QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$1 413 000 USD
AUGUST 2020
CANADA
COINBERRY
DESCRIPTION OF EVENTS
"Based in Toronto, Coinberry is Canada's first federally registered commission-free crypto trading platform, which secures the best cryptocurrency prices from trusted exchanges using proprietary algorithms." "Coinberry was founded in 2017. In 2019, the Town of Innisfil officially partnered with the exchange. This was the first Canadian property tax payment paid in Bitcoin. Today, Coinberry also has a partnership with the City of Richmond Hill." "Coinberry is one of the first Canadian cryptocurrency trading platforms to audit its first year financial statements." "The audit was conducted by MNP LLP, one of the preeminent Canadian public accounting firms active in the blockchain and cryptocurrency space."
As CoinBerry says on their website, "[p]racticing due diligence is paramount. Research and continuous education of cryptocurrencies and the markets will arm you with the highest protection level possible." "Thieves and scammers in the crypto ecosystem write malware to attack your digital wallet, empty your accounts, spy on your clipboards to steal your cryptocurrency addresses, and swap out your exact addresses for those belonging to a scammer."
"We only use multisig cold storage wallets [m]eaning that any 2 members of the executive team are able to access the funds. What does this mean for you? If the CEO goes missing during a trip to open an orphanage in India, your Bitcoin, Ethereum and Litecoin will still be accessible by the Coinberry executive team."
“On April 13, 2020, Coinberry implemented a software update to the Coinberry Platform. Unfortunately, the said update contained a vulnerability whereby Coinberry’s system was notified of e-transfers of CAD despite the fact that the moneys had not actually been received by Coinberry,” the lawsuit read.
"Customers could initiate an Interac e-transfer, get the amount credited to their Coinberry accounts, buy bitcoin and transfer the coins out, and then cancel the original e-transfer, retaining their own funds and getting free bitcoin." "In the end, users would then cancel the original e-transfer, thereby retaining their own funds and getting free bitcoin, [a later] lawsuit said."
Evidence "suggests that the majority of the people who allegedly misappropriated from Coinberry had done so in small amounts — more than 80 per cent of those accused of taking bitcoin and not returning it had allegedly taken amounts under $5,000, and added together, their alleged haul comprises only a quarter of the total outstanding amount." "Due to a software glitch, the platform accidentally tricked people into buying bitcoin using Canadian dollars, which had not yet been properly transferred to their accounts."
"According to Coinberry, the largest amount misappropriated by a single user and not returned was $385,722.31, valued in April 2022. That is attributed to two people — Jordan Steifuk and Connor Heffernan — that Coinberry says are actually the same person." "The company further noted that the largest amount misappropriated and not returned was $385,722.31 by two accounts under the names Jordan Steifuk and Connor Heffernan, which the Canadian crypto exchange said are actually the same person." "That person, whether he is Steifuk or Heffernan, could not immediately be reached for comment."
On August 24th, 2020, "there were no withdrawals processed from Coinberry's hot wallet for about 17 hours." It "[h]asn't been publicly reported yet. 8.33 BTC stolen from Coinberry's hot wallet & sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz. I guess they can't say they've never been hacked anymore."
"Not sure exactly what the issue was, but possibilities include a social engineering attack, impersonation scam, or a bug that may have been exploited that allowed an attacker [to] withdraw more than what they had (the latter seems by far to be the least likely vector to me)."
"After the [situation was noticed] (on 8/24), there were no withdrawals processed from Coinberry's hot wallet for about 17 hours. Then it started up again, but the address did not change -- this 8.33 BTC breach (not a huge amount of course) appears not to be a compromise of the seed phrase or private key (otherwise they wouldn't continue using that wallet), but presumably another issue."
"[T]here are other solutions apart from multi-sig that are suitable, for example SSSS and MPC so we don't know what type of setup they have on their hot wallet. But their hot wallet address is P2PKH, not P2SH (i.e. starts with a 1, not a 3), and while P2PKH addresses can theoretically be multi-sig, that's almost never the case. Our view is that hot wallets need to be multi-sig/SSSS/MPC but also have preventative measures that would allow any one person (such as a founder) to run off with any funds even in the hot wallet by themselves, and that's easier said than done. A spear-phishing attack is a possibility here."
"After the breach, when the hot wallet was turned off it had a balance of 0.06324605 BTC for a while -- if the seedphrase or private key had been breached, there would obviously be a balance of 0 (or very close to it). After about 17 hours, they (Coinberry) topped the hot wallet up with some funds before turning it on again."
“Coinberry contacted all of the said 546 affected registered users by email and demanded return of the misappropriated bitcoins,” the lawsuit read. “Coinberry also immediately contacted Binance.”
“Binance acknowledged that it had identified a quantity of the misappropriated BTC and undertook to restrict any access to the accounts,” [a later] lawsuit read.
"[T]hey're still using the same wallet for withdrawals they were using before, presumably because they know it wasn't compromised, which is presumably because they know the real reason for the breach. If they knew the compromise occurred due to a social engineering attack for example, the wallet is still perfectly safe to use (or more technically, just as safe as it was before)."
"[I]f an individual account was compromised, there would be no reason for Coinberry to turn off their hot (withdrawal) wallet for 17 hours. Coinberry was compromised, not a Coinberry account."
"Regarding whether or not customers are going to bear the loss, remember that the number in your account is just that, a number and an IOU. It doesn't mean they have the assets to back that IOU even before this breach happened. What do you think happened to Einstein? Coinberry may or may not be insolvent."
"Toronto-based Coinberry has acquired a financial institution bond." "Coinberry’s surety bond is underwritten by the Lloyd’s of London insurance market and the coverage limit is CAD$1,000,000 ($764,000) per claim/incident, said Poliakov."
While CoinBerry's original "[t]rading fees [we]re around 0.5 percent," this was later raised to 1%, and fine print at the bottom of the fee pages now states that "Coinberry establishes the rate for cryptocurrency transactions on our platform by adding a margin, or spread, of between 0% and 2.5% to the rate offered by our liquidity sources." "Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently)."
“Coinberry was able to secure the return of approximately 37 of the misappropriated bitcoins from 270 of the affected registered users.” "That leaves 83 bitcoins outstanding from about 270 other users." "According to Coinberry’s list, 20 out of 120 bitcoins were originally lost, but more than 200 users out of 546 were accused of misusing them from Coinberry."
"Coinberry [became] backed by WonderFi Technologies, a Vancouver-based crypto organization backed by Shark Tank personality O’Leary, which bought Coinberry in July in a deal worth $38.5 million." "On Aug. 25, Coinberry's parent company, WonderFi, applied to start trading on the Nasdaq. It currently trades on the Toronto Stock exchange."
"That loss of about 120 bitcoins, which has not been previously disclosed, is detailed in a lawsuit by Coinberry, filed in Brampton, Ont., west of Toronto [finally filed in June of 2022]." "The lawsuit, filed in Ontario in June, explains that during a software upgrade in 2020, Coinberry accidentally let users buy BTC with Canadian dollars that had not properly transferred to their accounts." "Canadian cryptocurrency exchange Coinberry has filed a lawsuit against 50 users who collectively withdrew 120 bitcoins (BTC) following [the] software error in 2020."
"The lawsuit filed by Coinberry, which was acquired by crypto marketplace WonderFi (WNDR) in July, also names the Binance crypto exchange, as it was a venue several customers used to transfer approximately 9.48 of the misappropriated BTC."
"As Financial Post points out, 83 bitcoin are still floating around in the hands of tricksy customers." "The lawsuit was for 63 of [the defrauded] bitcoins, including 9.48 units that were transferred to Binance. In a list that Coinberry provided to court, all that was attributed to the 50 users named in the lawsuit." "That still leaves out 20 of the 120 bitcoins originally lost — and more than 200 of the 546 users who had allegedly misappropriated from Coinberry." "It is unclear how or if Coinberry is going after those people, given that they are not named in the lawsuit."
“Binance acknowledges that it had identified incorrect BTC amounts and undertook to restrict any access to the accounts,” the lawsuit read. "In reply, Binance worked hard to identify all the inappropriate bitcoin and restricted access to all those accounts asap." "Binance reportedly acknowledged detecting a significant quantity of the misappropriated funds and restricted any access to the accounts." "It is unclear why Coinberry had resorted to suing Binance, given the latter’s apparent cooperation." Binance declined to comment on the lawsuit but said in a statement: “The company is committed to prevent bad actors from using the platform, which includes a world-renowned investigative team.” "Coinberry did not immediately respond to CoinDesk's request for comment."
In April 2020, CoinBerry reportedly made an update to their service which allowed customers to purchase bitcoin with what we can presume to be nothing more than starting an eTransfer process. It appears this was exploited all the way through to August 24th, 2020, when withdrawals were shut off for a period of 17 hours. According to a lawsuit later filed by CoinBerry, 120 bitcoins were ultimately withdrawn without paying during this time. CoinBerry requested the return of funds, and 37 bitcoins were returned by customers.
No announcements were made to explain the situation. There was speculation about what had happened for roughly 2 years, until June 2022, when CoinBerry finally filed a lawsuit in Brampton, Ontario. Lawsuits in Ontario are not publicly available without paying a fee, so the filing did not come to light until September 2022. It is unclear whether CoinBerry has been able to recover any further bitcoins in this case.
HOW COULD THIS HAVE BEEN PREVENTED?
The primary failure in this case was the lack of proof of reserves on the platform. We have recommended a published assessment of the platform at an interval of 6 months or less, which most likely would have caught this situation. In addition, an internal validation that customer balances are properly backed by settled funds would have surfaced the anomalies sooner. This is especially prudent shortly after deploying a system upgrade.
While this is not directly the cause of the incident, our recommendation continues to be that all customer funds be secured by a multi-signature wallet requiring at least 3 signatures for release, and that CoinBerry revisit its approach to training and/or background checks of signatories. Platforms should be held to account with transparent disclosure of breaches. An efficient insurance fund overseen by industry operators could be a cheap, flexible, and highly protective option to restore reserves in cases like this.
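To make the e-transfer flaw described above and the recommended internal backing check concrete, here is an added example in Python; it is not Coinberry's code (the platform's internals are not public) but a constructed deposit ledger. Crediting a user on e-transfer notification, as the lawsuit describes, leaves an unbacked liability once the sender cancels, whereas crediting only on settlement blocks the purchase, and comparing credited CAD against settled CAD is the kind of check that would have flagged the gap. The State names, Ledger class, user id and amounts are all assumptions.

```python
from enum import Enum

class State(Enum):
    NOTIFIED = 1    # e-transfer initiated; platform notified, money not yet received
    SETTLED = 2     # money actually received by the platform
    CANCELLED = 3   # sender cancelled before settlement

class Deposit:
    def __init__(self, user: str, cents: int):
        self.user, self.cents, self.state = user, cents, State.NOTIFIED

class Ledger:
    # credit_on_notification=True mimics the flawed April 2020 behaviour; False is the hardened rule.
    def __init__(self, credit_on_notification: bool):
        self.credit_on_notification = credit_on_notification
        self.deposits: list[Deposit] = []
        self.spendable: dict[str, int] = {}  # CAD cents each user may trade or withdraw
        self.credited = 0                    # total CAD cents ever made spendable
    def _credit(self, user: str, cents: int) -> None:
        self.spendable[user] = self.spendable.get(user, 0) + cents
        self.credited += cents
    def notify(self, user: str, cents: int) -> Deposit:
        d = Deposit(user, cents)
        self.deposits.append(d)
        if self.credit_on_notification:
            self._credit(user, cents)        # the bug: spendable before money arrives
        return d
    def settle(self, d: Deposit) -> None:
        d.state = State.SETTLED
        if not self.credit_on_notification:
            self._credit(d.user, d.cents)    # hardened: credit only on receipt
    def cancel(self, d: Deposit) -> None:
        if d.state is State.SETTLED:
            raise ValueError("settled e-transfers cannot be cancelled")
        d.state = State.CANCELLED            # any credit already issued is now unbacked
    def spend(self, user: str, cents: int) -> bool:
        if self.spendable.get(user, 0) < cents:
            return False
        self.spendable[user] -= cents
        return True
    def reserve_gap(self) -> int:
        # Backing check: CAD credited minus CAD settled; above zero is an unbacked liability.
        settled = sum(d.cents for d in self.deposits if d.state is State.SETTLED)
        return self.credited - settled

def run_scenario(credit_on_notification: bool) -> tuple[bool, int]:
    # Constructed scenario: e-transfer notified, BTC bought at once, e-transfer then cancelled.
    ledger = Ledger(credit_on_notification)
    d = ledger.notify("user1", 100_000)      # $1,000.00 CAD, constructed amount
    bought = ledger.spend("user1", 100_000)
    ledger.cancel(d)
    return bought, ledger.reserve_gap()
```

Running reserve_gap() on a schedule (and immediately after any deployment touching deposits) turns the recommended internal validation into an alert rather than a discovery months later.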
@cipher_blade Twitter (May 16)
Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently) : BitcoinCA (May 16)
Coinberry was hacked earlier this year according to blockchain forensics firm - legit? : BitcoinCA (May 16)
The Latest Crypto Scams: Identify and Avoid Them (May 16)
The Importance of Digital Security for Cryptocurrency Investors (May 16)
Bitcoin Trading Fees in Canada | Coinberry (May 16)
Coinberry Review: 5 Things to Know (2021 Updated) (May 16)
No Fee Crypto Trading Platform Coinberry Partners with Crypto Giant BRD (May 16)
9 Reasons CoinBerry is Ahead of Competition When it Comes to Security and Accountability (May 16)
Coinberry successfully completes first-year financial statement audit (May 16)
Coinberry Crypto Exchange Gets Lloyd’s Cover as Canada’s Post-Quadriga Rules Tighten (May 16)
Coinberry Traders Keep Control of Keys With BRD Crypto Wallet Integration - Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides (May 16)
Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16)
Coinberry says it lost $3 million in bitcoin due to a software glitch | Financial Post (Dec 1)
Canadian Crypto Exchange Coinberry Files Lawsuit Against 50 Users After Losing 120 BTC (Dec 1)
Coinberry loses $3m due to software glitch - files suit for recovery - Business News (Dec 1)
Canadian Crypto Exchange Sues Users for Return of Bitcoin Misappropriated During Software Glitch – Exchanges Bitcoin News (Dec 2)
Glitch sees users pinch $3M in bitcoin from crypto exchange Coinberry (Dec 2)
Coinberry sued its users for stealing bitcoins - TechStory (Dec 2)
Coinberry Crypto Exchange Files Lawsuit After Losing $3 Million in Software Glitch (Dec 2)
Coinberry's Software Blunder Costs $3M in Bitcoin: Report (Dec 2)