News is breaking that an unauthorized entity has stolen $25 million from trading firm Kronos Research through compromised API keys.
Following the attack, disclosed in a post on X on Nov. 19, Kronos suspended all trading services on its platform. It is also conducting an internal investigation to identify the perpetrator and recover the stolen company assets.
Cybersecurity experts offered the following comments:
Jeannie Warner, Director of Product Marketing, Exabeam
“Three security challenges are apparent in this incident: designing secured API connections that strictly control authentication and authorization, compromised credentials, and distinguishing between normal and abnormal behavior. Valid credentials, potentially obtained from previous attacks or other incidents, likely provided the threat actors with potential access to sensitive data – in this case API keys. Private key exploits are proving to be one of the most common methods for attacking crypto wallets and systems. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins.
Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards such as hardening applications and API controls and employing multi-factor authentication, all contribute to a resilient defense against credential-based attacks.
Organizations should also be able to establish a clear behavioral baseline for users and devices on their network. Understanding “normal” behavior allows for the identification of deviations that may signify a compromise of the network. Businesses must make sure they strike a balance between security and business needs, including API keys and enforcing transaction requirements by source and destination, and they must have the right monitoring and controls in place to protect sensitive personal information from unauthorized access.”
Richard Bird, Chief Security Officer, Traceable AI
“Kronos Research’s recently reported loss of more than $20 million in funds appears to be a textbook API key compromise. The event highlights the over-dependency almost all organizations have on the implied trust that they put into keys and credentials. Bad guys have shown over and over again that our reliance on, and faith in, these components is misplaced. If you don’t have security solutions in place that help you not only understand what APIs you have but whether those APIs are doing what they are supposed to be doing, you really don’t stand a chance against opportunistic hackers who exploit these obvious and well-understood weaknesses.”