Vircurex Second Exchange Hack: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/vircurexsecondexchangehack.php}} {{Unattributed Sources}} thumb|Vircurex Homepage/LogoVircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal appears to be very poorly implemented and lacked any indication of how the...") |
(30 minutes. Integrated about section information and updated template. Integrated inforamtion about Vircurex from other hacking article. Integrating information from BitcoinTalk article. Added in information from the Vircurex report, including the additional terracoin and litecoin which were stolen. Fully integrated may 2013 report and further review.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
{{Unattributed Sources}} | |||
[[File:Vircurex.jpg|thumb|Vircurex Homepage/Logo]]Vircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal appears to be very poorly implemented and lacked any indication of how the platform was going to prevent future hacks. | [[File:Vircurex.jpg|thumb|Vircurex Homepage/Logo]]Vircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal appears to be very poorly implemented and lacked any indication of how the platform was going to prevent future hacks. | ||
The country for this case study is not yet known.<ref | The country for this case study is not yet known.<ref>https://blockchain.info/address/16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd</ref><ref>https://vircurex.com/welcome/ann_reserved.html</ref> | ||
== About Vircurex == | == About Vircurex == | ||
Vircurex was a Beijing-based virtual currency exchange<ref name="coindesk-179">[https://web.archive.org/web/20210919020219/https://www.coindesk.com/markets/2014/03/24/exchange-vircurex-freezes-withdrawals-claims-lack-of-reserves/ Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT] (Feb 29, 2020)</ref> which was operational since October 2011<ref name="coindesk-179" /><ref name=":5">[https://www.financemagnates.com/cryptocurrency/news/vircurex-faces-class-action-lawsuit/ Vircurex Faces Class-Action Lawsuit - Finance Magnates] (Jan 4, 2024)</ref>. | |||
The | Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin<ref name=":0">[https://web.archive.org/web/20130424071356/https://vircurex.com/ Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT] (Dec 11, 2023)</ref>. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, however they've eliminated some less popular coins over time<ref name="coindesk-179" />. | ||
Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies<ref name=":5" />. | |||
The exchange offered deposits and withdrawals in both USD and EUR<ref name=":0" />. The homepage of the website featured pricing tables for all supported coins<ref name=":0" />.<blockquote>Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin</blockquote>Homepage: vircurex.com<ref name=":0" /> | |||
== The Reality == | == The Reality == | ||
The [[Vircurex Exchange Hack|Vircurex exchange had already been hacked once]]. | |||
== What Happened == | == What Happened == | ||
The | "The hot wallet and “warm” wallet of Bitcoin to alternative cryptocurrency exchange service Vircurex was emptied in May 2013, resulting in a significant loss of three currencies: Bitcoin, Terracoin, and Litecoin." | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Vircurex Second Exchange Hack | |+Key Event Timeline - Vircurex Second Exchange Hack | ||
| Line 46: | Line 26: | ||
|May 10th, 2013 | |May 10th, 2013 | ||
|Breach Date | |Breach Date | ||
|Reported date of breach. | |Reported date of breach<ref name="bitcointalk-87" /><ref name="vircurexarchive-12744" />. | ||
|- | |||
|June 5th, 2013 | |||
|Report Released | |||
|Vircurex releases a report covering the events of May, including the breach which happened<ref name="vircurexarchive-12744" />. | |||
|- | |- | ||
|April 18th, 2014 7:56:22 PM MDT | |April 18th, 2014 7:56:22 PM MDT | ||
|Included In BitcoinTalk List | |Included In BitcoinTalk List | ||
|A subsequent Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12 | |A subsequent Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12<ref name="bitcointalk-87" />. | ||
|} | |} | ||
== Technical Details == | == Technical Details == | ||
Based on an analysis report provided by Vircurex, the attack was a simple impersonation where the perpetrator claimed to be the exchange operator and requested a reset of the account credentials. In addition to resetting the servers, the root password was provided outside of the normal email address to be used and the attacker was able to circumvent an IP-based restriction on the account's control panel<ref name="vircurexarchive-12744" />.<blockquote>The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address (which has 2FA protection), also the security setup of allowing only our IP range to login to the management console was not working. It was an additional security feature the provider offered but was obviously circumvented by the attacker. As a result out of this incident we have moved all our services to a new provider who offers 2 factor authentication for all logins as well as other verification processes that we hope will make similar attempts impossible in the future.</blockquote>Relevant blockchain transactions<ref name="bitcointalk-87" />: | |||
* cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf | |||
* 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9 | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The amount lost is listed as being exactly 1454.015 bitcoin<ref name="bitcointalk-87" />. This was listed as being equivalent to $163,351 USD<ref name="bitcointalk-87" />. | |||
1454 BTC x $117.20 = $170408.8 | 1454 BTC x $117.20 = $170408.8 | ||
In addition to the lost bitcoin, there was also 225,263 terracoin and 23,400 litecoin which were taken in the incident<ref name="vircurexarchive-12744" />. | |||
A breakdown of the losses was provided in a report published by Vircurex<ref name="vircurexarchive-12744" />. | |||
{| class="wikitable" | |||
|+Table Breakdown Of Losses | |||
!Currency | |||
!Amount | |||
!Address | |||
!Transaction | |||
|- | |||
|BTC | |||
|706 | |||
|17gPdCyzEMRXdNTBpHrUhsM4FaiWMHhx2Q | |||
|cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf | |||
|- | |||
|BTC | |||
|748 | |||
|1PWQJu9AskoXEBYMod1KqPE6TTG4VYNz1P | |||
|85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9 | |||
|- | |||
|TRC | |||
|130,263 | |||
|1Mu1wbyfkcrRarPveiihy5iuceLGC91Z4T | |||
|33011a0e26fe1c3515c699eecdae9d7550218779ae72fe7af063fffc80361d64 | |||
|- | |||
|TRC | |||
|95,000 | |||
|1MeY3VVudFUV91gxVZsaY92TguRWy7eQbE | |||
|90239779a08243883f54bdb2503f4f40be2541487c2ef2383ef4d8277660e88b | |||
|- | |||
|LTC | |||
|23,400 | |||
|LV8VnCDYJzd3FYNwn6n3Kyi1i7PB2MvXPo | |||
|30231aee25900b9cb1fba16f1a8923a0cd866d60b01e542be1a4b26f92d9d10f | |||
|} | |||
The total amount lost has been estimated at $170,000 USD. | The total amount lost has been estimated at $170,000 USD. | ||
== Immediate Reactions == | == Immediate Reactions == | ||
"Initially, Vircurex operated normally despite the loss, though it no longer paid dividends to shareholders." | |||
Vircurex's initial report on the incident explained that the funds could be recovered from operating profits<ref name="vircurexarchive-12744" />.<blockquote>The loss of the funds will be recovered out of the monthly dividends. Dividends will be used to purchase back the missing funds in the coming months. Depending on the trading volume development this is expected to take 9 to 12 months.</blockquote>"In March 2014, due to strain caused by large withdrawals (in addition to a default by AurumXChange, a fiat processor Vircurex used), Vircurex froze large quantities of many currencies; however, it promises to pay these back eventually." | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
=== Addition of IP Whitelisting === | |||
After 3 user accounts reported being hacked, Vircurex added IP address whitelisting to their service, so users who logged in from a new IP address would have to confirm their IP address via email<ref name="vircurexarchive-12744" />. | |||
=== Inclusion In Lists === | |||
The breach was ultimately included in a list published by user dree12 on Bitcoin Talk<ref name="bitcointalk-87" />. | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
| Line 90: | Line 123: | ||
== References == | == References == | ||
<references><ref name="bitcointalk-87">[https://bitcointalk.org/index.php?topic=576337 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses] (Feb 15, 2020)</ref> | <references> | ||
<ref name="bitcointalk-87">[https://bitcointalk.org/index.php?topic=576337 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk] (Feb 15, 2020)</ref> | |||
<ref name="vircurexarchive-12744">[https://web.archive.org/web/20140323195916/https://vircurex.com/Reports/2013-05.pdf | <ref name="vircurexarchive-12744">[https://web.archive.org/web/20140323195916/https://vircurex.com/Reports/2013-05.pdf May 2013 Report - Vircurex Archive March 23rd, 2014 1:59:16 PM MDT] (Dec 12, 2023)</ref> | ||
</references> | |||
Revision as of 13:45, 2 April 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Vircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal appears to be very poorly implemented and lacked any indication of how the platform was going to prevent future hacks.
The country for this case study is not yet known.[1][2]
About Vircurex
Vircurex was a Beijing-based virtual currency exchange[3] which was operational since October 2011[3][4].
Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin[5]. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, however they've eliminated some less popular coins over time[3].
Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies[4].
The exchange offered deposits and withdrawals in both USD and EUR[5]. The homepage of the website featured pricing tables for all supported coins[5].
Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin
Homepage: vircurex.com[5]
The Reality
The Vircurex exchange had already been hacked once.
What Happened
"The hot wallet and “warm” wallet of Bitcoin to alternative cryptocurrency exchange service Vircurex was emptied in May 2013, resulting in a significant loss of three currencies: Bitcoin, Terracoin, and Litecoin."
| Date | Event | Description |
|---|---|---|
| May 10th, 2013 | Breach Date | Reported date of breach[6][7]. |
| June 5th, 2013 | Report Released | Vircurex releases a report covering the events of May, including the breach which happened[7]. |
| April 18th, 2014 7:56:22 PM MDT | Included In BitcoinTalk List | A subsequent Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12[6]. |
Technical Details
Based on an analysis report provided by Vircurex, the attack was a simple impersonation where the perpetrator claimed to be the exchange operator and requested a reset of the account credentials. In addition to resetting the servers, the root password was provided outside of the normal email address to be used and the attacker was able to circumvent an IP-based restriction on the account's control panel[7].
The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address (which has 2FA protection), also the security setup of allowing only our IP range to login to the management console was not working. It was an additional security feature the provider offered but was obviously circumvented by the attacker. As a result out of this incident we have moved all our services to a new provider who offers 2 factor authentication for all logins as well as other verification processes that we hope will make similar attempts impossible in the future.
Relevant blockchain transactions[6]:
- cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf
- 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9
Total Amount Lost
The amount lost is listed as being exactly 1454.015 bitcoin[6]. This was listed as being equivalent to $163,351 USD[6].
1454 BTC x $117.20 = $170408.8
In addition to the lost bitcoin, there was also 225,263 terracoin and 23,400 litecoin which were taken in the incident[7].
A breakdown of the losses was provided in a report published by Vircurex[7].
| Currency | Amount | Address | Transaction |
|---|---|---|---|
| BTC | 706 | 17gPdCyzEMRXdNTBpHrUhsM4FaiWMHhx2Q | cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf |
| BTC | 748 | 1PWQJu9AskoXEBYMod1KqPE6TTG4VYNz1P | 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9 |
| TRC | 130,263 | 1Mu1wbyfkcrRarPveiihy5iuceLGC91Z4T | 33011a0e26fe1c3515c699eecdae9d7550218779ae72fe7af063fffc80361d64 |
| TRC | 95,000 | 1MeY3VVudFUV91gxVZsaY92TguRWy7eQbE | 90239779a08243883f54bdb2503f4f40be2541487c2ef2383ef4d8277660e88b |
| LTC | 23,400 | LV8VnCDYJzd3FYNwn6n3Kyi1i7PB2MvXPo | 30231aee25900b9cb1fba16f1a8923a0cd866d60b01e542be1a4b26f92d9d10f |
The total amount lost has been estimated at $170,000 USD.
Immediate Reactions
"Initially, Vircurex operated normally despite the loss, though it no longer paid dividends to shareholders."
Vircurex's initial report on the incident explained that the funds could be recovered from operating profits[7].
The loss of the funds will be recovered out of the monthly dividends. Dividends will be used to purchase back the missing funds in the coming months. Depending on the trading volume development this is expected to take 9 to 12 months.
"In March 2014, due to strain caused by large withdrawals (in addition to a default by AurumXChange, a fiat processor Vircurex used), Vircurex froze large quantities of many currencies; however, it promises to pay these back eventually."
Ultimate Outcome
Addition of IP Whitelisting
After 3 user accounts reported being hacked, Vircurex added IP address whitelisting to their service, so users who logged in from a new IP address would have to confirm their IP address via email[7].
Inclusion In Lists
The breach was ultimately included in a list published by user dree12 on Bitcoin Talk[6].
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ https://blockchain.info/address/16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd
- ↑ https://vircurex.com/welcome/ann_reserved.html
- ↑ 3.0 3.1 3.2 Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT (Feb 29, 2020)
- ↑ 4.0 4.1 Vircurex Faces Class-Action Lawsuit - Finance Magnates (Jan 4, 2024)
- ↑ 5.0 5.1 5.2 5.3 Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT (Dec 11, 2023)
- ↑ 6.0 6.1 6.2 6.3 6.4 6.5 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
- ↑ 7.0 7.1 7.2 7.3 7.4 7.5 7.6 May 2013 Report - Vircurex Archive March 23rd, 2014 1:59:16 PM MDT (Dec 12, 2023)