Coinapult Hot Wallet Hack: Difference between revisions
(Another 30 minutes complete. Created a logo graphic. Populating in detailed about information on the service. Some on the notice which was placed on the website.) |
(Another 30 minutes. Integrated information from Reddit post and Bitcoin Wiki. Improved the wiki article summary and information on investment seed round. Started analysis of breach information as available in the Google Doc.) |
||
| Line 1: | Line 1: | ||
{{Case Study Under Construction}}[[File:Coinapult.jpg|thumb|Coinapult Logo/Homepage]] | {{Case Study Under Construction}}[[File:Coinapult.jpg|thumb|Coinapult Logo/Homepage]] | ||
Coinapult was a Panama-based wallet service. In March 2015, the service was breached and 150 bitcoin were stolen. The breach appears to have not affected any customer deposits, although the service level reported with the platform has subsequently declined. | |||
== About Coinapult == | == About Coinapult == | ||
Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. These features enable users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Additionally, Coinapult provided payment processing services for businesses, ensuring no fees, guaranteed pricing, and daily bank settlements<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref><ref name=":3">[https://bitcoinwiki.org/wiki/coinapult Coinapult - Bitcoin Wiki] (Accessed Mar 12, 2024)</ref>. 
Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref><ref name=":3">[https://bitcoinwiki.org/wiki/coinapult Coinapult - Bitcoin Wiki] (Accessed Mar 12, 2024)</ref>. These features enable users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Additionally, Coinapult provided payment processing services for businesses, ensuring no fees, guaranteed pricing, and daily bank settlements<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | ||
Locks, a feature offered by Coinapult, enables users to easily receive, save, and spend Bitcoin while mitigating price volatility<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>.<ref name=":1">[https://www.youtube.com/watch?v=AxriIkGaY60 Coinapult Locks - YouTube] (Accessed Feb 28, 2024)</ref> | Locks, a feature offered by Coinapult, enables users to easily receive, save, and spend Bitcoin while mitigating price volatility<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref><ref name=":3">[https://bitcoinwiki.org/wiki/coinapult Coinapult - Bitcoin Wiki] (Accessed Mar 12, 2024)</ref>. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. 
It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>.<ref name=":1">[https://www.youtube.com/watch?v=AxriIkGaY60 Coinapult Locks - YouTube] (Accessed Feb 28, 2024)</ref> | ||
Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | ||
== The Reality == | == The Reality == | ||
The Coinapult platform was vulnerable. | |||
== What Happened == | == What Happened == | ||
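Review bot: The added line "The Coinapult platform was vulnerable." under "== The Reality ==" has no citation and does not say what was vulnerable, while the homepage notice quoted later in this revision says the method of attack was still under investigation. Suggest limiting it to what the sources support, for example that the hot wallet was breached and 150 BTC were withdrawn, citing the ":2" reference. Separately, the new <ref name=":3"> is written out in full at each of its three uses in this hunk; define it once and reuse it as <ref name=":3" />, the way the timeline rows already reuse ":1" and ":2".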
| Line 35: | Line 24: | ||
|Locks Video Promotion | |Locks Video Promotion | ||
|A video is put on YouTube to announce the Coinapult locks program<ref name=":1" />. | |A video is put on YouTube to announce the Coinapult locks program<ref name=":1" />. | ||
|- | |||
|September 30th, 2014 | |||
|Seed Investment Round | |||
|A seed investment round is conducted, with investors including "Bitcoin Opportunity Corp, Roger Ver, FirstMark Capital, Erik Voorhees, and Ira Miller"<ref name=":3" />. | |||
|- | |- | ||
|March 17th, 2015 11:55:00 AM MDT | |March 17th, 2015 11:55:00 AM MDT | ||
| Line 43: | Line 36: | ||
|Coinapult Website Notice Captured | |Coinapult Website Notice Captured | ||
|The first time that the Coinapult homepage is captured with a notice placed for users. Coinapult notifies users they are currently investigating a security breach of the hot wallet and advises customers to refrain from sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses<ref name=":2" />. Updates on the situation will be provided as they become available<ref name=":2" />. The company has contained the situation, ensuring the safety of all funds except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and until the attack vector is identified and patched, Coinapult will not re-enable its services<ref name=":2" />. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers<ref name=":2" />. | |The first time that the Coinapult homepage is captured with a notice placed for users. Coinapult notifies users they are currently investigating a security breach of the hot wallet and advises customers to refrain from sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses<ref name=":2" />. Updates on the situation will be provided as they become available<ref name=":2" />. The company has contained the situation, ensuring the safety of all funds except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and until the attack vector is identified and patched, Coinapult will not re-enable its services<ref name=":2" />. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers<ref name=":2" />. | ||
|- | |||
|November 13th, 2017 5:58:22 PM MST | |||
|Challenges Getting Out Funds | |||
|Reddit user ChrissMejia reports being a former employee of Coinapult and still having trouble getting their funds out of the exchange<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. They reminisce about their positive experiences working at Coinapult in 2014 under CEO Ira Miller, praising the company, the team, and their software contributions<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. However, they express disappointment with the company's subsequent changes, particularly after Ira's departure, leading them to move their coins to another platform<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. They recount difficulties in accessing their account due to being locked out and facing challenges with account recovery<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. Despite being a former employee, they feel ignored by Coinapult's support team, leading them to warn others to transfer their coins away from Coinapult promptly<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. The update mentions the eventual return of their coins, albeit belatedly, expressing gratitude to Coinapult while highlighting the prolonged wait. 
Subsequent comments in the post echo similar experiences and concerns about Coinapult's decline in service quality<ref name=":4">[https://old.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/ ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit] (Accessed Mar 12, 2024)</ref>. | |||
|} | |} | ||
== Technical Details == | == Technical Details == | ||
On March 17, 2015, an unauthorized withdrawal of 150 BTC occurred from Coinapult's hot wallet, with no subsequent spending recorded. The incident involved individuals from Coinapult's team with various levels of access to servers, including CEO Ira, IT Admin Zach, CTO GP, Developer Cindy, COO Justin, and Customer Service Robinson<ref name=":5">[https://web.archive.org/web/20170905192246/https://docs.google.com/document/d/1_xxKLUVvEcen6XI7DsUzLtv2_C8oQ8JzAwlsNOMnapg/pub March 17 2015 Incidence Report - Google Doc Archive September 5th, 2017 1:22:46 PM MDT] (Accessed Mar 12, 2024)</ref>. Investigations revealed suspicious activities on the finance server, including modifications to log files and unusual network behavior on Zach's laptop, potentially indicating a man-in-the-middle attack. Furthermore, an outage at the data center and plans to transition IT services may have been related to the incident's timing. Clues from the finance, API, and SaaS servers, alongside an objective timeline, provided insights into the attack's execution. Robinson's account corroborated the timeline, indicating early detection of anomalies. Next steps involved forensic analysis of hardware and data recovery efforts. Additionally, updates clarified unrelated issues, such as Zach's IP address discrepancy. Plans included requesting access logs and surveillance footage from the data center to gather more information about the outage<ref name=":5">[https://web.archive.org/web/20170905192246/https://docs.google.com/document/d/1_xxKLUVvEcen6XI7DsUzLtv2_C8oQ8JzAwlsNOMnapg/pub March 17 2015 Incidence Report - Google Doc Archive September 5th, 2017 1:22:46 PM MDT] (Accessed Mar 12, 2024)</ref>. | |||
== Total Amount Lost == | == Total Amount Lost == | ||
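Review bot: In the new Technical Details paragraph, "The incident involved individuals from Coinapult's team with various levels of access to servers" reads as if the named staff took part in the withdrawal, and nothing else in the paragraph supports that. If the incident report only lists who held server access, say so, for example "The incident report lists the team members who held server access at the time". The sentences on the modified log files, the data center outage and the next steps sit between the two ":5" citations with none of their own, and "with no subsequent spending recorded" needs an as-of date.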
| Line 59: | Line 56: | ||
“Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.” | “Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.” | ||
Coinapult updated their homepage to provide high level information about the breach and reassure users that their funds were safe<ref name=":2" />.<blockquote>To summarize, Coinapult has the situation contained and all funds (minus the 150 BTC withdrawn last night) are safe. Investigations are ongoing to determine the method of attack. Until we are able to determine and patch the attack vector, we will not re-enable our services. If this takes more than a few days, we will refund customers manually.</blockquote> | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
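Review bot: The added blockquote says "withdrawn last night", which is relative, and the lead-in sentence gives no date for the notice, so a reader cannot tell which night is meant. Add the capture date of the archived homepage cited by ":2" to the lead-in. The Justin Blincoe quotation on the line above the addition is in quotation marks but has no <ref>; it needs a source before the section relies on it for "no customer funds were affected".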
Revision as of 15:56, 12 March 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Coinapult was a Panama-based wallet service. In March 2015, the service was breached and 150 bitcoin were stolen. The breach appears to have not affected any customer deposits, although the service level reported with the platform has subsequently declined.
About Coinapult
Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike[1][2]. Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS[1][2]. These features enabled users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages[1]. Additionally, Coinapult provided payment processing services for businesses, ensuring no fees, guaranteed pricing, and daily bank settlements[1]. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees[1].
Locks, a feature offered by Coinapult, enabled users to easily receive, save, and spend Bitcoin while mitigating price volatility[1][2]. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price[1]. It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users[1].[3]
Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments[1]. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features[1]. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins[1].
The Reality
The Coinapult platform was vulnerable.
What Happened
| Date | Event | Description |
|---|---|---|
| July 18th, 2014 5:29:41 PM MDT | Locks Video Promotion | A video is put on YouTube to announce the Coinapult locks program[3]. |
| September 30th, 2014 | Seed Investment Round | A seed investment round is conducted, with investors including "Bitcoin Opportunity Corp, Roger Ver, FirstMark Capital, Erik Voorhees, and Ira Miller"[2]. |
| March 17th, 2015 11:55:00 AM MDT | Coinapult Under Maintenance | The Coinapult website is placed under maintenance, according to their homepage[4]. |
| March 19th, 2015 3:01:58 AM MDT | Coinapult Website Notice Captured | The first time that the Coinapult homepage is captured with a notice placed for users. Coinapult notifies users they are currently investigating a security breach of the hot wallet and advises customers to refrain from sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses[4]. Updates on the situation will be provided as they become available[4]. The company has contained the situation, ensuring the safety of all funds except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and until the attack vector is identified and patched, Coinapult will not re-enable its services[4]. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers[4]. |
| November 13th, 2017 5:58:22 PM MST | Challenges Getting Out Funds | Reddit user ChrissMejia reports being a former employee of Coinapult and still having trouble getting their funds out of the exchange[5]. They reminisce about their positive experiences working at Coinapult in 2014 under CEO Ira Miller, praising the company, the team, and their software contributions[5]. However, they express disappointment with the company's subsequent changes, particularly after Ira's departure, leading them to move their coins to another platform[5]. They recount difficulties in accessing their account due to being locked out and facing challenges with account recovery[5]. Despite being a former employee, they feel ignored by Coinapult's support team, leading them to warn others to transfer their coins away from Coinapult promptly[5]. An update to the post mentions that their coins were eventually returned, albeit belatedly, and expresses gratitude to Coinapult while highlighting the prolonged wait. Subsequent comments on the post echo similar experiences and concerns about Coinapult's decline in service quality[5]. |
Technical Details
On March 17, 2015, an unauthorized withdrawal of 150 BTC occurred from Coinapult's hot wallet, with no subsequent spending recorded. The incident involved individuals from Coinapult's team with various levels of access to servers, including CEO Ira, IT Admin Zach, CTO GP, Developer Cindy, COO Justin, and Customer Service Robinson[6]. Investigations revealed suspicious activities on the finance server, including modifications to log files and unusual network behavior on Zach's laptop, potentially indicating a man-in-the-middle attack. Furthermore, an outage at the data center and plans to transition IT services may have been related to the incident's timing. Clues from the finance, API, and SaaS servers, alongside an objective timeline, provided insights into the attack's execution. Robinson's account corroborated the timeline, indicating early detection of anomalies. Next steps involved forensic analysis of hardware and data recovery efforts. Additionally, updates clarified unrelated issues, such as Zach's IP address discrepancy. Plans included requesting access logs and surveillance footage from the data center to gather more information about the outage[6].
Total Amount Lost
According to the homepage notice, the total loss is 150 bitcoin[4].
The total amount lost has been estimated at $43,000 USD.
Immediate Reactions
“Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.”
Coinapult updated their homepage to provide high-level information about the breach and reassure users that their funds were safe[4].
To summarize, Coinapult has the situation contained and all funds (minus the 150 BTC withdrawn last night) are safe. Investigations are ongoing to determine the method of attack. Until we are able to determine and patch the attack vector, we will not re-enable our services. If this takes more than a few days, we will refund customers manually.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Coming soon.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST (Accessed Feb 28, 2024)
- [2] Coinapult - Bitcoin Wiki (Accessed Mar 12, 2024)
- [3] Coinapult Locks - YouTube (Accessed Feb 28, 2024)
- [4] Coinapult Homepage Archive March 19th, 2015 3:01:58 AM MDT (Accessed Feb 28, 2024)
- [5] ChrissMejia - Why I don't trust Coinapult? (From ex employee) - Reddit (Accessed Mar 12, 2024)
- [6] March 17 2015 Incidence Report - Google Doc Archive September 5th, 2017 1:22:46 PM MDT (Accessed Mar 12, 2024)