
Preventing account takeover on centralized cryptocurrency exchanges in 2025 – Source: securityboulevard.com


Source: securityboulevard.com – Author: Trail of Bits

By Kelly Kaoudis and Evan Sultanik

This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes.

Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. You try them again. Same problem. Your heart rate increases a little bit at this point, especially since you are using a password manager. Maybe a service outage is all that’s responsible (knock on wood), and your password will work again as soon as it’s fixed? But it is becoming increasingly likely that you’re the victim of an account takeover (ATO).


CEXes’ design choices dictate how (or whether) the people who use them can secure their funds. Because account security features vary between platforms and are not always documented, a user may not know what to expect or how best to configure their account for their personal threat model. Design choices such as not supporting phishing-resistant multifactor authentication (MFA) methods like U2F hardware security keys, or not tracking user events so that an in-app “was this you?” account lockdown prompt can be pushed when an anomaly occurs, invite the attacker in.
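The “track user events, then prompt and lock down on anomalies” control described above can be made concrete with a small login-evaluation step. This is an added example, not code from the Trail of Bits white paper or from any exchange; it assumes a backend that records the devices and countries seen on an account’s earlier successful logins (`AccountHistory`), that already knows which second factor was used (`mfa_method`), and that can put an account into a restricted state (no withdrawals, no credential changes) until the owner confirms the login in-app. All names and the sample history are constructed for illustration.

```python
"""Login-anomaly check feeding an in-app "was this you?" lockdown prompt.

Added example (not the white paper's code). Assumed hooks: the caller has
already verified the password and second factor; IP geolocation has already
resolved a country code; `device_id` is a hashed device fingerprint.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class LoginEvent:
    account: str
    device_id: str   # hashed device fingerprint (assumption: computed upstream)
    country: str     # ISO country code from IP geolocation (assumption)
    mfa_method: str  # "u2f", "totp", "sms", "email" or "none"


@dataclass
class AccountHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    restricted: bool = False  # sensitive actions blocked pending owner confirmation


@dataclass
class Decision:
    allow: bool
    prompt_user: bool       # push the in-app "was this you?" prompt
    restrict_account: bool  # freeze withdrawals/credential changes until confirmed
    reasons: List[str]


# Only origin-bound factors resist phishing; SMS/email/TOTP codes can be relayed.
PHISHING_RESISTANT = {"u2f"}


def evaluate_login(history: AccountHistory, event: LoginEvent) -> Decision:
    """Classify a credential-verified login before a session is issued."""
    reasons = []
    if event.device_id not in history.known_devices:
        reasons.append("new device")
    if event.country not in history.known_countries:
        reasons.append("new country")

    if not reasons:
        return Decision(allow=True, prompt_user=False, restrict_account=False, reasons=[])

    # A phishing-resistant factor was verified against this origin, so a new
    # device is plausible: let the session through but still tell the owner.
    if event.mfa_method in PHISHING_RESISTANT:
        return Decision(allow=True, prompt_user=True, restrict_account=False, reasons=reasons)

    # Any weaker factor (or none) could have been phished or SIM-swapped:
    # issue the session but keep funds and credentials frozen until confirmed.
    return Decision(allow=True, prompt_user=True, restrict_account=True, reasons=reasons)


def apply_decision(history: AccountHistory, event: LoginEvent, decision: Decision) -> AccountHistory:
    """Persist the outcome; learn the device/country only once the login is trusted."""
    if decision.restrict_account:
        history.restricted = True
    else:
        history.known_devices.add(event.device_id)
        history.known_countries.add(event.country)
    return history


def confirm_login(history: AccountHistory, event: LoginEvent) -> AccountHistory:
    """Owner answered 'yes, this was me' in-app: lift the restriction and learn the context."""
    history.restricted = False
    history.known_devices.add(event.device_id)
    history.known_countries.add(event.country)
    return history


if __name__ == "__main__":
    # Constructed sample: one known laptop in the US, then a login from a new phone abroad.
    hist = AccountHistory({"dev-laptop"}, {"US"})
    for ev in (LoginEvent("alice", "dev-laptop", "US", "totp"),
               LoginEvent("alice", "dev-phone", "DE", "sms")):
        d = evaluate_login(hist, ev)
        apply_decision(hist, ev, d)
        print(ev.device_id, ev.country, d.reasons, "restricted" if hist.restricted else "ok")
```

The important design choice is that a new device or country never rejects the login outright (that would be easy to turn into a denial of service against the owner); instead the session is issued with sensitive actions frozen, and the owner’s in-app confirmation is what unfreezes them and adds the new context to the account’s history.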

Our white paper’s goal is to inform and enable CEXes to provide a secure-by-design platform for their users. Executives can get a high-level overview of the vulnerabilities and entities involved in user account takeover. We recommend a set of overlapping security controls that they can bring to team leads and technical product managers to check for and prioritize if not yet implemented. Security engineers and software engineers can also use our work as a reference for the risks of not integrating, maintaining, and documenting appropriate ATO mitigations.

Account takeover

When the topic of fraud involving crypto comes up, our minds might jump to the FTX collapse, blackmail scams, romance scams, or maybe to social media posts advertising “investment opportunities.” ATO is another common type of fraud that happens due to security failures, even though financial institutions like CEXes that serve US customers must protect their users’ information from (among other harms) unauthorized access.

In an ATO, the attacker obtains access to someone else’s account, then locks the rightful account owner out by changing the access credentials. In 2023, the Sift Q3 Digital Trust and Safety Index disclosed an 808% year-over-year increase in reported takeovers of financial (including crypto) accounts, and the Sift Q3 2024 index reported a further increase in ATO across all industries since 2023.

Not only has ATO become more common, but not all platforms have sufficient logging and monitoring in place to detect it when it occurs and alert users promptly. Fewer than half of the victims that Sift surveyed were notified that any data loss or breach had occurred. Beyond damaging user trust in the platform, ATO can be costly for victims if they are not quickly and appropriately notified (and steps to prevent further abuse aren’t taken). A 2016 RAND survey of consumer attitudes toward data breach notifications and loss of personal information included the grim statistic that 68% of their respondents had suffered a median financial loss of $864 if their financial information was compromised [1].

Attacker tactics and opportunities

Attackers can gain initial access to user accounts through multiple vectors. In our white paper, we cover common weaknesses that CEX platforms must actively guard against.

For example, the user might have failed to use a strong password and a second factor. The attacker might then be able to brute-force the user’s password or phish the user into giving up their credentials. On the other hand, the user might already be using every security feature the CEX provides, and the platform might simply not provide the appropriately implemented security controls that users need to keep their accounts and funds safe.

Suppose the platform only supports less-secure second-factor options that aren’t phishing-resistant, such as SMS, a mobile authenticator app, or email. If the user receives their MFA codes by email, the attacker could compromise the email account and use it to gain CEX account access. If SMS is the target CEX account’s second factor, the attacker can SIM swap the user’s phone number to receive the second-factor code. And if a CEX password reset flow is exploitable, the attacker may be able to use it to bypass the user’s second factor entirely and achieve ATO.
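The last point, a password reset flow that bypasses the second factor, is worth seeing beside its hardened form. The following is an added example, not code from the white paper or from any exchange: it models an in-memory account, a “before” reset handler that accepts an emailed reset link on its own and drops the enrolled second factor, and a hardened handler that treats the link only as proof of control over the inbox, still requires the second factor, is single-use and time-limited, notifies the owner, and freezes withdrawals for a hold period after the change. `verify_second_factor` and `notify_owner` are assumed hooks standing in for the platform’s real MFA and notification services; the hashing parameters and sample values are constructed for illustration.

```python
"""Password reset that cannot be used to sidestep the second factor.

Added example (not the white paper's code). `verify_second_factor` and
`notify_owner` are assumed hooks; a real deployment would call its TOTP/FIDO
verifier and its messaging pipeline instead.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

RESET_TOKEN_TTL = 15 * 60        # seconds an emailed reset link stays valid (constructed)
WITHDRAWAL_HOLD = 24 * 60 * 60   # seconds withdrawals stay frozen after a credential change
PBKDF2_ROUNDS = 200_000          # constructed value; tune for the deployment


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    mfa_secret: Optional[str]        # None means no second factor enrolled
    reset_token: Optional[str] = None
    reset_expires: float = 0.0
    withdrawals_frozen_until: float = 0.0
    notices: List[str] = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_second_factor(mfa_secret: str, code: Optional[str]) -> bool:
    """Assumed hook: stands in for TOTP/FIDO verification. Here the enrolled
    secret is compared to the submitted code in constant time."""
    return code is not None and hmac.compare_digest(mfa_secret, code)


def notify_owner(acct: Account, message: str) -> None:
    """Assumed hook: the real service would email/push to the pre-change contact."""
    acct.notices.append(message)


def issue_reset_token(acct: Account, now: float) -> str:
    """Create the single-use, time-limited token that goes into the emailed link."""
    acct.reset_token = secrets.token_urlsafe(32)
    acct.reset_expires = now + RESET_TOKEN_TTL
    return acct.reset_token


def weak_reset(acct: Account, token: str, new_password: str) -> bool:
    """'Before' flow: a valid link alone sets a new password and, to "help" users
    who lost their phone, also removes the enrolled second factor."""
    if acct.reset_token is None or not hmac.compare_digest(acct.reset_token, token):
        return False
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.mfa_secret = None          # the defect: inbox access now equals full account access
    acct.reset_token = None
    return True


def hardened_reset(acct: Account, token: str, new_password: str,
                   mfa_code: Optional[str], now: float) -> bool:
    """Hardened flow: link + second factor, single use, expiring, with notice and hold."""
    if acct.reset_token is None or now > acct.reset_expires:
        return False
    if not hmac.compare_digest(acct.reset_token, token):
        return False
    # Step-up: the link proves control of the inbox, not of the account.
    if acct.mfa_secret is not None and not verify_second_factor(acct.mfa_secret, mfa_code):
        return False
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.reset_token = None                               # single use
    acct.withdrawals_frozen_until = now + WITHDRAWAL_HOLD # give the owner time to react
    notify_owner(acct, "password changed via reset link; withdrawals held 24h")
    return True


def make_account(password: str, mfa_secret: Optional[str]) -> Account:
    """Constructed sample account for the demonstration."""
    salt = secrets.token_bytes(16)
    return Account("user@example.com", hash_password(password, salt), salt, mfa_secret)


def compare_flows(now: float = 1_700_000_000.0) -> dict:
    """Run a link-only reset (no second factor supplied) through both handlers."""
    weak = make_account("old-pw", mfa_secret="123456")
    weak_reset(weak, issue_reset_token(weak, now), "new-pw")

    hard = make_account("old-pw", mfa_secret="123456")
    tok = issue_reset_token(hard, now)
    link_only = hardened_reset(hard, tok, "new-pw", None, now)
    with_factor = hardened_reset(hard, tok, "new-pw", "123456", now)
    replayed = hardened_reset(hard, tok, "again", "123456", now)   # token already consumed

    return {"weak_mfa_stripped": weak.mfa_secret is None,
            "hard_link_only": link_only, "hard_with_factor": with_factor,
            "hard_replay": replayed, "hard_mfa_kept": hard.mfa_secret == "123456",
            "hard_hold_set": hard.withdrawals_frozen_until == now + WITHDRAWAL_HOLD,
            "hard_notices": len(hard.notices)}


if __name__ == "__main__":
    for k, v in compare_flows().items():
        print(f"{k}: {v}")
```

The hardened handler also shows two controls that are cheap to add once the flow is in code: expiry and single use on the token (so a leaked link is useless after the first reset or after fifteen minutes), and a post-change withdrawal hold plus a notice to the owner’s existing contact, which turns a silent takeover into one the victim can still interrupt.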

Avoiding terrible outcomes

CEXes (just like any other type of service that people rely on) need to leverage strong, intertwined technical security mechanisms, processes, and documentation to defend themselves and their users. ATO not only poses a threat to accountholders’ financial safety, but also reduces public trust in the CEX in question and in cryptocurrency more broadly. At Trail of Bits, we believe that knowledge is our most fundamental defense against threats like ATO. Our white paper includes the following:

  • Discussion of common ATO attack methods
  • System actors common to account takeover threat scenarios
  • Actionable steps that CEX platforms can take to enhance their systems’ security and to protect their users
  • Basic personal security guidelines that CEXes can provide to their end users

Read more in our full white paper.

Want to learn more about how to use crypto safely, or how to secure your platform or dapp? We’d love to help.

[1] Loss of user funds also might not be the immediate outcome. An attacker might take advantage of a security flaw in a CEX platform to exfiltrate credentials or valid session tokens to sell. Another attacker might buy datasets of credentials or identifiers on the darknet and attempt to validate them against multiple platforms, before reselling just the working entries. This could lead to some time elapsing from an initial account compromise to when attempts are actually made to buy something or to transfer funds using the stolen credentials.

*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by Trail of Bits. Read the original post at: https://blog.trailofbits.com/2025/02/05/preventing-account-takeover-on-centralized-cryptocurrency-exchanges-in-2025/

Original Post URL: https://securityboulevard.com/2025/02/preventing-account-takeover-on-centralized-cryptocurrency-exchanges-in-2025/

Category & Tags: Governance, Risk & Compliance, Security Bloggers Network, blockchain, Research Practice
