Coinapult Hot Wallet Hack: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Another 30 minutes. Integrated information from Reddit post and Bitcoin Wiki. Improved the wiki article summary and information on investment seed round. Started analysis of breach information as available in the Google Doc.)
(Update to add prevention and remove templates.)
Latest revision as of 15:20, 24 March 2024

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Coinapult Logo/Homepage

Coinapult was a Panama-based wallet service. In March 2015, the service was breached and 150 bitcoin were stolen. The breach does not appear to have affected any customer deposits, although the level of service users reported from the platform declined in the following years.

About Coinapult

Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike[1][2]. Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS[1][2]. These features enabled users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages[1]. Additionally, Coinapult provided payment processing services for businesses, with no fees, guaranteed pricing, and daily bank settlements[1]. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees[1].

Locks, a feature offered by Coinapult, enabled users to easily receive, save, and spend Bitcoin while mitigating price volatility[1][2]. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price[1]. It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users[1][3].

Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments[1]. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features[1]. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins[1].

The Reality

The Coinapult platform was vulnerable.

What Happened

The Coinapult hot wallet was breached, and 150 BTC were taken.

Key Event Timeline - Coinapult Hot Wallet Hack

Date | Event | Description
July 18th, 2014 5:29:41 PM MDT | Locks Video Promotion | A video is put on YouTube to announce the Coinapult locks program[3].
September 30th, 2014 | Seed Investment Round | A seed investment round is conducted, with investors including "Bitcoin Opportunity Corp, Roger Ver, FirstMark Capital, Erik Voorhees, and Ira Miller"[2].
March 17th, 2015 11:55:00 AM MDT | Coinapult Under Maintenance | The Coinapult website is placed under maintenance, according to its homepage[4].
March 19th, 2015 3:01:58 AM MDT | Coinapult Website Notice Captured | The first capture of the Coinapult homepage carrying a notice for users. Coinapult states that it is investigating a security breach of the hot wallet and advises customers to stop sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses[4]. Updates are promised as they become available[4]. The company states that it has contained the situation and that all funds are safe except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and Coinapult will not re-enable its services until the attack vector is identified and patched[4]. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers[4].
November 13th, 2017 5:58:22 PM MST | Challenges Getting Out Funds | Reddit user ChrissMejia reports being a former employee of Coinapult and still having trouble getting their funds out of the exchange[5]. They reminisce about their positive experiences working at Coinapult in 2014 under CEO Ira Miller, praising the company, the team, and their software contributions[5]. However, they express disappointment with the company's subsequent changes, particularly after Ira's departure, leading them to move their coins to another platform[5]. They recount difficulties in accessing their account due to being locked out and facing challenges with account recovery[5]. Despite being a former employee, they feel ignored by Coinapult's support team, leading them to warn others to transfer their coins away from Coinapult promptly[5]. The update mentions the eventual return of their coins, albeit belatedly, expressing gratitude to Coinapult while highlighting the prolonged wait. Subsequent comments in the post echo similar experiences and concerns about Coinapult's decline in service quality[5].

Technical Details

On March 17, 2015, an unauthorized withdrawal of 150 BTC occurred from Coinapult's hot wallet, with no subsequent spending recorded. The breach analysis considered the Coinapult team members who held various levels of server access, including CEO Ira, IT Admin Zach, CTO GP, Developer Cindy, COO Justin, and Customer Service Robinson[6]. Investigation revealed suspicious activity on the finance server, including modifications to log files, and unusual network behavior on Zach's laptop that potentially indicated a man-in-the-middle attack. An outage at the data center and plans to transition IT services may also have been related to the incident's timing. Clues from the finance, API, and SaaS servers, combined into an objective timeline, provided insight into how the attack was executed. Robinson's account corroborated the timeline, indicating that anomalies were detected early. Next steps were forensic analysis of the hardware and data recovery efforts. Later updates clarified unrelated issues, such as a discrepancy in Zach's IP address. Plans included requesting access logs and surveillance footage from the data center to learn more about the outage[6].

Total Amount Lost

According to the homepage notice, the total loss is 150 bitcoin[4].

The total amount lost has been estimated at $43,000 USD.

Immediate Reactions

“Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.”

Coinapult updated their homepage to provide high level information about the breach and reassure users that their funds were safe[4].

“To summarize, Coinapult has the situation contained and all funds (minus the 150 BTC withdrawn last night) are safe. Investigations are ongoing to determine the method of attack. Until we are able to determine and patch the attack vector, we will not re-enable our services. If this takes more than a few days, we will refund customers manually.”

Ultimate Outcome

Service at Coinapult reportedly deteriorated over the years before the platform ultimately stopped functioning. Reddit user ChrissMejia reports being a former employee of Coinapult and still having trouble getting their funds out of the exchange[5]. They reminisce about their positive experiences working at Coinapult in 2014 under CEO Ira Miller, praising the company, the team, and their software contributions[5]. However, they express disappointment with the company's subsequent changes, particularly after Ira's departure, leading them to move their coins to another platform[5]. They recount difficulties in accessing their account due to being locked out and facing challenges with account recovery[5]. Despite being a former employee, they feel ignored by Coinapult's support team, leading them to warn others to transfer their coins away from Coinapult promptly[5]. The update mentions the eventual return of their coins, albeit belatedly, expressing gratitude to Coinapult while highlighting the prolonged wait. Subsequent comments in the post echo similar experiences and concerns about Coinapult's decline in service quality[5].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

It is unclear what investigation is underway.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
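The threshold check behind both policies above (at least 3 distinct key holders for platform spending, 4 of 7 delegate signatories for the industry fund), as an added Go example that is not Coinapult's code or part of this article. Key holders, the destination string and the amount are constructed placeholders; the point it shows is that one compromised hot-wallet key, however many times it signs, never counts as more than one approver.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Approval is one key holder's signature over a withdrawal request.
type Approval struct {
	Signer    int // index of the registered key holder
	Signature []byte
}

// requestDigest canonicalises the request so every signer commits to the same destination and amount.
func requestDigest(destination string, satoshis uint64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("withdraw|%s|%d", destination, satoshis)))
	return sum[:]
}

// Sign is performed by each holder on their own device; the key never lives on the hot wallet host.
func Sign(priv ed25519.PrivateKey, signer int, destination string, satoshis uint64) Approval {
	return Approval{Signer: signer, Signature: ed25519.Sign(priv, requestDigest(destination, satoshis))}
}

// Authorize releases funds only when at least threshold approvals verify under distinct registered
// holders' keys; a replayed key, a borrowed slot or a signature over another amount adds nothing.
func Authorize(holders []ed25519.PublicKey, threshold int, destination string, satoshis uint64, approvals []Approval) (bool, int) {
	digest, seen := requestDigest(destination, satoshis), map[int]bool{}
	for _, a := range approvals {
		if a.Signer >= 0 && a.Signer < len(holders) && !seen[a.Signer] && ed25519.Verify(holders[a.Signer], digest, a.Signature) {
			seen[a.Signer] = true // each registered holder counts at most once
		}
	}
	return len(seen) >= threshold, len(seen)
}

// NewHolders generates n independent key pairs (constructed for the example; real holders bring their own).
func NewHolders(n int) (pubs []ed25519.PublicKey, privs []ed25519.PrivateKey) {
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	return pubs, privs
}
```

The same Authorize call serves both policies by changing only the threshold and the registered holder set.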

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or at a major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14-month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References