Token Tax API Key Breach SPT0615-JD

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 23:17, 15 June 2023 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/tokentaxapikeybreachspt0615jd.php}} {{Unattributed Sources}} thumb|Token Tax HomepageReddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Token Tax Homepage

Reddit user SPT0615-JD accidentally provided his token tax software with a full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount lost are mentioned. It does not appear he was able to recover any funds.

This exchange or platform is based in United States, or the incident targeted people primarily in United States.[1][2][3][4][5][6][7][8]

About Token Tax

"TokenTax’s first version was created by co-founder Alex Miles back in 2017. This initial product imported data directly from Coinbase, and it won the Product Hunt Global Hackathon. Soon after, co-founder Zac McClure joined. Before starting TokenTax, Alex worked as a product designer for Readmill and Dropbox. Zac worked in impact capital, nonprofit corporate and legal structuring, investment banking, and as a mathematics teacher.

In 2019, TokenTax acquired Crypto CPAs, a cryptocurrency tax accounting firm led by CPA Andrew Perlin.

Now, TokenTax calculates cryptocurrency taxes and provides tax and accounting services for thousands of crypto investors around the world."

"Crypto taxes can be complex. But they don’t have to be painful. We‘re crypto tax calculation software, but we’re also a full-service crypto tax accounting firm."

"Crypto tax software + Crypto tax experts. When technology and human expertise combine, even the most sophisticated crypto tax cases can be stress free."

"People don’t love taxes. But they do love us."

"Big or small, we’ve seen it all. Our team has the experience to support every exchange or wallet and tackle crypto tax situations that range from HODLers to hedge funds."

"We offer advanced cryptocurrency reconciliation services. That means we can analyze your transaction history to backfill missing or incorrect data."

"I recently got hacked through my exchange API key linked to a popular tax service, all my funds were drained overnight. I somehow had transfers enabled on the API key which was my goof, but the fact of the matter is that the tax service seems to have lost control over their API keys or it was an inside job.

The API key had been copied from exchange and pasted into tax service on a clean corporate computer, and was never documented anywhere else. The exchange account was also highly secure (google auth, unique and regularly rolled password, clean devices), and there is no chance this was an issue with the exchange itself. This was a 100% verifiable loss of funds due to a compromised API key deriving from the tax service itself, whether through an inside job or through a leak.

I'm trying to connect with other victims as we may have stronger possibility of winning a case against the service if we can work together. There is strong evidence of another affected user. Please DM or comment if you were affected!! Even folks with read only keys may also be at risk of their data leaking from this site if this is confirmed.

Thanks for reading, also please don't disparage me for having the wrong permissions enabled in the first place, I know I already done goofed and I feel terrible about it.

Ps: I'm not naming the tax service for now as there is no reason to yet and I don't want to get hit with a stupid libel suit in the meantime."

"Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake."

"Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely.

Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account."

"The CEO asked me to call him directly and was extremally dismissive and refuses to commit to investigating anything. He made claims that they "prevent API keys with the wrong permissions from being added in the first place", which isn't true. All he would say is "we haven't seen anyone access your key or anything else". It really feels like he isn't taking it seriously that this has wide implications to his overall customer base."

This exchange or platform is based in United States, or the incident targeted people primarily in United States.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Token Tax API Key Breach SPT0615-JD
Date Event Description
January 12th, 2022 5:19:16 PM MST Reddit Post Situation is posted on Reddit.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Tradegrow comments on [deleted by user] (Oct 3, 2022)
  2. [deleted by user] : CryptoCurrency (May 29, 2023)
  3. Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. : CryptoCurrency (May 29, 2023)
  4. SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. (May 29, 2023)
  5. SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. (May 29, 2023)
  6. SPT0615-JD comments on Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. (May 29, 2023)
  7. TokenTax | Crypto Tax Software and Accounting (Jun 1, 2023)
  8. About Us - TokenTax (Jun 1, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Token_Tax_API_Key_Breach_SPT0615-JD&oldid=4614"