Kronos Research is a trading firm operating in the crypto space. In November 2023, the firm suffered a hack that resulted in the loss of an estimated $26 million.
Inside the Attack
The attack on Kronos Research didn’t involve the theft of private keys like many similar attacks. Instead, the attacker targeted the organization’s API keys.
API keys are another form of authentication factor used with an application programming interface (APIs). APIs are interfaces that allow a program to request data or run certain functions on a web application. In general, web sites are a front-end provided for human users — who need a nice graphical user interface (GUI) — while APIs are designed for other programs — which prefer well-formatted data delivered using a JSON or XML blob of data.
An API key - like the ones stolen in the Kronos Research breach - acts as an alternative to a password for programs working with an API. Like a password or a private key, an attacker with access to an API key has the potential to access the API while masquerading as the owner of the API key.
In this case, Kronos Research is a trading, venture capital, and market-making company, so the API in question is related to its trading capabilities. As a result, an attacker with access to these API keys could also access the company’s blockchain wallets and perform transactions on its behalf.
The theft of these API keys allowed the attacker to drain about $26 million from the project’s wallets.
After the attack was revealed, Kronos Research halted trading on its platform. The company also claims that — despite the size of the breach — the organization has ample reserves and remains in good financial standing.
Lessons Learned from the Attack
The Kronos hack was similar to many breaches of centralized exchanges and trading firms in that the attacker gained access to the company’s hot wallets and drained them of crypto.
However, the Kronos hack differed in the fact that, in this case, the attackers targeted the company’s API keys rather than the private keys that directly controlled those wallets.
API key security has been a challenge across many industries with many companies having API keys stolen or accidentally exposing them on public GitHub repos. These authentication tokens can be just as powerful as a password or private key and need to be protected appropriately.
For more information on developing a data security program for your project’s API keys, private keys, and other sensitive information, get in touch with Halborn.