AllCrypt WordPress Exploit Theft

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.


AllCrypt Logo/Homepage

AllCrypt was run by an administrator with a strong personality, and featured the ability to trade hundreds of different cryptocurrency assets. Unfortunately, the platform used WordPress, taunted hackers on Twitter, and stored funds in a live wallet. Hackers were eager to help themselves to the "small and insignificant" sum of customer funds on the platform. The platform shut down without reimbursing any affected customers.

[1][2][3][4][5]

About AllCrypt

“Ironically AllCrypt tweeted ‘Too small and insignificant to be a target of the hacks this week. Your coins are safe here because no one cares to hack us’ on 2/16/2015 (twitter: All_Crypt/status/567551838719705091)”

Homepage Online:[6]

Twitter:[7][8][9][10][11][12][13][14]

The Reality

There is no evidence to support the notion that hackers will not target smaller platforms. It's simply a matter of how hard the platform is to hack compared with the potential gain from doing so.

What Happened

The AllCrypt platform was hacked through a WordPress exploit, and 42 bitcoin were taken.

Key Event Timeline - AllCrypt

Date | Event | Description
March 26th, 2014 7:45:55 AM MDT | Hack Resolution Reddit Post | A representative of AllCrypt posts on Reddit that a hack has been stopped, repaired, and the coins have been recovered within 5 days[4]. This was roughly a year prior to the 2015 incident, and apparently they are "posting about the hack everywhere we can" in the spirit of "transparency and honesty"[4]. Said AllCrypt at the time, "learning from these issues is just as important as how you handle it".
February 16th, 2015 | Too Small Tweet | AllCrypt complains to the world that they are too small so no one cares enough to hack them, complete with a crying face emoticon[14].
March 15th, 2015 | WordPress Exploit | A thief reportedly manages to get into the AllCrypt WordPress administration using a marketing director login credential.
March 16th, 2015 5:55:00 AM MDT | QNTRA.net Reports | QNTRA.net reports that, following an announcement of its impending closure due to low trading volume, AllCrypt.com, a bitcoin/altcoin exchange, now reports the depletion of its hot wallet, allegedly losing around 37 BTC[15]. This incident occurred just a month after the exchange's Twitter account reassured users of their bitcoins' safety, citing the site's perceived insignificance. Of the stolen BTC, approximately 10.86 BTC belonged to AllCrypt.com, with the rest belonging to users and a charity fund. It remains unclear whether any altcoins were also compromised. The situation escalated with a tweet from the administrator expressing frustration, signaling potential turmoil within the exchange. Launched in early 2014 with promises of features like anonymous account creation, AllCrypt.com struggled to gain traction and ultimately decided to shut down last month[15].
March 18th, 2015 | Post On Front Of Site | A post is made on the front of the website[16] which links to a post on the AllCrypt blog[5]. AllCrypt reports that late on a Sunday night, the platform experienced a hack, triggering a thorough investigation involving log analysis, discussions with other exchange operators, and law enforcement[5]. The breach began with a password reset request for the marketing director's blog account, whose origin remains unknown. Suspected methods include an educated guess or an email account breach. The hacker accessed the tech assistant's email, possibly via brute force, as failed attempts weren't logged. Utilizing web-based tools, the hacker gained administrative access to the blog, allowing manipulation of user balances and unauthorized withdrawals. Despite safeguards like a secondary accounting system, the hacker circumvented them by creating fake balances through trades, leading to substantial losses of BTC, LTC, and DOGE[5]. The post acknowledges security flaws, addresses speculation, and outlines efforts to return remaining funds to users while contemplating the exchange's future[5]. IP tracing indicates activity from Iran, prompting law enforcement involvement[5]. A Q&A addresses criticisms and clarifies aspects of the incident, emphasizing the severity of the situation and the challenges ahead[5].
March 24th, 2015 2:39:44 PM MDT | Hack Resolution Website Post | AllCrypt reports that they recovered 55,685.92170221 BTCS which were stolen on Friday the 21st[17]. These coins were attempted to be cashed out through Mintpal, where the thief was caught[17].

Technical Details

“Around 8PM on Sunday (all times EDT) our marketing director’s blog account requested a password reset. […] The MD saw this email come in, and forwarded it to myself, and another team member (a technical lead/temporary assistant support staff), letting us know what happened and that he did not request the password reset. I did not see the email at the time, as I was out, and it was not a huge red flag that would require a phone call. Once I returned home later, I saw the email, and logged into the server to double-check on things. That’s when I discovered the breach.”

“The blog post goes on to describe how the attacker managed to upload PHP files to the WordPress site, install Adminer (a web based database management utility similar to PHPMyAdmin) and then create fake crypto currency balances in the system. From there, using a fake account, the attacker could then trade crypto currency and transfer earnings to a Bitcoin wallet owned and controlled by the attacker.”
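An added detection example, written for this case study and not taken from AllCrypt or any source cited here: a scan over web server access logs that alerts only when one client walks the full chain the post describes (a password reset request on the blog, a PHP/plugin upload through wp-admin, then a request for Adminer). The log lines, URL patterns and two-hour window are constructed assumptions, not AllCrypt's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the chain the post describes, in order: password reset request on the
# blog account, PHP/plugin upload via wp-admin, request for the Adminer DB tool.
# URL patterns are assumptions about a generic access log, not AllCrypt's logs.
STAGES = [
    re.compile(r"wp-login\.php\?action=lostpassword"),
    re.compile(r"wp-admin/update\.php\?action=upload-plugin|wp-admin/(?:plugin|theme)-editor\.php"),
    re.compile(r"/adminer[^/]*\.php", re.IGNORECASE),
]
WINDOW = timedelta(hours=2)  # assumed: whole chain from one client within 2 hours
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (RFC 5737 test addresses): the first client walks the
# full chain, the second only requests a password reset, which alone is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2015:20:01:12 -0400] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [15/Mar/2015:20:11:03 -0400] "POST /blog/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1140
203.0.113.5 - - [15/Mar/2015:20:14:27 -0400] "GET /blog/wp-content/uploads/adminer.php HTTP/1.1" 200 5521
198.51.100.7 - - [15/Mar/2015:20:15:00 -0400] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 302 0
"""

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line is not CLF-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect_chains(log_text):
    """Return [(ip, first_seen, last_seen)] for clients hitting every stage in order inside WINDOW."""
    progress = defaultdict(lambda: {"stage": 0, "first": None})
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, path, status = rec
        state = progress[ip]
        if state["first"] is not None and ts - state["first"] > WINDOW:
            state["stage"], state["first"] = 0, None  # chain too slow: start over
        if status < 400 and STAGES[state["stage"]].search(path):
            state["first"] = state["first"] or ts
            state["stage"] += 1
            if state["stage"] == len(STAGES):
                alerts.append((ip, state["first"], ts))
                progress[ip] = {"stage": 0, "first": None}
    return alerts
```

A single password reset request is normal user behaviour, so only the ordered sequence from one client raises an alert; partial or out-of-order hits are ignored.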

Total Amount Lost

The total amount lost has been estimated at $12,000 USD.

Immediate Reactions

Notice On Website:[16]

“On March 18, 2015, AllCrypt, a small crypto currency exchange posted what may very well be one of their last posts on their blog. The Bitcoin exchange had been hacked, resulting in stolen crypto currency.”

“42 BTC stolen by the hackers”

“The stolen Bitcoins might not seem that much, but for a smaller alternative crypto currency exchange even such an amount is not small.”

“The owner, who appears to be anonymous according to WHOIS information, claims that the site cost him a total of $15,000, and further that they only netted roughly 10 BTC in profits after thirteen months of operation.”

“Between hardware and operating costs, I am personally down over $15,000. Believe me – I feel your pain as well. No one on the site had as much on the servers as I personally did. Not that I expect pity or compassion, but I think it’s important to know that I’m not retiring to a private island because of this. I also think it’s important to be as open as possible to assuage any fears of an inside job.”

In response to a customer after the hack - “I see you running an exchange successfully, I’ll take your advice. Wait, you don’t run an exchange? You’re unemployed? Thanks for the input.”

Ultimate Outcome

Funds were traced to a Mintpal wallet and ultimately the portion which remained there was returned[17].

Total Amount Recovered

55,685.92170221 BTCS were reportedly recovered[17].

Ongoing Developments

Multiple news articles continue to display inaccurate information on the amount of funds which were lost in the AllCrypt platform.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Lessons to Learn from the AllCrypt Hack - Acunetix (Mar 2, 2020)
  2. BTC-e Exchange Adds Dash And Ethereum Bitcoin Trading Pairs - CCN (Mar 2, 2020)
  3. Exchange Closure and Settlement - Google Docs (Mar 2, 2020)
  4. AllCrypt.com hack resolution. Hacked, stopped, repaired, back up (in 3 days), coins recovered (in 5 days). - Reddit (Accessed Mar 2, 2020)
  5. What happened, and what’s going on - AllCrypt Blog Archive March 24th, 2015 2:49:05 PM MDT (Accessed Feb 28, 2024)
  6. AllCrypt Homepage Archive February 6th, 2015 2:19:52 AM MST (Accessed Mar 12, 2024)
  7. AllCrypt Twitter Archive September 16th, 2014 8:14:22 AM MDT (Accessed Mar 18, 2024)
  8. AllCrypt Twitter Archive March 22nd, 2015 11:46:06 AM MDT (Accessed Mar 19, 2024)
  9. AllCrypt Twitter Archive March 24th, 2015 2:39:12 PM MDT (Accessed Mar 19, 2024)
  10. AllCrypt Twitter Archive March 24th, 2015 2:43:56 PM MDT (Accessed Mar 19, 2024)
  11. AllCrypt Twitter Archive March 24th, 2015 2:43:58 PM MDT (Accessed Mar 19, 2024)
  12. AllCrypt Twitter Archive March 24th, 2015 3:03:29 PM MDT (Accessed Mar 19, 2024)
  13. AllCrypt Twitter Archive May 14th, 2015 4:11:18 PM MDT (Accessed Mar 19, 2024)
  14. AllCrypt - "AllCrypt: Too small and insignificant to be a target of the hacks this week. Your coins are safe here because no one cares to hack us" - Twitter Archive March 24th, 2015 2:52:49 PM MDT (Accessed Mar 18, 2024)
  15. Amid Decision To Close, AllCrypt.com Reports Hot Wallet Theft - QNTRA.net Archive March 24th, 2015 3:31:13 PM MDT (Accessed Mar 19, 2024)
  16. AllCrypt.com is down - AllCrypt Homepage Archive March 24th, 2015 2:52:54 PM MDT (Accessed Mar 12, 2024)
  17. The Hack – The Resolution - AllCrypt Blog Archive March 24th, 2015 2:39:44 PM MDT (Accessed Mar 15, 2024)