Kronos.io Pre-Launch Bitcoin Heist
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Kronos.io was an Italian cryptocurrency exchange. It looks like one of the developers deliberately made the withdrawal wallets hackable so that they could withdraw the entirety of the funds. The rest of the team had incredibly weak or no insight into security.
About Kronos.io
Kronos.io was a margin trading platform founded by Jonathan Ryan Owens[4], who at the time had recently founded other projects including Ringcoin and Zipconf[4].
"Kronos.io [was] a Bitcoinica-esque startup" "Kronos.io hired several well-known Bitcoin personalities to do work with HTML and coding."
The margin trading platform was ultimately never completed and launched for the public[5].
GLBSE Funding Round
Kronos.io applied for funding on the GLBSE. The project was described as follows[6]:
Kronos is Bitcoinica on steroids - a leveraged trade platform built with security and urgency in mind. Kronos does not handle USD and leverages ZipConf for immediate deposits and GoxBTC withdrawals. That is, instead of waiting ~2h to be credited with BTC you deposit, you’ll be credited in 10-15 seconds. ZipConf has been extensively tested, and were a double-spend to successfully be executed, ZipConf is insuring the loss, so it wouldn’t affect Kronos. While it only uses BTC, you are still able to open positions shorting and going long with BTC due to the infrastructure behind Kronos.
The Reality
"One of the [hired individuals] was Alberto Armandi, who was related to Bitscalper, a scam earlier that year."
What Happened
"Kronos.io was hacked in an event shrouded in mystery even today. Led by Jonathon Ryan Owens, who was simultaneously running other new startups on GLBSE (an upstart Bitcoin “stock exchange”)"
| Date | Event | Description |
|---|---|---|
| May 14th, 2012 7:45:58 PM MDT | Kronos Website Sign Up Page | The Kronos website is captured by the Internet Archive[7]. The site consists only of a Sign Up link and a login form. From the Internet Archive capture, it appears that the Sign Up link may not even have been functional[7]. |
| May 2012 | Alberto and Jonathan Meet | "Now, fast forward to around April/May 2012 : I happened to get in touch with Jonathan Ryan Owens, who since the start of our relationship pictured himself as a sort of "Mr. Big" in the Bitcoin world and shown to be able to use language fluently, and to be able to convince anybody that he's actually skilled and a serious business man." |
| May 21st, 2012 4:16:15 PM MDT | Initial Thread On BitcoinTalk | This is the first time a thread is found on BitcoinTalk which discusses the anticipated kronos.io launch[8]. There are some questions about the security and team of the new project, and the relationship to RingCoin. |
| May 23rd, 2012 10:17:59 PM MDT | Kronos.io BitcoinTalk Account Set Up | The Kronos.io BitcoinTalk account is first set up on the BitcoinTalk forums. This account would later be sometimes used to provide support to Kronos users[9]. |
| May 24th, 2012 7:20:18 AM MDT | First Impressions BitcoinTalk Thread | A thread is started on BitcoinTalk by the user tbcoin, who was given beta access to the Kronos.io platform. They find multiple bugs on the platform, however the support is ultimately able to restore and return their funds during the testing phase[10]. |
| May 24th, 2012 12:40:29 PM MDT | Invite Codes By Lottery Only | A user posts on BitcoinTalk to try to request an invite code, and is told that there's a limited opportunity to get them and they are being distributed on a lottery basis[11]. |
| May 26th, 2012 8:26:27 PM MDT | Mt. Gox USD Voucher Redemption | User chsados notes that they attempted to deposit a $15 USD code from Mt. Gox on the Kronos website, which is apparently live and functional. Unfortunately, their code is used and they are not credited with the $15 USD, however the Kronos support team provides them with a $15 reimbursement[12]. |
| May 27th, 2012 6:17:08 PM MDT | Kronos Bonds Public Offering | A thread on BitcoinTalk announces a public offering of shares issued by one of the Kronos investors (with username Kluge)[6]. These will pay out a small yield based on the profitability of the Kronos platform once it launches. The public offering is scheduled for June 15th[6]. |
| May 28th, 2012 9:03:30 PM MDT | BitcoinTalk Post By Ichthyo | A post is made by BitcoinTalk user Ichthyo seeking detailed information about Kronos.io, which is currently in alpha/beta testing[13]. Ichthyo acknowledges that the site hasn't officially launched yet and that more precise details will emerge soon. They note that Kronos.io is expected to offer better security than Bitcoinica but are more concerned about understanding its financial structure and business model. They ask a number of questions around liquidity, position backing, risk management, trade execution, exchange rates, margin calculations, and dynamic adjustments[13]. |
| May 29th, 2012 1:46:39 PM MDT | Open Beta Period Closed | The website reportedly closes the open beta period, and all beta accounts will be closed. "We're moving into phase two of our launch plan, which is a security hardening phase. We'll be going incognito for the rest of our development timeline so we can move to dedicated hardware, initiate penetration testing, and complete our comprehensive security audit."[14] |
| May 30th, 2012 12:05:18 PM MDT | Kronos Bonds Fall Through | A thread mentions that the issuance of the Kronos bond on the GLBSE has fallen through and is no longer allowed[15]. There is some optimism of sorting out the issues with GLBSE, however the thread also discusses alternative methods of raising funds which Kluge intends to employ, including launching his own fundraising platform[15]. |
| May 31st, 2012 7:20:44 PM MDT | Interview Shared On Reddit | An interview with Jonathan Ryan Owens, the founder of Kronos.io, is conducted and posted on Reddit[16]. |
| June 6th, 2012 7:14:52 PM MDT | Ellet Plug-In Integration | A thread suggests that the Ellet, a new hardware wallet device, may feature a plug-in for kronos.io trading[17]. |
| June 14th, 2012 12:36:26 PM MDT | Kronos Website Redirect Capture | The Kronos website is again captured, however in this case it's a redirect (3xx status code). It's unclear what the state of the website was at this point in time[18]. |
| June 15th, 2012 10:01:18 PM MDT | Armando Makes Announcement | A BitcoinTalk thread is posted apparently by Armando, "Kronos.io Lead Developer & co-founder". In this thread, he announces the launch of the platform shortly[19]. |
| June 20th, 2012 6:04:16 PM MDT | Armando Announces BitDayTrade | Armando announces a new project named BitDayTrade, which is reportedly going to be similar to Bitcoinica. This suggests that, at this point, he may have transitioned away from the Kronos project[20]. |
| July 3rd, 2012 6:37:23 AM MDT | Follow Up Post On Update Thread | BitcoinTalk user hazek posts a reply on the Kronos development thread asking for an update, as it has been a month since there was any news about the platform[21]. |
| August 4th, 2012 11:33:47 PM MDT | Alberto Not Associated | It is noted that "Bitdaytrade is Alberto's project, he used to do development work for kronos' group but he's no longer associated with them"[22]. |
| August 8th, 2012 2:24:30 PM MDT | Kronos Not Loading For Over A Month | The kronos.io website has reportedly not been loading for over a month at this point. Other users corroborate that they have been similarly unable to access the website[23]. |
| August 16th, 2012 5:33:09 PM MDT | Sock Puppet Theft Accusations | A BitcoinTalk user reports that there are a bunch of "sockpuppets" on Reddit which are accusing Alberto (referred to as "BDT", the name of his platform BitDayTrade) of being a thief responsible for stealing bitcoin[24]. MNW refers to founder Matthew N. Wright, and this user suggests a conspiracy in which he is responsible and is attempting to shift the blame to Alberto. |
| August 16th, 2012 6:17:46 PM MDT | Alberto Response Widely Posted | Alberto posts his personal details and story accusing Jonathan Ryan Owens of using a small hack to justify the theft of the remaining bitcoins[24]. He continues to post this same post throughout BitcoinTalk in various places related to the matter[25]. |
| August 27th, 2012 7:15:47 AM MDT | BitDayTrade Funds Withdrawal Request | Multiple users request their funds back from BitDayTrade, which is Alberto's other platform[26]. There is no clear word to confirm that these funds were returned. |
| August 28th, 2012 3:34:50 AM MDT | hazek Mention Of Events | In a forum response, BitcoinTalk user hazek mentions a summary of what happened - "AFAIK they went into open beta with some serious security holes that may or may not have been put there intentionally by one of the owners(code writers) which led to a 4kBTC hack right off the bat which was too much damage for them to recover from."[27]. |
| November 22nd, 2012 9:15:22 PM MST | Mention By Vitalik Buterin | In an article, Vitalik Buterin mentions the kronos.io project, which was never completed. "Since then, there have been a number of disparate efforts to bring margin trading back. Almost as soon as Bitcoinica fell, a company named RingCoin announced Kronos.io, a product which looked like it could be a superior upstart competitor that would not suffer from the security faults of its predecessor. However, kronos.io was never completed, and RingCoin is now defunct."[5] |
| January 4th, 2013 7:57:39 AM MST | Kronos Website Definitely Offline | The Kronos website homepage displays a page which states that "It works" and "This is the default web page for this server" because "no content has been added, yet"[28]. It would appear certain that the exchange is offline at this point. |
| February 1st, 2022 4:50:36 PM MST | Kronos.io Login At BitcoinTalk | The Kronos.io account logs into BitcoinTalk for the final time[9]. |
Technical Details
Alberto Armandi developed the platform, and was accused of deliberately allowing a vulnerability, which he could exploit to take the funds. However, others were accused of taking funds and exaggerating the amount which was originally taken.
Total Amount Lost
The total amount lost has been estimated at $43,000 USD.
Immediate Reactions
"Alberto Armandi reportedly hacked into the website he himself helped code. The vulnerability was in the withdrawal script that Alberto coded, reportedly intentionally as a backdoor. Although incredible, Armandi has also released a story denying he hacked the website. Instead, he blamed the theft on Jonathon Ryan Owens intentionally pocketing the majority of the funds with only 1000 BTC being stolen by an unknown hacker."
Ultimate Outcome
There still appear to be many aspects of the situation which are unknown.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
There still appear to be many aspects of the situation which are unknown.
Individual Prevention Policies
This case does not appear to have resulted in a loss to any individual.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is never connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The storage of all cryptocurrency in a proper offline multi-signature wallet prevents theft by any individual party, since such a party would need the approval or breach of multiple other members of the team to spend the funds. Given operators properly educated in the protection of funds, such an attack would be entirely limited to the balance in the hot wallets in the worst case. Stronger education for exchange operators can also help ensure that they are aware of the risks.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
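The following is an added example (not code from Kronos.io or from this wiki) of the M-of-N approval logic that the multi-signature requirement above and the 4-of-7 industry fund rely on. The signer names, key bytes, request values and the HMAC-based "approval tags" are all constructed for the demo; in a real deployment the tags would be per-holder signatures produced on separate devices (hardware wallets, HSMs) and enforced by the wallet script itself, which is what "implemented at the lowest layer possible" means. The point the code shows is that one key holder, a repeated approval from the same key, an unknown signer, or a request altered after approvals were gathered can never reach the quorum, so a single developer with a backdoor in a withdrawal script still cannot move the funds.

```python
"""Added example (not Kronos.io code): M-of-N approval of a withdrawal.

The HMAC approval tags stand in for real per-key signatures so the block runs
with the standard library only; the threshold logic is the point.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class WithdrawalRequest:
    """What the signers approve. Amounts in satoshis (integers) to avoid float drift."""
    request_id: str
    destination: str
    amount_sat: int

    def canonical(self) -> bytes:
        # Deterministic encoding so every signer approves exactly the same bytes.
        return json.dumps(
            {"id": self.request_id, "to": self.destination, "sat": self.amount_sat},
            sort_keys=True, separators=(",", ":"),
        ).encode()


class ThresholdPolicy:
    """Requires approvals from at least `threshold` distinct signers out of N."""

    def __init__(self, signer_keys: dict, threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signer_keys = dict(signer_keys)
        self.threshold = threshold

    def approve(self, signer: str, req: WithdrawalRequest) -> tuple:
        """Run by one key holder on their own device; returns (signer, tag)."""
        key = self.signer_keys[signer]
        tag = hmac.new(key, req.canonical(), hashlib.sha256).hexdigest()
        return signer, tag

    def authorize(self, req: WithdrawalRequest, approvals: list) -> bool:
        """True only if >= threshold distinct, known signers approved these exact bytes."""
        msg = req.canonical()
        valid_signers = set()
        for signer, tag in approvals:
            key = self.signer_keys.get(signer)
            if key is None:
                continue  # unknown signer: ignored, never counted
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                valid_signers.add(signer)  # a set: repeats from one key count once
        return len(valid_signers) >= self.threshold


def make_signers(names: list) -> dict:
    """Constructed keys for the demo; real keys live in HSMs/hardware wallets, one per holder."""
    return {n: secrets.token_bytes(32) for n in names}


def demo() -> dict:
    """Walk through the cases a reviewer would check; returns the outcome per case."""
    treasury = ThresholdPolicy(make_signers(["cfo", "cto", "ops", "auditor", "board"]), threshold=3)
    req = WithdrawalRequest("req-0001", "bc1q-example-destination", 4_000 * 100_000_000)

    one = [treasury.approve("cto", req)]
    two = one + [treasury.approve("ops", req)]
    three = two + [treasury.approve("cfo", req)]
    # Same key used three times: one compromised developer key still cannot spend.
    replayed = [treasury.approve("cto", req)] * 3
    # Approvals gathered for the real request, then the destination swapped afterwards.
    tampered = WithdrawalRequest("req-0001", "bc1q-attacker-destination", req.amount_sat)

    # Industry backstop fund from the page: 4 of 7 delegate signatories.
    fund = ThresholdPolicy(make_signers([f"delegate{i}" for i in range(7)]), threshold=4)
    claim = WithdrawalRequest("claim-0001", "bc1q-victim-restitution", 50 * 100_000_000)
    fund_votes = [fund.approve(f"delegate{i}", claim) for i in (0, 2, 4, 6)]

    return {
        "single_key": treasury.authorize(req, one),
        "below_threshold": treasury.authorize(req, two),
        "quorum": treasury.authorize(req, three),
        "same_key_repeated": treasury.authorize(req, replayed),
        "tampered_after_approval": treasury.authorize(tampered, three),
        "fund_4_of_7": fund.authorize(claim, fund_votes),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'AUTHORIZED' if ok else 'REJECTED'}")
```

Only the `quorum` and `fund_4_of_7` cases authorize. The tampered case is the one that matters most for a withdrawal script: because the approvals cover the canonical bytes of the whole request, changing the destination or amount after approval invalidates every tag at once, so a compromised server that sits between the signers and the wallet gains nothing from rewriting the payout.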
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
While this situation took place prior to the launch of the platform, it happened after the platform had already launched for a beta release, where users were playing around to test things out. Therefore, it is likely that some additional risk assessment prior to that launch could have prevented the ultimate hack/theft from occurring. The platform's setup could have been assessed to determine that the funds were not being stored securely.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] - BitcoinTalk (Accessed Jan 28, 2020)
2. Jonathan Ryan Owens locked Rebate, Zip.A, Alberto & BDT thread - BitcoinTalk (Accessed Feb 15, 2020)
3. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Accessed Feb 15, 2020)
4. An Interview with Jonathan Ryan Owens of Kronos.io, Hermes and Ringcoin. - Atlas & Bitcoin Archive, June 3rd, 2012 5:11:25 PM MDT (Accessed Sep 3, 2024)
5. BitFinex: Bitcoinica Rises from the Grave - Bitcoin Magazine (Accessed Sep 17, 2024)
6. [GLBSE] Kronos Floating Bond, IPO on June 15th - BitcoinTalk (Accessed Sep 17, 2024)
7. Kronos Homepage Archive, May 14th, 2012 7:45:58 PM MDT - Internet Archive (Accessed Sep 17, 2024)
8. www.kronos.io - "bitcoinica" replacement? - BitcoinTalk (Accessed Sep 17, 2024)
9. Summary - Kronos.io - BitcoinTalk (Accessed Sep 17, 2024)
10. First impressions-Kronos.io - BitcoinTalk (Accessed Sep 17, 2024)
11. kronos.io invite code please? - BitcoinTalk (Accessed Sep 17, 2024)
12. Kronos.io deposit problem! - BitcoinTalk (Accessed Sep 17, 2024)
13. Kronos.io questions and properties - BitcoinTalk (Accessed Sep 17, 2024)
14. Kronos Development Update - BitcoinTalk (Accessed Sep 17, 2024)
15. BDK, BDK.BND, REBATE, Zip.A, Kronos.BND, Hermes Update Thread - BitcoinTalk (Accessed Sep 17, 2024)
16. An Interview with Jonathan Ryan Owens of Kronos.io, Hermes and Ringcoin. - Reddit (Accessed Sep 17, 2024)
17. [ANN] The world's first handheld Bitcoin device, the Ellet! - BitcoinTalk (Accessed Sep 17, 2024)
18. Kronos Homepage Captures - Internet Archive (Accessed Sep 17, 2024)
19. Coming soon - Gold and commodities trading with bitcoin - BitcoinTalk (Accessed Sep 17, 2024)
20. https://bitdaytrade.com Bitcoin Gold & Commodities margin trading - BitcoinTalk (Accessed Sep 17, 2024)
21. hazek - "It's a month later, do you guys have any news?" - BitcoinTalk (Accessed Sep 17, 2024)
22. Meni Rosenfeld - "Bitdaytrade is Alberto's project, he used to do development work for kronos' group but he's no longer associated with them." - BitcoinTalk (Accessed Sep 17, 2024)
23. AsymmetricInformation - "For the past month or so, kronos.io website has not loaded for me at all (just times out)." - BitcoinTalk (Accessed Sep 17, 2024)
24. "There are a bunch of sockpuppets on reddit accusing BDT of being the thief responsible for the Kronos hack. One previously promoted Yoon Yeonghwa's launch of posadoll. Could MNW (a known sockpuppeter) be trying to sling mud on BDT?" - BitcoinTalk (Accessed Sep 18, 2024)
25. bitdaytrade - "My name is Alberto Armandi, i was born in Italy, 19/09/1983. I'm an internet entrepreneur who got caught in the Bitcoin phenomena about one and a half year ago." - BitcoinTalk (Accessed Sep 3, 2024)
26. tbcoin - "I still waiting that reimburse me my deposit made to test this nonsense platform" - BitcoinTalk (Accessed Sep 18, 2024)
27. hazek - "AFAIK they went into open beta with some serious security holes that may or may not have been put there intentionally by one of the owners(code writers) which led to a 4kBTC hack right off the bat which was too much damage for them to recover from." - BitcoinTalk (Accessed Feb 15, 2020)
28. Kronos Homepage Archive, January 4th, 2013 7:57:39 AM MST - Internet Archive (Accessed Sep 17, 2024)