Token Tax API Key Breach SPT0615-JD: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/tokentaxapikeybreachspt0615jd.php}} {{Unattributed Sources}} thumb|Token Tax HomepageReddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount...") |
(Another 30 minutes complete.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
{{Unattributed Sources}} | |||
[[File:Tokentax.jpg|thumb|Token Tax Homepage]]Reddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount lost are mentioned. It does not appear he was able to recover any funds. | [[File:Tokentax.jpg|thumb|Token Tax Homepage]]Reddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount lost are mentioned. It does not appear he was able to recover any funds. | ||
This exchange or platform is based in United States, or the incident targeted people primarily in United States. | This exchange or platform is based in United States, or the incident targeted people primarily in United States.<ref name="redditoldarchive-11178" /><ref name="redditoldarchive-11179" /><ref name="redditoldarchive-11180" /> | ||
== About Token Tax == | == About Token Tax == | ||
<ref name="tokentax-11182" /><ref name="tokentax-11183" /> | |||
"TokenTax’s first version was created by co-founder Alex Miles back in 2017. This initial product imported data directly from Coinbase, and it won the Product Hunt Global Hackathon. Soon after, co-founder Zac McClure joined. Before starting TokenTax, Alex worked as a product designer for Readmill and Dropbox. Zac worked in impact capital, nonprofit corporate and legal structuring, investment banking, and as a mathematics teacher. | "TokenTax’s first version was created by co-founder Alex Miles back in 2017. This initial product imported data directly from Coinbase, and it won the Product Hunt Global Hackathon. Soon after, co-founder Zac McClure joined. Before starting TokenTax, Alex worked as a product designer for Readmill and Dropbox. Zac worked in impact capital, nonprofit corporate and legal structuring, investment banking, and as a mathematics teacher. | ||
| Line 22: | Line 23: | ||
"We offer advanced cryptocurrency reconciliation services. That means we can analyze your transaction history to backfill missing or incorrect data." | "We offer advanced cryptocurrency reconciliation services. That means we can analyze your transaction history to backfill missing or incorrect data." | ||
== The Reality == | == The Reality == | ||
TBD | |||
== What Happened == | == What Happened == | ||
SPT0615-JD held an account at a major US exchange, and set up an API key on their platform which had "all three permissions" were enabled. The provided this API key to the TokenTax software. The API key was breached, and his funds were stolen from his exchange account. | |||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Token Tax API Key Breach SPT0615-JD | |+Key Event Timeline - Token Tax API Key Breach SPT0615-JD | ||
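Review bot: The sentence added under == What Happened == does not parse: 'which had "all three permissions" were enabled' mixes two constructions, and 'The provided this API key' has lost its subject. Suggest 'set up an API key on its platform with "all three permissions" enabled. He provided this API key to the TokenTax software.' The paragraph also carries no <ref>, although the Reddit archive references it relies on are already defined on the page.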
| Line 78: | Line 37: | ||
|January 12th, 2022 5:19:16 PM MST | |January 12th, 2022 5:19:16 PM MST | ||
|Reddit Post | |Reddit Post | ||
|Situation is posted on Reddit. | |Situation is posted on Reddit<ref name="redditold-11177" /><ref name="redditoldarchive-11178" />. | ||
|- | |||
|January 12th, 2022 6:18:55 PM MST | |||
|Additional Details | |||
|SPT0615-JD reports that they were using a major US exchange at the time. He suggests that perhaps his "brain was fried" and he "made a mistake" in enabling "all three permissions" on the API key<ref name="redditoldarchive-11181" />. | |||
|- | |||
|January 12th, 2022 6:02:34 PM MST | |||
|Additional Details | |||
|<ref name="redditoldarchive-11180" /> TBD integrate. | |||
|} | |} | ||
== Technical Details == | == Technical Details == | ||
Based on the available information, it appears that SPT0615-JD provided an API key which had access to "all three permissions" within his unspecified major US exchange account to TokenTax. The TokenTax service was subsequently breached, and malicious actors used the API key to drain funds from his account. | |||
"Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake." | |||
Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. | |||
Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account. | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost is unknown. | The total amount lost is unknown. | ||
== Immediate Reactions == | == Immediate Reactions == | ||
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | ||
=== Original Post To Reddit === | |||
"I recently got hacked through my exchange API key linked to a popular tax service, all my funds were drained overnight. I somehow had transfers enabled on the API key which was my goof, but the fact of the matter is that the tax service seems to have lost control over their API keys or it was an inside job. | |||
The API key had been copied from exchange and pasted into tax service on a clean corporate computer, and was never documented anywhere else. The exchange account was also highly secure (google auth, unique and regularly rolled password, clean devices), and there is no chance this was an issue with the exchange itself. This was a 100% verifiable loss of funds due to a compromised API key deriving from the tax service itself, whether through an inside job or through a leak. | |||
I'm trying to connect with other victims as we may have stronger possibility of winning a case against the service if we can work together. There is strong evidence of another affected user. Please DM or comment if you were affected!! Even folks with read only keys may also be at risk of their data leaking from this site if this is confirmed. | |||
Thanks for reading, also please don't disparage me for having the wrong permissions enabled in the first place, I know I already done goofed and I feel terrible about it. | |||
Ps: I'm not naming the tax service for now as there is no reason to yet and I don't want to get hit with a stupid libel suit in the meantime." | |||
=== Reactions To Reddit Report === | |||
Several users attempted to assist and get more details on Reddit<ref>[https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/deleted_by_user/hsfavr2/ <nowiki>Bucksaway03 - "OP you really end to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done." - Reddit</nowiki>] (Jul 23, 2023)</ref><ref name="redditold-11176" />.<blockquote>OP you really end to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done.</blockquote><blockquote>"Are you able to get transaction details of where the stolen crypto ended up . Try trace it to a exchange and reach out to them ."</blockquote> | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
=== Further Investigation With Team === | |||
"Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. | |||
Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account." | |||
=== Reported CEO Dismissive Reactions === | |||
"The CEO asked me to call him directly and was extremally dismissive and refuses to commit to investigating anything. He made claims that they "prevent API keys with the wrong permissions from being added in the first place", which isn't true. All he would say is "we haven't seen anyone access your key or anything else". It really feels like he isn't taking it seriously that this has wide implications to his overall customer base." | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
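Review bot: In == Technical Details ==, "The TokenTax service was subsequently breached" is stated flatly, but the only support in this revision is the user's own account, and the CEO reply quoted further down says "we haven't seen anyone access your key or anything else"; word it as the user's allegation and attach the ref. The two paragraphs beginning "Yeah I've worked directly" are pasted there without quotation marks or a <ref> and appear again verbatim under === Further Investigation With Team ===, so keep one copy. In the timeline, the 6:18:55 PM row is placed before the 6:02:34 PM row, and that last row still reads "TBD integrate".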
| Line 104: | Line 96: | ||
== Individual Prevention Policies == | == Individual Prevention Policies == | ||
{{Prevention:Individuals:Placeholder}} | {{Prevention:Individuals:Placeholder}} | ||
{{Prevention:Individuals:Protect Personal Information}} | |||
{{Prevention:Individuals:Store Funds Offline}} | |||
{{Prevention:Individuals:End}} | {{Prevention:Individuals:End}} | ||
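Review bot: {{Prevention:Individuals:Placeholder}} is left in place above the two newly added policy templates, so the rendered section opens with "No specific policies for individual prevention have yet been identified in this case." and then lists two; drop the placeholder when adding policies. The Platforms and Regulators sections below have the same problem. Neither added policy addresses the cause this page describes, an API key created with transfers enabled instead of read-only access.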
| Line 109: | Line 105: | ||
== Platform Prevention Policies == | == Platform Prevention Policies == | ||
{{Prevention:Platforms:Placeholder}} | {{Prevention:Platforms:Placeholder}} | ||
{{Prevention:Platforms:Establish Industry Insurance Fund}} | |||
{{Prevention:Platforms:End}} | {{Prevention:Platforms:End}} | ||
| Line 114: | Line 112: | ||
== Regulatory Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators:Placeholder}} | {{Prevention:Regulators:Placeholder}} | ||
{{Prevention:Regulators:Establish Industry Insurance Fund}} | |||
{{Prevention:Regulators:End}} | {{Prevention:Regulators:End}} | ||
== References == | == References == | ||
<references><ref name="redditold-11176">[https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/deleted_by_user/hsghcws/ | <references> | ||
<ref name="redditold-11176">[https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/deleted_by_user/hsghcws/ Tradegrow - "Are you able to get transaction details of where the stolen crypto ended up . Try trace it to a exchange and reach out to them " - Reddit] (Oct 3, 2022)</ref> | |||
<ref name="redditold-11177">[https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/deleted_by_user/ | <ref name="redditold-11177">[https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/deleted_by_user/ SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit] (May 29, 2023)</ref> | ||
<ref name="redditoldarchive-11178">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/ SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit Archive January 12th, 2022 6:24:01 PM MST] (May 29, 2023)</ref> | |||
<ref name="redditoldarchive-11178">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/ Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. : | |||
<ref name="redditoldarchive-11179">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfa6p2/ SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims.] (May 29, 2023)</ref> | <ref name="redditoldarchive-11179">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfa6p2/ SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims.] (May 29, 2023)</ref> | ||
<ref name="redditoldarchive-11180">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfcc95/ SPT0615-JD - "Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. ... Also there was zero evidence that anyone actually got into the account." - Reddit Archive January 12th, 2022 6:05:00 PM MST] (May 29, 2023)</ref> | |||
<ref name="redditoldarchive-11180">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfcc95/ SPT0615-JD | <ref name="redditoldarchive-11181">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfefzt/ SPT0615-JD - "Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake." - Reddit] (May 29, 2023)</ref> | ||
<ref name="redditoldarchive-11181">[https://web.archive.org/web/20220113012401/https://old.reddit.com/r/CryptoCurrency/comments/s2lcol/popular_crypto_tax_service_appears_to_have_lost/hsfefzt/ SPT0615-JD | |||
<ref name="tokentax-11182">[https://tokentax.co/ TokenTax | Crypto Tax Software and Accounting] (Jun 1, 2023)</ref> | <ref name="tokentax-11182">[https://tokentax.co/ TokenTax | Crypto Tax Software and Accounting] (Jun 1, 2023)</ref> | ||
<ref name="tokentax-11183">[https://tokentax.co/about About Us - TokenTax] (Jun 1, 2023)</ref> | |||
<ref name="tokentax-11183">[https://tokentax.co/about About Us - TokenTax] (Jun 1, 2023)</ref></references> | </references> | ||
Revision as of 11:48, 23 July 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Reddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount lost is mentioned. It does not appear he was able to recover any funds.
This exchange or platform is based in the United States, or the incident targeted people primarily in the United States.[1][2][3]
About Token Tax
"TokenTax’s first version was created by co-founder Alex Miles back in 2017. This initial product imported data directly from Coinbase, and it won the Product Hunt Global Hackathon. Soon after, co-founder Zac McClure joined. Before starting TokenTax, Alex worked as a product designer for Readmill and Dropbox. Zac worked in impact capital, nonprofit corporate and legal structuring, investment banking, and as a mathematics teacher.
In 2019, TokenTax acquired Crypto CPAs, a cryptocurrency tax accounting firm led by CPA Andrew Perlin.
Now, TokenTax calculates cryptocurrency taxes and provides tax and accounting services for thousands of crypto investors around the world."
"Crypto taxes can be complex. But they don’t have to be painful. We‘re crypto tax calculation software, but we’re also a full-service crypto tax accounting firm."
"Crypto tax software + Crypto tax experts. When technology and human expertise combine, even the most sophisticated crypto tax cases can be stress free."
"People don’t love taxes. But they do love us."
"Big or small, we’ve seen it all. Our team has the experience to support every exchange or wallet and tackle crypto tax situations that range from HODLers to hedge funds."
"We offer advanced cryptocurrency reconciliation services. That means we can analyze your transaction history to backfill missing or incorrect data."
The Reality
TBD
What Happened
SPT0615-JD held an account at a major US exchange, and set up an API key on its platform with "all three permissions" enabled. He provided this API key to the TokenTax software. The API key was breached, and his funds were stolen from his exchange account.
| Date | Event | Description |
|---|---|---|
| January 12th, 2022 5:19:16 PM MST | Reddit Post | Situation is posted on Reddit[6][1]. |
| January 12th, 2022 6:18:55 PM MST | Additional Details | SPT0615-JD reports that they were using a major US exchange at the time. He suggests that perhaps his "brain was fried" and he "made a mistake" in enabling "all three permissions" on the API key[7]. |
| January 12th, 2022 6:02:34 PM MST | Additional Details | [3] TBD integrate. |
Technical Details
Based on the available information, it appears that SPT0615-JD provided TokenTax with an API key that had "all three permissions" enabled on his account at an unspecified major US exchange. The TokenTax service was subsequently breached, and malicious actors used the API key to drain funds from his account.
"Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake."
"Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely.
Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account."
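The following added example (not part of the original case study and not TokenTax's code) shows the control at issue in this section: a service that ingests exchange API keys refuses any key that grants more than read-only access, and audits keys it already holds. The permission names `view`, `trade` and `transfer`, the metadata shape, and the premise that the exchange reports a key's permissions to the service are assumptions; the sources only mention "all three permissions", transfers, and "read only".

```python
from dataclasses import dataclass

# Assumed permission names (hypothetical, not taken from any real exchange API).
ALLOWED = frozenset({"view"})                    # what a tax importer needs
KNOWN = frozenset({"view", "trade", "transfer"})  # the assumed "three permissions"


class KeyRejected(Exception):
    """Raised when a key must not be stored by the service."""


@dataclass(frozen=True)
class KeyMetadata:
    key_id: str
    permissions: frozenset


def parse_metadata(raw):
    """Normalise exchange-reported key metadata, failing closed on anything odd."""
    key_id = raw.get("key_id")
    perms = raw.get("permissions")
    if not isinstance(key_id, str) or not key_id:
        raise KeyRejected("missing key_id")
    if not isinstance(perms, list) or not perms:
        raise KeyRejected(f"{key_id}: exchange returned no permission list")
    if not all(isinstance(p, str) for p in perms):
        raise KeyRejected(f"{key_id}: malformed permission entry")
    normalised = frozenset(p.strip().lower() for p in perms)
    unknown = normalised - KNOWN
    if unknown:
        # An unrecognised permission may grant more than expected: reject.
        raise KeyRejected(f"{key_id}: unknown permissions {sorted(unknown)}")
    return KeyMetadata(key_id, normalised)


def excess_permissions(meta):
    """Permissions beyond read-only, sorted for stable reporting."""
    return sorted(meta.permissions - ALLOWED)


def admit_key(raw):
    """Gate applied before a newly submitted key is stored."""
    meta = parse_metadata(raw)
    excess = excess_permissions(meta)
    if excess:
        raise KeyRejected(f"{meta.key_id}: not read-only, also grants {excess}")
    return meta


def audit_stored(records):
    """Re-check keys already held; returns {key_id: excess permissions or error}."""
    findings = {}
    for raw in records:
        try:
            meta = parse_metadata(raw)
        except KeyRejected as err:
            findings[str(raw.get("key_id") or "<unknown>")] = [str(err)]
            continue
        excess = excess_permissions(meta)
        if excess:
            findings[meta.key_id] = excess
    return findings


# Constructed sample records, not data from the incident.
SAMPLE_KEYS = [
    {"key_id": "key-readonly", "permissions": ["view"]},
    {"key_id": "key-all-three", "permissions": ["View", "Trade", "Transfer"]},
    {"key_id": "key-odd", "permissions": ["view", "margin"]},
]

if __name__ == "__main__":
    for key_id, problem in audit_stored(SAMPLE_KEYS).items():
        print(key_id, "->", problem)
```

The audit pass matters for a case like this one, where the key reportedly carried its permissions from creation and had been stored since 2020: an admission gate added later does nothing for keys already on file.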
Total Amount Lost
The total amount lost is unknown.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Original Post To Reddit
"I recently got hacked through my exchange API key linked to a popular tax service, all my funds were drained overnight. I somehow had transfers enabled on the API key which was my goof, but the fact of the matter is that the tax service seems to have lost control over their API keys or it was an inside job.
The API key had been copied from exchange and pasted into tax service on a clean corporate computer, and was never documented anywhere else. The exchange account was also highly secure (google auth, unique and regularly rolled password, clean devices), and there is no chance this was an issue with the exchange itself. This was a 100% verifiable loss of funds due to a compromised API key deriving from the tax service itself, whether through an inside job or through a leak.
I'm trying to connect with other victims as we may have stronger possibility of winning a case against the service if we can work together. There is strong evidence of another affected user. Please DM or comment if you were affected!! Even folks with read only keys may also be at risk of their data leaking from this site if this is confirmed.
Thanks for reading, also please don't disparage me for having the wrong permissions enabled in the first place, I know I already done goofed and I feel terrible about it.
Ps: I'm not naming the tax service for now as there is no reason to yet and I don't want to get hit with a stupid libel suit in the meantime."
Reactions To Reddit Report
Several users attempted to assist and get more details on Reddit[8][9].
"OP you really need to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done."
"Are you able to get transaction details of where the stolen crypto ended up? Try to trace it to an exchange and reach out to them."
Ultimate Outcome
Further Investigation With Team
"Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely.
Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account."
Reported CEO Dismissive Reactions
"The CEO asked me to call him directly and was extremely dismissive and refused to commit to investigating anything. He made claims that they "prevent API keys with the wrong permissions from being added in the first place", which isn't true. All he would say is "we haven't seen anyone access your key or anything else". It really feels like he isn't taking it seriously that this has wide implications to his overall customer base."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
Set up separate email addresses for each service, and avoid providing your phone number whenever possible. Any received emails or phone calls must be viewed with scrutiny, especially if unsolicited. Interact with companies only through their official websites and confirm anything with the company directly via multiple official sources, especially if it promises a significant incentive to take an action or threatens access to your funds if an action is not taken. It is also recommended to establish a network of multiple trusted individuals who use the same services and have a strong level of security knowledge.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit Archive January 12th, 2022 6:24:01 PM MST (May 29, 2023)
2. SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. (May 29, 2023)
3. SPT0615-JD - "Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. ... Also there was zero evidence that anyone actually got into the account." - Reddit Archive January 12th, 2022 6:05:00 PM MST (May 29, 2023)
4. TokenTax | Crypto Tax Software and Accounting (Jun 1, 2023)
5. About Us - TokenTax (Jun 1, 2023)
6. SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit (May 29, 2023)
7. SPT0615-JD - "Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake." - Reddit (May 29, 2023)
8. Bucksaway03 - "OP you really need to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done." - Reddit (Jul 23, 2023)
9. Tradegrow - "Are you able to get transaction details of where the stolen crypto ended up? Try to trace it to an exchange and reach out to them." - Reddit (Oct 3, 2022)