.，卷走了價值近5億美元的數字代幣。這是史上最大規模的搶劫之一，交易所損失了超過5億枚NEM幣。這次黑客入侵引發了世界各地對于加密貨幣安全性的質疑。

1. 黑客是如何成功入侵的？

Coincheck沒有披露系統是如何被入侵的，只表示這次不是內部人員作案。公司坦承自身在安全方面存在過錯，導致竊賊拿走了這么大一筆錢：他們把用戶資產保存在熱錢包中，與外部網絡相聯。通常來說，交易所應當設法把大部分儲蓄保存在與外部斷絕聯系的冷錢包中，這樣就不太容易遭受黑客攻擊了。Coincheck也沒有多重簽名的安全措施，資金在轉移之前不必獲得多份簽名許可。

2. 被盜的錢流向何處？

這類搶劫有一個特殊之處。由于比特幣和類似貨幣的交易都是公開的，因此很容易看到這些NEM幣位于何處——即使它們已經遭竊了。Coincheck已經確認并公布了5.23億枚遭竊貨幣流向的全部11個地址。你自己就能上網看到。麻煩在于，沒有人知道這些賬戶的所有者是誰。每個賬戶都被貼上了標簽“Coincheck被盜貨幣，不要接受交易：賬戶所有者是黑客”。NEM的開發者設計了一個追蹤工具，可以讓各大交易所自動拒收遭竊資金。

3. 這是否意味著黑客無法把它們兌換成現金？

不一定。竊賊可以嘗試通過ShapeShift等服務擺脫監視，它們支持加密貨幣的交易，卻不收集個人數據。將NEM幣變成另一種更加匿名的貨幣例如Monero幣，很可能就可以把錢洗干凈。ShapeShift在平臺上發布了所有的交易，他們聲稱已經屏蔽了與黑客有關的地址。另外還有一些“不倒翁”服務可以隱藏身份和交易，不過這次被盜的錢幣數額過大，對竊賊而言是個難題。

4. NEM開發者還可以做些什么來修正問題？

他們可以回滾記錄到黑客攻擊之前的某個時段，從而改變NEM區塊鏈。這種所謂的硬分叉會創造兩個版本的NEM，一個從未經歷過黑客攻擊，另一個的資金已經遭竊。盡管以太坊（Ethereum）在2015年用過這種方式，但NEM Foundation的副總裁杰夫·麥克唐納表示不會選擇分叉。

5. 這些交易所是不是屢次被黑客攻擊？

沒錯，加密貨幣交易所和錢包有著悠久的遭竊史，這可以追溯到2014年著名的東京Mt. Gox遭竊案。隨著數字資產的價格一路上揚，這些平臺在黑客眼中的誘惑力也與日俱增。據說，由于朝鮮面臨的經濟制裁形勢日益嚴峻，領導人金正恩已經派出黑客來洗劫數字貨幣。一位研究人員估計，超過14%的比特幣和其競爭對手以太幣已經遭竊。

6. 如何保證加密貨幣資產的安全？

對于加密貨幣的愛好者而言，這次的教訓在于：交易所是黑客的主要目標，不適合儲存你的貨幣。一個方案是把這些資產存在自己的軟件錢包中，它們可能有在線、移動或桌面的多種形式。硬件錢包則是那些儲存加密貨幣的專用設備，提供了額外的安全保護層。對于那些妄想癥嚴重的人士，還有一個模擬選項：把加密貨幣的私人密鑰打印在紙上。（財富中文網）

譯者：嚴匡正?

Early Friday morning in Tokyo, hackers broke into a cryptocurrency exchange called Coincheck Inc. and made off with nearly $500 million in digital tokens. It’s one of the biggest heists in history, with the exchange losing more than 500 million of the somewhat obscure NEM coins. The hack has raised questions about security of cryptocurrencies around the world.

1.How did the hackers pull it off?

Coincheck hasn’t disclosed how their system was breached beyond saying that it wasn’t an inside job. The company did own up to a security lapse that allowed the thief to seize such a large sum: It kept customer assets in what’s known as a hot wallet, which is connected to external networks. Exchanges generally try to keep a majority of customer deposits in cold wallets, which aren’t connected to the outside world and thus are less vulnerable to hacks. Coincheck also lacked multi-signature security, a measure requiring multiple sign-offs before funds can be moved.

2.Where did the stolen coins go?

That’s one of the stranger aspects of these heists. Because transactions for Bitcoin and the like are all public, it’s easy to see where the NEM coins are — even though they’re stolen. Coincheck has identified and published 11 addresses where all 523 million of the stolen coins ended up. You can see for yourself online. Trouble is, no one knows who owns the accounts. Each one has been labeled with a tag that reads “coincheck stolen funds do not accept trades : owner of this account is hacker.”NEM developers created a tracking tool that would allow exchanges to automatically reject stolen funds.

3.Does that mean the hackers won’t be able to cash in?

Not necessarily. The thief could attempt to shake off surveillance by going through a service like ShapeShift, which offers cryptocurrency trading without collecting personal data. Converting NEM coins into a more anonymized currency, like Monero, could conceivably launder them. ShapeShift, which publishes all trades on its platform, said they have already blocked addresses associated with the hack. There are also “tumbler” services, designed to obscure both identities and transactions, but the huge total amount of money stolen presents a challenge.

4.What else can NEM developers do to fix this?

They could change the NEM blockchain by rolling back the record to a point before the attack. The so-called hard fork would create two versions of NEM, one that has never been hacked and another containing the stolen funds. While this approach worked for Ethereum in 2015, NEM Foundation Vice President Jeff McDonald said a fork is not an option.

5.Aren’t these exchanges being hacked a lot?

Yes, there’s a long history of thefts at cryptocurrency exchanges and wallets, dating back to the infamous robbery of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become increasingly juicy targets for hackers. North Korean leader Kim Jong Un has allegedly sent his hackers out to swipe digital coins as his country faces tightening trade sanctions. One researcher estimates that more than 14 percent of Bitcoin and rival currency Ether has been stolen.

6.So what can you do to keep crypto-assets safe?

The lesson for crypto-enthusiasts is that exchanges are prime targets for hackers and no place to store your coins. One alternative is to keep the assets in software wallets, which come in online, mobile and desktop varieties. Hardware wallets are dedicated devices that offer an additional layer of security. For the extra paranoid, there is always the analog option: printing out the private keys for your coins on paper.