Vircurex Exchange Hack: Difference between revisions
No edit summary |
(Another 30 minutes complete. Reviewing information and more about lawsuit to try to gain any blockchain data.) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Case Study Under Construction}} | {{Case Study Under Construction}}[[File:Vircurex.jpg|thumb|Vircurex Homepage/Logo]]Vircurex was a virtual currency exchange which supported trading in bitcoin and various alternative blockchains. In January 2013, multiple wallets with customer funds were reportedly compromised. The platform reopened and went on to be breached again in May 2013. Customers were not provided with the full details of the platform's solvency, and large withdrawals which happened in March 2014 ultimately brought the platform to a close. It appears that legal actions continue, having been complicated by the operators providing false information about their location. | ||
== About Vircurex == | |||
Vircurex was a Beijing-based virtual currency exchange<ref name="coindesk-179" /> which was operational since October 2011<ref name="coindesk-179" /><ref name=":5">[https://www.financemagnates.com/cryptocurrency/news/vircurex-faces-class-action-lawsuit/ Vircurex Faces Class-Action Lawsuit - Finance Magnates] (Jan 4, 2024)</ref>. | |||
Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin<ref name=":0" />. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, however they've eliminated some less popular coins over time<ref name="coindesk-179" />. | |||
= | Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies<ref name=":5">[https://www.financemagnates.com/cryptocurrency/news/vircurex-faces-class-action-lawsuit/ Vircurex Faces Class-Action Lawsuit - Finance Magnates] (Jan 4, 2024)</ref>. | ||
Vircurex | |||
The exchange offered deposits and withdrawals in both USD and EUR<ref name=":0" />. The homepage of the website featured pricing tables for all supported coins<ref name=":0" />.<blockquote>Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. | |||
Homepage: vircurex.com<ref>[https://web.archive.org/web/20130424071356/https://vircurex.com/ Vircurex Exchange Homepage] (Dec 11, 2023)</ref> | We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin</blockquote>Homepage: vircurex.com<ref name=":0">[https://web.archive.org/web/20130424071356/https://vircurex.com/ Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT] (Dec 11, 2023)</ref> | ||
== The Reality == | == The Reality == | ||
The Vircurex platform | The Vircurex platform wallets were vulnerable. | ||
=== False Information About Location === | |||
TBD | |||
== What Happened == | == What Happened == | ||
The | The Vircurex wallets were breached and funds were stolen. | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Vircurex Exchange Hack | |+Key Event Timeline - Vircurex Exchange Hack | ||
| Line 20: | Line 25: | ||
!Event | !Event | ||
!Description | !Description | ||
|- | |||
|January 11th, 2013 5:19:25 AM MST | |||
|BitcoinTalk Thread Posted | |||
|An initial post is made on the BitcoinTalk forums "to announce that [the Vircurex] wallet has been compromised" and "DO NOT send any further funds to any of the coin wallets"<ref name=":1">[https://bitcointalk.org/index.php?topic=135919.0 VIRCUREX - BitcoinTalk] (Dec 12, 2023)</ref><ref name=":2">[https://web.archive.org/web/20130304224610/https://bitcointalk.org/index.php?topic=135919.0 VIRCUREX !!! IMPORTANT !!! - BitcoinTalk Archive March 4th, 2013 3:46:10 PM MST] (Dec 12, 2023)</ref>. | |||
|- | |||
|January 11th, 2013 6:58:50 AM MST | |||
|Attribution to Ruby on Rails Vulnerability | |||
|In a follow up response, the incident is attributed to a Ruby on Rails vulnerability<ref name=":1" />. TBD expand with more details.<ref name=":3">https://web.archive.org/web/20130304224610/http://www.exploit-db.com/exploits/24019/ (Dec 12, 2023)</ref><ref name=":4">http://www.exploit-db.com/exploits/24019/ (Dec 12, 2023)</ref> | |||
|- | |- | ||
|January 11th, 2013 | |January 11th, 2013 | ||
|Date Of Incident | |Date Of Incident | ||
|The widely referenced date of the incident<ref name="bitcoinexchangeguide-218" />. | |The widely referenced date of the incident<ref name="bitcoinexchangeguide-218" /><ref name="kylegibson-86" />. | ||
|- | |||
|March 16th, 2013 4:11:48 AM MDT | |||
|BitcoinTalk Thread Editted | |||
|The BitcoinTalk thread is edited, however it appears that only the title was modified from "VIRCUREX !!! IMPORTANT !!!" to just "VIRCUREX"<ref name=":1" /><ref name=":2" /> | |||
|- | |||
|March 3rd, 2014 9:44:52 AM MST | |||
|Bitcoin Withdrawal Error Appearing | |||
|Users almightyruler and Littleshop report that they have received an error "Do you have a pop-up blocke[r] active or did you manually change the URL?" when attempting to withdraw bitcoin from the platform. It's mentioned that withdrawals are temporarily stopped at this time<ref>[https://bitcointalk.org/index.php?topic=49383.720 Re: closed - BitcoinTalk] (Dec 14, 2023)</ref>. This is later included in a CoinDesk article<ref name="coindesk-179" />. | |||
|- | |||
|March 23rd, 2014 6:01:00 PM MDT | |||
|CoinDesk Reports Funds Frozen | |||
|CoinDesk reports that the Vircurex platform has announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests. The article mentions the shortfall and freeze of BTC/LTC withdrawals in January 2013 after reporting compromised wallets. "The company pledged to cover the losses from its own income and had been doing so until yesterday, when "large fund withdrawals in the last weeks" completely depleted its cold wallet reserves." At this point, the company plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledges to gradually pay back the losses, emphasizing that it does not intend to shut down. The recent freeze is attributed to large fund withdrawals depleting its cold wallet reserves. The incident raises concerns about exchanges operating fractional reserve systems, leading to calls for proof of reserves through secure cryptographic methods<ref name="coindesk-179" />. | |||
|- | |||
|April 18th, 2014 7:56:22 PM MDT | |||
|Included In BitcoinTalk List | |||
|A Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12, although this list includes [[Vircurex Second Exchange Hack|the second Vircurex hack which happened in May 2013]], and not the January 2013 hack<ref name="bitcointalklist-87" />. | |||
|- | |- | ||
| | |January 2016 | ||
| | |Last Payment From Exchange | ||
| | |The exchange makes it's last repayment to affected users<ref name=":5" />. | ||
|- | |- | ||
|January 12th, 2018 11:00:48 AM MST | |January 12th, 2018 11:00:48 AM MST | ||
|CoinDesk Report Of Lawsuit | |CoinDesk Report Of Lawsuit | ||
|CoinDesk reports that former customers of the cryptocurrency exchange Vircurex are suing the platform four years after it froze their funds and allegedly failed to repay them. Filed in the U.S. District Court in Colorado, the lawsuit accuses Vircurex of breach of contract, conversion of funds, fraud, and unjust enrichment. The complaint details how only a few account holders received their funds after the exchange froze withdrawals due to claimed insufficient reserves, with approximately $50 million collectively frozen in accounts. Despite the loss, Vircurex has allowed customers to deposit funds over the past four years and continues to operate. The lawsuit alleges deceptive statements and false promises by Vircurex, accusing the exchange of attempting to evade accountability<ref name="coindesk-178" />. | |CoinDesk reports that former customers of the cryptocurrency exchange Vircurex are suing the platform four years after it froze their funds and allegedly failed to repay them. Filed in the U.S. District Court in Colorado, the lawsuit accuses Vircurex of breach of contract, conversion of funds, fraud, and unjust enrichment. The complaint details how only a few account holders received their funds after the exchange froze withdrawals due to claimed insufficient reserves, with approximately $50 million collectively frozen in accounts. Despite the loss, Vircurex has allowed customers to deposit funds over the past four years and continues to operate. The lawsuit alleges deceptive statements and false promises by Vircurex, accusing the exchange of attempting to evade accountability<ref name="coindesk-178" />. | ||
|- | |||
|January 15th, 2018 1:39:08 AM MST | |||
|Finance Magnate Article | |||
|Finance Magnate also reports details of the lawsuit<ref name=":5" />. Cryptocurrency exchange Vircurex is facing a class-action lawsuit for failing to return approximately $50 million worth of frozen assets to its customers. In 2014, the exchange froze withdrawals due to insufficient funds, exacerbated by major hacks in 2013 and increased withdrawal requests following the Mt. Gox incident. While assuring users they would eventually receive their funds, the last payment occurred in January 2016. The lawsuit, filed by customer Timothy Shaw in Colorado District Court, accuses Vircurex's founder, Andreas Eckert, and an unknown Chinese national of deceptive statements and false promises, seeking recovery for the frozen funds totaling 1,666 BTC, 124,763 LTC, and 78,782 TRC<ref name=":5" />. | |||
|- | |||
|February 27th, 2019 11:31:32 AM MST | |||
|Inclusion In Kyle Gibson Timeline | |||
|Kyle Gibson includes the incident in his "100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents"<ref name="kylegibson-86" />. The incident is listed as a "Hack - Theft". References are provided to BitcoinTalk and CoinDesk. | |||
|- | |- | ||
|May 7th, 2019 7:49:57 PM MDT | |May 7th, 2019 7:49:57 PM MDT | ||
| Line 39: | Line 76: | ||
== Technical Details == | == Technical Details == | ||
<ref name=":3" /><ref name=":4" /><blockquote>Further update: The system was not breached, no passwords were compromised (they are salted and multiple times hashed anyways). The attacker used a RubyOnRails vulnerability that was released yesterday (<nowiki>http://www.exploit-db.com/exploits/24019/</nowiki>) to withdraw the funds therefore.</blockquote> | |||
Yet more of its reserve funds were depleted by large withdrawals by some of its customers." | Yet more of its reserve funds were depleted by large withdrawals by some of its customers." | ||
TBD - review more of the BitcoinTalk thread<ref name=":1" />. | |||
== Total Amount Lost == | == Total Amount Lost == | ||
BitcoinExchangeGuide reports the loss as "1.666 Bitcoin" or "$50.000k" USD<ref name="bitcoinexchangeguide-218" />. | BitcoinExchangeGuide reports the loss as "1.666 Bitcoin" or "$50.000k" USD<ref name="bitcoinexchangeguide-218" />. | ||
Kyle Gibson reports the loss as "1666" and "50,000,000.00"<ref name="kylegibson-86" />'''.''' | |||
The total amount lost has been estimated at $50,000,000 USD. | The total amount lost has been estimated at $50,000,000 USD. | ||
| Line 52: | Line 92: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
Vircurex representatives announced the breach on the BitcoinTalk forums<ref name=":1" />. | |||
=== BitcoinTalk Thread Posted === | |||
BitcoinTalk user Kumala posted a notice to the BitcoinTalk forums about a wallet compromise<ref name=":1" />.<blockquote>We sadly need to announce that our wallet has been compromised thus DO NOT send any further funds to any of the coin wallets, BTC, DVC, LTC, etc. We will setup a new wallet and reset all the addresses. This will most likely take the whole weekend.</blockquote>TBD - review more of the BitcoinTalk thread<ref name=":1" />. | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
TBD - Review more of the BitcoinTalk thread<ref name=":1" />. | |||
TBD - Review more of the lawsuit<ref>[https://www.courthousenews.com/wp-content/uploads/2018/01/Shaw-Vircurex-COMPLAINT.pdf Shaw Vircurex Complaint] (Jan 4, 2024)</ref> | |||
"In 2014, the exchange reported it was near insolvency after losing large amounts of its reserve funds. According to the lawsuit, part of this loss came from “two purported hacks the exchange experienced in mid-2013.” | "In 2014, the exchange reported it was near insolvency after losing large amounts of its reserve funds. According to the lawsuit, part of this loss came from “two purported hacks the exchange experienced in mid-2013.” | ||
| Line 66: | Line 110: | ||
“In a lawsuit filed in the U.S. District Court in Colorado, a former Vircurex customer accuses the exchange of breach of contract, conversion of funds, fraud and unjust enrichment. The suit explained how only a few of the account holders had received their funds after the exchange froze all withdrawals due to a claimed lack of reserves. At present, the frozen accounts contain a combined $50 million.” “Vircurex’s steps to prevent its customers from suing included stating it was incorporated in Belize, which it is not, as well as indicating it might be based in Beijing. The lawsuit states the exchange is actually based out of Germany, but has never been legally incorporated in any jurisdiction, meaning it is not recognized as a formal business by any government.” | “In a lawsuit filed in the U.S. District Court in Colorado, a former Vircurex customer accuses the exchange of breach of contract, conversion of funds, fraud and unjust enrichment. The suit explained how only a few of the account holders had received their funds after the exchange froze all withdrawals due to a claimed lack of reserves. At present, the frozen accounts contain a combined $50 million.” “Vircurex’s steps to prevent its customers from suing included stating it was incorporated in Belize, which it is not, as well as indicating it might be based in Beijing. The lawsuit states the exchange is actually based out of Germany, but has never been legally incorporated in any jurisdiction, meaning it is not recognized as a formal business by any government.” | ||
=== Hack Again Later In 2013 === | |||
Vircurex was [[Vircurex Second Exchange Hack|hacked again later in 2013]]<ref>https://web.archive.org/web/20140323195552/https://vircurex.com/welcome/ann_reserved.html</ref>. | |||
=== Ultimate Freezing Of Funds === | |||
In March 2014, Vircurex announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests<ref name="coindesk-179" />. The company announced plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledges to gradually pay back the losses, emphasizing that it does not intend to shut down. Vircurex faced a reserve shortfall previously, freezing BTC/LTC withdrawals in January 2013 after reporting compromised wallets. The recent freeze is attributed to large fund withdrawals depleting its cold wallet reserves. | |||
=== Legal Action Brought Against Owners === | |||
With an anonymous exchange operator, once the hacks occurred, neither hack was revealed until far later. The exchange even lied about where they were based in an effort to prevent a lawsuit from occurring. | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
Vircurex continued to pay out funds to affected users until January 2016<ref name="coindesk-178" />, however the total amount fell far short of what had originally been lost. | |||
== Ongoing Developments == | == Ongoing Developments == | ||
There is presently legal action being taken against the operators of the Vircurex exchange. | |||
== General Prevention Policies == | == General Prevention Policies == | ||
Coming soon. | Coming soon. | ||
| Line 93: | Line 144: | ||
== References == | == References == | ||
<references> | <references> | ||
<ref name="kylegibson-86">[https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents] (Jan 25, 2020)</ref> | <ref name="kylegibson-86">[https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson] (Jan 25, 2020)</ref> | ||
<ref name="bitcointalklist-87">[https://bitcointalk.org/index.php?topic=576337 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses] (Feb 15, 2020)</ref> | <ref name="bitcointalklist-87">[https://bitcointalk.org/index.php?topic=576337 dree12 - List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk] (Feb 15, 2020)</ref> | ||
<ref name="coindesk-178">[https://www.coindesk.com/former-customers-sue-vircurex-exchange-over-frozen-crypto-funds Former Customers Sue Crypto Exchange Vircurex Over Frozen Funds - CoinDesk] (Feb 29, 2020)</ref> | <ref name="coindesk-178">[https://www.coindesk.com/former-customers-sue-vircurex-exchange-over-frozen-crypto-funds Former Customers Sue Crypto Exchange Vircurex Over Frozen Funds - CoinDesk] (Feb 29, 2020)</ref> | ||
<ref name="coindesk-179">[https://www.coindesk.com/exchange-vircurex-freezes-withdrawals-claims-lack-reserves Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk] (Feb 29, 2020)</ref> | <ref name="coindesk-179">[https://web.archive.org/web/20210919020219/https://www.coindesk.com/markets/2014/03/24/exchange-vircurex-freezes-withdrawals-claims-lack-of-reserves/ Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT] (Feb 29, 2020)</ref> | ||
<ref name="bitcoinexchangeguide-218">[https://web.archive.org/web/20200413134528/https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com Archive April 13th, 2020 7:45:28 AM MDT] (Mar 5, 2020)</ref> | <ref name="bitcoinexchangeguide-218">[https://web.archive.org/web/20200413134528/https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com Archive April 13th, 2020 7:45:28 AM MDT] (Mar 5, 2020)</ref> | ||
</references> | </references> | ||
Latest revision as of 12:16, 4 January 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Vircurex was a virtual currency exchange which supported trading in bitcoin and various alternative blockchains. In January 2013, multiple wallets with customer funds were reportedly compromised. The platform reopened and went on to be breached again in May 2013. Customers were not provided with the full details of the platform's solvency, and large withdrawals which happened in March 2014 ultimately brought the platform to a close. It appears that legal actions continue, having been complicated by the operators providing false information about their location.
About Vircurex
Vircurex was a Beijing-based virtual currency exchange[1] which was operational since October 2011[1][2].
Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin[3]. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, however they've eliminated some less popular coins over time[1].
Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies[2].
The exchange offered deposits and withdrawals in both USD and EUR[3]. The homepage of the website featured pricing tables for all supported coins[3].
Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin
Homepage: vircurex.com[3]
The Reality
The Vircurex platform wallets were vulnerable.
False Information About Location
TBD
What Happened
The Vircurex wallets were breached and funds were stolen.
| Date | Event | Description |
|---|---|---|
| January 11th, 2013 5:19:25 AM MST | BitcoinTalk Thread Posted | An initial post is made on the BitcoinTalk forums "to announce that [the Vircurex] wallet has been compromised" and "DO NOT send any further funds to any of the coin wallets"[4][5]. |
| January 11th, 2013 6:58:50 AM MST | Attribution to Ruby on Rails Vulnerability | In a follow up response, the incident is attributed to a Ruby on Rails vulnerability[4]. TBD expand with more details.[6][7] |
| January 11th, 2013 | Date Of Incident | The widely referenced date of the incident[8][9]. |
| March 16th, 2013 4:11:48 AM MDT | BitcoinTalk Thread Editted | The BitcoinTalk thread is edited, however it appears that only the title was modified from "VIRCUREX !!! IMPORTANT !!!" to just "VIRCUREX"[4][5] |
| March 3rd, 2014 9:44:52 AM MST | Bitcoin Withdrawal Error Appearing | Users almightyruler and Littleshop report that they have received an error "Do you have a pop-up blocke[r] active or did you manually change the URL?" when attempting to withdraw bitcoin from the platform. It's mentioned that withdrawals are temporarily stopped at this time[10]. This is later included in a CoinDesk article[1]. |
| March 23rd, 2014 6:01:00 PM MDT | CoinDesk Reports Funds Frozen | CoinDesk reports that the Vircurex platform has announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests. The article mentions the shortfall and freeze of BTC/LTC withdrawals in January 2013 after reporting compromised wallets. "The company pledged to cover the losses from its own income and had been doing so until yesterday, when "large fund withdrawals in the last weeks" completely depleted its cold wallet reserves." At this point, the company plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledges to gradually pay back the losses, emphasizing that it does not intend to shut down. The recent freeze is attributed to large fund withdrawals depleting its cold wallet reserves. The incident raises concerns about exchanges operating fractional reserve systems, leading to calls for proof of reserves through secure cryptographic methods[1]. |
| April 18th, 2014 7:56:22 PM MDT | Included In BitcoinTalk List | A Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12, although this list includes the second Vircurex hack which happened in May 2013, and not the January 2013 hack[11]. |
| January 2016 | Last Payment From Exchange | The exchange makes it's last repayment to affected users[2]. |
| January 12th, 2018 11:00:48 AM MST | CoinDesk Report Of Lawsuit | CoinDesk reports that former customers of the cryptocurrency exchange Vircurex are suing the platform four years after it froze their funds and allegedly failed to repay them. Filed in the U.S. District Court in Colorado, the lawsuit accuses Vircurex of breach of contract, conversion of funds, fraud, and unjust enrichment. The complaint details how only a few account holders received their funds after the exchange froze withdrawals due to claimed insufficient reserves, with approximately $50 million collectively frozen in accounts. Despite the loss, Vircurex has allowed customers to deposit funds over the past four years and continues to operate. The lawsuit alleges deceptive statements and false promises by Vircurex, accusing the exchange of attempting to evade accountability[12]. |
| January 15th, 2018 1:39:08 AM MST | Finance Magnate Article | Finance Magnate also reports details of the lawsuit[2]. Cryptocurrency exchange Vircurex is facing a class-action lawsuit for failing to return approximately $50 million worth of frozen assets to its customers. In 2014, the exchange froze withdrawals due to insufficient funds, exacerbated by major hacks in 2013 and increased withdrawal requests following the Mt. Gox incident. While assuring users they would eventually receive their funds, the last payment occurred in January 2016. The lawsuit, filed by customer Timothy Shaw in Colorado District Court, accuses Vircurex's founder, Andreas Eckert, and an unknown Chinese national of deceptive statements and false promises, seeking recovery for the frozen funds totaling 1,666 BTC, 124,763 LTC, and 78,782 TRC[2]. |
| February 27th, 2019 11:31:32 AM MST | Inclusion In Kyle Gibson Timeline | Kyle Gibson includes the incident in his "100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents"[9]. The incident is listed as a "Hack - Theft". References are provided to BitcoinTalk and CoinDesk. |
| May 7th, 2019 7:49:57 PM MDT | Inclusion In BitcoinExchangeGuide | The incident is included as a "Hack / Theft" in a published list by BitcoinExchangeGuide.com[8]. |
Technical Details
Further update: The system was not breached, no passwords were compromised (they are salted and multiple times hashed anyways). The attacker used a RubyOnRails vulnerability that was released yesterday (http://www.exploit-db.com/exploits/24019/) to withdraw the funds therefore.
Yet more of its reserve funds were depleted by large withdrawals by some of its customers." TBD - review more of the BitcoinTalk thread[4].
Total Amount Lost
BitcoinExchangeGuide reports the loss as "1.666 Bitcoin" or "$50.000k" USD[8].
Kyle Gibson reports the loss as "1666" and "50,000,000.00"[9].
The total amount lost has been estimated at $50,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
Vircurex representatives announced the breach on the BitcoinTalk forums[4].
BitcoinTalk Thread Posted
BitcoinTalk user Kumala posted a notice to the BitcoinTalk forums about a wallet compromise[4].
We sadly need to announce that our wallet has been compromised thus DO NOT send any further funds to any of the coin wallets, BTC, DVC, LTC, etc. We will setup a new wallet and reset all the addresses. This will most likely take the whole weekend.
TBD - review more of the BitcoinTalk thread[4].
Ultimate Outcome
TBD - Review more of the BitcoinTalk thread[4].
TBD - Review more of the lawsuit[13]
"In 2014, the exchange reported it was near insolvency after losing large amounts of its reserve funds. According to the lawsuit, part of this loss came from “two purported hacks the exchange experienced in mid-2013.”
“The freeze will affect all bitcoin, litecoin, feathercoin and terracoin withdrawals. A message on Vircurex’s site says it will create a new balance type called ‘Frozen Funds’ covering all balances in the aforementioned currencies. The company maintains it won’t be shutting down, saying it intends to “gradually pay back the losses”.”
“That Vircurex had a reserve shortfall had been known for some time, though not the exact amount. It froze BTC/LTC withdrawals in January 2013 after reporting that wallets had been compromised, but still allowed deposits in those currencies to continue.”
“In a lawsuit filed in the U.S. District Court in Colorado, a former Vircurex customer accuses the exchange of breach of contract, conversion of funds, fraud and unjust enrichment. The suit explained how only a few of the account holders had received their funds after the exchange froze all withdrawals due to a claimed lack of reserves. At present, the frozen accounts contain a combined $50 million.” “Vircurex’s steps to prevent its customers from suing included stating it was incorporated in Belize, which it is not, as well as indicating it might be based in Beijing. The lawsuit states the exchange is actually based out of Germany, but has never been legally incorporated in any jurisdiction, meaning it is not recognized as a formal business by any government.”
Hack Again Later In 2013
Vircurex was hacked again later in 2013[14].
Ultimate Freezing Of Funds
In March 2014, Vircurex announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests[1]. The company announced plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledges to gradually pay back the losses, emphasizing that it does not intend to shut down. Vircurex faced a reserve shortfall previously, freezing BTC/LTC withdrawals in January 2013 after reporting compromised wallets. The recent freeze is attributed to large fund withdrawals depleting its cold wallet reserves.
Legal Action Brought Against Owners
With an anonymous exchange operator, once the hacks occurred, neither hack was revealed until far later. The exchange even lied about where they were based in an effort to prevent a lawsuit from occurring.
Total Amount Recovered
Vircurex continued to pay out funds to affected users until January 2016[12], however the total amount fell far short of what had originally been lost.
Ongoing Developments
There is presently legal action being taken against the operators of the Vircurex exchange.
General Prevention Policies
Coming soon.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 1.2 1.3 1.4 1.5 Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT (Feb 29, 2020)
- ↑ 2.0 2.1 2.2 2.3 2.4 Vircurex Faces Class-Action Lawsuit - Finance Magnates (Jan 4, 2024)
- ↑ 3.0 3.1 3.2 3.3 Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT (Dec 11, 2023)
- ↑ 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 VIRCUREX - BitcoinTalk (Dec 12, 2023)
- ↑ 5.0 5.1 VIRCUREX !!! IMPORTANT !!! - BitcoinTalk Archive March 4th, 2013 3:46:10 PM MST (Dec 12, 2023)
- ↑ 6.0 6.1 https://web.archive.org/web/20130304224610/http://www.exploit-db.com/exploits/24019/ (Dec 12, 2023)
- ↑ 7.0 7.1 http://www.exploit-db.com/exploits/24019/ (Dec 12, 2023)
- ↑ 8.0 8.1 8.2 Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com Archive April 13th, 2020 7:45:28 AM MDT (Mar 5, 2020)
- ↑ 9.0 9.1 9.2 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
- ↑ Re: closed - BitcoinTalk (Dec 14, 2023)
- ↑ dree12 - List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
- ↑ 12.0 12.1 Former Customers Sue Crypto Exchange Vircurex Over Frozen Funds - CoinDesk (Feb 29, 2020)
- ↑ Shaw Vircurex Complaint (Jan 4, 2024)
- ↑ https://web.archive.org/web/20140323195552/https://vircurex.com/welcome/ann_reserved.html