CryptoRush Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The primary issue here appears to be numerous exploits in the various altcoin withdrawal processes, which CryptoRush handled through hot wallets. This seems to stem from the service being coded in a "rush", with only a few months of development.
This exchange or platform is based in the United States, or the incident targeted people primarily in the United States.[1][2][3][4][5]
About CryptoRush
While CryptoRush used a .in extension[6] which is the country code of India, the exchange was actually based in the United States. CryptoRush appears to favour small alternate currencies, and was aiming to be a top cryptocurrency exchange[7]. Kristian (Devianttwo) founded the platform, while the other team members were reportedly named Matt and Chris, and they reportedly joined after beta[7].
Crypto Rush strives to help give all coins a chance. We aim to be at the top of the crypto currency exchanges as we grow, we offer low fees compared to other exchanges. We also want to give new coins a chance and have a low cost system to help get coins in. When a coin goes down, users will be automatically alerted via twitter and e-mail and the markets suspended to secure your coins! Thank you for using Crypto Rush!
Crypto Rush, started by the owner Kristian in 2014, was originally to be just one market. But soon evolved into more, and even more. Matt joined the team fairly soon into development as co-owner; within a fortnight the basis was written from the ground up with security in mind.
When beta launched, Chris joined the team and helped increase productivity with his skillset.
A Frequently Asked Questions (FAQ) page lists the coins supported on the platform, giving users an overview of the cryptocurrencies available for trading[8]. It clarifies the fees charged by Crypto Rush, including buying and selling fees, withdrawal fees, and fees for accepting new coins, aiming to offer competitive rates and superior service[8]. Transactions on CryptoRush were all peer to peer[8]. Purchasing coins directly from Crypto Rush was not available at the time, but was planned for the future[8]. Users are assured about the safety of their coins, with the FAQ describing the platform's security measures and separate storage for wallets[8].
Devianttwo
Devianttwo is the founder of CryptoRush, named Kristian[7].
DogeyMcDoge
One member of the CryptoRush support team goes by the nickname DogeyMcDoge[9]. They started to work for CryptoRush in late February of 2014[9].
The Reality
Using any third party platform involves a high degree of risk. In this case, there was a critical vulnerability in the BlackCoin client where each user was given a daemon account and the balance was calculated incorrectly[12]. Additional signs of limited experience were visible from the FAQ page of CryptoRush.in itself[8].
Negative Balance Concern
For discrepancies in order fulfillment, users are encouraged to contact support for investigation and can review their transaction history for clarity[8]. The FAQ covers negative balances appearing after an order is placed, attributing them to rounding errors and assuring users that they usually resolve automatically within 30 minutes[8]. Negative balances that had not been corrected point to a weakness in the platform's accounting, and a rounding defect of this kind could become a more serious vulnerability if repeatedly exploited[8].
Email Address Security Theater
A FAQ entry mentioned that using email addresses was more secure than using usernames[8]. It is not clear why this would be the case: many account compromises start from the user's email address, and account-recovery attacks often hinge on gaining access to recovery channels such as the email address. For users who reuse passwords, breached username/password pairs are likely to be about as common as breached email/password pairs. The only case where an email login would help is if usernames were publicly visible on the platform itself, telling an attacker which username to target; however, most exchange platforms do not identify the counterparties to a trade.
Trade Engine Limitations
The FAQ page explains the trading engine's limitations, such as the trade rate matching and order fulfillment process, while offering guidance on resolving balance discrepancies caused by sync issues[8].
Each Coin Adds Attack Surface
A big part of CryptoRush was the support for a wide range of coins[6]. Every coin supported increases the attack surface against a platform, since an issue in one coin could inflate the user's balance and allow them to trade against other coins.
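The two weaknesses described above, rounding errors that leave balances negative and a single faulty coin daemon inflating a balance that can then be traded against sound coins, are both caught by the same defensive control: keep balances as integers in the coin's smallest unit, and reconcile each coin's summed user balances against what its daemon reports the hot wallet holds before any trade or withdrawal in that coin is executed. The following is an added example written for this page; it is not CryptoRush's code, and the ledger API, the coin "XYZ", the user names and the amounts are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

BASE_UNITS = 10 ** 8  # smallest unit per whole coin (the satoshi convention)


def to_units(amount: str) -> int:
    """Parse a decimal string into integer base units without passing through float."""
    return int((Decimal(amount) * BASE_UNITS).quantize(Decimal(1), rounding=ROUND_DOWN))


class Ledger:
    """Hypothetical internal exchange ledger: balances[coin][user] in integer base units."""

    def __init__(self) -> None:
        self.balances = defaultdict(lambda: defaultdict(int))

    def credit(self, coin: str, user: str, units: int) -> None:
        self.balances[coin][user] += units

    def debit(self, coin: str, user: str, units: int) -> None:
        # Refuse the debit rather than let a balance go negative.
        if units > self.balances[coin][user]:
            raise ValueError(f"insufficient {coin} balance for {user}")
        self.balances[coin][user] -= units

    def liabilities(self, coin: str) -> int:
        return sum(self.balances[coin].values())


def reconcile(ledger: Ledger, daemon_balances: dict) -> dict:
    """Per-coin shortfall: what users are owed minus what the coin daemon reports as held.
    Any coin with a shortfall has been over-credited somewhere and must be frozen."""
    shortfalls = {}
    for coin in set(ledger.balances) | set(daemon_balances):
        owed = ledger.liabilities(coin)
        held = daemon_balances.get(coin, 0)
        if owed > held:
            shortfalls[coin] = owed - held
    return shortfalls


def execute_trade(ledger, daemon_balances, seller, buyer,
                  sell_coin, sell_units, pay_coin, pay_units) -> bool:
    """Match a trade only if both coins reconcile, so an inflated balance in one
    broken coin cannot be converted into a sound coin such as BTC."""
    frozen = reconcile(ledger, daemon_balances)
    if sell_coin in frozen or pay_coin in frozen:
        return False
    ledger.debit(sell_coin, seller, sell_units)
    ledger.credit(sell_coin, buyer, sell_units)
    ledger.debit(pay_coin, buyer, pay_units)
    ledger.credit(pay_coin, seller, pay_units)
    return True


def withdrawal_allowed(ledger, daemon_balances, coin, user, units) -> bool:
    """Gate every hot-wallet withdrawal on the user's own balance and on the coin reconciling."""
    if units > ledger.balances[coin][user]:
        return False
    return coin not in reconcile(ledger, daemon_balances)


def float_rounding_negative() -> float:
    """Float bookkeeping: a 0.3 balance minus three 0.1 sells ends slightly negative."""
    balance = 0.3
    for _ in range(3):
        balance -= 0.1
    return balance


def integer_rounding_exact() -> int:
    """The same sequence in integer base units lands on exactly zero."""
    balance = to_units("0.3")
    for _ in range(3):
        balance -= to_units("0.1")
    return balance


def scenario() -> dict:
    """Constructed scenario: the XYZ daemon sees one 100 XYZ deposit twice and credits
    it twice, so the ledger owes 200 XYZ while the hot wallet holds 100 XYZ."""
    ledger = Ledger()
    ledger.credit("BTC", "alice", to_units("1.0"))
    ledger.credit("BTC", "bob", to_units("0.5"))
    ledger.credit("XYZ", "mallory", to_units("200"))  # double-credited deposit
    daemon = {"BTC": to_units("1.5"), "XYZ": to_units("100")}  # constructed daemon readings
    # mallory tries to sell the phantom XYZ to alice for 0.2 BTC.
    traded = execute_trade(ledger, daemon, "mallory", "alice",
                           "XYZ", to_units("100"), "BTC", to_units("0.2"))
    return {
        "shortfalls": reconcile(ledger, daemon),
        "trade_executed": traded,
        "mallory_btc": ledger.balances["BTC"]["mallory"],
        "xyz_withdrawal_ok": withdrawal_allowed(ledger, daemon, "XYZ", "mallory", to_units("100")),
    }
```

The reconciliation runs against the daemon's reported balance rather than the exchange's own deposit records, because the point of the check is to detect the case where those records and reality have diverged. Freezing trading in the affected coin, not just withdrawals of it, is what stops an inflated altcoin balance from being cashed out as BTC or LTC, which is the cross-coin path the page describes.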
What Happened
The CryptoRush platform was exploited, with the attacker managing to withdraw 950 BTC and 2500 LTC.
| Date | Event | Description |
|---|---|---|
| February 26th, 2014 6:22:00 PM MST | BlackCoin Trading Pairs Added | The BlackCoin trading pairs are added to the CryptoRush website[13]. It can be traded against bitcoin, litecoin, potcoin, and teacoin[13]. |
| March 11th, 2014 | Date Widely Cited | According to DogeyMcDoge, this is the date when he was notified by Devianttwo that "something bad" had happened and brought into a Skype call where the hack was revealed[9]. This date is widely cited as the date of the incident by sources including Kyle Gibson[1]. |
| March 24th, 2014 8:30 AM MDT | Emergency Call | DogeyMcDoge reportedly calls Devianttwo on the emergency phone number and is told that he wasn't going to be able to fix the problems at the moment[9]. |
| March 25th, 2014 3:58:02 AM MDT | Chat Log Uploaded To PasteBin | A chat log of the discussion with BlackCoin developer rat4 is shared to PasteBin[12]. |
| March 25th, 2014 11:21:03 PM MDT | Information Leak To PasteBin | The information leak is uploaded to PasteBin[9]. |
| March 26th, 2014 5:02:01 AM MDT | Insider Information Leak | A CCN article sheds visibility into the lack of funds in the CryptoRush exchange platform[14]. A support worker at CryptoRush, named DogeyMcDoge, has leaked inside information regarding the exchange's troubles. This leak sheds light on the challenges faced by CryptoRush in the past month, including two hacking incidents and unorthodox methods to recover losses. Despite attempts to reassure users with solutions like CryptoRushShares, transparency issues persisted, leading to insolvency. DogeyMcDoge's confession has been confirmed by CryptoRush's administrators, who announced an official statement forthcoming. Meanwhile, CryptoRush has appointed a new CEO and promised to reimburse stolen funds. However, doubts linger about the exchange's ability to address its issues effectively[14]. |
| April 1st, 2014 10:17:48 AM MDT | Death Thread On BitcoinTalk | BitcoinTalk forum discussion about the "death" of the CryptoRush platform[15]. |
| October 16th, 2014 4:59:44 PM MDT | YouTube Video On Relaunch | Adrian Crenshaw posts a video about relaunching CryptoRush with many details of the attack included[16]. |
| November 11th, 2020 8:32:40 PM MST | CCN Article Redirects | In future captures, the CCN article appears to automatically redirect users to an article about the "PS5 Skeleton Leaks to Peek Inside Sony’s Next-Gen Console"[17][18]. The article was still online in 2019[19]. |
| May 9th, 2021 11:22:00 AM MDT | PasteBin Information Censored | The information about this case is removed from the PasteBin site for the content being "potentially harmful"[20]. |
| October 26th, 2022 9:28:15 AM MDT | Further Censorship Redirect Removed | The CCN article no longer redirects, but instead displays a 404 error that the article does not exist[21]. |
Technical Details
The primary issue involved the implementation of the BlackCoin client on the platform[12].
CryptoRush support worker leaks inside info - CCN
Timezones: Linkandzelda 8 AM = Devianttwo 4 AM = Server 3 AM.
BitComSec shared a technical analysis tracing the flow of the funds; however, this was never captured by the Internet Archive due to dynamic JavaScript on the website[22], and their website is presently offline[23]. [24][25][26][27][28]
Total Amount Lost
Losses were reportedly up to 950 BTC[1] and 2500 LTC[4].
The total amount lost has been estimated at $800,000 USD[1].
Immediate Reactions
The hack was not disclosed to platform users when it occurred[9]. Instead, the platform continued to operate[9].
"The guilt was starting to build up inside of me. I answered very few tickets the week of the 16th. I was conflicted, but I worked at my full time job >40 hours that week, so it kept my mind off of things a little. The issues continued. I kept suggesting ways we could maybe get some BTC back, arbitrage, etc. We didn’t even have enough funds for that. I wanted so bad for the exchange to stay afloat, thinking “Maybe tomorrow will bring us back our volume!” But alas, the problems with Zeit, and BTC withdrawals killed our volume. There was no coming back."
Ultimate Outcome
The CryptoRush platform theft and collapse were widely reported. Around 2020, content about the incident started disappearing from the internet.
Article/PasteBin Removal
Both the CCN article[29], and the PasteBin[20] were removed from the internet.
Inclusion/Recognition On Lists
The incident was featured on several lists, including those of Kyle Gibson[1], CryptoXDirectory[30], and the Idex Blog[4].
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
The exchange issued a “Debt Management Plan” which outlined plans and potential refunds for victims[4].
Ongoing Developments
It appears that there is an ongoing effort to suppress the information on what happened prior to the collapse of the CryptoRush platform[20][29].
Individual Prevention Policies
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 1.2 1.3 1.4 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
- ↑ List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
- ↑ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
- ↑ 4.0 4.1 4.2 4.3 A Complete List of Cryptocurrency Exchange Hacks [Updated] - Idex Blog Archive February 15th, 2021 4:34:24 AM MST (Accessed Mar 26, 2022)
- ↑ Bitcoin’s Correction Could Well Have Shaken Out Potentially Damaging Investors - CoinTelegraph (Mar 26, 2022)
- ↑ 6.0 6.1 CryptoRush Homepage Archive March 17th, 2014 5:05:38 AM MDT (Accessed Mar 1, 2024)
- ↑ 7.0 7.1 7.2 About CryptoRush Archive March 1st, 2014 11:56:08 PM MST (Accessed Mar 1, 2024)
- ↑ 8.00 8.01 8.02 8.03 8.04 8.05 8.06 8.07 8.08 8.09 8.10 CryptoRush FAQ Page Archive March 1st, 2014 11:25:52 PM MST (Accessed Mar 1, 2024)
- ↑ 9.0 9.1 9.2 9.3 9.4 9.5 9.6 DogeyMcDoge Pastebin Archive June 24th, 2019 11:36:46 AM MDT (Accessed Mar 7, 2024)
- ↑ https://bitcointalk.org/index.php?action=profile;u=224348
- ↑ https://bitcointalk.org/index.php?action=profile;u=180394
- ↑ 12.0 12.1 12.2 PasteBin Chat Log Archive June 24th, 2019 11:35:14 AM MDT (Accessed Feb 27, 2024)
- ↑ 13.0 13.1 CryptoRush - "@CoinBlack added, BC/BTC BC/LTC BC/POT BC/TEA #blackcoin" - Twitter (Accessed Mar 12, 2024)
- ↑ 14.0 14.1 CryptoRush support worker leaks inside info - CCN Archive June 24th, 2019 1:37:19 AM MDT (Accessed Feb 27, 2024)
- ↑ Death Of Cryptorush.in - BitcoinTalk (Accessed Mar 12, 2024)
- ↑ v04 CryptoRush a Rising from the Ashes King Dragon - YouTube (Accessed Mar 13, 2024)
- ↑ https://web.archive.org/web/20210308011115/https://www.ccn.com/cryptorush-support-worker-leaks-inside-info (Accessed Mar 8, 2024)
- ↑ CryptoRush support worker leaks inside info - CCN Archive November 11th, 2020 8:32:40 PM MST (Accessed Mar 8, 2024)
- ↑ CryptoRush support worker leaks inside info - CCN Archive June 28th, 2019 2:03:10 AM MDT (Accessed Mar 8, 2024)
- ↑ 20.0 20.1 20.2 DogeyMcDoge Pastebin (Accessed Mar 1, 2024)
- ↑ CryptoRush support worker leaks inside info - CCN Archive October 26th, 2022 9:28:15 AM MDT (Accessed Mar 8, 2024)
- ↑ Tracking A Bitcoin Theft CryptoRush Hack Archive October 24th, 2014 3:51:04 AM MDT (Accessed Mar 13, 2024)
- ↑ BitComSec Homepage (Accessed Mar 13, 2024)
- ↑ https://bitcointalk.org/index.php?topic=2588973.0
- ↑ https://twitter.com/bitcomsec
- ↑ https://www.reddit.com/r/Bitcoin/comments/2k1t3w/bitcomsec_tracking_a_bitcoin_thief_pt_i_the/
- ↑ https://www.facebook.com/ElPasoDevelopers
- ↑ https://yro.slashdot.org/story/14/10/23/2216201/tracking-a-bitcoin-thief
- ↑ 29.0 29.1 CryptoRush support worker leaks inside info - CCN (Accessed Mar 8, 2024)
- ↑ CryptoRush - CryptoXDirectory (Accessed Mar 13, 2024)