$900 000 USD

MAY 2020

UNITED STATES

SHAPESHIFT

DESCRIPTION OF EVENTS

"ShapeShift is a crypto platform, enabling customers to buy, sell, trade, track, send, receive, and interact with their digital assets." "ShapeShift is a company that offers global trading of a variety of digital assets via web and mobile platforms. It is headquartered in Switzerland, but run out of Denver." "The company was founded July 1, 2014 in Switzerland by Erik Voorhees. In March 2015, it received a US$525,000 seed-stage investment by Roger Ver and Barry Silbert." "ShapeShift is a corporation organized and existing under the laws of the State of Delaware, with its principal place of business at 1624 Market Street, Suite 226 #29882, Denver, CO 80202."

 

"ShapeShift initially distinguished itself in the industry as a non-custodial exchange that did not require customers to register or open accounts. Its team also initially used pseudonyms, with Voorhees utilizing the name ‘Beorn Gonthier’ - a Tolkien reference - until 2015. Similarly, in 2015 ShapeShift announced that it would stop serving New York residents after the state implemented the BitLicense, a regulation that would have required it to collect identifying information about customers. However, in 2018, the company launched a membership program that it said would eventually become mandatory for all of its users. It remains a non-custodial exchange."

 

"In summer of 2019, the new ShapeShift platform launched to enable B2C users to self-custody their crypto assets, and buy, sell, trade, track, send, and receive all without trusting a 3rd party. ShapeShift also built and operates the real-time crypto market data service CoinCap.io, and acquired hardware wallet company KeepKey in mid-2017. The company is run by industry veteran Erik Voorhees."

 

"Unlike centralized custodians that hold your funds, with ShapeShift you’re always in control of your crypto." "Although ShapeShift never holds or custodies users’ cryptocurrency assets, it does maintain large balances of cryptocurrency assets to facilitate user trading. Such assets are held in company-controlled accounts."

 

"Instantly trade crypto. No ID required. No added fees." "First of its kind cross-chain swaps powered by 0x and THORChain. 1000s of trade pairs. Plus get FOX back on every trade."

 

"750+ cryptocurrencies supported across 11 blockchains." "Safely send, receive, buy, trade and store your crypto."

 

"ShapeShift goes to great lengths to secure its computers, servers, software, and other tangible and intangible property. The Company utilizes advanced security protocols and procedures to control, access, authenticate, encrypt, password-protect, classify, and transmit information in a secure fashion via its hardware and software."

 

"On August 3, 2018, ShapeShift offered Azamat [Mukhiddinov] a job as a Senior Software Engineer. Azamat accepted this offer on August 6, 2018, and began working at the Company on September 4, 2018." "Mukhiddinov joined Shapeshift on September 4, 2018 as the company’s Senior Software Engineer. Shapeshift gave Mukhiddinov access to a large part of his private and sensitive inner workings, which is called “computer infrastructure” when necessary. This included aspects such as the company’s software and servers."

 

"Shapeshift hired Mukhiddinov to oversee the backend of his services, including strengthening his defenses against potential threats. Prior to joining the company, Mukhiddinov reportedly signed documents, one of which indicated that he should not use these important private systems." "The guidelines also specifically prohibited employees from adding apps to the system without the company’s consent. as required. However, Mukhiddinov has installed his own software inside the system that is camouflaged to work unnoticed to steal Bitcoin from Shapeshift."

 

"On Thursday, May 21, 2020, Michael Perklin, ShapeShift’s Chief Information Security Officer, was notified by the Company’s Finance and Operations staff that their attempts to reconcile month-end balance sheets had uncovered evidence that bitcoin assets in the amount of approximately $900,000 (approximately 90 bitcoin) had been impermissibly transferred out of ShapeShift’s corporate account and into an unknown and externally controlled account. Stated simply, someone had stolen, via electronic transfer, $900,000 worth of bitcoin from ShapeShift."

 

"Crypto exchange ShapeShift is suing former engineer Azamat Mukhiddinov for allegedly stealing $900,000 in bitcoin via programs he installed on their servers, CoinDesk reported." "Executives said on Thursday (Aug. 27), in a request for a jury trial, that Mukhiddinov's reported theft was discovered May 21 as a hole in the balance sheet, traced back to him in a matter of days, the report stated."

 

“Azamat began stealing bitcoins in November 2019 and continued to do so until its theft was discovered on May 21, 2020.” the document says. "As detailed in the exchange's Wednesday demand for jury trial, Azamat Mukhiddinov allegedly siphoned 90 bitcoin away from his employer via "malicious code and programs" he is accused of having installed on its servers."

 

"The Company learned that Azamat, by exploiting a weakness in the Company’s computer system, had knowingly and purposefully installed a program on ShapeShift’s computer network that, upon each execution, transferred approximately one-half of a bitcoin from ShapeShift’s corporate account and sent it to Azamat’s externally controlled and owned personal account."

 

"[T]he program Azamat installed was initially run manually instead of automatically." "The program entailed a complicated set of commands that needed to be deliberately installed, operated, and maintained." "[I]n addition to executing the program almost every day over a period of months, Azamat eventually updated and modified it so that it would avoid detection and eventually be able to operate automatically." "He named the program to make it appear as though it was part of the Company’s standard operating infrastructure."

 

"Once his misconduct was discovered, Mr. Mukhiddinov apparently saw the error of his ways and agreed to return the full value of the Bitcoin that was stolen, but he had apparently already spent some of the Bitcoin." "Mukhiddinov made the company whole, the company said. He quickly paid it back via wire transfers, cash-packed "duffel bag" handoffs and bitcoin payments, according to the lawsuit." "According to the complaint, just hours after ShapeShift confronted him, Mukhiddinov handed over a duffle bag that contained $31,900 in US dollars and then wired 60 Bitcoin to ShapeShift. The rest came in dribs and drabs. “Eventually, Azamat returned, in one form or another, all of the $900,000 in bitcoin he had stolen,” said ShapeShift."

 

“However, these payments do not compensate ShapeShift for the damage caused by Azamat’s actions.” "While Mukhiddinov has made the company whole already, ShapeShift is also now seeking damages for the time and effort employees put in as they fixed the damage he did to their system, according to CoinDesk." "ShapeShift now wants Mukhiddinov to pay currently unspecified damages for the time and effort employees spent cleaning the exchange's servers of his bitcoin-stealing code." Shapeshift’s lawsuit against Mukhiddinov seeks compensation for extensive research on the matter, including time and resources invested in the company. The company reportedly had to delay the launch of its mobile app for several months. “The new ShapeShift mobile app was launched in July”, McGregor said, adding: “It’s a crypto self-custody interface with built-in trading.”

 

"Apparently, before the filing of the lawsuit, the issue of the additional damages suffered by ShapeShift could not be resolved between the company and Mr. Mukhiddinov, prompting the filing of the public document, the hiring of counsel by Mr. Mukhiddinov, the resolution of the dispute, the stipulation of dismissal, and the joint request to seal the complaint from public view." "The parties seek to restrict from public access [i.e., to seal -EV] a complaint filed by ShapeShift against Mr. Mukhiddinov under the Federal Computer Fraud and Abuse Act, 18 USC Section 1030. The complaint alleges one count of computer fraud and abuse and a second claim, under state law, for breach of the duty of loyalty." "For his part, Mr. Mukhiddinov, understandably, would like the allegations of his misconduct placed under wraps. He's young, only 25 years old. He has lost one potential job already because the allegations contained in the complaint became known to his prospective employer." "ShapeShift, too, would like its complaint placed under seal, because it is in ShapeShift's interest that Mr. Mukhiddinov be gainfully employed so that he can generate the income needed to reimburse ShapeShift for the remediation damages it has suffered."

 

"The parties are asking the Court to be complicit in concealing these allegations from the public so that the alleged thief can obtain employment with a new employer, presumably without disclosing this serious and arguably criminal activity." "Mr. Mukhiddinov wants to go to a new employer and not disclose the serious allegations raised against him at his former job at ShapeShift. This Court cannot be a party for—to such a deception. If the new employer does the legwork of a background check and learns of this lawsuit, then Mr. Mukhiddinov will have to explain himself. In fact, it might be a good idea for him to preemptively disclose what happened and give the best explanation he can, but this Federal Court will not be party to keeping secret these allegations."

ShapeShift operates a non-custodial crypto swap service, which allows the transfer of funds from one blockchain to another. As part of this service, the company maintains large hot wallets. One software developer, Azamat Mukhiddinov, was effectively given access to the wallet through his role. Through clever manipulation, and because little diligence was applied, he was able to steal funds for months.

 

After getting caught, he returned all the funds (luckily before the major rise in bitcoin price). He was then unable to resolve the claim for the costs of the investigation, which prompted a public lawsuit to be filed. This public lawsuit prevented him from getting a job to repay the costs, leaving him without much prospect of employment and ShapeShift short the costs of the investigation.

HOW COULD THIS HAVE BEEN PREVENTED?

Generally, the most secure form of storage for funds is an offline multi-signature wallet. ShapeShift placed vast quantities of funds in their hot wallets, without a level of scrutiny that could detect funds going missing.
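The kind of scrutiny described above can be sketched as a daily reconciliation of hot-wallet outflows against the internal payout ledger, which would surface repeated transfers of roughly half a bitcoin to one unrecorded address within days rather than at month-end. This is an added example, not ShapeShift's code or part of the original page; the transaction ids, addresses, amounts and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (txid, day, destination, amount in satoshis).
HOT_WALLET_OUTFLOWS = [
    ("tx01", date(2020, 5, 1), "addr_customer_a", 120_000_000),
    ("tx02", date(2020, 5, 1), "addr_unknown_x", 50_000_000),
    ("tx03", date(2020, 5, 2), "addr_customer_b", 30_000_000),
    ("tx04", date(2020, 5, 2), "addr_unknown_x", 49_000_000),
    ("tx05", date(2020, 5, 3), "addr_unknown_x", 51_000_000),
    ("tx06", date(2020, 5, 3), "addr_customer_c", 75_000_000),
    ("tx07", date(2020, 5, 4), "addr_unknown_y", 10_000_000),
]
# Constructed internal ledger: txids the trading system recorded as payouts.
AUTHORIZED_TXIDS = {"tx01", "tx03", "tx06"}

def unreconciled(outflows, authorized):
    """Outflows seen on-chain that no internal ledger entry accounts for."""
    return [o for o in outflows if o[0] not in authorized]

def recurring_destinations(unmatched, min_count=3):
    """Group unmatched outflows by destination; keep repeat recipients."""
    by_dest = defaultdict(list)
    for _txid, day, dest, sats in unmatched:
        by_dest[dest].append((day, sats))
    report = {}
    for dest, rows in by_dest.items():
        if len(rows) >= min_count:
            days = sorted(d for d, _ in rows)
            report[dest] = {
                "count": len(rows),
                "total_sat": sum(s for _, s in rows),
                "first": days[0],
                "last": days[-1],
            }
    return report

def daily_reconcile(outflows, authorized, min_count=3):
    """Summary an operations team could alert on every day."""
    unmatched = unreconciled(outflows, authorized)
    return {
        "unmatched_txids": [o[0] for o in unmatched],
        "unmatched_total_sat": sum(o[3] for o in unmatched),
        "recurring": recurring_destinations(unmatched, min_count),
    }

if __name__ == "__main__":
    print(daily_reconcile(HOT_WALLET_OUTFLOWS, AUTHORIZED_TXIDS))
```

Any non-empty `unmatched_txids` list is itself an alert condition for a wallet whose every payout should have a ledger entry; the `recurring` grouping only ranks which destinations to investigate first.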

 

There were no customer losses due to this being company funds, and the lost funds were fully recovered.

 
