Analyzing the $260,000 iToken Hack: Are Non-Custodial Wallets Really Secure?

iToken (formerly known as Huobi Wallet) made waves recently after news of a possible leak was reported by Peckshield. Users reported missing funds in their wallets (totalling around $260,000), which the exploiter converted to approximately 2.9 million TRX before transferring them out to crypto exchanges ChangeNow and Binance respectively. Sadly, our very own customer who uses the iToken wallet also reported his assets stolen - the last straw prompting him to move what’s left of his assets over to CoinWallet.

Speculation is rampant that this was an inside job, seeing as an ex-employee of Huobi Wallet was actually arrested for implementing a Trojan virus that leaks user’s mnemonics or private keys. Adding more fuel to the fire, this isn’t the only security incident involving Huobi - HTX Global (formerly known as Huobi) was also hacked for 5,000 ETH recently, worth approximately $8 million at the time.

Regardless, the iToken incident has revealed that, secure as they are, non-custodial wallets are NOT invulnerable. For example, a developer could write malicious code while developing the wallet, the device on which the wallet is installed is compromised in some manner, or worse, the person managing the private key could get careless and fall victim to phishing scams and the like.

Yet, we shouldn’t overreact - the value proposition of non-custodial wallets remains abundantly clear. Their inherent design and features align seamlessly with the growing demand for transparent, secure, and autonomous digital asset management.

However, it is important to pick the RIGHT non-custodial wallet. As the digital asset ecosystem matures, the market is flooded with numerous wallet options. Here's a guide to ensure you're selecting the safest and most reliable non-custodial wallet:

Four Useful Tips for Choosing the Right Non-Custodial Wallet

While this is by no means a comprehensive guide, it should serve as a useful point of reference to begin your search.

Choose Wallets from Reliable Companies

It's imperative to align with established and reputable brands in the wallet space. Companies with a proven track record not only ensure technical competence but also typically have more rigorous security measures in place. Research user reviews, industry recognition, and any historical security incidents before settling on a choice.

Can’t go wrong with the top 1-2 rows of results for “crypto wallet” in the US Play Store!

Download from Trusted Sources

Third-party APKs might be embedded with malicious code, which can compromise your assets. This is why you should always procure your wallet apps directly from official platforms like the Play Store or App Store only. An official source guarantees that you're getting the genuine, untampered version of the app.

Utilize Multiparty Computation (MPC) for Enhanced Security

Private key management is fraught with risks. The private key owner might mishandle the key, or might even abscond with it with bad intentions. Modern security measures, like MPC, enable splitting private keys into multiple shares, ensuring no single party has access to the complete key. This not only complicates potential breaches but also adds layers of redundancy, safeguarding your assets even if one share becomes compromised.

Opt for Recognized Device Brands

The device on which you operate your wallet plays a pivotal role in its security. It's advisable to avoid handsets from mainland China, given concerns around built-in backdoors or inadequate security protocols. Instead, gravitate towards trusted global brands like Apple, Samsung, or Google. These companies invest heavily in device security, providing an added layer of protection for your digital assets.

Non-Custodial Wallets are Still the Better Choice

The iToken incident, while unfortunate, also shows us that non-custodial wallets remain a better choice than centralized wallets PROVIDED you choose the RIGHT non-custodial wallet. If iToken was a centralized wallet provider, the attackers would most likely have gotten away with more than just $260,000.

If you’re thinking of making the switch to non-custodial wallets, consider our MPC-powered CoinWallet that is trusted by professional and retail users worldwide. Click here (Android) or here (iOS) to download CoinWallet and experience unparalleled security and peace of mind!