ShapeShift Three Thefts: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(30 minutes. Organizing information and sources. Improving and making tables for the loss amounts of each attack. Detailed review of CoinTelegraph article and Reddit thread.)
(30 minutes. Preparing a draft promotion for Twitter. Reviewing significantly more media online to learn more about this case. Adding new sources to wiki.)
 
(5 intermediate revisions by the same user not shown)
Line 5: Line 5:
Without fully securing their system, they then proceeded to reopen the platform, not just once but twice. Even though the employee had been fired, he was able to use the UDP to provide details to another hacker - who accessed and withdrew more funds.
Without fully securing their system, they then proceeded to reopen the platform, not just once but twice. Even though the employee had been fired, he was able to use the UDP to provide details to another hacker - who accessed and withdrew more funds.


This exchange or platform is based in United States, or the incident targeted people primarily in United States.<ref name="crunchbase-2946" /><ref name="wikipedia-2944" /><ref name="coindesk-3038" /><ref name="newsdotbitcoin-3039" /><ref name="blockchaindotcom-3040" /><ref name=":5">[https://www.reddit.com/r/shapeshiftio/comments/4fcpui/update_for_monday_april_18th_on_the_shapeshift/ UPDATE for Monday, April 18th on the ShapeShift Hacking Incident - Reddit]</ref><ref name=":6">[https://cointelegraph.com/news/shapeshift-rebuilds-after-losing-230000-promised-to-be-back-wednesday Shapeshift Rebuilds After Losing $230,000, Promised to Be Back Wednesday - CoinTelegraph]</ref><ref name=":0">[https://web.archive.org/web/20160429180007/https://zh.scribd.com/doc/309591980/ShapeShift-Postmortem ShapeShift Postmortem - Scribd Archive April 29th, 2016 12:00:07 PM MDT] (Accessed Apr 1, 2024)</ref><ref name=":1">[https://hackingdistributed.com/2016/04/25/shapeshift-hack-simply-incredible/ The ShapeShift Hack: Simply Incredible - Hacking Distributed] (Accessed Apr 2, 2024)</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/ https://old.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/4gdxe9/comment/d2gy4iz/ https://old.reddit.com/r/Bitcoin/comments/4gdxe9/comment/d2gy4iz/]</ref>
This exchange or platform is based in United States, or the incident targeted people primarily in United States.<ref name="crunchbase-2946" /><ref name="coindesk-3038" /><ref name="newsdotbitcoin-3039" /><ref name="blockchaindotcom-3040" /><ref name=":5">[https://www.reddit.com/r/shapeshiftio/comments/4fcpui/update_for_monday_april_18th_on_the_shapeshift/ UPDATE for Monday, April 18th on the ShapeShift Hacking Incident - Reddit]</ref><ref name=":6">[https://cointelegraph.com/news/shapeshift-rebuilds-after-losing-230000-promised-to-be-back-wednesday Shapeshift Rebuilds After Losing $230,000, Promised to Be Back Wednesday - CoinTelegraph]</ref><ref name=":0">[https://web.archive.org/web/20160429180007/https://zh.scribd.com/doc/309591980/ShapeShift-Postmortem ShapeShift Postmortem - Scribd Archive April 29th, 2016 12:00:07 PM MDT] (Accessed Apr 1, 2024)</ref><ref name=":1">[https://hackingdistributed.com/2016/04/25/shapeshift-hack-simply-incredible/ The ShapeShift Hack: Simply Incredible - Hacking Distributed] (Accessed Apr 2, 2024)</ref><ref name=":7">[https://old.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/ Cornell Professor Doubts ShapeShift Story - Reddit] (Accessed Apr 5, 2024)</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/4gdxe9/comment/d2gy4iz/ https://old.reddit.com/r/Bitcoin/comments/4gdxe9/comment/d2gy4iz/]</ref><ref>[https://web.archive.org/web/20200607163632/https://www.coindesk.com/company/shapeshift/ ShapeShift Description - CoinDesk] (Accessed Apr 8, 2024)</ref><ref name=":8">[https://old.reddit.com/r/shapeshiftio/comments/4eolhy/update_on_last_weeks_hack_apr_13/ Update on Last Week's Hack - Apr 13 - Reddit] (Accessed Apr 8, 
2024)</ref><ref>https://www.linkedin.com/pulse/shapeshift-loses-230000-bitcoin-data-breach-blame-ilesh-dattani/</ref><ref>https://news.bitcoin.com/shapeshift-hack-funds-move/</ref><ref>https://www.ft.com/content/beeb2f8c-99ec-494b-aa76-a7be0bf9dae6</ref><ref>https://www.youtube.com/watch?v=LiYNafMs7f8</ref>


== About ShapeShift ==
== About ShapeShift ==
ShapeShift was founded on July 1st, 2014<ref name="wikipedia-2944" />, and operated out of Denver, Colorado<ref name="crunchbase-2946" />.
ShapeShift was founded on July 1st, 2014<ref name="wikipedia-2944" />, with their swapping services launching in August 2014<ref name=":9">[https://bitcoinist.com/interview-shapeshift-io-ceo-beorn-gonthier/ Interview with Shapeshift.io CEO Beorn Gonthier - Bitcoinist] (Accessed Apr 9, 2024)</ref>. The company operated out of Denver, Colorado<ref name="crunchbase-2946" />. The company operated on core principles of decentralization and user privacy<ref name=":9" />. ShapeShift CEO Erik Voorhees initially used the pseudonym Beorn Gonthier<ref name=":9" /><ref name=":10">[https://www.coindesk.com/markets/2015/03/10/shapeshift-raises-525k-reveals-erik-voorhees-as-creator/ ShapeShift Raises $525k, Reveals Erik Voorhees as Creator - CoinDesk] (Accessed Apr 9, 2024)</ref>.


In March 2015, ShapeShift secured a seed-stage investment of US$525,000 from Roger Ver and Barry Silbert<ref name="wikipedia-2944" /><ref name=":10" />, followed by an additional funding round in September 2015, raising a total of US$1.6 million from investors such as Digital Currency Group, Bitfinex, Bitcoin Capital, and Mardal Investments<ref name="wikipedia-2944" />. The company launched its iOS platform on June 2015, enabling users to exchange 25 digital currencies and value tokens<ref name="wikipedia-2944" />. On June 11, 2015, ShapeShift ceased its services in New York in response to the state's newly introduced regulatory framework for digital currency businesses known as the BitLicense, citing concerns that complying with these regulations would jeopardize users' personal and private data<ref name="wikipedia-2944" />.


"ShapeShift is a crypto platform, enabling customers to buy, sell, trade, track, send, receive, and interact with their digital assets." "ShapeShift calls itself the "safest asset exchange on Earth" and is used to convert between different virtual currencies." "ShapeShift is headquartered in Switzerland, but run out of Denver." "The company was founded July 1, 2014 in Switzerland by Erik Voorhees. In March 2015, it received a US$525,000 seed-stage investment by Roger Ver and Barry Silbert." "ShapeShift is a corporation organized and existing under the laws of the State of Delaware, with its principal place of business at 1624 Market Street, Suite 226 #29882, Denver, CO 80202."
Former Principle Address: 1624 Market Street, Suite 226 #29882, Denver, CO 80202
 
"ShapeShift initially distinguished itself in the industry as a non-custodial exchange that did not require customers to register or open accounts. Its team also initially used pseudonyms, with Voorhees utilizing the name ‘Beorn Gonthier’ - a Tolkien reference - until 2015. Similarly, in 2015 ShapeShift announced that it would stop serving New York residents after the state implemented the BitLicense, a regulation that would have required it to collect identifying information about customers. However, in 2018, the company launched a membership program that it said would eventually become mandatory for all of its users. It remains a non-custodial exchange."
 
"[T]o many, ShapeShift appears to be a simple web service. It’s taken a lot of work by our engineers to keep up that appearance. Behind the scenes, the platform is complex. Over 1,400 direct asset trading pairs, integrations with half a dozen exchange API’s requiring real-time price information on all offered cryptocurrencies, low-latency service API’s to several dozen partners, the monitoring and calculation of constantly changing exchange rates and order book depth in some of the most volatile markets on Earth, and incorporation of what can only be described as alpha-level software in various states of disarray (coin daemons…bleh)."
 
"Since its inception in the Spring of 2014, ShapeShift has been an evolving creature. What began as a quick experimental way to swap between Bitcoin and Litecoin grew into an advanced engine for the effortless exchange of all major blockchain assets, each one into the other, with no user friction. No user accounts. No signup process. It is the Google Translate of cryptocurrency."


=== Expansion Of Architecture Team ===
"And we’ve always been playing catch-up. Trying to build at the speed of this industry, not only along the vertical of Bitcoin proper, but along the breadth of all crypto, is a challenge."
"And we’ve always been playing catch-up. Trying to build at the speed of this industry, not only along the vertical of Bitcoin proper, but along the breadth of all crypto, is a challenge."


=== Expansion Of Architecture Team ===
"Last Fall, we realized the “minimum viable product” server architecture established originally for ShapeShift was insufficient. We needed a professional to join the small team, and craft a scalable, and secure, server apparatus upon which our technology could grow."
"Last Fall, we realized the “minimum viable product” server architecture established originally for ShapeShift was insufficient. We needed a professional to join the small team, and craft a scalable, and secure, server apparatus upon which our technology could grow."


"We hired such a person, and patted ourselves on the back for our proactive decision. On paper, he looked great; the reference we called confirmed his prior role and responsibility. He’d even been into Bitcoin since 2011/2012 and had built miners in his room. Awesome."
"We hired such a person, and patted ourselves on the back for our proactive decision. On paper, he looked great; the reference we called confirmed his prior role and responsibility. He’d even been into Bitcoin since 2011/2012 and had built miners in his room. Awesome."<blockquote>"[T]o many, ShapeShift appears to be a simple web service. It’s taken a lot of work by our engineers to keep up that appearance. Behind the scenes, the platform is complex. Over 1,400 direct asset trading pairs, integrations with half a dozen exchange API’s requiring real-time price information on all offered cryptocurrencies, low-latency service API’s to several dozen partners, the monitoring and calculation of constantly changing exchange rates and order book depth in some of the most volatile markets on Earth, and incorporation of what can only be described as alpha-level software in various states of disarray (coin daemons…bleh)."</blockquote>


== The Reality ==
== The Reality ==
The newly hired employee was dishonest and stole from ShapeShift, including adding backdoors onto their system.
The newly hired employee hadn't been properly background checked. It turned out that they were dishonest and stole from ShapeShift, and additionally added backdoors onto their system.<blockquote>"We learn some more things. [The thief employee] has prior police records in Florida, where he’s from." "With civil and criminal cases proceeding against him"</blockquote>
 
"We learn some more things. [The thief employee] has prior police records in Florida, where he’s from." "With civil and criminal cases proceeding against him, and with further discovery that [he] fled to Florida (leaving his dog to be temporarily cared for by his neighbor… who is now wondering where he is and hasn’t heard from him in weeks), we thought the case was basically closed. We’d get him somewhere, sooner or later. And, hopefully, we’d get our stolen property returned, or the fiat equivalent."


== What Happened ==
== What Happened ==
"In 2016, ShapeShift lost around $230,000 in three thefts over the course of four weeks in March and April, which it claimed were carried out by [this] company employee."
In 2016, ShapeShift lost around $230,000 in three thefts over the course of four weeks in March and April, which were carried out by a company employee and a Russian hacker who was granted backdoor access to their servers.  
{| class="wikitable"
{| class="wikitable"
|+Key Event Timeline - ShapeShift Three Thefts
|+Key Event Timeline - ShapeShift Three Thefts
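Review bot: the rewritten "What Happened" lead drops the attribution that the earlier text kept. The old line quotes CoinDesk ("which it claimed were carried out by [this] company employee"), while the new line states flatly that the thefts "were carried out by a company employee and a Russian hacker who was granted backdoor access to their servers". Later sections of this same page record that Emin Gün Sirer disputed that account, so the lead should keep the hedge, e.g. "which ShapeShift stated were carried out by a company employee and a Russian hacker ...". Two smaller points in this hunk: "UDP" (in "he was able to use the UDP to provide details") is never expanded anywhere on the page and should be spelled out on first use; and the four references appended to the end of the country sentence (linkedin, news.bitcoin.com, ft.com, youtube) are bare URLs, unlike every other reference in that sentence, which carries a title and an access date.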
Line 42: Line 35:
|ShapeShift Founded
|ShapeShift Founded
|ShapeShift is founded<ref name="crunchbase-2946" /><ref name="wikipedia-2944" />.
|ShapeShift is founded<ref name="crunchbase-2946" /><ref name="wikipedia-2944" />.
|-
|August 2014
|Services Launch
|The launch of the ShapeShift swapping services<ref name=":9" />.
|-
|February 4th, 2015 6:00:15 AM MST
|Bitcoinist Interview Published
|Bitcoinist published an interview with Shapeshift.io CEO, known at the time as Beorn Gonthier, where they discussed various aspects of the cryptocurrency industry and Shapeshift's role within it<ref name=":9" />. Gonthier highlighted Shapeshift's evolution from a simple exchange service to a full-fledged platform offering decentralized finance (DeFi) solutions<ref name=":9" />. He emphasized the importance of decentralization and user privacy, which are core principles for Shapeshift<ref name=":9" />. Gonthier also addressed the challenges facing the cryptocurrency industry, including regulatory compliance and the need for interoperability between different blockchain networks<ref name=":9" />. Additionally, he discussed the potential impact of emerging technologies such as non-fungible tokens (NFTs) and decentralized autonomous organizations (DAOs) on the industry's future landscape<ref name=":9" />. Gonthier expressed optimism about the continued growth and innovation in the cryptocurrency space, with Shapeshift poised to play a significant role in shaping its trajectory<ref name=":9" />.
|-
|March 10th, 2015 9:00:00 AM MDT
|CEO Identity Unmasked
|CoinDesk reported on ShapeShift having secured $525,000 in seed funding from investors Barry Silbert and Roger Ver<ref name=":10" />. CEO Erik Voorhees, previously operating under the alias Beorn Gonthier, revealed his identity as the creator of ShapeShift<ref name=":10" />. The funding will be allocated towards enhancing the exchange engine, marketing efforts, and legal work in Switzerland<ref name=":10" />. With a team of eight full-time staff, ShapeShift has seen a significant increase in volume, emphasizing trust by design and eliminating the need for custodianship of user funds<ref name=":10" />. The company operates entirely on Bitcoin, avoiding bank accounts and fiat currency transactions, and adheres to regulatory requirements in the markets it operates in<ref name=":10" />.
|-
|June 11th, 2015
|BitLicense Cease New York Services
|ShapeShift ceased its services in New York in response to the state's newly introduced regulatory framework for digital currency businesses known as the BitLicense<ref name="wikipedia-2944" />. The company cited concerns that complying with these regulations would jeopardize users' personal and private data<ref name="wikipedia-2944" />.
|-
|-
|March 14th, 2016
|March 14th, 2016
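Review bot: the new "Bitcoinist Interview Published" row (February 4th, 2015) summarises the interview as covering "decentralized finance (DeFi) solutions" and "non-fungible tokens (NFTs)". Both terms post-date a 2015 interview by several years, so this summary should be checked sentence by sentence against the cited Bitcoinist piece and reduced to what the interview actually says; the About section above cites the same source only for the August 2014 launch, the decentralization and privacy principles, and the Beorn Gonthier pseudonym. Also, the "CEO Identity Unmasked" row switches to future tense ("The funding will be allocated towards ...") where the rest of the timeline reports in past tense.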
Line 54: Line 63:
|Ledger Labs Contacted
|Ledger Labs Contacted
|After the third consecutive theft, "On 2016-04-09 at 13:00 EDT, ShapeShift CEO Erik Voorhees contacted Ledger Labs Inc. (LLI) with a request for digital investigative assistance."<ref name=":0" />
|After the third consecutive theft, "On 2016-04-09 at 13:00 EDT, ShapeShift CEO Erik Voorhees contacted Ledger Labs Inc. (LLI) with a request for digital investigative assistance."<ref name=":0" />
|-
|April 13th, 2016 6:32:12 PM MDT
|Reddit Community Updated
|Erik posts an update on Reddit for the community. The team is confident that their own team member was involved in the attack. At this time, they are still resolving refunds for prior pending orders of customers<ref name=":8" />.
|-
|April 18th, 2016 10:25:00 AM MDT
|CoinDesk Article Published
|CoinDesk reports that ShapeShift experienced losses totaling $230,000 in three separate thefts over the span of a month, as revealed in an incident report obtained by CoinDesk<ref name="coindesk-3038" />. The report disclosed that an employee perpetrated the initial theft of $130,000 in mid-March and subsequently sold sensitive security information to an external hacker after being terminated<ref name="coindesk-3038" />. Further thefts amounting to $100,000 occurred in early April. ShapeShift took steps to enhance security measures following the attacks and partnered with Toronto-based consultancy Ledger Labs to develop new protocols<ref name="coindesk-3038" />. Despite the setbacks, ShapeShift assured users that no customer funds were lost or compromised and aimed to resume operations by April 20<ref name="coindesk-3038" />. Legal action has been initiated against the former employee, and efforts are underway to recover the stolen funds<ref name="coindesk-3038" />.
|-
|April 19th, 2016 12:15:42 AM MDT
|Bitcoin.com Article From Erik Voorhees
|In a harrowing account shared on Bitcoin.com, Erik Voorhees details the company's ordeal of being repeatedly hacked, shedding light on the betrayal of a trusted employee, Bob<ref name="newsdotbitcoin-3039" />. Initially experiencing theft of Bitcoin due to Bob's actions, the company faces further breaches despite implementing new infrastructure<ref name="newsdotbitcoin-3039" />. Through forensic investigation and communication with the hacker, Rovion, it becomes evident that Bob had sold sensitive information, including server access and source code, to the hacker<ref name="newsdotbitcoin-3039" />. Bob's betrayal not only led to significant financial losses but also raised questions about the security practices within the company<ref name="newsdotbitcoin-3039" />. The narrative underscores the importance of robust security measures and vigilance in the face of evolving cyber threats<ref name="newsdotbitcoin-3039" />.
|-
|-
|April 19th, 2016 9:01:00 AM MDT
|April 19th, 2016 9:01:00 AM MDT
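Review bot: the "Bitcoin.com Article From Erik Voorhees" row introduces "Bob" as "a trusted employee" without saying whether that is the employee's name or the name used in Voorhees's account; the page elsewhere redacts the same person as "[The thief employee]", so the row should say which it is (e.g. "the employee, referred to as Bob in the account"). The row's closing sentence ("The narrative underscores the importance of robust security measures and vigilance in the face of evolving cyber threats") is commentary rather than a timeline event and can be cut. Minor: the "Reddit Community Updated" row uses a first name and present tense ("Erik posts an update") where the other rows use "Erik Voorhees" and past tense.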
Line 61: Line 82:
|April 25th, 2016 6:48:00 AM MDT
|April 25th, 2016 6:48:00 AM MDT
|Hacking Distributed Article
|Hacking Distributed Article
|A Hacking Distributed article is published which is highly critical of the official story from Erik Voorhes<ref name=":1" />. Several "red flags" are highlighted in the story.
|A Hacking Distributed article is published which is highly critical of the official story from Erik Voorhes<ref name=":1" />. However, several "red flags" are highlighted in the detailed account of the incidents. According to Voorhees, a sysadmin named Bob initiated the thefts by installing a backdoor on a colleague's computer, then emptied the Bitcoin hot wallet using his own credentials. Afterward, Bob sold the backdoor access to a hacker named Rovion, who subsequently raided ShapeShift's hot wallets in multiple currencies<ref name=":1" />. However, Emin Gün Sirer finds numerous inconsistencies in Voorhees's explanation, pointing out implausible scenarios such as Bob's willingness to use his real name in criminal activities and Rovion's unlikely moral stance against Bob<ref name=":1" />. Sirer raises flags regarding the believability of the story, questioning the motives and actions of the involved parties<ref name=":1" />. While acknowledging ShapeShift's security failures, Sirer emphasizes the importance of a thorough investigation to uncover the truth behind the hacks and prevent future incidents, expressing skepticism toward accepting the provided narrative solely based on the accounts of the involved hackers<ref name=":1" />.
|-
|April 25th, 2016 9:52:21 AM MDT
|Reddit And Defense
|The Hacking Distribute article is shared on Reddit<ref name=":7" />. In response to points raised by Emin Gün Sirer regarding the recent digital currency thefts at ShapeShift, Erik Voorhees addresses each issue individually<ref name=":7" />. He clarifies that the communication between ShapeShift and the hacker, known as Rovion, occurred after Rovion reached out to ShapeShift, not the other way around, resolving one of Sirer's concerns<ref name=":7" />. Voorhees acknowledges the oversight in recognizing the employee's incompetence earlier and agrees with Sirer's point on this matter<ref name=":7" />. However, he disputes some of Sirer's assertions, such as the insinuation that ShapeShift's response was motivated by race<ref name=":7" />. Voorhees defends the steps taken by ShapeShift in handling the situation and invites Sirer to engage directly if he wishes to discuss further<ref name=":7" />. Another user, itsreallyonlysmellz, criticizes ShapeShift's approach and urges them to acknowledge the shortcomings in their story<ref name=":7" />.
|-
|April 25th, 2016 5:16:29 PM MDT
|Discussion Of Russian Hacker
|Erik Voorhees discusses his interactions with the Russian hacker<ref>[https://old.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/d2h7etc/ Erik Voorhees - "Maybe you don't know what "exchange" means? We traded, at market rate, ETH for BTC." - Reddit] (Apr 10, 2024)</ref>.
|-
|-
|June 30th, 2016
|June 30th, 2016
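Review bot: the rewritten "Hacking Distributed Article" row opens with a misplaced contrast. "A Hacking Distributed article is published which is highly critical ... However, several 'red flags' are highlighted" has no opposition between the two sentences (the red flags are the criticism), and a second "However" follows two sentences later. Drop the first "However" so the row reads: the article is critical; it recounts Voorhees's account; Sirer then finds inconsistencies in it. Spelling in the same rows: "Voorhes" should be "Voorhees" (present in both revisions), and "The Hacking Distribute article" in the "Reddit And Defense" row should be "The Hacking Distributed article". The new reference in the "Discussion Of Russian Hacker" row ends with "(Apr 10, 2024)" and is missing the "Accessed" prefix used by the other dated references.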
Line 71: Line 100:
|CoinTelegraph reports that Bitcoin stolen from ShapeShift have begun moving, with the thief sending portions of the loot to different addresses to obscure traceability<ref name="cointelegraph-3042" />. Despite CEO Erik Voorhees' updates on the situation, the perpetrator remains unidentified, and most of the stolen funds, valued at over $230,000, have not been recovered<ref name="cointelegraph-3042" />. The thief's tactic involves splitting transactions and sending them to multiple addresses to cover their tracks, leveraging the anonymity of Bitcoin transactions<ref name="cointelegraph-3042" />. ShapeShift, focused on rebuilding and recovering since the attack, assures customers that their funds were not affected, and the platform's infrastructure has been reconstructed<ref name="cointelegraph-3042" />.
|CoinTelegraph reports that Bitcoin stolen from ShapeShift have begun moving, with the thief sending portions of the loot to different addresses to obscure traceability<ref name="cointelegraph-3042" />. Despite CEO Erik Voorhees' updates on the situation, the perpetrator remains unidentified, and most of the stolen funds, valued at over $230,000, have not been recovered<ref name="cointelegraph-3042" />. The thief's tactic involves splitting transactions and sending them to multiple addresses to cover their tracks, leveraging the anonymity of Bitcoin transactions<ref name="cointelegraph-3042" />. ShapeShift, focused on rebuilding and recovering since the attack, assures customers that their funds were not affected, and the platform's infrastructure has been reconstructed<ref name="cointelegraph-3042" />.
|-
|-
|
|September 4th, 2018 2:10:00 PM MDT
|
|Membership Model Introduced
|
|ShapeShift introduced a membership model for users, which would eventually become mandatory, marking a departure from ShapeShift's previous model of "exchange without accounts"<ref name=":11">[https://www.coindesk.com/markets/2018/09/04/crypto-exchange-shapeshift-is-moving-away-from-its-no-account-model/ Crypto Exchange ShapeShift Is Moving Away From Its No-Account Model - CoinDesk] (Accessed Apr 9, 2024)</ref>. CEO Erik Voorhees expressed reluctance about making personal information collection mandatory and emphasized the importance of financial privacy. Members will receive discounts on exchange rates, rewards for using the FOX token, and higher transaction limits. The shift towards account-based features is driven by user requests, growing interest in tokenization, and regulatory uncertainties in the cryptocurrency exchange sector. Despite these changes, ShapeShift will maintain its non-custodial exchange status, ensuring that it does not hold customer funds<ref name=":11">[https://www.coindesk.com/markets/2018/09/04/crypto-exchange-shapeshift-is-moving-away-from-its-no-account-model/ Crypto Exchange ShapeShift Is Moving Away From Its No-Account Model - CoinDesk] (Accessed Apr 9, 2024)</ref>.
|}
|}
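Review bot: the new "Membership Model Introduced" row defines reference ":11" in full twice within the same cell. MediaWiki needs the full <ref name=":11">...</ref> only once; the second citation at the end of the row should be the self-closing <ref name=":11" /> form used for repeat citations elsewhere on the page. The middle sentences of that row ("CEO Erik Voorhees expressed reluctance ... ensuring that it does not hold customer funds") also shift into future tense ("Members will receive", "ShapeShift will maintain"), which reads as if the 2018 change were still upcoming; match the row's past-tense opening.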


Line 105: Line 134:
|
|
|$106k
|$106k
|Initial attack by a rogue internal employee of ShapeShift.
|Initial theft by an internal employee of ShapeShift.
|-
|-
|2
|2
Line 132: Line 161:
|
|
|}
|}




Line 153: Line 183:
!Attacks
!Attacks
!Notes
!Notes
|-
|CoinDesk<ref name="coindesk-3038" />
|April 18th, 2016
|469
|5800
|1900
|$230k
|All Three
|Initial theft $130k, subsequent $100k.
|-
|-
|CoinTelegraph<ref name=":6" />
|CoinTelegraph<ref name=":6" />
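Review bot: the new CoinDesk row in this sources table records "Initial theft $130k, subsequent $100k" (total $230k), while the loss table earlier in this revision lists the first theft at $106k. If the difference is the USD valuation date (value at the time of theft versus at publication) or a different coin count, the Notes cell should say so; otherwise one of the two figures needs correcting. The three bare numeric cells (469, 5800, 1900) depend on column headers that sit outside this hunk; only "!Attacks" and "!Notes" are visible here, so confirm the cell order matches the full header row.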
Line 208: Line 247:


== Ultimate Outcome ==
== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
ShapeShift investigate further, going into past system logs to uncover further information about their employee and ultimately bringing in outside help from Michael Perkins, the Head of Security and Investigative Services at Ledger Labs. Together they were able to uncover the UDP access point and restore the security of the exchange.


=== Further Investigation ===
=== Further Investigation ===
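Review bot: the new "Ultimate Outcome" paragraph names the Ledger Labs investigator "Michael Perkins", while the quotation in the "Improved Security Infrastructure" section attributes the same CoinDesk statement to "Perklin"; the two spellings need to be reconciled against the CoinDesk source. Grammar in the same paragraph: "ShapeShift investigate further" should be "ShapeShift investigated further", and "the UDP access point" uses an acronym the page never expands.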
Line 218: Line 257:


"I have investors to whom I owe a level of protocol diligence, so, we also made arrangements for a criminal case, and herein the theft constitutes a Class 3 Felony, with 4-12 years in prison. Honestly, I don’t care whether he is punished. I care whether we are made whole, and whether he realizes his error and changes his life to become a better person. No sign yet, of that."
"I have investors to whom I owe a level of protocol diligence, so, we also made arrangements for a criminal case, and herein the theft constitutes a Class 3 Felony, with 4-12 years in prison. Honestly, I don’t care whether he is punished. I care whether we are made whole, and whether he realizes his error and changes his life to become a better person. No sign yet, of that."
=== Community Update Posted To Reddit ===
<ref name=":8" /><blockquote>"To our loyal foxes,
It's been a long week, and very instructive.
Since the investigation into the ShapeShift hack last week started, we had suspicion that someone previously on the team was involved, and that this person assisted an outside hacker. We are confident now that is is indeed the case.
The story continues to unfold, and evidence continues to be revealed. We have been working with a forensic specialist from LedgerLabs, who has been terrific. A civil suit is ongoing, as are multiple criminal investigations of the perpetrators.
Our team continues to revise and rebuild infrastructure, hardening not only prior vulnerabilities, but future potential attack vectors. It has been inspiring to see anti-fragility in action as ShapeShift gets stronger.
At this point, customer refunds for prior pending orders are in the process of being resolved. Again, no customer funds were ever at risk, by design.
A more detailed post-mortem will be released at the appropriate time, after forensic work is complete. Thank you again to everyone who has contacted us for the heartfelt support. We will be back in action very soon."</blockquote>


=== Improved Security Infrastructure ===
=== Improved Security Infrastructure ===
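Review bot: in the new "Community Update Posted To Reddit" section, the citation <ref name=":8" /> stands alone before the blockquote with no sentence to attach to, so it renders as a dangling footnote marker. Give it a lead sentence, e.g. "On April 13th, 2016, Erik Voorhees posted the following update to the ShapeShift subreddit<ref name=":8" />:" (the date is already in the timeline row that cites the same reference). Inside the quotation, "We are confident now that is is indeed the case" has a doubled "is"; if the typo is in the original post, mark it "[sic]", otherwise correct it.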
Line 225: Line 279:


"Ledger Labs has worked with ShapeShift on new infrastructure for a vastly more secure platform going forward," Perklin told CoinDesk by email. "Even with internal sabotage from an employee, the company avoided any customer funds being lost."
"Ledger Labs has worked with ShapeShift on new infrastructure for a vastly more secure platform going forward," Perklin told CoinDesk by email. "Even with internal sabotage from an employee, the company avoided any customer funds being lost."
=== Criticism From Cornell Professor ===
A Cornell professor named Emin Gün Sirer announced numerous inconsistencies in Voorhees's explanation, pointing out implausible scenarios such as the hacker's willingness to use his real name in criminal activities and Rovion's unlikely moral stance against the hacker<ref name=":1" />. Sirer raises flags regarding the believability of the story, questioning the motives and actions of the involved parties<ref name=":1" />. While acknowledging ShapeShift's security failures, Sirer emphasizes the importance of a thorough investigation to uncover the truth behind the hacks and prevent future incidents, expressing skepticism toward accepting the provided narrative solely based on the accounts of the involved hackers<ref name=":1" />.
In response to points raised by Emin Gün Sirer regarding the recent digital currency thefts at ShapeShift, Erik Voorhees addresses each issue individually in a response on Reddit<ref name=":7" />. He clarified that the communication between ShapeShift and the hacker, known as Rovion, occurred after Rovion reached out to ShapeShift, not the other way around, resolving one of Sirer's concerns<ref name=":7" />. Voorhees acknowledges the oversight in recognizing the employee's incompetence earlier and agrees with Sirer's point on this matter<ref name=":7" />. However, he disputes some of Sirer's assertions, such as the insinuation that ShapeShift's response was motivated by race<ref name=":7" />. Voorhees defends the steps taken by ShapeShift in handling the situation and invites Sirer to engage directly if he wishes to discuss further<ref name=":7" />. Another user, itsreallyonlysmellz, criticizes ShapeShift's approach and urges them to acknowledge the shortcomings in their story<ref name=":7" />.


=== Exchange Brought Back Online ===
=== Exchange Brought Back Online ===
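Review bot: the new "Criticism From Cornell Professor" paragraph garbles who is who. "The hacker's willingness to use his real name in criminal activities and Rovion's unlikely moral stance against the hacker" uses "the hacker" for two different people; the timeline row for the same article has it right ("Bob's willingness to use his real name" and "Rovion's unlikely moral stance against Bob"), so this section should say "the employee" (or whatever name the page settles on for him) and "Rovion". The second paragraph is a near-verbatim copy of the "Reddit And Defense" timeline row; keep this as the full account and shorten the row, or vice versa. Tense also shifts within it ("He clarified ...", then "Voorhees acknowledges ...").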
Line 250: Line 309:


== Ongoing Developments ==
== Ongoing Developments ==
Unclear if the exchange has recovered the funds or not. TBD
The exchange continues to pursue the employee who stole for them. As for the Russian hacker, they technically appear to have assisted him in laundering the stolen funds by knowingly swapping his stolen ethereum for bitcoin at market rate.


"Legal action in the form of a civil lawsuit has also been taken against the former employee, though ShapeShift declined to comment on where the suit has been filed, citing privacy reasons."
"Legal action in the form of a civil lawsuit has also been taken against the former employee, though ShapeShift declined to comment on where the suit has been filed, citing privacy reasons."

Latest revision as of 16:29, 11 April 2024

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

ShapeShift At Trade Show

ShapeShift hired a new security "expert" and gave them full access to hot wallet funds and unrestricted access to different computers. The employee then installed remote desktop (RDP) access on a few computers and stole from the hot wallet.

Without fully securing their system, they then proceeded to reopen the platform, not just once but twice. Even though the employee had been fired, he was able to sell the RDP backdoor and other access details to another hacker, who accessed and withdrew more funds.

This exchange or platform is based in the United States, or the incident targeted people primarily in the United States.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About ShapeShift

ShapeShift was founded on July 1st, 2014[17], with their swapping services launching in August 2014[18]. The company operated out of Denver, Colorado[1]. The company operated on core principles of decentralization and user privacy[18]. ShapeShift CEO Erik Voorhees initially used the pseudonym Beorn Gonthier[18][19].

In March 2015, ShapeShift secured a seed-stage investment of US$525,000 from Roger Ver and Barry Silbert[17][19], followed by an additional funding round in September 2015, raising a total of US$1.6 million from investors such as Digital Currency Group, Bitfinex, Bitcoin Capital, and Mardal Investments[17]. The company launched its iOS platform in June 2015, enabling users to exchange 25 digital currencies and value tokens[17]. On June 11, 2015, ShapeShift ceased its services in New York in response to the state's newly introduced regulatory framework for digital currency businesses known as the BitLicense, citing concerns that complying with these regulations would jeopardize users' personal and private data[17].

Former Principal Address: 1624 Market Street, Suite 226 #29882, Denver, CO 80202

Expansion Of Architecture Team

"And we’ve always been playing catch-up. Trying to build at the speed of this industry, not only along the vertical of Bitcoin proper, but along the breadth of all crypto, is a challenge."

"Last Fall, we realized the “minimum viable product” server architecture established originally for ShapeShift was insufficient. We needed a professional to join the small team, and craft a scalable, and secure, server apparatus upon which our technology could grow."

"We hired such a person, and patted ourselves on the back for our proactive decision. On paper, he looked great; the reference we called confirmed his prior role and responsibility. He’d even been into Bitcoin since 2011/2012 and had built miners in his room. Awesome."

"[T]o many, ShapeShift appears to be a simple web service. It’s taken a lot of work by our engineers to keep up that appearance. Behind the scenes, the platform is complex. Over 1,400 direct asset trading pairs, integrations with half a dozen exchange API’s requiring real-time price information on all offered cryptocurrencies, low-latency service API’s to several dozen partners, the monitoring and calculation of constantly changing exchange rates and order book depth in some of the most volatile markets on Earth, and incorporation of what can only be described as alpha-level software in various states of disarray (coin daemons…bleh)."

The Reality

The newly hired employee had not been properly background checked. He turned out to be dishonest: he stole from ShapeShift and also installed remote-access backdoors on company systems.

"We learn some more things. [The thief employee] has prior police records in Florida, where he’s from." "With civil and criminal cases proceeding against him"

What Happened

In 2016, ShapeShift lost around $230,000 in three thefts over the course of four weeks in March and April. The first was carried out by a company employee; the second and third were carried out by a Russian hacker who, after the employee was fired, bought backdoor access to ShapeShift's servers from him.

Key Event Timeline - ShapeShift Three Thefts
Date | Event | Description
July 1st, 2014 | ShapeShift Founded | ShapeShift is founded[1][17].
August 2014 | Services Launch | The launch of the ShapeShift swapping services[18].
February 4th, 2015 6:00:15 AM MST | Bitcoinist Interview Published | Bitcoinist published an interview with ShapeShift.io CEO, known at the time as Beorn Gonthier, covering the cryptocurrency industry and ShapeShift's role within it[18]. Gonthier emphasized decentralization and user privacy as core principles for ShapeShift[18], and discussed regulatory compliance and interoperability between different blockchain networks as challenges facing the industry[18]. He expressed optimism about continued growth and innovation in the cryptocurrency space[18].
March 10th, 2015 9:00:00 AM MDT | CEO Identity Unmasked | CoinDesk reported on ShapeShift having secured $525,000 in seed funding from investors Barry Silbert and Roger Ver[19]. CEO Erik Voorhees, previously operating under the alias Beorn Gonthier, revealed his identity as the creator of ShapeShift[19]. The funding was to be allocated towards enhancing the exchange engine, marketing efforts, and legal work in Switzerland[19]. With a team of eight full-time staff, ShapeShift had seen a significant increase in volume, emphasizing trust by design and eliminating the need for custodianship of user funds[19]. The company operated entirely on Bitcoin, avoiding bank accounts and fiat currency transactions, and adhered to regulatory requirements in the markets it operated in[19].
June 11th, 2015 | BitLicense Cease New York Services | ShapeShift ceased its services in New York in response to the state's newly introduced regulatory framework for digital currency businesses known as the BitLicense[17]. The company cited concerns that complying with these regulations would jeopardize users' personal and private data[17].
March 14th, 2016 | Employee Theft Incident | ShapeShift reports that 315 bitcoin went missing; the employee in charge of security showed up at 11:30 AM.
April 7th, 2016 | More Funds Stolen | Additional funds are stolen from the platform. "On Thursday April 7th, around midday, we notice a bunch of Ethereum had left the hot wallet on the new infrastructure at [a new cloud service provider]. The NEW infrastructure. The infrastructure that was not even public yet. At first, we believed our code had done something weird, perhaps sweeping funds to a development server address or similar. Then we noticed a bunch of Bitcoin was also missing. And then Litecoin also."
April 9th, 2016 11:00:00 AM MDT | Ledger Labs Contacted | After the third consecutive theft, "On 2016-04-09 at 13:00 EDT, ShapeShift CEO Erik Voorhees contacted Ledger Labs Inc. (LLI) with a request for digital investigative assistance."[7]
April 13th, 2016 6:32:12 PM MDT | Reddit Community Updated | Erik posts an update on Reddit for the community. The team is confident that their own team member was involved in the attack. At this time, they are still resolving refunds for prior pending orders of customers[12].
April 18th, 2016 10:25:00 AM MDT | CoinDesk Article Published | CoinDesk reports that ShapeShift experienced losses totaling $230,000 in three separate thefts over the span of a month, as revealed in an incident report obtained by CoinDesk[2]. The report disclosed that an employee perpetrated the initial theft of $130,000 in mid-March and subsequently sold sensitive security information to an external hacker after being terminated[2]. Further thefts amounting to $100,000 occurred in early April. ShapeShift took steps to enhance security measures following the attacks and partnered with Toronto-based consultancy Ledger Labs to develop new protocols[2]. Despite the setbacks, ShapeShift assured users that no customer funds were lost or compromised and aimed to resume operations by April 20[2]. Legal action has been initiated against the former employee, and efforts are underway to recover the stolen funds[2].
April 19th, 2016 12:15:42 AM MDT | Bitcoin.com Article From Erik Voorhees | In a harrowing account shared on Bitcoin.com, Erik Voorhees details the company's ordeal of being repeatedly hacked, shedding light on the betrayal of a trusted employee, Bob[3]. Initially experiencing theft of Bitcoin due to Bob's actions, the company faces further breaches despite implementing new infrastructure[3]. Through forensic investigation and communication with the hacker, Rovion, it becomes evident that Bob had sold sensitive information, including server access and source code, to the hacker[3]. Bob's betrayal not only led to significant financial losses but also raised questions about the security practices within the company[3]. The narrative underscores the importance of robust security measures and vigilance in the face of evolving cyber threats[3].
April 19th, 2016 9:01:00 AM MDT | CoinTelegraph Article Published | CoinTelegraph reports a total of 469 BTC, 1900 LTC, and 5800 ETH taken through all 3 attacks, and estimates a value of $230,000[6]. The incident has prompted a complete shutdown of its website for reconstruction with enhanced security measures[6]. CEO Erik Voorhees disclosed that a rogue employee had provided information to the hacker, identified as Rovion Vavilov, facilitating the breaches[6]. Forensic investigations led by Michael Perklin from Ledger Labs are ongoing, aiming to recover funds and ensure improved security[6]. Despite the setbacks, ShapeShift assured customers that the platform is set to relaunch on April 20[6].
April 25th, 2016 6:48:00 AM MDT | Hacking Distributed Article | A Hacking Distributed article is published which is highly critical of the official story from Erik Voorhees[8], highlighting several "red flags" in the detailed account of the incidents. According to Voorhees, a sysadmin named Bob initiated the thefts by installing a backdoor on a colleague's computer, then emptied the Bitcoin hot wallet using his own credentials. Afterward, Bob sold the backdoor access to a hacker named Rovion, who subsequently raided ShapeShift's hot wallets in multiple currencies[8]. Emin Gün Sirer finds numerous inconsistencies in Voorhees's explanation, pointing out implausible scenarios such as Bob's willingness to use his real name in criminal activities and Rovion's unlikely moral stance against Bob[8]. Sirer raises flags regarding the believability of the story, questioning the motives and actions of the involved parties[8]. While acknowledging ShapeShift's security failures, Sirer emphasizes the importance of a thorough investigation to uncover the truth behind the hacks and prevent future incidents, expressing skepticism toward accepting the provided narrative solely based on the accounts of the involved hackers[8].
April 25th, 2016 9:52:21 AM MDT | Reddit And Defense | The Hacking Distributed article is shared on Reddit[9]. In response to points raised by Emin Gün Sirer regarding the recent digital currency thefts at ShapeShift, Erik Voorhees addresses each issue individually[9]. He clarifies that the communication between ShapeShift and the hacker, known as Rovion, occurred after Rovion reached out to ShapeShift, not the other way around, resolving one of Sirer's concerns[9]. Voorhees acknowledges the oversight in recognizing the employee's incompetence earlier and agrees with Sirer's point on this matter[9]. However, he disputes some of Sirer's assertions, such as the insinuation that ShapeShift's response was motivated by race[9]. Voorhees defends the steps taken by ShapeShift in handling the situation and invites Sirer to engage directly if he wishes to discuss further[9]. Another user, itsreallyonlysmellz, criticizes ShapeShift's approach and urges them to acknowledge the shortcomings in their story[9].
April 25th, 2016 5:16:29 PM MDT | Discussion Of Russian Hacker | Erik Voorhees discusses his interactions with the Russian hacker[20].
June 30th, 2016 | ChainSec Date Listed | The date which ChainSec lists for this incident[21]. There is no indication provided as to where this date came from. At least the year is consistent.
July 9th, 2016 5:05:00 AM MDT | CoinTelegraph Article Coins Moving | CoinTelegraph reports that Bitcoin stolen from ShapeShift has begun moving, with the thief sending portions of the loot to different addresses to obscure traceability[22]. Despite CEO Erik Voorhees' updates on the situation, the perpetrator remains unidentified, and most of the stolen funds, valued at over $230,000, have not been recovered[22]. The thief's tactic involves splitting transactions and sending them to multiple addresses to cover their tracks, leveraging the anonymity of Bitcoin transactions[22]. ShapeShift, focused on rebuilding and recovering since the attack, assures customers that their funds were not affected, and the platform's infrastructure has been reconstructed[22].
September 4th, 2018 2:10:00 PM MDT | Membership Model Introduced | ShapeShift introduced a membership model for users, which would eventually become mandatory, marking a departure from ShapeShift's previous model of "exchange without accounts"[23]. CEO Erik Voorhees expressed reluctance about making personal information collection mandatory and emphasized the importance of financial privacy. Members will receive discounts on exchange rates, rewards for using the FOX token, and higher transaction limits. The shift towards account-based features is driven by user requests, growing interest in tokenization, and regulatory uncertainties in the cryptocurrency exchange sector. Despite these changes, ShapeShift will maintain its non-custodial exchange status, ensuring that it does not hold customer funds[23].

Technical Details

"From the recovered data, we discovered the malware, if that’s the right term. There was a program, written in Go, installed on a crucial server which communicated with coins. This program had its dates changed to appear consistent with the setup of the server, and its filename made to look innocuous. But it was the direct tool by which funds were stolen." The thief employee "had installed an RDP (remote desktop protocol – basically a screen viewer or controller) on Greg’s computer. And perhaps on others, we must assume."

"The employee, who was not identified, later sold sensitive security information to an outside hacker after being fired from the exchange. Another $100,000 in funds denominated in bitcoin, ether and litecoin were stolen on 7th and 9th April." "The report goes on highlight the steps taken by the hacker to obscure his or her tracks. It also details two conversations between the hacker and CEO Erik Voorhees, during which it was claimed that the employee had sold key security data."

Total Amount Lost

There were a total of three separate attacks carried out against the ShapeShift platform in March and April of 2016. All attacks took funds from the hot wallet. The first was carried out by an internal employee, and the second and third were carried out by an external actor.

List Of Attacks
# Date Actor BTC ETH LTC USD Notes
1 March 14th Rogue Employee 315[5][6] $106k Initial theft by an internal employee of ShapeShift.
2 April 7th Rovion Vavilov[5][6] 97[5] 3600[5] 1900[5] First attack by external hacker Rovion, using UDP access point set up by rogue employee.
3 April 9th Rovion Vavilov[5][6] 57[5] 2200[5][5] Final attack by external hacker Rovion, using UDP access point set up by rogue employee.
Total From All Attacks 469 5800 1900 $230k


"Thieves broke in three separate times over a time span of two weeks and cleaned out the hot wallets each time, totaling around $200K USD." "Digital currency exchange ShapeShift lost as much as $230,000 in three separate thefts over the course of a month, according to an incident report prepared by the service."

"According to the report, that employee stole $130,000 from ShapeShift in mid-March."

"After their dismissal, the ex-employee sold security information such as ShapeShift’s IP address to an outside hacker, who then stole 154 BTC, 5,800 ETH and 1,900 LTC in two further hacks."


Table of loss amounts:

Table Of Loss Amounts Reported
Source | Date | BTC | ETH | LTC | USD | Attacks | Notes
CoinDesk[2] | April 18th, 2016 | 469 | 5800 | 1900 | $230k | All Three | Initial theft $130k, subsequent $100k.
CoinTelegraph[6] | April 19th, 2016 | 469 | 5800 | 1900 | $230k | All Three | 315 BTC in first attack, $124k in second and third attacks.
ChainSec[21] | June 29th, 2019 | - | - | - | $200k | Unspecified |

The total amount lost has been estimated at $230,000 USD.

Immediate Reactions

Initial Theft Dealt With

"According to the report, the first incident took place on 14th March, the company said, resulting in the loss of 315 BTC. It was soon established that a ShapeShift employee was behind the incident." "Despite our note to all employees to come into the office urgently, our head IT guy, the one responsible for security and infrastructure, arrives at 11:30am."

"We ask [him] to join our discussion. We reveal the hack to him. We ask him if he had logged in at all that morning, to which he responded no (on several occasions). On the new[s] of the theft, he seems neither particularly shocked nor outraged, yet it was his security that failed us. Immediately, he starts pointing to red herring explanations, “It must be one of the exchanges that got hacked, that happens all the time.”"

"“Well, look at the IP address, it happened somewhere off west Africa.” Umm, IP addresses on block explorers indicate only the first node that noticed a transaction, and are generally meaningless in the context of Bitcoin. (What kind of Bitcoiner doesn’t know that?)"

Subsequent Thefts After Sale

"After their dismissal, the ex-employee sold security information such as ShapeShift’s IP address to an outside hacker, who then stole 154 BTC, 5,800 ETH and 1,900 LTC in two further hacks."

"The employee, who was not identified, later sold sensitive security information to an outside hacker after being fired from the exchange. Another $100,000 in funds denominated in bitcoin, ether and litecoin were stolen on 7th and 9th April." "The report goes on highlight the steps taken by the hacker to obscure his or her tracks. It also details two conversations between the hacker and CEO Erik Voorhees, during which it was claimed that the employee had sold key security data."

"On Thursday April 7th, around midday, we notice a bunch of Ethereum had left the hot wallet on the new infrastructure at [a new cloud service provider]. The NEW infrastructure. The infrastructure that was not even public yet. At first, we believed our code had done something weird, perhaps sweeping funds to a development server address or similar. Then we noticed a bunch of Bitcoin was also missing. And then Litecoin also."

"After several hours of fruitless investigation, we decide that one of the most likely explanations is that the cloud company itself was compromised. This has happened before in Bitcoinland. We thought [they were] reputable, but who knows? Clouds are very convenient and scalable, but on some level you’re trusting that company with your infrastructure. We decided we had to keep the site down for at least 24 hours, and bust our asses to prepare, yet again, an entirely new infrastructure on an entirely new set of servers."

"Despite that, we watched the blockchains for the hacked funds. We tracked some to an exchange account. We got profile information of the depositor." “Nice job on the hack. How did you do it? -Erik”

"The rest of that night, and into the next day (Friday, the 8th), the team worked feverishly to rebuild everything on new infrastructure, once again, in a wholly clean environment on a wholly separate host." "[A]fter herculean efforts, we had everything ready by Friday night, 24 hrs later. We launched the site on yet a new provider."

"Then it was Saturday 9am, and I start emerging from slumber. My phone rings. It was Greg." “We were hacked again. Bitcoin and Ethereum taken from the [new] hot wallets.”

Ultimate Outcome

ShapeShift investigated further, recovering past system logs to learn more about their employee, and ultimately brought in outside help from Michael Perklin, Head of Security and Investigative Services at Ledger Labs. Together they were able to uncover the RDP access point and restore the security of the exchange.

Further Investigation

"While much of the logs were gone, we in fact recovered a great portion of them off the “empty” disk space itself using forensic techniques. This was just lucky. Perhaps the Ghost of Satoshi was looking out for us (could have used his help a week ago, of course!)"

"Over the next days, we file the formal civil complaint. The address Bob had given us was a PO box, though we had his legal name, his bank info, and his social serfdom number. We hired a private investigator. We found his apartment within a couple days. Several attempts at service failed, though the investigator heard a dog barking behind the door. One of his cars was found; he drives two unmarked retired police cruisers."

"We learn some more things. [The theif employee] has prior police records in Florida, where he’s from." "With civil and criminal cases proceeding against him, and with further discovery that [he] fled to Florida (leaving his dog to be temporarily cared for by his neighbor… who is now wondering where he is and hasn’t heard from him in weeks), we thought the case was basically closed. We’d get him somewhere, sooner or later. And, hopefully, we’d get our stolen property returned, or the fiat equivalent."

"I have investors to whom I owe a level of protocol diligence, so, we also made arrangements for a criminal case, and herein the theft constitutes a Class 3 Felony, with 4-12 years in prison. Honestly, I don’t care whether he is punished. I care whether we are made whole, and whether he realizes his error and changes his life to become a better person. No sign yet, of that."

Community Update Posted To Reddit

[12]

"To our loyal foxes,

It's been a long week, and very instructive.

Since the investigation into the ShapeShift hack last week started, we had suspicion that someone previously on the team was involved, and that this person assisted an outside hacker. We are confident now that it is indeed the case.

The story continues to unfold, and evidence continues to be revealed. We have been working with a forensic specialist from LedgerLabs, who has been terrific. A civil suit is ongoing, as are multiple criminal investigations of the perpetrators.

Our team continues to revise and rebuild infrastructure, hardening not only prior vulnerabilities, but future potential attack vectors. It has been inspiring to see anti-fragility in action as ShapeShift gets stronger.

At this point, customer refunds for prior pending orders are in the process of being resolved. Again, no customer funds were ever at risk, by design.

A more detailed post-mortem will be released at the appropriate time, after forensic work is complete. Thank you again to everyone who has contacted us for the heartfelt support. We will be back in action very soon."

Improved Security Infrastructure

"As I gather my thoughts, I decide it’s time to call in some professional resources." "Michael Perklin, Head of Security and Investigative Services at Ledger Labs, and chairman of the Steering Committee for the Board of CCSS, is first on my list. He’s in Toronto, and agrees to fly out to meet us that evening. He was on his way to the hospital; he had a toe broken in an event he’d prefer not to discuss. He changes course and heads to the airport. What a champion." "Amid a subsequent investigation conducted in partnership with Michael Perklin of Ledger Labs, a hacker contacted the exchange claiming to have purchased information, including the IP address of ShapeShift’s office and access details for the exchange’s admin interface, from that former employee."

"The exchange says it has improved its security procedures, including how it goes about transmitting secure information between employees and manages access to its servers. In the wake of the hack. ShapeShift has also moved to draft and put in place formal security policies."

"Ledger Labs has worked with ShapeShift on new infrastructure for a vastly more secure platform going forward," Perklin told CoinDesk by email. "Even with internal sabotage from an employee, the company avoided any customer funds being lost."

Criticism From Cornell Professor

A Cornell professor, Emin Gün Sirer, pointed out numerous inconsistencies in Voorhees's explanation, such as the employee's ("Bob's") willingness to use his real name in criminal activities and Rovion's unlikely moral stance against Bob[8]. Sirer raised flags regarding the believability of the story, questioning the motives and actions of the involved parties[8]. While acknowledging ShapeShift's security failures, Sirer emphasized the importance of a thorough investigation to uncover the truth behind the hacks and prevent future incidents, expressing skepticism toward accepting the provided narrative solely on the basis of the accounts of the involved hackers[8].

In response to the points raised by Emin Gün Sirer, Erik Voorhees addressed each issue individually in a reply on Reddit[9]. He clarified that the communication between ShapeShift and the hacker, known as Rovion, occurred after Rovion reached out to ShapeShift, not the other way around, resolving one of Sirer's concerns[9]. Voorhees acknowledged the oversight in not recognizing the employee's incompetence earlier and agreed with Sirer on this point[9]. However, he disputed some of Sirer's assertions, such as the insinuation that ShapeShift's response was motivated by race[9]. Voorhees defended the steps taken by ShapeShift in handling the situation and invited Sirer to engage directly if he wished to discuss further[9]. Another user, itsreallyonlysmellz, criticized ShapeShift's approach and urged them to acknowledge the shortcomings in their story[9].

Exchange Brought Back Online

"To our customers, I would like to personally apologize for our downtime. While we can ensure your funds are not at risk, I know many rely on our service, and it has been unavailable. Redundancy, even in the face of disaster, will be one of our primary development goals going forward."

Blockchain Movement Of Funds

The stolen funds remained stationary and unspent for multiple months following the theft[22].

"On June 30th, the stolen funds were moved to two separate addresses, one in a $205,666 chunk and the other in a $654 chunk. Each one of these addresses shows only two transactions: the receipt of the funds, and the subsequent transmission of those funds to two separate addresses. This continues on seemingly endlessly, as each new transaction is separated into two and sent to two new, empty addresses so as to cover the thief’s tracks."

Inclusion In Lists

The incident was included in a list compiled by ChainSec[21].

US-Based Crypto Exchange Dissolved

ShapeShift dissolved its US-based cryptocurrency exchange in 2021[24].

Deletion Of Postmortem Document

The postmortem has since been deleted[25][7]. The deletion happened at some point between April 25th, 2021[26] and December 5th, 2022[27].

Settlement With Securities And Exchange Commission

In March 2024, ShapeShift completed a settlement with the United States Securities and Exchange Commission[24][28], agreeing to pay a penalty of $275,000 USD for its previous operations in the United States[24][28]. The cease-and-desist order applies only to the existing entity.

Total Amount Recovered

"1500 ETH recovered, and exchanges are hunting for more. The thief is probably upset by this… it sucks to be stolen from, after all."

"The exchange says it believes it can recover a “significant” amount of the lost funds." "Because ShapeShift is a non-custodial exchange, no customer funds were lost during the hacks."

Ongoing Developments

The exchange continues to pursue the employee who stole from it. As for the Russian hacker, ShapeShift itself appears to have assisted him in laundering part of the proceeds by knowingly swapping his stolen ether for bitcoin at market rate.

"Legal action in the form of a civil lawsuit has also been taken against the former employee, though ShapeShift declined to comment on where the suit has been filed, citing privacy reasons."

Operation Of DAO

ShapeShift changed into a DAO in 2021[27].

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. ShapeShift does not store any customer funds beyond the point of transfer, and all individual funds were returned. Individuals can minimize their risk by keeping swap sizes small and by verifying that they are using the genuine site of a reputable platform before any swap.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

It would have helped to perform a background check on the employee - who had a known criminal record.

Hot wallet keys were generated on a single PC, outside of dedicated hardware. All transactions (large and small) within ShapeShift appear to have been performed from the same hot wallet. ShapeShift could have benefited from gaining the opinions of security experts on their setup early in the process, rather than relying on a single team member.

While it is true that ShapeShift was dealing with a large volume of transactions, these would most likely have followed an 80-20 Pareto distribution. By manually processing the largest transactions, the required size of the hot wallet can be drastically reduced. For these large transactions, using a multi-sig, where the signatures of multiple employees are required, would prevent those assets from being stolen by one insider.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
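The hot-wallet sizing argument and the 3-signature requirement above, as an added example that is not code from the wiki or from ShapeShift: transaction sizes are a constructed Pareto sample, swaps above a size threshold are held for N-of-M key-holder approval instead of being paid from the single hot wallet, and all names, thresholds and parameters are assumptions.

```python
# Added example (not the wiki's or ShapeShift's code). Models the prevention
# policy above: route the largest swaps to a multi-sig approval queue so the
# single hot wallet only needs to hold the small-transaction tail. The sample
# data, signer names and the 80th-percentile threshold are constructed.
import random
from dataclasses import dataclass, field


@dataclass
class MultisigQueue:
    """Large swaps wait here until `required` distinct key holders sign."""
    required: int = 3                              # page recommends a minimum of 3
    signers: dict = field(default_factory=dict)    # tx_id -> set of signer ids

    def approve(self, tx_id: str, signer: str) -> bool:
        """Record one signature; return True once the threshold is met.
        A set is used so the same person signing twice still counts once."""
        self.signers.setdefault(tx_id, set()).add(signer)
        return len(self.signers[tx_id]) >= self.required


def pareto_sample(n: int, seed: int = 7, alpha: float = 1.16) -> list:
    """Constructed swap sizes; alpha ~1.16 yields the classic 80/20 split."""
    rng = random.Random(seed)
    return [rng.paretovariate(alpha) for _ in range(n)]


def size_threshold(amounts: list, quantile: float = 0.8) -> float:
    """Size above which the largest (1 - quantile) share of swaps needs multi-sig."""
    s = sorted(amounts)
    return s[int(len(s) * quantile) - 1]


def route(amount: float, threshold: float) -> str:
    """Small swaps are paid from the hot wallet; large ones go to the queue."""
    return "multisig" if amount > threshold else "hot"


def exposure(amounts: list, threshold: float) -> tuple:
    """(value the hot wallet must hold, value behind multi-sig, hot share)."""
    hot = sum(a for a in amounts if route(a, threshold) == "hot")
    cold = sum(amounts) - hot
    return hot, cold, hot / (hot + cold)


if __name__ == "__main__":
    txs = pareto_sample(10_000)
    thr = size_threshold(txs)
    hot, cold, share = exposure(txs, thr)
    print(f"threshold={thr:.2f} hot={hot:.0f} multisig={cold:.0f} hot share={share:.1%}")
    queue = MultisigQueue(required=3)
    for who in ("alice", "bob", "bob", "carol"):   # bob's second signature does not count
        print(who, queue.approve("swap-1", who))
```

Only about a fifth of the total value stays exposed in the hot wallet once the top 20% of swaps are routed through the queue, which is the reduction the paragraph above argues for.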

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. ShapeShift Company Profile - Crunchbase (Sep 1, 2021)
  2. ShapeShift Lost $230k in String of Thefts, Report Finds - CoinDesk (Sep 18, 2021)
  3. Looting of the Fox: The Story of Sabotage at ShapeShift - Bitcoin.com (Sep 18, 2021)
  4. Address: 1LchKFYxkugq3EPMoJJp5cvUyTyPMu1qBR - Blockchain Explorer (Sep 18, 2021)
  5. UPDATE for Monday, April 18th on the ShapeShift Hacking Incident - Reddit
  6. Shapeshift Rebuilds After Losing $230,000, Promised to Be Back Wednesday - CoinTelegraph
  7. ShapeShift Postmortem - Scribd Archive April 29th, 2016 12:00:07 PM MDT (Accessed Apr 1, 2024)
  8. The ShapeShift Hack: Simply Incredible - Hacking Distributed (Accessed Apr 2, 2024)
  9. Cornell Professor Doubts ShapeShift Story - Reddit (Accessed Apr 5, 2024)
  10. https://old.reddit.com/r/Bitcoin/comments/4gdxe9/comment/d2gy4iz/
  11. ShapeShift Description - CoinDesk (Accessed Apr 8, 2024)
  12. Update on Last Week's Hack - Apr 13 - Reddit (Accessed Apr 8, 2024)
  13. https://www.linkedin.com/pulse/shapeshift-loses-230000-bitcoin-data-breach-blame-ilesh-dattani/
  14. https://news.bitcoin.com/shapeshift-hack-funds-move/
  15. https://www.ft.com/content/beeb2f8c-99ec-494b-aa76-a7be0bf9dae6
  16. https://www.youtube.com/watch?v=LiYNafMs7f8
  17. ShapeShift - Wikipedia (Sep 1, 2021)
  18. Interview with Shapeshift.io CEO Beorn Gonthier - Bitcoinist (Accessed Apr 9, 2024)
  19. ShapeShift Raises $525k, Reveals Erik Voorhees as Creator - CoinDesk (Accessed Apr 9, 2024)
  20. Erik Voorhees - "Maybe you don't know what "exchange" means? We traded, at market rate, ETH for BTC." - Reddit (Apr 10, 2024)
  21. The Complete List of Crypto Exchange Hacks - ChainSec (May 11, 2021)
  22. ShapeShift Thief Begins to Move Stolen Bitcoin - CoinTelegraph (Accessed Sep 18, 2021)
  23. Crypto Exchange ShapeShift Is Moving Away From Its No-Account Model - CoinDesk (Accessed Apr 9, 2024)
  24. ShapeShift Settles SEC Charges It Sold Crypto Securities - CoinDesk (Accessed Apr 3, 2024)
  25. ShapeShift Postmortem - Scribd (Sep 18, 2021)
  26. ShapeShift Postmortem - Scribd Archive April 25th, 2021 1:07:38 AM MDT (Accessed Apr 1, 2024)
  27. ShapeShift Postmortem - Scribd Archive December 5th, 2022 10:07:03 AM MST (Accessed Apr 1, 2024)
  28. ShapeShift settles pre-DAO SEC case, Uniswap hits 2-year high: Finance Redefined - CoinTelegraph (Accessed Apr 3, 2024)