CoinBerry ETransfer Glitch Fraud: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Network fee controversy started.)
(Hacking situation comments added to network fee controversy.)
Line 40: Line 40:
|CoinBerry upgrades their Interac ETransfer payment system. This new system reportedly credits customers with the amount of their transfer before customers have actually completed the payment<ref name="financialpost-9855" />.
|CoinBerry upgrades their Interac ETransfer payment system. This new system reportedly credits customers with the amount of their transfer before customers have actually completed the payment<ref name="financialpost-9855" />.
|-
|-
|August 24th, 2020 12:00:00 AM
|August 24th, 2020 12:00:00 AM MST
|Withdrawal System Shut Off
|Withdrawal System Shut Off
|CoinBerry shuts off their withdrawal system for 17 hours after a withdrawal of 8.33 BTC.
|CoinBerry shuts off their withdrawal system for 17 hours after a withdrawal of 8.33 BTC.
|-
|-
|October 29th, 2020 11:12:00 AM
|October 29th, 2020 11:12:00 AM MST
|CipherBlade Twitter Report
|CipherBlade Twitter Report
|Blockchain investigation firm CipherBlade reports that CoinBerry "appears to have been hacked a couple months ago". They note a transfer of "8.33 BTC stolen from Coinberry's hot wallet [and] sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz"<ref name="cipherbladetwitter-611" />.
|Blockchain investigation firm CipherBlade reports that CoinBerry "appears to have been hacked a couple months ago". They note a transfer of "8.33 BTC stolen from Coinberry's hot wallet [and] sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz"<ref name="cipherbladetwitter-611" />.
|-
|-
|October 29th, 2020 12:36:00 PM
|October 29th, 2020 12:36:00 PM MST
|Amy Castor Follow Up
|Amy Castor Follow Up
|Journalist Amy Castor shares the tweet with the CoinBerry Twitter account for comment<ref>[https://twitter.com/ahcastor/status/1321883625042841601 Amy Castor - "@CoinberryHQ, care to comment on this?" - Twitter] (Mar 28, 2023)</ref>. No response is received from CoinBerry.
|Journalist Amy Castor shares the tweet with the CoinBerry Twitter account for comment<ref>[https://twitter.com/ahcastor/status/1321883625042841601 Amy Castor - "@CoinberryHQ, care to comment on this?" - Twitter] (Mar 28, 2023)</ref>. No response is received from CoinBerry.
|-
|-
|October 31st, 2020 12:02:14 PM
|October 31st, 2020 12:02:14 PM MST
|Bitcoin Network Fee Controversy
|Bitcoin Network Fee Controversy
|A Reddit thread notes that CoinBerry has increased their bitcoin withdrawal "network fee" to 0.03 BTC ($55 CAD)<ref name="reddit-612" />. At the time, users noted that the "average transaction right now is estimated to be around $11-12 USD"<ref>[https://www.reddit.com/r/BitcoinCA/comments/jlmz5j/comment/gapvfer/ TI-IC - "average transaction right now is estimated to be around $11-12 USD" - Reddit] (Mar 29, 2023)</ref>.
|A Reddit thread notes that CoinBerry has increased their bitcoin withdrawal "network fee" to 0.003 BTC ($55 CAD)<ref name="reddit-612" />. At the time, users noted that the "average transaction right now is estimated to be around $11-12 USD"<ref>[https://www.reddit.com/r/BitcoinCA/comments/jlmz5j/comment/gapvfer/ TI-IC - "average transaction right now is estimated to be around $11-12 USD" - Reddit] (Mar 29, 2023)</ref>. BitInfoCharts estimated the transaction fees for October 27th as $10.19, October 28th as $11.68, October 29th as $12.51, October 30th as $13.14, October 31st as $13.16, and November 1st as $8.69<ref>[https://bitinfocharts.com/comparison/bitcoin-transactionfees.html Historic Bitcoin Transaction Fees - BitInfoChart] (Mar 29, 2023)</ref>. The thread included multiple references to the hacking incident<ref>[https://www.reddit.com/r/BitcoinCA/comments/jlmz5j/comment/gapz6hc/ jordan7104M - "even before they got hacked" - Reddit] (Mar 29, 2023)</ref><ref>[https://www.reddit.com/r/BitcoinCA/comments/jlmz5j/comment/gapvda5/ Fiach_Dubh - "care to comment on this, and this" - Reddit] (Mar 29, 2023)</ref><ref>[https://www.reddit.com/r/BitcoinCA/comments/jlmz5j/comment/gaqd8c3/ eastender99 - "They got hacked and didnt admit it yet." - Reddit] (Mar 29, 2023)</ref>.
|-
|November 11th, 2020 7:12:16 PM MST
|Fee Page Adjustments
|CoinBerry network withdrawal fees appear to be 0.001 for BTC and have been moved to the top of the fees page. CoinBerry changed the text "0% Withdrawal Fees" to "0% CAD Withdrawal Fees"<ref>[https://web.archive.org/web/20200919205949/coinberry.com/fees CoinBerry Fees Page - September 19th, 2020 2:59:49 PM MDT] (Mar 29, 2023)</ref><ref>[https://web.archive.org/web/20201112021216/coinberry.com/fees CoinBerry Fees Page - November 11th, 2020 7:12:16 PM MST] (Mar 29, 2023)</ref>.
|-
|-
|June 2022
|June 2022

Revision as of 11:50, 29 March 2023


CoinBerry

In April 2020, CoinBerry reportedly made an update to their service which allowed customers to purchase bitcoin with what we can presume to be nothing more than starting an eTransfer process. It appears this was exploited all the way through to August 24th, 2020, when withdrawals were shut off for a period of 17 hours. According to a lawsuit later filed by CoinBerry, 120 bitcoins were ultimately withdrawn without paying during this time. CoinBerry requested the return of funds, and 37 bitcoins were returned by customers.

No announcements were made to explain the situation. There was speculation about what happened in this case for roughly 2 years, until June 2022, when CoinBerry finally filed a lawsuit in Brampton, Ontario. Lawsuits in Ontario are not publicly available without paying a fee, so this didn't come to light until September 2022. It is unclear if CoinBerry has been able to recover any further bitcoins in this case.

This exchange or platform is based in Canada, or the incident targeted people primarily in Canada. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]

About CoinBerry

Coinberry is Canada’s first regulated crypto-only trading platform[20].

"Based in Toronto, Coinberry is Canada's first federally registered commission-free crypto trading platform, which secures the best cryptocurrency prices from trusted exchanges using proprietary algorithms."

Partnerships With Municipalities

One of the strategies which CoinBerry used to gain early trust with Canadians was their ongoing partnership with municipalities including the Town of Innisfil and the City of Richmond Hill.

"Coinberry was founded in 2017. In 2019, the Town of Innisfil officially partnered with the exchange. This was the first Canadian property tax payment paid in Bitcoin. Today, Coinberry also has a partnership with the City of Richmond Hill."

Under this strategy, CoinBerry offered the towns the ability to accept payment for taxes through bitcoin. As there was no cost to participate, the municipalities only derived a potential benefit of extra revenue from the partnership.

Audit By MNP LLP

CoinBerry completed an audit by Canadian public accounting firm MNP LLP.

"Coinberry is one of the first Canadian cryptocurrency trading platforms to audit its first year financial statements." "The audit was conducted by MNP LLP, one of the preeminent Canadian public accounting firms active in the blockchain and cryptocurrency space."

Multi-Signature Wallet Storage

CoinBerry placed a strong public emphasis on diligence.

"Practicing due diligence is paramount. Research and continuous education of cryptocurrencies and the markets will arm you with the highest protection level possible." "Thieves and scammers in the crypto ecosystem write malware to attack your digital wallet, empty your accounts, spy on your clipboards to steal your cryptocurrency addresses, and swap out your exact addresses for those belonging to a scammer."

The service reportedly implemented a proper multi-signature protection scheme on client funds.

"We only use multisig cold storage wallets [m]eaning that any 2 members of the executive team are able to access the funds. What does this mean for you? If the CEO goes missing during a trip to open an orphanage in India, your Bitcoin, Ethereum and Litecoin will still be accessible by the Coinberry executive team."

The Reality

“On April 13, 2020, Coinberry implemented a software update to the Coinberry Platform. Unfortunately, the said update contained a vulnerability whereby Coinberry’s system was notified of e-transfers of CAD despite the fact that the moneys had not actually been received by Coinberry,” the lawsuit read.

CoinBerry underwent a platform upgrade, whereby customers could initiate an Interac eTransfer, get the amount credited to their CoinBerry accounts, and then cancel the original eTransfer, which enabled them to get bitcoins without paying for them[20].

"Customers could initiate an Interac e-transfer, get the amount credited to their Coinberry accounts, buy bitcoin and transfer the coins out, and then cancel the original e-transfer, retaining their own funds and getting free bitcoin." "In the end, users would then cancel the original e-transfer, thereby retaining their own funds and getting free bitcoin, [a later] lawsuit said."

What Happened

Evidence suggests that CoinBerry operated in a glitched state where customers could obtain free bitcoin by initiating and not completing eTransfers for a period of over 4 months. By the time that CoinBerry fixed the issue, 546 of their customers had already taken advantage of it[20]. Data suggests more than 80% of customers had done so in small amounts below $5,000[20], and there is some speculation that many customers did so unintentionally.

"Due to a software glitch, the platform accidentally tricked people into buying bitcoin using Canadian dollars, which had not yet been properly transferred to their accounts."

Key Event Timeline - CoinBerry ETransfer Glitch Fraud

| Date | Event | Description |
|---|---|---|
| April 13th, 2020 | CoinBerry Platform Upgrade | CoinBerry upgrades their Interac ETransfer payment system. This new system reportedly credits customers with the amount of their transfer before customers have actually completed the payment[20]. |
| August 24th, 2020 12:00:00 AM MST | Withdrawal System Shut Off | CoinBerry shuts off their withdrawal system for 17 hours after a withdrawal of 8.33 BTC. |
| October 29th, 2020 11:12:00 AM MST | CipherBlade Twitter Report | Blockchain investigation firm CipherBlade reports that CoinBerry "appears to have been hacked a couple months ago". They note a transfer of "8.33 BTC stolen from Coinberry's hot wallet [and] sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz"[21]. |
| October 29th, 2020 12:36:00 PM MST | Amy Castor Follow Up | Journalist Amy Castor shares the tweet with the CoinBerry Twitter account for comment[22]. No response is received from CoinBerry. |
| October 31st, 2020 12:02:14 PM MST | Bitcoin Network Fee Controversy | A Reddit thread notes that CoinBerry has increased their bitcoin withdrawal "network fee" to 0.003 BTC ($55 CAD)[1]. At the time, users noted that the "average transaction right now is estimated to be around $11-12 USD"[23]. BitInfoCharts estimated the transaction fees for October 27th as $10.19, October 28th as $11.68, October 29th as $12.51, October 30th as $13.14, October 31st as $13.16, and November 1st as $8.69[24]. The thread included multiple references to the hacking incident[25][26][27]. |
| November 11th, 2020 7:12:16 PM MST | Fee Page Adjustments | CoinBerry network withdrawal fees appear to be 0.001 for BTC and have been moved to the top of the fees page. CoinBerry changed the text "0% Withdrawal Fees" to "0% CAD Withdrawal Fees"[28][29]. |
| June 2022 | CoinBerry Files Lawsuit | CoinBerry entered a lawsuit in Brampton, Ontario against 50 customers and Binance[20]. |
| September 8th, 2022 9:34:04 AM | Financial Post Article | A Financial Post article finally reveals the full extent of the losses[20], which was nearly immediately shared on Reddit[30]. The extent of losses was not previously disclosed[20]. CoinBerry had no comment on the matter at the time[20]. |

Total Amount Lost

The total amount lost has been estimated at $1,413,000 USD.

CoinBerry reported that the largest loss of $385,722.31 (as valued in April 2022) was from a user named both Jordan Steifuk and Connor Heffernan, who CoinBerry states is actually the same person[20].


Immediate Reactions

CoinBerry reportedly fixed the issue and contacted all 546 customers to demand the bitcoin be returned[20].

“Coinberry contacted all of the said 546 affected registered users by email and demanded return of the misappropriated bitcoins”

CoinBerry also reportedly contacted Binance, who restricted accounts that had received the funds[20].

“Binance acknowledged that it had identified a quantity of the misappropriated BTC and undertook to restrict any access to the accounts,”

On August 24th, 2020, "there were no withdrawals processed from Coinberry's hot wallet for about 17 hours." It "[h]asn't been publicly reported yet. 8.33 BTC stolen from Coinberry's hot wallet & sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz. I guess they can't say they've never been hacked anymore."

"Not sure exactly what the issue was, but possibilities include a social engineering attack, impersonation scam, or a bug that may have been exploited that allowed an attacker withdraw more than what they had (the latter seems by far to be the least likely vector to me)."

"After the [situation was noticed] (on 8/24), there were no withdrawals processed from Coinberry's hot wallet for about 17 hours. Then it started up again, but the address did not change -- this 8.33 BTC breach (not a huge amount of course) appears not to be a compromise of the seed phrase or private key (otherwise they wouldn't continue using that wallet), but presumably another issue."

"[T]here are other solutions apart from multi-sig that are suitable, for example SSSS and MPC so we don't know what type of setup they have on their hot wallet. But their hot wallet address is P2PKH, not P2SH (i.e. starts with a 1, not a 3), and while P2PKH addresses can theoretically be multi-sig, that's almost never the case. Our view is that hot wallets need to be multi-sig/SSSS/MPC but also have preventative measures that would allow any one person (such as a founder) to run off with any funds even in the hot wallet by themselves, and that's easier said than done. A spear-phishing attack is a possibility here."

"After the breach, when the hot wallet was turned off it had a balance of 0.06324605 BTC for a while -- if the seedphrase or private key had been breached, there would obviously be a balance of 0 (or very close to it). After about 17 hours, they (Coinberry) topped the hot wallet up with some funds before turning it on again."

“Coinberry contacted all of the said 546 affected registered users by email and demanded return of the misappropriated bitcoins,” the lawsuit read. “Coinberry also immediately contacted Binance.”

“Binance acknowledged that it had identified a quantity of the misappropriated BTC and undertook to restrict any access to the accounts,” [a later] lawsuit read.

"[T]hey're still using the same wallet for withdrawals they were using before, presumably because they know it wasn't compromised, which is presumably because they know the real reason for the breach. If they knew the compromise occurred due to a social engineering attack for example, the wallet is still perfectly safe to use (or more technically, just as safe as it was before)."

"[I]f an individual account was compromised, there would be no reason for Coinberry to turn off their hot (withdrawal) wallet for 17 hours. Coinberry was compromised, not a Coinberry account."



Community Reactions

Reddit user

"Not a good look Coinberry. Yet another Canadian "exchange" failing to build the cryptoeconomy in Canada. Damn shame man I really thought Canada would be a bigger player in that domain."


"Regarding whether or not customers are going to bear the loss, remember that the number in your account is just that, a number and an IOU. It doesn't mean they have the assets to back that IOU even before this breach happened. What do you think happened to Einstein? Coinberry may or may not be insolvent."

Ultimate Outcome

Acquisition by WonderFi

CoinBerry was acquired by WonderFi in July 2022 for $38.5m[20]. WonderFi is a Vancouver-based crypto outlet backed by Shark Tank personality Kevin O'Leary[20].

"Coinberry [became] backed by WonderFi Technologies, a Vancouver-based crypto organization backed by Shark Tank personality O’Leary, which bought Coinberry in July in a deal worth $38.5 million." "On Aug. 25, Coinberry's parent company, WonderFi, applied to start trading on the Nasdaq. It currently trades on the Toronto Stock exchange."

Recovery From Customers

Apparently, 37 bitcoin were recovered from 270 of the registered users, leaving 83 bitcoin outstanding from the other 270[20].

“Coinberry was able to secure the return of approximately 37 of the misappropriated bitcoins from 270 of the affected registered users.”

"As Financial Post points out, 83 bitcoin are still floating around in the hands of tricksy customers."

Financial Institution Bond

"Toronto-based Coinberry has acquired a financial institution bond." "Coinberry’s surety bond is underwritten by the Lloyd’s of London insurance market and the coverage limit is CAD$1,000,000 ($764,000) per claim/incident, said Poliakov."

Trading Fee Increases

CoinBerry's original "[t]rading fees [we]re around 0.5 percent." This was later updated to 1%, and fine print at the bottom of the fee pages now states that "Coinberry establishes the rate for cryptocurrency transactions on our platform by adding a margin, or spread, of between 0% and 2.5% to the rate offered by our liquidity sources." "Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently)."

Binance Recovery Effort

This lawsuit was against 50 of the remaining users, demanding 63 of the bitcoin, including 9.48 BTC which were transferred to Binance[20].

“Binance acknowledges that it had identified incorrect BTC amounts and undertook to restrict any access to the accounts,” the lawsuit read. "In reply, Binance worked hard to identify all the inappropriate bitcoin and restricted access to all those accounts asap." "Binance reportedly acknowledged detecting a significant quantity of the misappropriated funds and restricted any access to the accounts." "It is unclear why Coinberry had resorted to suing Binance, given the latter’s apparent cooperation." Binance declined to comment on the lawsuit but said in a statement: “The company is committed to prevent bad actors from using the platform, which includes a world-renowned investigative team.” "Coinberry did not immediately respond to CoinDesk's request for comment."

Lawsuit Against Customers

CoinBerry was unsuccessful in obtaining the return of funds from at least 270 of the customers, and later undertook a lawsuit, which was filed in Brampton, Ontario[20]. CoinBerry reportedly did not include users who had amounts below $5,000, as valued in May 2020, in the lawsuit[20].

"The lawsuit was for 63 of [the defrauded] bitcoins, including 9.48 units that were transferred to Binance. In a list that Coinberry provided to court, all that was attributed to the 50 users named in the lawsuit." "That still leaves out 20 of the 120 bitcoins originally lost — and more than 200 of the 546 users who had allegedly misappropriated from Coinberry." "It is unclear how or if Coinberry is going after those people, given that they are not named in the lawsuit."

Total Amount Recovered

The total amount recovered has been estimated at $436,000 USD.


Ongoing Developments

CoinBerry's lawsuit has yet to be tested in court[20].

CoinBerry's lawsuit included Binance, despite the apparent cooperation of the platform[20]. Binance has not commented on the lawsuit. They've only issued a general statement[20].

“The company is committed to prevent bad actors from using the platform, which includes a world-renowned investigative team.”

Prevention Policies

The primary failure in this case was the lack of proving reserves on the platform. We have recommended a published assessment of the platform at an interval of 6 months or less, which most likely would have caught this situation. In addition, an internal validation that assets are properly backed would have noticed the anomalies sooner. This is especially prudent shortly after deploying a system upgrade.
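The flaw described under "The Reality" and the internal backing check recommended above can be shown together. This is an added example, not CoinBerry's code: the transfer states, class names and sample events are hypothetical and constructed for illustration. A ledger that credits on the "initiated" notification is run beside one that credits only on settlement, and a reconciliation pass reports every credit that has no settled funds behind it.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class TransferState(Enum):          # hypothetical lifecycle, not Interac's API
    INITIATED = "initiated"         # sender started the transfer; no money moved
    SETTLED = "settled"             # funds confirmed received by the platform
    CANCELLED = "cancelled"         # sender cancelled before settlement


@dataclass(frozen=True)
class Event:
    transfer_id: str
    account: str
    amount_cad: Decimal
    state: TransferState


class Ledger:
    """Credits customer CAD balances from payment notifications."""

    def __init__(self, credit_on):
        self.credit_on = frozenset(credit_on)  # states that trigger a credit
        self.balances = {}                     # account -> credited CAD
        self.credited = {}                     # transfer_id -> amount credited
        self.last_state = {}                   # transfer_id -> latest state seen

    def handle(self, ev):
        self.last_state[ev.transfer_id] = ev.state
        # Credit each transfer at most once, and only in an allowed state.
        if ev.state in self.credit_on and ev.transfer_id not in self.credited:
            self.credited[ev.transfer_id] = ev.amount_cad
            self.balances[ev.account] = (
                self.balances.get(ev.account, Decimal(0)) + ev.amount_cad
            )


def reconcile(ledger):
    """Internal backing check: every credit must map to a settled transfer."""
    unbacked = {
        tid: amount
        for tid, amount in ledger.credited.items()
        if ledger.last_state[tid] is not TransferState.SETTLED
    }
    return {
        "credited": sum(ledger.credited.values(), Decimal(0)),
        "unbacked_transfers": sorted(unbacked),
        "shortfall": sum(unbacked.values(), Decimal(0)),
    }


# Constructed sample events: one honest deposit, one cancelled, one abandoned.
EVENTS = [
    Event("T1", "alice", Decimal("500.00"), TransferState.INITIATED),
    Event("T1", "alice", Decimal("500.00"), TransferState.SETTLED),
    Event("T2", "bob", Decimal("4000.00"), TransferState.INITIATED),
    Event("T2", "bob", Decimal("4000.00"), TransferState.CANCELLED),
    Event("T3", "carol", Decimal("250.00"), TransferState.INITIATED),
]


def run(credit_on):
    ledger = Ledger(credit_on)
    for ev in EVENTS:
        ledger.handle(ev)
    return ledger, reconcile(ledger)


# Flawed behaviour: credit as soon as the transfer is announced.
flawed_ledger, flawed_report = run({TransferState.INITIATED})
# Corrected behaviour: credit only once funds have actually settled.
fixed_ledger, fixed_report = run({TransferState.SETTLED})

if __name__ == "__main__":
    print("credit on initiation:", flawed_report)
    print("credit on settlement:", fixed_report)
```

Run on a schedule, and immediately after a payment-system upgrade, a non-zero shortfall from this kind of check is the anomaly the paragraph above says would have been noticed sooner.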

While this is not directly the cause of the incident, our recommendation continues to be that all customer funds be secured by a multi-signature wallet requiring at least 3 signatures for release, and that CoinBerry revisit their approach to training and/or background checks of signatories. Platforms should be held to account with transparent disclosure of breaches. An efficient insurance fund which is overseen by industry operators could be a cheap, flexible, and highly protective option to restore reserves in cases like this.

References

  1. Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently) - Reddit (May 15, 2021)
  2. Coinberry was hacked earlier this year according to blockchain forensics firm - legit? : BitcoinCA (May 15, 2021)
  3. The Latest Crypto Scams: Identify and Avoid Them (May 15, 2021)
  4. The Importance of Digital Security for Cryptocurrency Investors (May 15, 2021)
  5. Bitcoin Trading Fees in Canada | Coinberry (May 15, 2021)
  6. Coinberry Review: 5 Things to Know (2021 Updated) (May 15, 2021)
  7. No Fee Crypto Trading Platform Coinberry Partners with Crypto Giant BRD (May 15, 2021)
  8. 9 Reasons CoinBerry is Ahead of Competition When it Comes to Security and Accountability (May 15, 2021)
  9. Coinberry successfully completes first-year financial statement audit (May 15, 2021)
  10. Coinberry Crypto Exchange Gets Lloyd’s Cover as Canada’s Post-Quadriga Rules Tighten (May 15, 2021)
  11. Coinberry Traders Keep Control of Keys With BRD Crypto Wallet Integration - Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides (May 15, 2021)
  12. Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 15, 2021)
  13. Canadian Crypto Exchange Coinberry Files Lawsuit Against 50 Users After Losing 120 BTC (Dec 1, 2022)
  14. Coinberry loses $3m due to software glitch - files suit for recovery - Business News (Dec 1, 2022)
  15. Canadian Crypto Exchange Sues Users for Return of Bitcoin Misappropriated During Software Glitch – Exchanges Bitcoin News (Dec 2, 2022)
  16. Glitch sees users pinch $3M in bitcoin from crypto exchange Coinberry (Dec 2, 2022)
  17. Coinberry sued its users for stealing bitcoins - TechStory (Dec 2, 2022)
  18. Coinberry Crypto Exchange Files Lawsuit After Losing $3 Million in Software Glitch (Dec 2, 2022)
  19. Coinberry's Software Blunder Costs $3M in Bitcoin: Report (Dec 2, 2022)
  20. Coinberry says it lost $3 million in bitcoin due to a software glitch | Financial Post (Dec 1, 2022)
  21. @cipher_blade - "another Canadian exchange appears to have been hacked a couple months ago" - Twitter (May 15, 2021)
  22. Amy Castor - "@CoinberryHQ, care to comment on this?" - Twitter (Mar 28, 2023)
  23. TI-IC - "average transaction right now is estimated to be around $11-12 USD" - Reddit (Mar 29, 2023)
  24. Historic Bitcoin Transaction Fees - BitInfoChart (Mar 29, 2023)
  25. jordan7104M - "even before they got hacked" - Reddit (Mar 29, 2023)
  26. Fiach_Dubh - "care to comment on this, and this" - Reddit (Mar 29, 2023)
  27. eastender99 - "They got hacked and didnt admit it yet." - Reddit (Mar 29, 2023)
  28. CoinBerry Fees Page - September 19th, 2020 2:59:49 PM MDT (Mar 29, 2023)
  29. CoinBerry Fees Page - November 11th, 2020 7:12:16 PM MST (Mar 29, 2023)
  30. Coinberry says it lost $3 million in bitcoin due to a software glitch - Reddit (Sep 8, 2022)