Mintpal Exchange Exit Scam
Having already learned a valuable lesson in why funds shouldn't be stored online, Mintpal allowed its new manager Alex Green, who had not been background-checked, full access to customer funds, and did not maintain full reserves.
This exchange or platform is based in the United Kingdom, or the incident targeted people primarily in the United Kingdom.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]
About MintPal
"The fast, efficient and secure cryptocurrency exchange." "MintPal Limited is a UK based private company (registered UK company #09009856) that focuses on the exchanging of cryptocurrencies. Launched in early 2014, we aim to provide the best user experience matched with quick support times." "Our team is made up of talented developers and network engineers who know how to build a fast, efficient and secure system that takes advantage of the latest web technologies. Check out our security page to find out more about the security precautions we have in place."
"Our beautiful interface allows you to trade in real-time with live updating prices so you never miss the action. At just 0.15% per trade for both BUY and SELL orders, we have some of the lowest trading fees in the industry. MintPal has been built with strong security principles in mind. We utilise COLD storage and strict firewalls. Our support team handle customer queries throughout the day, never will you experience a long wait for a reply."
"A secure and reliable trading environment. A fast matching engine that executes trades within milliseconds. The latest market data available to all users as fast as possible. A highly scalable architecture that can handle spikes of activity. An appealing and responsive user interface that is easy to use. Fast support responses, typically within 24 hours. Full DDoS protection with a leading provider. CDN Caching for all static content. Distributed wallets and Hot/Cold wallets. Tiered design from day 1 to improve scalability. Push instead of pull to deliver all market updates as fast as possible. 2 Factor Authentication as standard for all staff."
"We store the majority of our customer's funds in a secure offline wallet, with only a portion available in a 'hot' wallet for instant withdrawals. This method vastly improves security at a minor expense of large withdrawals requiring manual processing. We utilize a leading DDoS provider for all public facing content and cache all static content on a CDN to provide the fastest possible load times. All website components are logically separated and protected by physical firewalls for increased security. All employees are required to connect to a secure VPN before gaining access to any systems. All interaction with the website is required over HTTPS so all communication is encrypted via SSL. Customers can set up two-factor authentication for accounts with Google Authenticator to provide an extra layer of security. We use an industry recognised PCI (credit card provisioning compliance) scanning service to routinely scan the website to aid in locating any potential security issues. We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In addition, all passwords & sensitive data are encrypted along with a static & random salt."
"[T]he cryptocurrency exchange gaining a lot of publicity recently for events such as the attack with Vericoin, requiring it to fork." "MintPal accepts no liability for any loss however so arising suffered as a result of any failure or fault in the service provided by MintPal. Any compensation shall be at the discretion of MintPal."
"MintPal will not be responsible for any damages that you may suffer. MintPal makes no warranties of any kind, expressed or implied for services we provide. MintPal disclaims any warranty or merchantability or fitness for a particular purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by MintPal and its employees."
"At one time the cryptocurrency exchange Mintpal was one of the top trading platforms. Many traders used the service to exchange bitcoins and altcoins as the exchange processed large digital currency trading volumes."[24]
Acquisition By Moolah
"Moolah has recently picked up Mintpal." "In the fall of 2014 customers were told Mintpal was going to have new ownership and rebrand as “Mintpal 2.0.”"[24]
"Our first action to take regarding MintPal, is to beef up the security, make a number of performance tweaks; do a formal audit and review of operational procedures. Once this is done, we will focus on introducing new features to both platforms. They already have a great platform, we just need to make sure that all the doors are locked, and that none of the windows are open."
Charitable and Random Giving
"Operating under the alias Alex Green, Kennedy gave away dogecoin on Reddit and other forums. He often tipped people hundreds and even thousands of dollars worth of dogecoin to strangers for no reason. He apparently gave liberally to the Dogecoin charity campaigns. Kennedy gave $2,450 worth of dogecoin to a cancer charity and $2,927 to support the Dogecoin branded NASCAR."[23]
"Kennedy then asked Dogecoin supporters to invest in Moolah. He offered investors a “slice of pie” in his startup in exchange for dogecoins."
“Moolah’s sales pitch involved projected Doge dividends over the course of a couple years. They also claimed that the company was rapidly expanding and that their development team was working on a prototype Doge ATM,” one of Moolah’s investors told Motherboard. “Because the Dogecoin community was based so wholly on generosity, we were like sheep to the slaughter.”[23]
The Reality
"The exchange was acquired by Moopay executive “Alex Green” who many believe was a shady scammer."[24]
"Luckily for some Mintpal users, the warning signs came early as the platform’s transformation to “Mintpal 2.0” was a complete disaster"[1]
What Happened
"A total of 3,894 BTC was stolen from Mintpal customers and never returned."[24]
| Date | Event | Description |
|---|---|---|
| October 1st, 2014 12:00:35 AM MDT | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
| August 5th, 2016 2:51:20 PM MDT | Ryan Kennedy Arrested | The Moolah founder Ryan Kennedy/Alex Green is arrested based on unrelated charges[23]. "Kennedy worked as an office worker in Bristol at the time of his arrest in February."[23] “The phrase ‘coercive control’ was coined to describe a situation where one person in a relationship, over a period of time, overshadows and eventually takes over control of the other person,” Judge Jamie Tabor QC said. “The premiere feature is that the victims are made to feel guilty if they don’t do as they are told.”[23] |
| February 3rd, 2017 10:00:04 AM MST | Bitcoin News Article | Mintpal is included in a data article by Bitcoin News[24]. At this time, "Alex Green (also known by another alias, Ryan Kennedy) had fled the cryptocurrency scene. Green has since been arrested by the authorities, but for rape charges, as reported by Bitcoin.com. The Moopay executive was not convicted for the Mintpal theft and has yet to claim responsibility."[24] |
| October 20th, 2017 5:30:47 AM MDT | UK Investigation Underway | "[U]sers of the now-defunct cryptocurrency exchange Mintpal have received an email from the UK’s Avon and Somerset Economic Crime Team. The team’s detective constable, Charlotte Suter, has stated the police force is currently investigating the trading platform’s demise."[1] |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
"A total of 3,894 BTC was stolen from Mintpal customers and never returned."[24]
The total amount lost has been estimated at $1,300,000 USD.
Immediate Reactions
"Alex Green (also known by another alias, Ryan Kennedy) had fled the cryptocurrency scene."
Ultimate Outcome
"With partners fronting money, Kennedy purchased Mintpal, a crypto-currency exchange, but immediately it and Moolah had financial difficulties. Kennedy took Mintpal online citing a critical bug. Soon thereafter – as the internet began uncovering Kennedy’s darker side, which includes spying on women’s dressing rooms- users were out $2-$4 million in funds. Kennedy cited critical bugs. He then disappeared."[23]
“A total of 3,894 BTC was stolen from Mintpal customers and never returned. Alex Green (also known by another alias, Ryan Kennedy) had fled the cryptocurrency scene. Green has since been arrested by the authorities, but for rape charges, as reported by Bitcoin.com”
"Thanks to all of you who have already donated, @CryptoCobain has sent the first 22 BTC raised directly to @Selachii_LLP to start proceedings"
“How messy [the process] gets really depends on how cooperative Ryan is. The altcoins that didn't migrate to MintPal V2 – we estimate that to be around 1,000 BTC worth – we can return to users. The other missing amounts, including missing bitcoins, are still with Ryan and hopefully we can get him to cough up those as well. Then, we can return the bitcoins to customers and rebuild, rebrand from there.”
Arrest Of Alex Green/Ryan Kennedy
"Green has since been arrested by the authorities, but for rape charges, as reported by Bitcoin.com. The Moopay executive was not convicted for the Mintpal theft and has yet to claim responsibility."[24]
Investigation By UK Authorities
“Operation Sparrow is an ongoing UK fraud investigation into the activities of Moolah and its former CEO Ryan Kennedy, also known as Alex Green,” explains the email’s author, detective constable Charlotte Suter. “The investigation focuses on Kennedy’s acquisition of Mintpal in 2014 and the subsequent disappearance and dispersal of customers’ funds from the exchange. Kennedy has been charged with a number of fraud offenses in relation to these matters and is due to face trial at Bristol Crown Court.”[1] Affected users were provided with a survey to gather data[1].
Total Amount Recovered
There do not appear to have been any funds recovered in this case[24].
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Mintpal is one of those rare cases where all 3 prime causes of platform losses were present. Funds were stored online in the case of Vericoin, no multi-sig was employed, and full reserves were not maintained.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] UK Police Force Investigate the Defunct Mintpal Exchange and Owner - Bitcoin News (Accessed Feb 3, 2020)
- [2] 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
- [3] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
- [4] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
- [5] SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- [6] The Guy Who Ruined Dogecoin (Oct 4, 2021)
- [7] Remembering the Mintpal Hack - October 2014 $3.500.000 Loss in Crypto Assets | Ledger (Oct 2, 2021)
- [8] https://www.ccn.com/alleged-moolah-fraudster-ryan-kennedy-faces-first-court-hearing/ (Oct 2, 2021)
- [9] @MintPalExchange Twitter (Oct 2, 2021)
- [10] @MintPalExchange Twitter (Oct 2, 2021)
- [11] Mintpal Hacked 'Considerable Amount' Of VeriCoin Stolen (Oct 2, 2021)
- [12] CoinDesk: Bitcoin, Ethereum, Crypto News and Price Data (Oct 3, 2021)
- [13] MintPal (Oct 3, 2021)
- [14] MintPal (Oct 3, 2021)
- [15] MintPal (Oct 3, 2021)
- [16] MintPal - Operation Sparrow : Bitcoin (Nov 13, 2021)
- [17] Mintpal is acquired by Moolah.io – Bitcoinist.com (Nov 13, 2021)
- [18] We’re taking over MintPal, here’s what you need to know. | Moolah (Nov 13, 2021)
- [19] VeriCoin's 'solution' to Mintpal hack - a dangerous precedent? : reddCoin (Oct 3, 2021)
- [20] Blockchain Aids Investigators as Ex-Mintpal CEO Arrested in the UK (Nov 29, 2021)
- [21] Dogecoin Started as a Joke and Became a Scam (Mar 26, 2022)
- [22] Worldwide crypto & NFT rug pulls and scams tracker - Comparitech (Dec 15, 2022)
- [23] Infamous Crypto Scammer Ryan Kennedy Is Now a Convicted Rapist - Bitcoin News (Accessed Nov 8, 2024)
- [24] The Bitcoin Exchange Thefts You May Have Forgotten - Bitcoin News (Accessed Jan 29, 2020)