Einstein Exchange

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.


Einstein Exchange Homepage/Founder

The small team at Einstein boasted "300,000 satisfied customers" on their website, and continued to take on more business through mounting withdrawal delays posted across social media.

Among the great features of this exchange was the ability to quickly convert credit card purchases and bank drafts into cryptocurrency which could then be withdrawn immediately, which was a hit among investors and fraudsters alike. In the boom periods in 2017, the company struggled to keep up with all the activity, and it seemingly failed to react adequately to the massive shortfall which was developing over time.

It seems like the company did their best to honour the withdrawals of those who desperately needed the money for as long as they could before the situation met its ultimate end. Victims were spared the stress of a long and grueling bankruptcy - there were no assets left.

This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.[1][2][3][4][5][6][7][8][9][10][11][12][13]

About Einstein Exchange

The Einstein Exchange presented itself as Canada's fastest-growing digital currency exchange, offering a full suite of consumer and business solutions. Users could create accounts instantly using Facebook, Google, or LinkedIn credentials. The platform featured Einstein Convert, an app facilitating easy conversion to and from crypto, with referral earning capabilities. Einstein Payments enabled the acceptance of cryptocurrency on online stores, while Einstein Institutional catered to corporate, institutional, and over-the-counter accounts and services[14].

The platform emphasized its mission to make cryptocurrency safe, simple, and efficient. With a focus on user-friendly portfolio management, quick deposits and withdrawals, and competitive fees, Einstein Exchange aimed to provide a secure and supportive trading experience. The homepage highlighted positive customer testimonials, and the platform claimed to have exchanged over $600 million in digital currency, served 187 countries, and satisfied over 175,000 customers. The company was based in Vancouver, British Columbia, with an address reported as 717 W Pender St[14].

The Reality

The Einstein Exchange experienced a massive amount of trading and activity at the end of 2017 and early 2018, before temporarily suspending further deposits. Unfortunately, the platform was constructed such that customers could engage in credit card and bank draft fraud, and reverse payments after withdrawing the cryptocurrency. The platform developed a growing shortfall of funds over time, which eventually resulted in their collapse in November 2019.

What Happened

Credit card and bank draft fraud quickly accumulated with the Einstein Exchange, eventually causing its collapse in November 2019, with roughly $16m CAD owed to users.

Key Event Timeline - Einstein Exchange

| Date | Event | Description |
| --- | --- | --- |
| November 1st, 2019 12:01:31 AM MDT | Main Event | |
| November 14th, 2019 | First Report To Court | Interim Receiver’s First Report to Court |
| November 18th, 2019 | Interim Receiver Discharge | Grant Thornton Limited was discharged as Interim Receiver of Einstein Capital Partners Ltd., Einstein Exchange Inc., Einstein Law Corporation and Michael Ongun Gokturk pursuant to a Court order that was pronounced on November 18, 2019 |

Technical Details

The issue can be attributed primarily to a build-up of credit card and bank draft fraud over time.

Total Amount Lost

The total amount lost has been estimated at $12,000,000 USD.

Immediate Reactions

“On November 1, the BCSC applied to the Supreme Court of British Columbia for an order appointing an interim receiver to preserve and protect any assets of Einstein Exchange. The Court granted the application and appointed Grant Thornton Limited as interim receiver. Grant Thornton subsequently entered and secured the premises of Einstein Exchange on November 1.”

"The interim receiver assigned to oversee the company's finances and take control of any remaining assets, Grant Thornton, said in a report Monday that Einstein now has just CA$45,000 (US$34,000) left of CA$16 million-worth (US$12 million) claimed by users of the exchange."

Ultimate Outcome

“Grant Thornton Limited was discharged as Interim Receiver of Einstein Capital Partners Ltd., Einstein Exchange Inc., Einstein Law Corporation and Michael Ongun Gokturk pursuant to a Court order that was pronounced on November 18, 2019, a copy of which can be found below under “Court Orders”. A copy of the Interim Receiver’s First Report to Court, dated November 14, 2019, can be found below under “Court Reports”.”

“Gokturk attributed the losses to frauds with credit cards and bank drafts. He said that the majority of the loss was in cryptos.” "It was just madness," said Michael Gokturk, co-founder of the Einstein Exchange.

Total Amount Recovered

There do not appear to have been any funds recovered in this case. The platform collapsed with only $40,000 in assets.

Ongoing Developments

The case is believed to be concluded.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The structure of Einstein was such that fraud was able to continue for much of its existence without any critical reflection on which policies and processes might be done differently. Had any form of audit or Proof of Reserve process been in place, it would have been apparent that problems were mounting years before the point of closing with $16m CAD lost.
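The following is an added example, not code from Einstein Exchange or from this repository. It replays a constructed ledger to show how a card deposit that is withdrawn and then reversed leaves a shortfall covered by other customers' deposits, and on which day a reserve check would first show it. The event names, the amounts and the hold_days control are assumptions made for illustration.

```python
# Constructed sample ledger (not Einstein Exchange data); amounts in CAD.
# Tuple: (day, customer, kind, amount). kind is one of:
#   "card_deposit" reversible funding, "withdraw" crypto leaves the platform,
#   "chargeback"   the card issuer pulls a deposit back from the platform.
EVENTS = [
    (1, "alice", "card_deposit", 10_000),
    (1, "bob", "card_deposit", 5_000),
    (2, "bob", "withdraw", 5_000),      # withdrawn right after funding
    (20, "bob", "chargeback", 5_000),   # payment reversed after the withdrawal
    (21, "carol", "card_deposit", 2_000),
]


def reconcile(events, hold_days=0):
    """Replay the ledger; return (day, liabilities, assets, shortfall) per event.

    hold_days is a hypothetical control: card-funded balance cannot be
    withdrawn until the deposit is that many days old.
    """
    owed = {}       # customer -> balance the platform owes
    pending = []    # [clears_on_day, customer, amount] for reversible deposits
    assets = 0      # value the platform actually holds
    snapshots = []
    for day, who, kind, amount in sorted(events, key=lambda e: e[0]):
        if kind == "card_deposit":
            owed[who] = owed.get(who, 0) + amount
            assets += amount
            pending.append([day + hold_days, who, amount])
        elif kind == "withdraw":
            held = sum(a for clears, w, a in pending if w == who and clears > day)
            if amount <= owed.get(who, 0) - held:
                owed[who] -= amount
                assets -= amount
            # otherwise rejected: the funds are still inside the hold window
        elif kind == "chargeback":
            assets -= amount
            clawed = min(amount, owed.get(who, 0))  # recover what is still on account
            owed[who] = owed.get(who, 0) - clawed
            match = next((p for p in pending if p[1] == who and p[2] == amount), None)
            if match:
                pending.remove(match)
        liabilities = sum(owed.values())
        snapshots.append((day, liabilities, assets, max(0, liabilities - assets)))
    return snapshots


def first_shortfall_day(snapshots):
    """Day on which a reserve check would first show assets below liabilities."""
    return next((day for day, _, _, gap in snapshots if gap > 0), None)
```

Comparing reconcile(EVENTS) with reconcile(EVENTS, hold_days=30) shows the same reversal producing a gap in the first case and none in the second, because the withdrawal is refused while the deposit can still be reversed.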

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not perform a repeat assessment within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must also cover social media, database, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References