BitGrail NANO Hack - Revision history

Azoundria at 19:45, 10 May 2024

2024-05-10T19:45:01Z

← Older revision		Revision as of 13:45, 10 May 2024
Line 4:		Line 4:
	BitGrail stored vast sums of NANO in the form of hot wallets and contained an exploit which allowed traders to withdraw their NANO twice, allowing users to withdraw more than they held on the exchange. After hackers repeatedly exploited this glitch in the withdrawal mechanism to steal 2.5m NANO from massive hot wallets on the site, Mr. Firano, who managed BitGrail largely by himself, did not choose to address the issue. He did not even choose to announce the issue or the loss. His sole action was to ban the offending users. Unsurprisingly, abuse of the exploit continued for months, including a future loss of over 7.5m more NANO. Months later, with the price of NANO significantly higher, Mr. Firano attempted to resolve the matter by asking the NANO team to create a hard fork (of months and months of transactions which had been being stolen continuously). When that didn’t work, he made a plan to relaunch the exchange and use ongoing profits to repay victims, however his plan failed to include any sort of security upgrades, change of leadership, or addition of new talent to address the extreme lack of competence. Mr. Firano posted a vague poll to the general public via Twitter, in which 80% of respondents requested he go into bankruptcy as opposed to relaunching. He then ignored both this poll and a court order, restarting the exchange for all of a few hours. The end result was that both he and the exchange were declared bankrupt, and assets of the exchange were seized. The BitGrail website is full of information on the ongoing bankruptcy proceedings which continue to this day.		BitGrail stored vast sums of NANO in the form of hot wallets and contained an exploit which allowed traders to withdraw their NANO twice, allowing users to withdraw more than they held on the exchange. After hackers repeatedly exploited this glitch in the withdrawal mechanism to steal 2.5m NANO from massive hot wallets on the site, Mr. Firano, who managed BitGrail largely by himself, did not choose to address the issue. He did not even choose to announce the issue or the loss. His sole action was to ban the offending users. Unsurprisingly, abuse of the exploit continued for months, including a future loss of over 7.5m more NANO. Months later, with the price of NANO significantly higher, Mr. Firano attempted to resolve the matter by asking the NANO team to create a hard fork (of months and months of transactions which had been being stolen continuously). When that didn’t work, he made a plan to relaunch the exchange and use ongoing profits to repay victims, however his plan failed to include any sort of security upgrades, change of leadership, or addition of new talent to address the extreme lack of competence. Mr. Firano posted a vague poll to the general public via Twitter, in which 80% of respondents requested he go into bankruptcy as opposed to relaunching. He then ignored both this poll and a court order, restarting the exchange for all of a few hours. The end result was that both he and the exchange were declared bankrupt, and assets of the exchange were seized. The BitGrail website is full of information on the ongoing bankruptcy proceedings which continue to this day.

	This exchange or platform is based in Italy, or the incident targeted people primarily in Italy.<ref name="bitcoinmagazine-6" /><ref name="kylegibson-86" /><ref name="cointelegraph-107" /><ref name="fortune-149" /><ref name="cointelegraph-150" /><ref name="thenextweb-151" /><ref name="bitgrailvictimsmedium-152" /><ref name="newsdotbitcoin-153" /><ref name="finder-154" /><ref name="marketswikicrypto-155" /><ref name="dropbox-156" /><ref name="techcrunch-157" /><ref name="bomberfrancytwitter-158" /><ref name="thenextweb-159" /><ref name="cryptopotato-161" /><ref name="blockexplorer-162" /><ref name="fintechnews-164" /><ref name="cointelegraph-197" /><ref name="bitcoinexchangeguide-218" /><ref name="ciphertrace-1152" /><ref name="slowmisthacked-1160" /><ref name="cryptonewsbullsmedium-7990" /><ref name="reddit-7991" /><ref name="reddit-9270" />		This exchange or platform is based in Italy, or the incident targeted people primarily in Italy.<ref name="bitcoinmagazine-6" /><ref name="kylegibson-86" /><ref name="cointelegraph-107" /><ref name="fortune-149" /><ref name="cointelegraph-150" /><ref name="thenextweb-151" /><ref name="bitgrailvictimsmedium-152" /><ref name="newsdotbitcoin-153" /><ref name="finder-154" /><ref name="marketswikicrypto-155" /><ref name="dropbox-156" /><ref name="techcrunch-157" /><ref name="bomberfrancytwitter-158" /><ref name="thenextweb-159" /><ref name="cryptopotato-161" /><ref name="blockexplorer-162" /><ref name="fintechnews-164" /><ref name="cointelegraph-197" /><ref name="bitcoinexchangeguide-218" /><ref name="ciphertrace-1152" /><ref name="slowmisthacked-1160" /><ref name="cryptonewsbullsmedium-7990" /><ref name="reddit-7991" /><ref name="reddit-9270" /><ref name="carnegieendowment-9983" />

	== About BitGrail ==		== About BitGrail ==
Line 58:		Line 58:
	\|		\|
	\|}		\|}

			== Technical Details ==
			This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

	== Total Amount Lost ==		== Total Amount Lost ==
Line 141:		Line 144:
	<ref name="reddit-7991">[https://www.reddit.com/r/CryptoCurrency/comments/7whjln/francesco_firano_bitgrail_stole_millions_never/ FRANCESCO FIRANO (BITGRAIL) STOLE MILLIONS. NEVER FORGET THIS FACE. : CryptoCurrency] (Jun 8, 2022)</ref>		<ref name="reddit-7991">[https://www.reddit.com/r/CryptoCurrency/comments/7whjln/francesco_firano_bitgrail_stole_millions_never/ FRANCESCO FIRANO (BITGRAIL) STOLE MILLIONS. NEVER FORGET THIS FACE. : CryptoCurrency] (Jun 8, 2022)</ref>

	<ref name="reddit-9270">[https://www.reddit.com/r/CryptoCurrency/comments/7u1hs4/either_you_die_a_programmer_or_live_long_enough/ "Either you die a programmer, or live long enough to become a scammer" - Owner of Bitgrail : CryptoCurrency] (Oct 17, 2022)</ref></references>		<ref name="reddit-9270">[https://www.reddit.com/r/CryptoCurrency/comments/7u1hs4/either_you_die_a_programmer_or_live_long_enough/ "Either you die a programmer, or live long enough to become a scammer" - Owner of Bitgrail : CryptoCurrency] (Oct 17, 2022)</ref>

			<ref name="carnegieendowment-9983">[https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace] (Dec 12, 2022)</ref></references>

Azoundria at 16:34, 14 April 2023

2023-04-14T16:34:19Z

Show changes

Azoundria at 05:32, 17 February 2023

2023-02-17T05:32:46Z

Show changes

Azoundria: Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/bitgrailnanohack.php}} BitGrail stored vast sums of NANO in the form of hot wallets and contained an exploit which allowed traders to withdraw their NANO twice, allowing users to withdraw more than they held on the exchange. After hackers repeatedly exploited this glitch in the withdrawal mechanism to steal 2.5m NANO from massive hot wallets on the site, Mr. Firano, who managed BitGrail largely by..."

2023-01-24T21:11:06Z

Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/bitgrailnanohack.php}} BitGrail stored vast sums of NANO in the form of hot wallets and contained an exploit which allowed traders to withdraw their NANO twice, allowing users to withdraw more than they held on the exchange. After hackers repeatedly exploited this glitch in the withdrawal mechanism to steal 2.5m NANO from massive hot wallets on the site, Mr. Firano, who managed BitGrail largely by..."

New page

{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/bitgrailnanohack.php}}

BitGrail stored vast sums of NANO in the form of hot wallets and contained an exploit which allowed traders to withdraw their NANO twice, allowing users to withdraw more than they held on the exchange. After hackers repeatedly exploited this glitch in the withdrawal mechanism to steal 2.5m NANO from massive hot wallets on the site, Mr. Firano, who managed BitGrail largely by himself, did not choose to address the issue. He did not even choose to announce the issue or the loss. His sole action was to ban the offending users. Unsurprisingly, abuse of the exploit continued for months, including a future loss of over 7.5m more NANO. Months later, with the price of NANO significantly higher, Mr. Firano attempted to resolve the matter by asking the NANO team to create a hard fork (of months and months of transactions which had been being stolen continuously). When that didn’t work, he made a plan to relaunch the exchange and use ongoing profits to repay victims, however his plan failed to include any sort of security upgrades, change of leadership, or addition of new talent to address the extreme lack of competence. Mr. Firano posted a vague poll to the general public via Twitter, in which 80% of respondents requested he go into bankruptcy as opposed to relaunching. He then ignored both this poll and a court order, restarting the exchange for all of a few hours. The end result was that both he and the exchange were declared bankrupt, and assets of the exchange were seized. The BitGrail website is full of information on the ongoing bankruptcy proceedings which continue to this day.

This exchange or platform is based in Italy, or the incident targeted people primarily in Italy.

== About BitGrail ==
“An obscure Italian cryptocurrency exchange called BitGrail claims that it was hacked late last week and lost roughly $195 million worth of customers’ cryptocurrency.” "Just last Thursday, the core team was contacted by Firano in regard to a loss from the BitGrail wallet. According to a leaked conversation, 15 million Nano was reported ‘stolen’ by Firano, and a request was made to fork the chain. However, Nano developer Zack Shapiro pointed out the fact that the situation had been going on for months. It seems as though Firano was dealing with undisclosed issues of insolvency rather than an apparent hack." “The court notes that in July 2017, 2.5 million Nano were stolen from the exchange, and that Firano has been aware of it and announced that the involved exchange accounts have been blacklisted on Twitter in the same month. According to the ruling, in October of the same year — three months later — another 7.5 million Nano was stolen.” “it was the BitGrail exchange that [because of a software flaw] actually requested to the node multiple times to allow the funds to leave the wallet” and “not the Nano network that allowed the multiple withdrawals.

Furthermore, the exchange also reportedly stored all of its Nano cryptocurrency holdings in a “hot wallet,” which compromised its security.” “BitGrail was offline at the time. He claimed to be torn between claiming bankruptcy (which would absolve himself of the responsibility to pay the money back), or returning 20 percent of the lost funds immediately with a pledge to eventually give back the rest.” “The Italian Bankruptcy Court published the sentence on Jan. 21. A post by the BGVG published the same day as the court sentence explains that “the court concluded that both Bitgrail and Mr. Firano, personally, be declared bankrupt, authorizing seizures of many of Mr. Firano’s personal assets.”

"The man who ran Italian-based cryptocurrency exchange BitGrail was arrested for allegedly defrauding more than 230,000 people of €120 million ($146 million) collectively. In what was deemed "the biggest cyber-financial attack in Italy and one of the biggest in the world," the BitGrail boss faced charges of computer fraud, fraudulent bankruptcy, and money laundering."

"In 2018, the same man alerted police of a Nano Coin hack, communicating the loss of "a huge sum." Ivano Gabrielli, who is the head of the National Centre for Cyber Crimes in Italy, said that when their team started investigating, it became clear that the man was actually the head of BitGrail “[and] it…[was]...not yet clear whether he participated actively in the theft or if he simply decided not to increase security measures after discovering it.” The police further allege that the man, a 34-year-old known as "F.F.," interfered to prevent them from halting the continuing theft."

This exchange or platform is based in Italy, or the incident targeted people primarily in Italy.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.

Don't Include:

* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - BitGrail NANO Hack
!Date
!Event
!Description
|-
|February 1st, 2018 12:00:58 AM
|First Event
|This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|
|
|
|-
|
|
|
|}

== Total Amount Lost ==
The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?

== Prevention Policies ==
Coming soon.

== References ==
[https://bitcoinmagazine.com/articles/infographic-overview-compromised-bitcoin-exchange-events Infographic: An Overview of Compromised Bitcoin Exchange Events] (Jan 29)

[https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents] (Jan 24)

[https://cointelegraph.com/news/from-coincheck-to-bithumb-2018-s-largest-security-breaches-so-far From Coincheck to Bithumb: 2018’s Largest Security Breaches So Far] (Feb 22)

[https://fortune.com/2018/02/11/bitgrail-cryptocurrency-claims-hack/ BitGrail Cryptocurrency Exchange Claims $195 Million Lost to Hackers] (Feb 24)

[https://cointelegraph.com/news/owner-of-hacked-crypto-exchange-bitgrail-sentenced-to-return-funds-to-customers Owner of Hacked Crypto Exchange BitGrail Sentenced to Return Funds to Customers] (Feb 24)

[https://thenextweb.com/hardfork/2019/01/28/bitgrail-court-cryptocurrency-nano/ Italian court forces BitGrail CEO to repay $170M in ‘lost’ cryptocurrency] (Feb 24)

[https://medium.com/@bitgrailvictims/the-bitgrail-exchange-ruling-a-win-for-cryptocurrency-exchange-users-50df6c383571 THE BITGRAIL EXCHANGE RULING: A WIN FOR CRYPTOCURRENCY EXCHANGE USERS] (Feb 24)

[https://news.bitcoin.com/italian-court-orders-bitgrail-founder-to-refund-170m-of-missing-cryptocurrency/ Italian Court Orders Bitgrail Founder Firano $170 Million of Missing Cryptocurrency] (Feb 25)

[https://www.finder.com.au/the-nano-bitgrail-saga-is-now-over-and-its-changed-cryptocurrency The Nano-Bitgrail saga is now over, and it's changed cryptocurrency | finder.com.au] (Feb 25)

[http://crypto.marketswiki.com/index.php?title=BitGrail BitGrail - CryptoMarketsWiki] (Feb 25)

[https://www.dropbox.com/s/3g38y67luolfvqs/Colin_ZS_Bitgrail_chat_log.pdf?dl=0 Dropbox - Colin_ZS_Bitgrail_chat_log.pdf - Simplify your life] (Feb 25)

[https://techcrunch.com/2018/02/12/bitgrail-hack-nano/ Italian cryptocurrency exchange gets hacked for $170 million in Nano – TechCrunch] (Feb 25)

[https://twitter.com/bomberfrancy/status/965223247494119424 Francesco The Bomber on Twitter: "Cosa preferireste che facesse BitGrail?"] (Feb 25)

[https://thenextweb.com/hardfork/2018/02/20/bitgrail-cryptocurrency-exchange-nano/ Cryptocurrency exchange BitGrail contemplates exit scheme on Twitter] (Feb 25)

[https://cryptopotato.com/lessons-learned-from-the-biggest-crypto-hacks-in-history/ Lessons Learned from the Biggest Crypto Hacks in History] (Feb 25)

[https://blockexplorer.com/news/biggest-cryptocurrency-hacks-2018/ The Biggest Cryptocurrency Hacks of 2018 (A Year in Which $1 Billion Crypto Was Stolen)] (Feb 25)

[https://fintechnews.sg/23594/blockchain/cryptocurrency-hack-binance/ A Look Back on Some of the Most Devastating Crypto Hacks | Fintech Singapore] (Feb 26)

[https://cointelegraph.com/news/crypto-exchange-hacks-in-review-proactive-steps-and-expert-advice Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice] (Mar 1)

[https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com] (Mar 4)

[https://ciphertrace.com/wp-content/uploads/2021/01/CipherTrace-Cryptocurrency-Crime-and-Anti-Money-Laundering-Report-012821.pdf CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020] (Jun 19)

[https://hacked.slowmist.io/en/?c=Exchange SlowMist Hacked - SlowMist Zone] (Jun 25)

[https://medium.com/@cryptonewsbulls/is-mercatox-involved-in-195-million-dollar-bitgrail-heist-d14cc95165c https://medium.com/@cryptonewsbulls/is-mercatox-involved-in-195-million-dollar-bitgrail-heist-d14cc95165c] (Jun 8)

[https://www.reddit.com/r/CryptoCurrency/comments/7whjln/francesco_firano_bitgrail_stole_millions_never/ FRANCESCO FIRANO (BITGRAIL) STOLE MILLIONS. NEVER FORGET THIS FACE. : CryptoCurrency] (Jun 8)

[https://www.reddit.com/r/CryptoCurrency/comments/7u1hs4/either_you_die_a_programmer_or_live_long_enough/ "Either you die a programmer, or live long enough to become a scammer" - Owner of Bitgrail : CryptoCurrency] (Oct 17)