Vircurex Second Exchange Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:11, 1 May 2024 by Azoundria (talk | contribs) (30 minutes. Adding a promotion to Twitter.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Vircurex Homepage/Logo

Vircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal suffered from implementation weaknesses and lacked any indication of how the platform was going to prevent future hacks.

About Vircurex

Vircurex was widely believed to be a Beijing-based virtual currency exchange[1][2], however they were actually based in Germany[2]. The exchange was operational since October 2011[1][3].

The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, terracoin[4], and up to 12 other cryptocurrencies[1]. The Vircurex platform offered deposits and withdrawals in both USD and EUR[1][4].

Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies[3].

The homepage of the website featured pricing tables for all supported coins[4]. They eliminated some less popular coins as time progressed[1].

Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin

Homepage: vircurex.com[4]

The Reality

The Vircurex exchange had already been hacked once. The exchange had also lied about where they were based.

What Happened

"The hot wallet and “warm” wallet of Bitcoin to alternative cryptocurrency exchange service Vircurex was emptied in May 2013, resulting in a significant loss of three currencies: Bitcoin, Terracoin, and Litecoin."

Key Event Timeline - Vircurex Second Exchange Hack
Date Event Description
May 10th, 2013 2:52:27 AM MDT First Terracoin Transaction The first transaction takes exactly 95,000 Terracoin (TRC) from the Bitcoinica hot wallets[5].
May 10th, 2013 3:55:41 AM MDT Second Terracoin Transaction The second transaction takes another 130,263 Terracoin (TRC) from the Bitcoinica hot wallets[6].
May 10th, 2013 7:31:19 AM MDT First Bitcoin Transaction The first bitcoin blockchain transaction sends 706.01021412 BTC from the Bitcoinica hot wallets[7].
May 10th, 2013 7:53:49 AM MDT Litecoin Theft Transaction The only litecoin blockchain transaction sends 23,400 LTC from one of the Bitcoinica wallets to the hacker[8].
May 10th, 2013 8:40:25 AM MDT Second Bitcoin Transaction A second bitcoin blockchain transaction sends a further 748.01217755 BTC from the Bitcoinica hot wallets[9].
May 10th, 2013 Breach Date Reported date of breach[10][11].
June 5th, 2013 Report Released Vircurex releases a report covering the events of May, including the breach which happened[11].
March 23rd, 2014 1:55:52 PM MDT Homepage Distribution Announcement The Vircurex homepage warns users that due to recent large fund withdrawals depleting their cold wallet balance, the exchange has announced the immediate suspension of BTC, LTC, FTC, and TRC withdrawals and deposits[12]. On March 24, 2014, they plan to freeze current account balances and redistribute available coins, deleting open sell orders for the affected cryptocurrencies[12]. Two previous incidents led to significant losses, which were covered by the exchange's income[12]. However, recent withdrawals exhausted their cold wallet balance, prompting the introduction of "Frozen Funds." These funds will gradually be repaid to users from the exchange's profits[12]. Distribution logic entails allocating 50% of available funds from largest to smallest accounts and the remaining 50% from smallest to largest accounts[12]. This approach aims to ensure all users eventually receive their funds without penalizing new deposits or users[12].
March 25th, 2014 2:36:39 PM MDT Update To Homepage An update is provided on the homepage with the number of accounts remaining[13]. There are 355 bitcoin accounts, 1,563 litecoin accounts, 77 TRC accounts, and 42 FTC accounts which are still outstanding to be reimbursed[13]. TBD keep exploring homepage[14].
April 18th, 2014 7:56:22 PM MDT Included In BitcoinTalk List A subsequent Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12[10].
January 12th, 2018 11:00:00 AM MST Lawsuit Against Vircurex Operators CoinDesk reports that former customers of the cryptocurrency exchange Vircurex are suing the platform four years after it froze their funds and allegedly failed to repay them[2]. Filed in the U.S. District Court in Colorado, the lawsuit accuses Vircurex of breach of contract, conversion of funds, fraud, and unjust enrichment[2]. It details how only a few account holders received their funds after the exchange froze withdrawals due to claimed lack of reserves, leaving $50 million in frozen accounts[2]. Despite allowing fund deposits over the past four years and still operating, Vircurex allegedly has not fully refunded its customers[2]. The lawsuit also accuses Vircurex of making deceptive statements and false promises to delay customer lawsuits, including falsely claiming incorporation in Belize and potential headquarters in Beijing when it's actually based in Germany[2]. The lawsuit names Vircurex's operators, Andreas Eckert and an unidentified individual, as defendants[2]. Requests for comment from the plaintiff's lawyers and Vircurex were not immediately answered[2].
July 19th, 2018 1:46:00 PM MDT Requested Class Certification A request is filed with the Colorado court for class certification to turn the lawsuit into a class action claim[15].
February 21st, 2019 4:36:00 PM MST Lawsuit Dismissed Based On Jurisdiction The lawsuit was ultimately dismissed by the judge on the basis that the Vircurex exchange had limited ties to the state of Colorado, where it was filed[16].

Technical Details

Based on an analysis report provided by Vircurex, the attack was a simple impersonation where the perpetrator claimed to be the exchange operator and requested a reset of the account credentials[11]. In addition to resetting the servers, the root password was provided outside of the normal email address to be used and the attacker was able to circumvent an IP-based restriction on the account's control panel[11].

The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address (which has 2FA protection), also the security setup of allowing only our IP range to login to the management console was not working. It was an additional security feature the provider offered but was obviously circumvented by the attacker. As a result out of this incident we have moved all our services to a new provider who offers 2 factor authentication for all logins as well as other verification processes that we hope will make similar attempts impossible in the future.

Relevant blockchain transactions[10]:

  • cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf
  • 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9

Relevant bitcoin addresses:[17]

Total Amount Lost

The amount lost is listed as being exactly 1454.015 bitcoin[10]. This was listed as being equivalent to $163,351 USD[10].

1454 BTC x $117.20 = $170408.8

In addition to the lost bitcoin, there was also 225,263 terracoin and 23,400 litecoin which were taken in the incident[11].

A breakdown of the losses was provided in a report published by Vircurex[11].

Table Of Loss Transactions
Currency Amount Address Transaction
BTC[7] 706.01021412 17gPdCyzEMRXdNTBpHrUhsM4FaiWMHhx2Q cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf
BTC[9] 748.01217755 1PWQJu9AskoXEBYMod1KqPE6TTG4VYNz1P 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9
TRC[5] 95,000 1MeY3VVudFUV91gxVZsaY92TguRWy7eQbE 90239779a08243883f54bdb2503f4f40be2541487c2ef2383ef4d8277660e88b
TRC[6] 130,263 1Mu1wbyfkcrRarPveiihy5iuceLGC91Z4T 33011a0e26fe1c3515c699eecdae9d7550218779ae72fe7af063fffc80361d64
LTC[8] 23,400 LV8VnCDYJzd3FYNwn6n3Kyi1i7PB2MvXPo 30231aee25900b9cb1fba16f1a8923a0cd866d60b01e542be1a4b26f92d9d10f
Table Of Total Losses
Currency Amount Lost Market Price Total Value
Bitcoin (BTC) 1454.02239167 $117.20[18] $170,411.42
Terracoin (TRC) 225263.00000000 $0.400200[19] $90,150.25
Litecoin (LTC) 23400.00000000 $3.4433[20] $80,573.22
Total All Coins $341,134.89

The total amount lost has been estimated at $341,000 USD.

Immediate Reactions

"Initially, Vircurex operated normally despite the loss, though it no longer paid dividends to shareholders."

Initial Reports On The Incident

Vircurex's initial report on the incident explained that the funds could be recovered from operating profits[11].

The loss of the funds will be recovered out of the monthly dividends. Dividends will be used to purchase back the missing funds in the coming months. Depending on the trading volume development this is expected to take 9 to 12 months.

"In March 2014, due to strain caused by large withdrawals (in addition to a default by AurumXChange, a fiat processor Vircurex used), Vircurex froze large quantities of many currencies; however, it promises to pay these back eventually."

Ultimate Outcome

Addition of IP Whitelisting

After 3 user accounts reported being hacked, Vircurex added IP address whitelisting to their service, so users who logged in from a new IP address would have to confirm their IP address via email[11].

Frozen Fund Scheme Implementation

Due to recent large fund withdrawals depleting their cold wallet balance, Vircurex announced on their homepage the immediate suspension of BTC, LTC, FTC, and TRC withdrawals and deposits[12]. Two previous incidents led to significant losses, which were covered by the exchange's income[12]. However, recent withdrawals exhausted their cold wallet balance, prompting the introduction of "Frozen Funds." These funds will gradually be repaid to users from the exchange's profits. Distribution logic entails allocating 50% of available funds from largest to smallest accounts and the remaining 50% from smallest to largest accounts[12]. This approach aims to ensure all users eventually receive their funds without penalizing new deposits or users[12].

Lawsuit In Colorado State

With an anonymous exchange operator, once the hacks occurred, neither hack was revealed until far later. The exchange had also lied about where they were based[2].

A lawsuit was filed against the operators of the Vircurex exchange in the state of Colorado[2], however this was dismissed as the exchange operators have limited ties to Colorado[16].

Inclusion In Lists

The breach was ultimately included in a list published by user dree12 on Bitcoin Talk[10].

Total Amount Recovered

Vircurex planned to implement a recovery process which would provide users with "frozen fund" account balances and repay those users over time from the exchange profits. They would distribute 50% of profits to the accounts with the largest balance of lost funds, and 50% of profits to the accounts with the smallest balance of lost funds. While such an idea may have been better for affected users than an outright platform collapse, this scheme was inadequate because:

  • The primary issue of preventing future exchange breaches was not mentioned anywhere. Thus, users had no assurances against not losing additional funds or that they would ultimately be repaid.
  • The scheme was implemented too late, with the full balances of users being frozen instead of a partial freeze which could be beneficial to allow users access to some of their funds.
  • There was no reimbursement provided for users who were not at either end of the list. This prevented those users from participating in trading and generating any platform profit.
  • Once users were fully reimbursed, they had no incentive to remain using the platform or engaged in the recovery of others. As such, the largest traders and a large number of small traders could leave the platform quickly. By contrast, a scheme which distributed less to more users could keep more users engaged for longer.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

There may be future legal action taken against the operators of the Vircurex exchange[2], given that the initial suite in the state of Colorado was dismissed[16].

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 1.3 1.4 Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT (Feb 29, 2020)
  2. 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 Former Customers Sue Crypto Exchange Vircurex Over Frozen Funds - CoinDesk (Accessed Apr 18, 2024)
  3. 3.0 3.1 Vircurex Faces Class-Action Lawsuit - Finance Magnates (Jan 4, 2024)
  4. 4.0 4.1 4.2 4.3 Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT (Dec 11, 2023)
  5. 5.0 5.1 Theft Transaction For 95,000 TRC - Cryptoid (Accessed Apr 17, 2024)
  6. 6.0 6.1 Theft Transaction For 130,263 TRC - Cryptoid (Accessed Apr 17, 2024)
  7. 7.0 7.1 Theft Transaction For 706.01021412 BTC - Blockchain.com (Accessed Apr 17, 2024)
  8. 8.0 8.1 Theft Transaction Of 23,400 LTC - Blockchair.com (Accessed Apr 18, 2024)
  9. 9.0 9.1 Theft Transaction For 748.01217755 BTC - Blockchain.com (Accessed Apr 17, 2024)
  10. 10.0 10.1 10.2 10.3 10.4 10.5 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
  11. 11.0 11.1 11.2 11.3 11.4 11.5 11.6 11.7 May 2013 Report - Vircurex Archive March 23rd, 2014 1:59:16 PM MDT (Dec 12, 2023)
  12. 12.0 12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.8 12.9 Vircurex Homepage Archive March 23rd, 2014 1:55:52 PM MDT (Accessed Apr 9, 2024)
  13. 13.0 13.1 Vircurex Homepage Archive March 25th, 2014 2:36:39 PM MDT (Accessed Apr 9, 2024)
  14. https://web.archive.org/web/20140715000000*/https://vircurex.com/welcome/ann_reserved.html
  15. Virtual Coin Owners Seek Cert. Against Currency Exchange - Law360 (Accessed Apr 18, 2024)
  16. 16.0 16.1 16.2 Virtual Coin Owners' Suit Against Currency Exchange Tossed - Law360 (Accessed Apr 18, 2024)
  17. Bitcoin Address 16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd - Blockchain.info
  18. Bitcoin Historic Price Data - CoinMarketCap (Accessed Apr 17, 2024)
  19. Terracoin - CoinGecko (Accessed Apr 17, 2024)
  20. Litecoin Historic Price Data - CoinMarketCap (Accessed Apr 18, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Vircurex_Second_Exchange_Hack&oldid=5734"