Token Tax API Key Breach SPT0615-JD
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Reddit user SPT0615-JD accidentally provided the TokenTax software with an API key that had full authorization to transfer assets from his exchange account, rather than a view-only access key. This key was later breached and used to withdraw funds from his exchange account. Neither the exchange nor the amount lost is mentioned. It does not appear he was able to recover any funds.
This exchange or platform is based in the United States, or the incident targeted people primarily in the United States.[1][2]
About Token Tax
"TokenTax’s first version was created by co-founder Alex Miles back in 2017. This initial product imported data directly from Coinbase, and it won the Product Hunt Global Hackathon. Soon after, co-founder Zac McClure joined. Before starting TokenTax, Alex worked as a product designer for Readmill and Dropbox. Zac worked in impact capital, nonprofit corporate and legal structuring, investment banking, and as a mathematics teacher.
In 2019, TokenTax acquired Crypto CPAs, a cryptocurrency tax accounting firm led by CPA Andrew Perlin.
Now, TokenTax calculates cryptocurrency taxes and provides tax and accounting services for thousands of crypto investors around the world."
"Crypto taxes can be complex. But they don't have to be painful. We're crypto tax calculation software, but we're also a full-service crypto tax accounting firm."
"Crypto tax software + Crypto tax experts. When technology and human expertise combine, even the most sophisticated crypto tax cases can be stress free."
"People don’t love taxes. But they do love us."
"Big or small, we’ve seen it all. Our team has the experience to support every exchange or wallet and tackle crypto tax situations that range from HODLers to hedge funds."
"We offer advanced cryptocurrency reconciliation services. That means we can analyze your transaction history to backfill missing or incorrect data."
The Reality
TBD
What Happened
SPT0615-JD held an account at a major US exchange and set up an API key on that platform which had "all three permissions" enabled[5]. He provided this API key to the TokenTax software. The API key was breached, and his funds were stolen from his exchange account.
Date | Event | Description |
---|---|---|
January 12th, 2022 5:19:16 PM MST | Reddit Post | Situation is posted on Reddit[6][1]. |
January 12th, 2022 6:02:34 PM MST | Additional Details | [5] TBD integrate. |
January 12th, 2022 6:18:55 PM MST | Additional Details | SPT0615-JD reports that they were using a major US exchange at the time. He suggests that perhaps his "brain was fried" and he "made a mistake" in enabling "all three permissions" on the API key[7]. |
Technical Details
Based on the available information, it appears that SPT0615-JD provided an API key which had access to "all three permissions" within his unspecified major US exchange account to TokenTax. The TokenTax service was subsequently breached, and malicious actors used the API key to drain funds from his account.
"Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake."
Total Amount Lost
The total amount lost is unknown. SPT0615-JD did not provide any details on how much was lost in this case.
Immediate Reactions
SPT0615-JD posted their experience to Reddit to obtain community feedback and warn others about the risks.
Original Post To Reddit
"I recently got hacked through my exchange API key linked to a popular tax service, all my funds were drained overnight. I somehow had transfers enabled on the API key which was my goof, but the fact of the matter is that the tax service seems to have lost control over their API keys or it was an inside job.
The API key had been copied from exchange and pasted into tax service on a clean corporate computer, and was never documented anywhere else. The exchange account was also highly secure (google auth, unique and regularly rolled password, clean devices), and there is no chance this was an issue with the exchange itself. This was a 100% verifiable loss of funds due to a compromised API key deriving from the tax service itself, whether through an inside job or through a leak.
I'm trying to connect with other victims as we may have stronger possibility of winning a case against the service if we can work together. There is strong evidence of another affected user. Please DM or comment if you were affected!! Even folks with read only keys may also be at risk of their data leaking from this site if this is confirmed.
Thanks for reading, also please don't disparage me for having the wrong permissions enabled in the first place, I know I already done goofed and I feel terrible about it.
Ps: I'm not naming the tax service for now as there is no reason to yet and I don't want to get hit with a stupid libel suit in the meantime."
Reactions To Reddit Report
Several users attempted to assist and get more details on Reddit[8][9].
"OP you really need to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done."
"Are you able to get transaction details of where the stolen crypto ended up . Try trace it to a exchange and reach out to them ."
Ultimate Outcome
Further Investigation With Team
"Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. Are you aware of any possibilities that a hacker could somehow change permissions to a key after it was created? I've been told there isn't. Also there was zero evidence that anyone actually got into the account."
Reported CEO Dismissive Reactions
"The CEO asked me to call him directly and was extremely dismissive and refuses to commit to investigating anything. He made claims that they "prevent API keys with the wrong permissions from being added in the first place", which isn't true. All he would say is "we haven't seen anyone access your key or anything else". It really feels like he isn't taking it seriously that this has wide implications to his overall customer base."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
This problem came about as a result of the individual storing their funds on a third party exchange platform, setting up an API key with unnecessary withdrawal permissions on the third party exchange platform, and then providing this API key to the TokenTax software. Avoiding any one of these decisions would have avoided the loss.
Risks On Third Party Platforms
Most third party platforms do not have an adequate ability to detect unauthorized withdrawals. The best practice is to avoid storing funds on third party platforms unless necessary.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
Care Regarding API Keys
The API key was set up with authority to withdraw funds, similar to a private key. Therefore, a similar level of protection needs to apply to keeping it safe.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc... Never ever send these to anyone else who you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you like pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.
Set up separate email addresses for each service, and avoid providing your phone number whenever possible. Any received emails or phone calls must be viewed with scrutiny, especially if unsolicited. Interact with companies only through their official websites and confirm anything with the company directly via multiple official sources, especially if it promises a significant incentive to take an action or threatens access to your funds if an action is not taken. It would be recommended to also establish a network of multiple trusted individuals who use the same services and have a strong level of security knowledge.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
There are a number of policies which could have been implemented to prevent this loss. Having a third party review the procedures of a service could have provided greater insight into the options.
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting of any risks to the backing of customer assets, ensuring that treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not perform the inspection again within a 14 month period.
Warnings On API Key Generation
Further warnings when generating the API key could have alerted SPT0615-JD to the possibility that they had generated an API key with extra permissions.
API Key Generation Review
Prompting users to periodically review their API keys could have increased the chance that SPT0615-JD would have discovered the permission issue.
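The two policies above (warning at key generation, and periodic key review) both reduce to the same question: does a key carry scopes beyond what a read-only integration needs? The following is an added example written for this page, not code from TokenTax or from any exchange. It assumes, hypothetically, that the exchange reports a key's permissions as scope strings ("read", "trade", "withdraw"), that a tax integration only ever needs "read", and that a 90 day review reminder is reasonable.

```python
"""Permission-scope guard for exchange API keys (added example; hypothetical scope names)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List, Optional

# Scopes a read-only data integration (tax reporting) legitimately needs.
REQUIRED_SCOPES: FrozenSet[str] = frozenset({"read"})
# Scopes that let the key holder move or spend funds. A leaked key carrying these
# is equivalent to a leaked private key for the exchange balance.
DANGEROUS_SCOPES: FrozenSet[str] = frozenset({"trade", "withdraw"})
# Hypothetical cadence for reminding users to re-check their keys.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class ApiKey:
    label: str
    scopes: FrozenSet[str]
    created: date
    last_reviewed: Optional[date] = None


def excess_scopes(key: ApiKey) -> FrozenSet[str]:
    """Scopes granted beyond what the integration needs."""
    return key.scopes - REQUIRED_SCOPES


def generation_warnings(key: ApiKey) -> List[str]:
    """Warnings an exchange could show at key creation, or a service could show on import."""
    warnings = []
    dangerous = key.scopes & DANGEROUS_SCOPES
    if dangerous:
        warnings.append(
            f"{key.label}: grants {sorted(dangerous)}; a read-only integration does not need these"
        )
    if "withdraw" in key.scopes:
        warnings.append(
            f"{key.label}: anyone holding this key can withdraw funds; protect it like a private key"
        )
    return warnings


def should_accept(key: ApiKey) -> bool:
    """Integration-side gate: refuse any key with a scope beyond the required ones."""
    return not excess_scopes(key)


def keys_due_for_review(keys: Iterable[ApiKey], today: date) -> List[str]:
    """Labels of keys the user should re-check: over-scoped, or not reviewed within the interval."""
    due = []
    for k in keys:
        anchor = k.last_reviewed or k.created
        if excess_scopes(k) or today - anchor >= REVIEW_INTERVAL:
            due.append(k.label)
    return due


if __name__ == "__main__":
    # Constructed sample keys, modelled loosely on the case (dates are illustrative).
    read_only = ApiKey("tax-readonly", frozenset({"read"}), date(2020, 3, 1), date(2021, 12, 15))
    all_perms = ApiKey("tax-2020", frozenset({"read", "trade", "withdraw"}), date(2020, 3, 1))
    for k in (read_only, all_perms):
        print(k.label, "accept" if should_accept(k) else "reject", generation_warnings(k))
    print("due for review:", keys_due_for_review([read_only, all_perms], date(2022, 1, 12)))
```

The gate in `should_accept` is what the CEO's claim of preventing "API keys with the wrong permissions from being added in the first place" would require on the service side; the exchange-side equivalent is showing `generation_warnings` before the key is issued.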
Blocking First API Key Withdrawal
When an API key has been set up and has never been used for a withdrawal over a long period of time, a large withdrawal is odd behaviour, and it makes sense to confirm that withdrawal with the end user. This type of anomaly would likely be caught if withdrawals were reviewed through a multi-signature wallet.
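The check described above can be expressed as a simple rule over the exchange's per-key activity log. This is an added example for this page, not any exchange's code; it assumes a hypothetical event log with one record per API call (type "read", "trade" or "withdraw", with a USD-equivalent amount on withdrawals), and the dormancy and amount thresholds are illustrative constants.

```python
"""First-withdrawal hold for API-key-initiated withdrawals (added example; hypothetical log format)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Hypothetical thresholds: a key used only for reads/trades this long, whose first
# withdrawal appears, gets held; so does any large first withdrawal.
DORMANCY = timedelta(days=180)
LARGE_USD = 1_000.0


@dataclass
class Event:
    key_id: str
    ts: datetime
    kind: str            # "read", "trade" or "withdraw"
    amount_usd: float = 0.0


@dataclass
class Decision:
    hold: bool
    reason: str


def first_withdrawal_check(history: List[Event], candidate: Event) -> Decision:
    """Decide whether a withdrawal request should be held for out-of-band user confirmation."""
    prior = [e for e in history if e.key_id == candidate.key_id and e.ts < candidate.ts]
    if any(e.kind == "withdraw" for e in prior):
        return Decision(False, "key has withdrawn before")
    if not prior:
        return Decision(True, "no prior activity on this key")
    age = candidate.ts - min(e.ts for e in prior)
    if age >= DORMANCY:
        return Decision(True, f"first withdrawal after {age.days} days of read/trade-only use")
    if candidate.amount_usd >= LARGE_USD:
        return Decision(True, "first withdrawal on this key is large")
    return Decision(False, "first withdrawal on a young key, below threshold")


def sample_history() -> List[Event]:
    """Constructed log: a tax-software key that only ever read balances, monthly, for 18 months."""
    events = []
    for year, month in [(2020, m) for m in range(7, 13)] + [(2021, m) for m in range(1, 13)]:
        events.append(Event("tax-2020", datetime(year, month, 3, 9, 0), "read"))
    return events


if __name__ == "__main__":
    # Constructed overnight withdrawal resembling the case described on this page.
    request = Event("tax-2020", datetime(2022, 1, 12, 2, 0), "withdraw", 25_000.0)
    decision = first_withdrawal_check(sample_history(), request)
    print("HOLD" if decision.hold else "ALLOW", "-", decision.reason)
```

Holding means the exchange pauses the transfer and asks the account owner to confirm through a channel the API key cannot drive (the logged-in web session with its second factor, for instance); a compromised key alone then cannot complete the first withdrawal.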
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Industry Insurance Fund
An industry insurance fund could be established to assist affected users.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
The incident could have been prevented through a combination of increased user education, requiring greater security review and oversight for platforms, and working with the industry to set up an industry insurance fund.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit Archive, January 12th, 2022 6:24:01 PM MST (May 29, 2023)
- [2] SPT0615-JD - "The CEO asked me to call him directly and was extrem[e]ly dismissive and refuse[d] to commit to investigating anything. He made claims that they "prevent API keys with the wrong permissions from being added in the first place", which isn't true. All he would say is "we haven't seen anyone access your key or anything else". It really feels like he isn't taking it seriously that this has wide implications to his overall customer base." - Reddit (May 29, 2023)
- [3] TokenTax | Crypto Tax Software and Accounting (Jun 1, 2023)
- [4] About Us - TokenTax (Jun 1, 2023)
- [5] SPT0615-JD - "Yeah I've worked directly with the investigations team and we determined that it was the key and that apparently it had those permissions set from creation. I was really baffled when I heard that because I know way better than to do this and given I've set things up properly before it just feels unlikely. ... Also there was zero evidence that anyone actually got into the account." - Reddit Archive, January 12th, 2022 6:05:00 PM MST (May 29, 2023)
- [6] SPT0615-JD - Popular crypto tax service appears to have lost control of my exchange API key, resulting in hacked account. Anyone else recently experience this? Seeking other to connect with other victims. - Reddit (May 29, 2023)
- [7] SPT0615-JD - "Major US exchange, I've generated keys for other tax software before and used read only. For some reason all three permissions were enabled on this key, but it is extremely unusual as I never would have done this. It was in 2020 so maybe my brain was fried and I just made a mistake." - Reddit (May 29, 2023)
- [8] Bucksaway03 - "OP you really end to mention what this tax service is for everyone's sake. Doesn't matter who's at fault, if it was the tax service people deserve to know so they can shut [things] down before they get done." - Reddit (Jul 23, 2023)
- [9] Tradegrow - "Are you able to get transaction details of where the stolen crypto ended up . Try trace it to a exchange and reach out to them " - Reddit (Oct 3, 2022)