Altilly Hot Wallets Hacked And Cold Wallets Lost
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment.
The Altilly exchange left all user funds in a hot wallet managed through their platform. They also kept copies of key information in "hot" backups.
While their hosting provider had 2FA on logins, there was a second login without 2FA which the hosting provider had erroneously left open to access the account, which the hacker was able to breach.
Since wallets were online, the funds were quickly taken.
This exchange or platform was based in Sweden, or the incident primarily affected people in Sweden.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]
About Altilly
"Altilly was an unregulated crypto exchange, launched in mid-2018." "Altilly is a cryptoasset exchange located in Sweden." "The platform of the next generation uses advanced technologies and programming techniques not to overload the system and makes the operations faster and more secure. The exchange employs numerous layers of firewalls and internal networking for enhanced security." "Altilly is a Hodler Enterprises owned, secure, reliable and advanced digital asset trading platform, developed by professionals and built on cutting-edge technology."
"We are here for the long run!"
"Altilly was initially a side project, an idea that grew into fruition. It is now a fully functioning enterprise grade system. If you see a problem, then let us know immediately. We've built the core parts of altilly from the ground up, using newer methods to make the system fast and secure."
"Currently, altilly maintains physical presence only in the form of computer server equipment and data storage. We take great lengths to ensure a complete security lockdown of our systems using multiple layers of firewalls and internal networking. Our safe storage is completely off network and stored in a secured facility. Each time we move cryptocurrency funds to safe storage, we use a new address/private key. When and if we need to move funds from safe storage to the live wallets, we will only retrieve the key with a balance that matches the demand. All of our safe storage and withdrawal wallet public keys (addresses) are signed and available on our system status page for you to monitor and verify. For deposit and withdrawal wallets, each daemon is run by a uniquely assigned non-rootable user. This gives each wallet its own operating environment that can not disturb or read information from other wallets. We use long random strings for wallet usernames and passwords that are unique to each wallet and this information is stored as encrypted data. Our system will automatically lockdown any wallet which reverses its chain and we scan posted transactions for reversal as well."
"Altilly believes that users of cryptocurrency should be able to trade easily and quickly with other users. Currently there are no pre-set limits on how much you can exchange, deposit, or withdraw; however very large withdrawals may require additional time if those funds are stored in the safe or require manual approval. At this time there is no need to get verified unless we request it from you."
"Altilly does not transact in any government issued currency (fiat currency). We do not offer any services to buy or sell with a credit card or your bank account. All exchange transactions in our system are strictly between digital currencies. We do not own or maintain any bank accounts and all employees are paid in cryptocurrency."
"Altilly believes that collection of personal information should be kept to a minimum. To open an account, you only need to provide your name and an email address. We do request that you use your real name, which will make it easier for us to restore your account in the event you lose access to your login. We do not share any information we collect with any outside parties or government agencies. Any requests made from any agencies will be posted publicly."
"Altilly will strive to be as transparent as possible with regards to your cryptocurrency deposits held on account. You can view our system status page for a detailed overview of where and how we store cryptocurrency."
"We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In addition, all passwords & sensitive data are encrypted along with a static & random salt. Encryption keys and salts are NOT stored in the database nor in the codebase. If we ever detect a possible intrusion, we will immediately lock down the entire system and re-encrypt all sensitive information with new keys."
"We have automated systems in place to check for inconsistencies in transactions and our wallets. The system will automatically shutdown a wallet if something appears incorrect, and immediately inform a technician. The system status page will always have the most up to date information on any service outages or suspensions for an asset."
"The cryptocurrency venue has gained 65K users, almost 200 listed assets, and 550 trading pairs within just 2 years of its existence and still continues to grow. The main principles emphasized by the developers are transparency, security, and reliability." "It was announced in 2019 that Altilly was acquired by the Qredit team." "[T]he platform hope[d] to complete licensing and official incorporation in Estonia. When the process [wa]s over, the venue w[ould] enable fiat trading pairs, fiat deposits, and withdrawals."
The Reality
There is speculation that the Altilly exchange was actually run by Paul Vernon[16].
What Happened
This section covers the specific events of the loss: what caused it and the events leading up to it.
| Date | Event | Description |
|---|---|---|
| December 26th, 2020 | Main Event | Altilly is alerted to another reboot of its servers at the original hosting provider. The servers had been accessed at admin-portal level via rescue mode during the reboot; high-value assets are taken from the exchange hot wallets, and a request through the hosting client portal deletes all servers linked to the account, taking the database, wallets and codebase with them. |
| January 7th, 2021 12:30:00 AM MST | Update On Claims Process | Altilly posts an update on their Twitter/X account which notes that they have "updated the refund process on [their] website"[5]. They provide a new deadline of January 9th, 2021 for any claims to be filed[5]. |
Technical Details
"The servers the Altilly Exchange platform utilised were provided by an independent hosting provider." "The Exchange had two accounts at the original hosting provider. One of them was created three years ago during the setup at the hosting provider. This email was no longer used, as we had another email account using our altilly domain address. The active email had 2FA, the non-active email did not."
"During the account creation at our hosting provider in 2018, we created an account using an email, username and password. A second email was added to the same account. Both emails gave access to the same user account. The hosting provider changed their portal which essentially separated the emails into separate users for the same portal. This action created a second user that was not secured by 2FA authentication."
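The two statements above describe the weak point: a portal migration turned a second, long-unused e-mail into a separate owner-level login that nobody had protected with 2FA. The script below is an added example, not Altilly's or the hosting provider's code, of the audit a platform team could run against the list of logins on its hosting account. The JSON schema and the e-mail addresses are constructed for the example; a real provider's API will differ.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what a hosting provider's "list portal users" API might
# return for one customer account. The schema is hypothetical, not any real
# provider's, and the addresses are invented.
SAMPLE_USERS_JSON = """
[
  {"email": "ops@exchange.example",    "role": "owner",      "two_factor": true,  "last_login": "2020-12-20T10:00:00Z"},
  {"email": "founder@oldmail.example", "role": "owner",      "two_factor": false, "last_login": "2018-03-02T08:15:00Z"},
  {"email": "dev@exchange.example",    "role": "technician", "two_factor": true,  "last_login": "2020-12-22T17:45:00Z"}
]
"""

STALE_AFTER = timedelta(days=180)
AUDIT_DATE = datetime(2020, 12, 26, tzinfo=timezone.utc)  # constructed audit date


def audit_portal_users(users_json, now, stale_after=STALE_AFTER):
    """Return sorted (email, finding) pairs for portal logins that weaken the account.

    Findings:
      no-2fa                  login can be used with a password alone
      stale-login             nobody has used the login recently, so nobody is watching it
      privileged-without-2fa  an owner-level login without a second factor
      multiple-owner-logins   more than one login can act as the account owner
    """
    users = json.loads(users_json)
    findings = set()
    owners = [u["email"] for u in users if u["role"] == "owner"]
    for u in users:
        last = datetime.fromisoformat(u["last_login"].replace("Z", "+00:00"))
        if not u["two_factor"]:
            findings.add((u["email"], "no-2fa"))
            if u["role"] == "owner":
                findings.add((u["email"], "privileged-without-2fa"))
        if now - last > stale_after:
            findings.add((u["email"], "stale-login"))
    if len(owners) > 1:
        for email in owners:
            findings.add((email, "multiple-owner-logins"))
    return sorted(findings)


def risky_logins(users_json, now):
    """Emails that should be removed or hardened before the account is considered safe."""
    return sorted({email for email, _ in audit_portal_users(users_json, now)})


if __name__ == "__main__":
    for email, finding in audit_portal_users(SAMPLE_USERS_JSON, AUDIT_DATE):
        print(f"{finding:24} {email}")
```

Run on the sample, the forgotten founder login is flagged three times (no 2FA, stale, privileged without 2FA) and both owner logins are flagged as duplicates of each other, which is the condition the portal migration silently created. The useful habit is to run this on a schedule and treat any new finding as a change to review, since the login that bit Altilly was one the team no longer thought of as existing.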
"While being in the phase of incorporation and acquiring the needed licenses to operate an exchange, Altilly got hacked in December 2020. Only a few months away from official company registration in Estonia."
"The Altilly Exchange platform was attacked by legally authorized access. According to the official weighing, the attacker gained access to 30 BTC and 12,000 USDT and stole them while controlling the server." "The Altilly Exchange platform has been attacked via unauthorised access and user funds have been stolen."
"Earlier this week, we noticed suspicious activities on our Altilly servers. After rebooting and checking the servers, we noticed the same activity and a new system user being created on our servers, meaning that the system was hacked above OS level, most likely using re[s]cue mode during the reboot."
"Earlier this week on the 23rd December 2020, we were alerted to suspicious activities/monitoring alerts on our servers. Three servers suspiciously rebooted around the same time. After checking the servers, we noticed some unusual activity and a new system user was created."
"With the servers being constantly rebooted and being unsure about what exactly happened at that time, we took the preventative action of beginning to move our servers to a new host."
"Late on the 25th or early morning on the 26th December 2020, we were being alerted to another system reboot at our original hosting provider. It was now clear that someone had access to our servers. It appears that these systems were accessed at an Admin portal level using rescue mode during the server reboot. We then took an additional step by adding code to prevent anyone from accessing the servers externally and changed the rescue system."
"During the process, we've lost access to our servers at our previous hosting provider, including the database, wallets and codebase of Altilly. We are investigating what is going on and what has been saved so far. We are not sure yet if funds are lost. We are still waiting for final analysis from the current hosting provider. We will keep you posted."
"While we were still investigating the root cause, we lost access to all of our servers, this includes production web servers, the databases and exchange cryptocurrency wallets, and it appears that a request came in via the hosting client portal to delete all servers linked to the attacked account."
"The attacker(s) was/were able to gain full access to the Administrator console/panel and as well as taking control of our servers, was also able to steal high-value assets from the exchange cryptocurrency hot wallets." "At this point, we are still unaware of how the attacker(s) obtained the password to access the administrator account of our servers or knew which provider we were using."
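The team's own account gives three observable signals: three servers rebooting at about the same time, a new system user appearing shortly after a boot, and the pattern repeating. The detector below is an added example, not code from Altilly or from any product, that runs those three checks over syslog-style lines. The hostnames, times and the `svc_maint` account in the sample are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines (invented hostnames, times and user name) standing
# in for what three exchange servers might log around an unexplained reboot.
SAMPLE_LOGS = """\
Dec 23 02:11:04 node1 kernel: [    0.000000] Linux version 5.4.0-58-generic (buildd@lcy01)
Dec 23 02:11:09 node1 systemd[1]: Startup finished in 3.2s (kernel) + 8.1s (userspace) = 11.3s.
Dec 23 02:12:00 node2 systemd[1]: Startup finished in 2.9s (kernel) + 7.4s (userspace) = 10.3s.
Dec 23 02:13:41 node1 useradd[1532]: new user: name=svc_maint, UID=1004, GID=1004, home=/home/svc_maint, shell=/bin/bash
Dec 23 02:14:02 node1 sudo:  svc_maint : TTY=pts/0 ; PWD=/home/svc_maint ; USER=root ; COMMAND=/bin/bash
Dec 23 02:15:30 node3 systemd[1]: Startup finished in 3.0s (kernel) + 7.9s (userspace) = 10.9s.
Dec 24 09:00:01 node1 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
BOOT_MARK = "systemd[1]: Startup finished"
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_syslog(text, year):
    """Yield (timestamp, host, message) per well-formed line; classic syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, host, msg = m.groups()
        yield datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)), host, msg


def analyze(text, known_users, year=2020, after_boot=timedelta(minutes=10),
            reboot_cluster=timedelta(minutes=15), min_hosts=2):
    """Return alert tuples for the three patterns in the page's account of the intrusion."""
    events = list(parse_syslog(text, year))
    boots = [(ts, host) for ts, host, msg in events if BOOT_MARK in msg]
    alerts = []
    for ts, host, msg in events:
        m = USERADD_RE.search(msg)
        if not m:
            continue
        name = m.group(1).strip()
        if name not in known_users:
            alerts.append(("unexpected-new-user", host, name))
        # A fresh account minutes after a boot is what a rescue-mode intrusion leaves behind.
        if any(h == host and timedelta(0) <= ts - bt <= after_boot for bt, h in boots):
            alerts.append(("new-user-after-boot", host, name))
    # Several hosts booting inside one short window is a fleet-level event worth paging on.
    for ts, host in sorted(boots):
        cluster = {h for bt, h in boots if timedelta(0) <= bt - ts <= reboot_cluster}
        if len(cluster) >= min_hosts:
            alerts.append(("correlated-reboots", ",".join(sorted(cluster)), ts.isoformat()))
            break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS, known_users={"deploy"}):
        print(alert)
```

The point of the after-boot correlation is that a user created by a legitimate change window normally follows a ticket, not a reboot; a boot followed within minutes by `useradd` and a root shell is the sequence worth an immediate page rather than a next-morning review. Because logs on a host the attacker controls can be altered, this only pays off when the lines are shipped off-host as they are written.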
"Since the hack, a lot of funds were lost, unsaved or stolen. Only a handful of assets were saved from the hack. While Altilly was an unregulated exchange, without any official ownership by either of the 2 parties and while the ToS and Disclaimer mentions that no claims can be made in case of a hack, the team behind Qredit takes full responsibility to make sure that all former users will be recovered from their losses."
Total Amount Lost
"According to the official weighing, the attacker gained access to 30 BTC and 12,000 USDT and stole them while controlling the server."
The total amount lost has been estimated at $6,700,000 USD.
Immediate Reactions
Altilly's reaction is given in the statements quoted under Technical Details above: after the second round of reboots on the 25th/26th December 2020 they added code to block external access to the servers and changed the rescue system, then lost access to all servers at the previous hosting provider (database, wallets and codebase) when a deletion request came in through the hosting client portal, and announced they were waiting on analysis from the new hosting provider before confirming whether funds were lost.
Ultimate Outcome
Multiple users in the community have alleged that the Altilly exchange collapse was an inside job. While the Altilly platform promised to repay users, it does not appear that any such repayment actually occurred.
Allegations Of Inside Job
"We know that a small number of people are already beginning to call the attack an exit scam, and suggestions of the attack being an inside job are totally untrue and unfounded."
"First, we must complete the audit required to understand which users have had funds stolen, this could take up to three months, due to lack of access to backup information. Second, we aim to repay everyone within 6 months, this timeframe is subject to change."
"The Altilly team are monitoring all major stolen crypto currency addresses, and are ready to contact other exchanges with a view to stopping those funds being cashed out, or exchanged." "We have contacted the Swedish Data Inspection agency and reported the breach according to GDPR rules within 72 hours of the breach."
"The total amount stolen is circa 1mln USD. This is a large sum, but not impossible to repay."
"One possible solution would be to repay the stolen funds by utilising profit created by a number of other projects, completely unrelated to Altilly. Although to be clear, we are unable to make any cast-iron guarantees at this stage. More detail will be provided in due course."
"The Team is deeply saddened and embarrassed at what has transpired. Words can not describe how the team feels and the pain and suffering this news brings to everyone."
Unable To Access Backup Wallets
"On a number of occasions, we attempted to upload backups to our servers. Unfortunately, the attacker(s) had also gained access to our offsite storage account. This was compromised using API keys from the backup software on the affected servers. The attacker removed all backup files from that location." "Due to the attacker deleting the backups and production servers the remaining funds within the Exchange cryptocurrency wallets are effectively inaccessible/lost. Not only to Altilly but also the attacker, due to database and server encryption."
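The statement above names the failure exactly: the backup agent's API keys lived on the production servers, the same keys could delete, and once the servers were owned the offsite copies went with them. The model below is an added example, not Altilly's backup setup or any vendor's API, of the access rule that breaks that chain: the key on the servers can only add new objects, nothing can remove an object before its retention period ends, and only a credential kept off the production hosts can remove it afterwards. Credential names, file names and dates are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta


class LockedBackupStore:
    """Toy model of an offsite backup bucket with write-once objects and a retention lock.

    Two credentials: "agent" is the key the backup software on the production servers
    holds (the one an intruder on those servers can copy); "custodian" is kept offline,
    off every production host. Neither can overwrite or delete an object before its
    retention period ends, and only the custodian can delete after that.
    """

    def __init__(self, retention):
        self.retention = retention
        self.objects = {}  # name -> (sha256 hex digest, created_at)

    def put(self, credential, name, data, now):
        if credential not in ("agent", "custodian"):
            raise PermissionError("unknown credential")
        if name in self.objects:
            raise PermissionError("objects are write-once; use a new name")
        digest = hashlib.sha256(data).hexdigest()
        self.objects[name] = (digest, now)
        return digest

    def delete(self, credential, name, now):
        if credential != "custodian":
            raise PermissionError("only the offline custodian key may delete")
        _digest, created = self.objects[name]
        if now - created < self.retention:
            raise PermissionError("retention lock still active")
        del self.objects[name]

    def inventory(self):
        return sorted(self.objects)


def simulate_stolen_agent_key(store, now):
    """Replay the page's failure mode: an attacker holding the agent key tries to wipe backups.

    Returns (attempts, refused); a sound policy gives attempts == refused.
    """
    attempts = refused = 0
    for name in store.inventory():
        attempts += 1
        try:
            store.delete("agent", name, now)
        except PermissionError:
            refused += 1
    return attempts, refused


def custodian_can_delete(store, name, now):
    """True if the offline key is allowed to remove `name` at time `now`."""
    try:
        store.delete("custodian", name, now)
        return True
    except PermissionError:
        return False


def build_sample_store():
    """Constructed backup set: three nightly encrypted wallet snapshots written by the agent."""
    store = LockedBackupStore(retention=timedelta(days=30))
    t0 = datetime(2020, 12, 20)
    for i in range(3):
        day = t0 + timedelta(days=i)
        store.put("agent", f"wallets-{day:%Y%m%d}.tar.enc", f"snapshot {i}".encode(), day)
    return store


BREACH_TIME = datetime(2020, 12, 26)            # constructed date of the attempted wipe
AFTER_RETENTION = BREACH_TIME + timedelta(days=30)
```

The retention lock matters as much as the split in credentials: if the custodian key alone could delete at any time, an attacker who later obtained it (or an insider) could still erase history, whereas a time lock means a full wipe requires waiting out the retention window while the owners notice. The real-world equivalents are object-lock or write-once storage modes offered by the major object stores, paired with a backup agent credential that has put-only permissions.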
User Repayment/Claims Portal
"You have our word that we will not rest until we have repaid affected users."
"Click on the button below to fill in the form so we can establish the users affected by the Altilly Exchange hack. Please note. You will have 60 days from today, to fill in the form. You can no longer claim your funds once these 60 days have passed. Final date is: 26th of February 2021 - 23:59 CET."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Investigation continues into the Altilly platform, given the suspicious nature of the backup wallets being inaccessible. There are allegations that the Altilly platform was actually run by Paul Vernon, who previously ran Cryptsy[16], and that Paul Vernon is also behind the more recent exchange collapse of Xeggex[16].
General Prevention Policies
The Altilly platform stored all their funds online in a hot wallet. They did not set up a multi-signature wallet.
The theft could have been prevented if the funds were stored offline or if signatures from multiple trusted parties were required to release assets.
Individual Prevention Policies
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is never present on a networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
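Altilly kept everything in a single hot wallet with no multi-signature requirement (see General Prevention Policies above), so one compromised server was enough to move funds. The block below is an added example, not Altilly's or any wallet vendor's code, of the approval rule the paragraph above calls for: a release is valid only when at least `threshold` distinct key holders have approved the exact amount, asset and destination, and an approval can be used once. To run with the standard library only it authenticates approvals with a per-holder HMAC secret, which is a stand-in for the per-holder asymmetric keys (ideally on hardware devices) or on-chain multisig a real deployment would use; holder names, amounts and the destination address are constructed.

```python
import hashlib
import hmac
import json
import secrets


def approve(holder, holder_secret, request):
    """Runs on the holder's own device. Returns (holder, signature) over the canonical request.

    HMAC-SHA256 with a per-holder secret stands in for a real signature here.
    """
    sig = hmac.new(holder_secret, canonical(request), hashlib.sha256).hexdigest()
    return holder, sig


def canonical(request):
    """One byte-exact encoding so every holder signs, and the verifier checks, the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


class ReleasePolicy:
    """M-of-N release check for a treasury wallet.

    `verifier_keys` maps holder -> secret used to verify that holder's approval; with real
    signatures this would hold public keys only, so the verifier could never forge approvals.
    """

    def __init__(self, verifier_keys, threshold=3):
        if threshold > len(verifier_keys):
            raise ValueError("threshold cannot exceed the number of key holders")
        self.verifier_keys = dict(verifier_keys)
        self.threshold = threshold
        self.used_nonces = set()

    @staticmethod
    def new_request(amount, asset, destination):
        """Bind approvals to the exact amount, asset and destination plus a one-time nonce."""
        return {"amount": str(amount), "asset": asset, "destination": destination,
                "nonce": secrets.token_hex(16)}

    def release(self, request, approvals):
        """True, and the nonce is consumed, only if enough distinct holders validly approved."""
        if request["nonce"] in self.used_nonces:
            return False
        msg = canonical(request)
        valid = set()
        for holder, sig in approvals:
            secret = self.verifier_keys.get(holder)
            if secret is None:
                continue
            expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                valid.add(holder)          # a set, so one holder signing twice counts once
        if len(valid) < self.threshold:
            return False
        self.used_nonces.add(request["nonce"])
        return True


def demo():
    """Walk the policy through the cases that matter; returns a dict of outcomes."""
    holders = {f"holder{i}": secrets.token_bytes(32) for i in range(1, 6)}  # constructed 5 holders
    policy = ReleasePolicy(holders, threshold=3)
    req = policy.new_request("1.5", "BTC", "bc1q-constructed-destination")
    two = [approve(h, holders[h], req) for h in ("holder1", "holder2")]
    three = two + [approve("holder3", holders["holder3"], req)]
    duplicated = two + [approve("holder1", holders["holder1"], req)]
    tampered = dict(req, amount="15.0")   # approvals were over 1.5, not 15.0
    return {
        "two_of_five": policy.release(req, two),
        "duplicate_signer": policy.release(req, duplicated),
        "tampered_amount": policy.release(tampered, three),
        "three_of_five": policy.release(req, three),
        "replay": policy.release(req, three),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {'released' if outcome else 'refused'}")
```

Three details carry the security value: approvals are over the full request, so a changed amount or destination invalidates them; the nonce is consumed on success, so a captured set of approvals cannot be replayed; and the count is over distinct holders, so one compromised key cannot satisfy the threshold by signing repeatedly. The paragraph's other demands, that the check sit at the lowest possible layer and that holders are trained, are about where this logic lives (on-chain or in the signing devices, not in an application server an intruder can patch) rather than about the logic itself.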
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Accessed Jun 26, 2021)
2. ZKSwap - ZKSwap - Layer-2 for All (Accessed Aug 2, 2021)
3. ZKSwap price, ZKS chart, market cap, and info | CoinGecko (Accessed Aug 2, 2021)
4. Altilly Crypto Exchange - Volume, Market Prices & Listings, Trading Pairs | Nomics (Accessed Aug 2, 2021)
5. Altilly - "Dear users, We have updated the refund process on our website. The deadline for submitting the form (for saved assets) is on the 9th of January 2021. Contact us directly if you have any questions. We are mostly online on Telegram. @altilly" - Twitter (Accessed Aug 2, 2021)
6. Altilly (Accessed Aug 2, 2021)
7. Altilly Cryptocurrency Exchange | CryptUnit (Accessed Aug 2, 2021)
8. Altilly.com Cryptocurrency Exchange Review : Step By Step Guide (Accessed Aug 2, 2021)
9. [ANN][EXCHANGE]Altilly Next Generation Crypto-Asset Exchange (Accessed Aug 2, 2021)
10. [ANN][EXCHANGE]Altilly Next Generation Crypto-Asset Exchange (Accessed Aug 2, 2021)
11. @PACcoinOfficial Twitter (Accessed Aug 2, 2021)
12. Crypto Exchange Altilly hacked (Accessed Aug 2, 2021)
13. Altilly Services Website With Suspicious Activity Report (Accessed Aug 2, 2021)
14. Altilly (Accessed Aug 2, 2021)
15. https://www.publish0x.com/dailyfaucets/altilly-exchange-hacked-update-xerrewz (Accessed Mar 5, 2025)
16. Rekt - Plant a Red Flag (Accessed Mar 5, 2025)
17. Altilly Exchange - Revain (Accessed Mar 7, 2025)
18. Altilly Homepage (Accessed Mar 7, 2025)