Vircurex Second Exchange Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:43, 9 April 2024 by Azoundria (talk | contribs) (30 minutes. Article review. Added in initial prevention strategies section. Review and information on the Vircurex recovery plan. Implemented all sources so far to remove template. More review of the homepage information over time.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Vircurex Homepage/Logo

Vircurex experienced a second hack in 2013, which ultimately contributed to the collapse of the exchange later in 2014. It appears that attempts were made to repay the debt with ongoing profits, however this proposal suffered from implementation weaknesses and lacked any indication of how the platform was going to prevent future hacks.

About Vircurex

Vircurex was a Beijing-based virtual currency exchange[1] which was operational since October 2011[1][2].

Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin[3]. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, however they've eliminated some less popular coins over time[1].

Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies[2].

The exchange offered deposits and withdrawals in both USD and EUR[3]. The homepage of the website featured pricing tables for all supported coins[3].

Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin

Homepage: vircurex.com[3]

The Reality

The Vircurex exchange had already been hacked once.

What Happened

"The hot wallet and “warm” wallet of Bitcoin to alternative cryptocurrency exchange service Vircurex was emptied in May 2013, resulting in a significant loss of three currencies: Bitcoin, Terracoin, and Litecoin."

Key Event Timeline - Vircurex Second Exchange Hack
Date Event Description
May 10th, 2013 Breach Date Reported date of breach[4][5].
June 5th, 2013 Report Released Vircurex releases a report covering the events of May, including the breach which happened[5].
March 23rd, 2014 1:55:52 PM MDT Homepage Distribution Announcement The Vircurex homepage warns users that due to recent large fund withdrawals depleting their cold wallet balance, the exchange has announced the immediate suspension of BTC, LTC, FTC, and TRC withdrawals and deposits[6]. On March 24, 2014, they plan to freeze current account balances and redistribute available coins, deleting open sell orders for the affected cryptocurrencies[6]. Two previous incidents led to significant losses, which were covered by the exchange's income[6]. However, recent withdrawals exhausted their cold wallet balance, prompting the introduction of "Frozen Funds." These funds will gradually be repaid to users from the exchange's profits[6]. Distribution logic entails allocating 50% of available funds from largest to smallest accounts and the remaining 50% from smallest to largest accounts[6]. This approach aims to ensure all users eventually receive their funds without penalizing new deposits or users[6].
March 25th, 2014 2:36:39 PM MDT Update To Homepage An update is provided on the homepage with the number of accounts remaining[7]. There are 355 bitcoin accounts, 1,563 litecoin accounts, 77 TRC accounts, and 42 FTC accounts which are still outstanding to be reimbursed[7]. TBD keep exploring homepage[8].
April 18th, 2014 7:56:22 PM MDT Included In BitcoinTalk List A subsequent Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12[4].

Technical Details

Based on an analysis report provided by Vircurex, the attack was a simple impersonation where the perpetrator claimed to be the exchange operator and requested a reset of the account credentials[5]. In addition to resetting the servers, the root password was provided outside of the normal email address to be used and the attacker was able to circumvent an IP-based restriction on the account's control panel[5].

The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address (which has 2FA protection), also the security setup of allowing only our IP range to login to the management console was not working. It was an additional security feature the provider offered but was obviously circumvented by the attacker. As a result out of this incident we have moved all our services to a new provider who offers 2 factor authentication for all logins as well as other verification processes that we hope will make similar attempts impossible in the future.

Relevant blockchain transactions[4]:

  • cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf
  • 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9

Relevant bitcoin addresses:[9]

Total Amount Lost

The amount lost is listed as being exactly 1454.015 bitcoin[4]. This was listed as being equivalent to $163,351 USD[4].

1454 BTC x $117.20 = $170408.8

In addition to the lost bitcoin, there was also 225,263 terracoin and 23,400 litecoin which were taken in the incident[5].

A breakdown of the losses was provided in a report published by Vircurex[5].

Table Breakdown Of Losses
Currency Amount Address Transaction
BTC 706 17gPdCyzEMRXdNTBpHrUhsM4FaiWMHhx2Q cbce6bd1e274a9ea9d6946feaf4a1b0f80a5885a8482f4ebf3caa052f22bb4bf
BTC 748 1PWQJu9AskoXEBYMod1KqPE6TTG4VYNz1P 85489430661f3041608749acb3019a1dcbf07a60f22e4bc43acfd05b46496cc9
TRC 130,263 1Mu1wbyfkcrRarPveiihy5iuceLGC91Z4T 33011a0e26fe1c3515c699eecdae9d7550218779ae72fe7af063fffc80361d64
TRC 95,000 1MeY3VVudFUV91gxVZsaY92TguRWy7eQbE 90239779a08243883f54bdb2503f4f40be2541487c2ef2383ef4d8277660e88b
LTC 23,400 LV8VnCDYJzd3FYNwn6n3Kyi1i7PB2MvXPo 30231aee25900b9cb1fba16f1a8923a0cd866d60b01e542be1a4b26f92d9d10f

The total amount lost has been estimated at $170,000 USD.

Immediate Reactions

"Initially, Vircurex operated normally despite the loss, though it no longer paid dividends to shareholders."

Vircurex's initial report on the incident explained that the funds could be recovered from operating profits[5].

The loss of the funds will be recovered out of the monthly dividends. Dividends will be used to purchase back the missing funds in the coming months. Depending on the trading volume development this is expected to take 9 to 12 months.

"In March 2014, due to strain caused by large withdrawals (in addition to a default by AurumXChange, a fiat processor Vircurex used), Vircurex froze large quantities of many currencies; however, it promises to pay these back eventually."

Ultimate Outcome

Addition of IP Whitelisting

After 3 user accounts reported being hacked, Vircurex added IP address whitelisting to their service, so users who logged in from a new IP address would have to confirm their IP address via email[5].

Frozen Fund Scheme Implementation

Due to recent large fund withdrawals depleting their cold wallet balance, Vircurex announced on their homepage the immediate suspension of BTC, LTC, FTC, and TRC withdrawals and deposits[6]. Two previous incidents led to significant losses, which were covered by the exchange's income[6]. However, recent withdrawals exhausted their cold wallet balance, prompting the introduction of "Frozen Funds." These funds will gradually be repaid to users from the exchange's profits. Distribution logic entails allocating 50% of available funds from largest to smallest accounts and the remaining 50% from smallest to largest accounts[6]. This approach aims to ensure all users eventually receive their funds without penalizing new deposits or users[6].

Inclusion In Lists

The breach was ultimately included in a list published by user dree12 on Bitcoin Talk[4].

Total Amount Recovered

Vircurex planned to implement a recovery process which would provide users with "frozen fund" account balances and repay those users over time from the exchange profits. They would distribute 50% of profits to the accounts with the largest balance of lost funds, and 50% of profits to the accounts with the smallest balance of lost funds. While such an idea may have been better for affected users than an outright platform collapse, this scheme was inadequate because:

  • The primary issue of preventing future exchange breaches was not mentioned anywhere. Thus, users had no assurances against not losing additional funds or that they would ultimately be repaid.
  • The scheme was implemented too late, with the full balances of users being frozen instead of a partial freeze which could be beneficial to allow users access to some of their funds.
  • There was no reimbursement provided for users who were not at either end of the list. This prevented those users from participating in trading and generating any platform profit.
  • Once users were fully reimbursed, they had no incentive to remain using the platform or engaged in the recovery of others. As such, the largest traders and a large number of small traders could leave the platform quickly. By contrast, a scheme which distributed less to more users could keep more users engaged for longer.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 Exchange Vircurex Freezes Withdrawals, Claims Lack of Reserves - CoinDesk - Archive September 18th, 2021 8:02:19 PM MDT (Feb 29, 2020)
  2. 2.0 2.1 Vircurex Faces Class-Action Lawsuit - Finance Magnates (Jan 4, 2024)
  3. 3.0 3.1 3.2 3.3 Vircurex Exchange Homepage Archive April 24th, 2013 1:13:56 AM MDT (Dec 11, 2023)
  4. 4.0 4.1 4.2 4.3 4.4 4.5 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
  5. 5.0 5.1 5.2 5.3 5.4 5.5 5.6 5.7 May 2013 Report - Vircurex Archive March 23rd, 2014 1:59:16 PM MDT (Dec 12, 2023)
  6. 6.0 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 Vircurex Homepage Archive March 23rd, 2014 1:55:52 PM MDT (Accessed Apr 9, 2024)
  7. 7.0 7.1 Vircurex Homepage Archive March 25th, 2014 2:36:39 PM MDT (Accessed Apr 9, 2024)
  8. https://web.archive.org/web/20140715000000*/https://vircurex.com/welcome/ann_reserved.html
  9. Bitcoin Address 16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd - Blockchain.info
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Vircurex_Second_Exchange_Hack&oldid=5641"