Vircurex Exchange Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Vircurex was a virtual currency exchange which supported trading in bitcoin and various alternative blockchains. In January 2013, multiple wallets with customer funds were reportedly compromised. The platform reopened and went on to be breached again in May 2013. Customers were not provided with the full details of the platform's solvency, and large withdrawals which happened in March 2014 ultimately brought the platform to a close. It appears that legal actions continue, having been complicated by the operators providing false information about their location.

About Vircurex

Vircurex was a Beijing-based virtual currency exchange[1] which had been operational since October 2011[1][2].

Vircurex was based in Germany(?). The exchange supported trading in different cryptocurrencies including bitcoin, namecoin, devcoin, litecoin, ixcoin, ppcoin, and terracoin[3]. The Vircurex platform enabled trading between BTC, USD or EUR, plus up to 18 other cryptocurrencies, although some less popular coins were eliminated over time[1].

Vircurex gained popularity by offering interest to users holding multiple cryptocurrencies[2].

The exchange offered deposits and withdrawals in both USD and EUR[3]. The homepage of the website featured pricing tables for all supported coins[3].

Vircurex, the exchange platform for buying, selling and trading your Bitcoins and its various alt-chains. We currently support Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin

Homepage: vircurex.com[3]

The Reality

The Vircurex platform wallets were vulnerable.

False Information About Location

TBD

What Happened

The Vircurex wallets were breached and funds were stolen.

Key Event Timeline - Vircurex Exchange Hack

Date | Event | Description
January 11th, 2013 5:19:25 AM MST | BitcoinTalk Thread Posted | An initial post is made on the BitcoinTalk forums "to announce that [the Vircurex] wallet has been compromised" and "DO NOT send any further funds to any of the coin wallets"[4][5].
January 11th, 2013 6:58:50 AM MST | Attribution to Ruby on Rails Vulnerability | In a follow-up response, the incident is attributed to a Ruby on Rails vulnerability[4]. TBD expand with more details.[6][7]
January 11th, 2013 | Date Of Incident | The widely referenced date of the incident[8][9].
March 16th, 2013 4:11:48 AM MDT | BitcoinTalk Thread Edited | The BitcoinTalk thread is edited; however, it appears that only the title was modified from "VIRCUREX !!! IMPORTANT !!!" to just "VIRCUREX"[4][5].
March 3rd, 2014 9:44:52 AM MST | Bitcoin Withdrawal Error Appearing | Users almightyruler and Littleshop report that they have received an error "Do you have a pop-up blocke[r] active or did you manually change the URL?" when attempting to withdraw bitcoin from the platform. It's mentioned that withdrawals are temporarily stopped at this time[10]. This is later included in a CoinDesk article[1].
March 23rd, 2014 6:01:00 PM MDT | CoinDesk Reports Funds Frozen | CoinDesk reports that the Vircurex platform has announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests. The article mentions the shortfall and freeze of BTC/LTC withdrawals in January 2013 after reporting compromised wallets. "The company pledged to cover the losses from its own income and had been doing so until yesterday, when 'large fund withdrawals in the last weeks' completely depleted its cold wallet reserves." At this point, the company plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledges to gradually pay back the losses, emphasizing that it does not intend to shut down. The recent freeze is attributed to large fund withdrawals depleting its cold wallet reserves. The incident raises concerns about exchanges operating fractional reserve systems, leading to calls for proof of reserves through secure cryptographic methods[1].
April 18th, 2014 7:56:22 PM MDT | Included In BitcoinTalk List | A Vircurex exchange hack is featured in the BitcoinTalk "List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses" published by user dree12, although this list includes the second Vircurex hack which happened in May 2013, and not the January 2013 hack[11].
January 2016 | Last Payment From Exchange | The exchange makes its last repayment to affected users[2].
January 12th, 2018 11:00:48 AM MST | CoinDesk Report Of Lawsuit | CoinDesk reports that former customers of the cryptocurrency exchange Vircurex are suing the platform four years after it froze their funds and allegedly failed to repay them. Filed in the U.S. District Court in Colorado, the lawsuit accuses Vircurex of breach of contract, conversion of funds, fraud, and unjust enrichment. The complaint details how only a few account holders received their funds after the exchange froze withdrawals due to claimed insufficient reserves, with approximately $50 million collectively frozen in accounts. Despite the loss, Vircurex has allowed customers to deposit funds over the past four years and continues to operate. The lawsuit alleges deceptive statements and false promises by Vircurex, accusing the exchange of attempting to evade accountability[12].
January 15th, 2018 1:39:08 AM MST | Finance Magnate Article | Finance Magnate also reports details of the lawsuit[2]. Cryptocurrency exchange Vircurex is facing a class-action lawsuit for failing to return approximately $50 million worth of frozen assets to its customers. In 2014, the exchange froze withdrawals due to insufficient funds, exacerbated by major hacks in 2013 and increased withdrawal requests following the Mt. Gox incident. While assuring users they would eventually receive their funds, the last payment occurred in January 2016. The lawsuit, filed by customer Timothy Shaw in Colorado District Court, accuses Vircurex's founder, Andreas Eckert, and an unknown Chinese national of deceptive statements and false promises, seeking recovery for the frozen funds totaling 1,666 BTC, 124,763 LTC, and 78,782 TRC[2].
February 27th, 2019 11:31:32 AM MST | Inclusion In Kyle Gibson Timeline | Kyle Gibson includes the incident in his "100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents"[9]. The incident is listed as a "Hack - Theft". References are provided to BitcoinTalk and CoinDesk.
May 7th, 2019 7:49:57 PM MDT | Inclusion In BitcoinExchangeGuide | The incident is included as a "Hack / Theft" in a published list by BitcoinExchangeGuide.com[8].

Technical Details

[6][7]

Further update:  The system was not breached, no passwords were compromised (they are salted and multiple times hashed anyways). The attacker used a RubyOnRails vulnerability that was released yesterday (http://www.exploit-db.com/exploits/24019/) to withdraw the funds therefore.

"Yet more of its reserve funds were depleted by large withdrawals by some of its customers."

TBD - review more of the BitcoinTalk thread[4].

Total Amount Lost

BitcoinExchangeGuide reports the loss as "1.666 Bitcoin" or "$50.000k" USD[8].

Kyle Gibson reports the loss as "1666" and "50,000,000.00"[9].

The total amount lost has been estimated at $50,000,000 USD.

Immediate Reactions

Vircurex representatives announced the breach on the BitcoinTalk forums[4].

BitcoinTalk Thread Posted

BitcoinTalk user Kumala posted a notice to the BitcoinTalk forums about a wallet compromise[4].

We sadly need to announce that our wallet has been compromised thus DO NOT send any further funds to any of the coin wallets, BTC, DVC, LTC, etc. We will setup a new wallet and reset all the addresses. This will most likely take the whole weekend.

TBD - review more of the BitcoinTalk thread[4].

Ultimate Outcome

TBD - Review more of the BitcoinTalk thread[4].

TBD - Review more of the lawsuit[13]

“In 2014, the exchange reported it was near insolvency after losing large amounts of its reserve funds. According to the lawsuit, part of this loss came from ‘two purported hacks the exchange experienced in mid-2013.’”

“The freeze will affect all bitcoin, litecoin, feathercoin and terracoin withdrawals. A message on Vircurex’s site says it will create a new balance type called ‘Frozen Funds’ covering all balances in the aforementioned currencies. The company maintains it won’t be shutting down, saying it intends to “gradually pay back the losses”.”

“That Vircurex had a reserve shortfall had been known for some time, though not the exact amount. It froze BTC/LTC withdrawals in January 2013 after reporting that wallets had been compromised, but still allowed deposits in those currencies to continue.”


“In a lawsuit filed in the U.S. District Court in Colorado, a former Vircurex customer accuses the exchange of breach of contract, conversion of funds, fraud and unjust enrichment. The suit explained how only a few of the account holders had received their funds after the exchange froze all withdrawals due to a claimed lack of reserves. At present, the frozen accounts contain a combined $50 million.”

“Vircurex’s steps to prevent its customers from suing included stating it was incorporated in Belize, which it is not, as well as indicating it might be based in Beijing. The lawsuit states the exchange is actually based out of Germany, but has never been legally incorporated in any jurisdiction, meaning it is not recognized as a formal business by any government.”

Hack Again Later In 2013

Vircurex was hacked again later in 2013[14].

Ultimate Freezing Of Funds

In March 2014, Vircurex announced a freeze on most of its digital currency withdrawals, including bitcoin, litecoin, feathercoin, and terracoin, citing a lack of reserves to cover customer requests[1]. The company announced plans to create a new balance type called 'Frozen Funds' to cover affected balances and pledged to gradually pay back the losses, emphasizing that it did not intend to shut down. Vircurex had faced a reserve shortfall previously, freezing BTC/LTC withdrawals in January 2013 after reporting compromised wallets. The March 2014 freeze was attributed to large fund withdrawals depleting its cold wallet reserves.

Legal Action Brought Against Owners

The exchange operator was anonymous, and once the hacks occurred, neither hack was revealed until far later. The exchange even lied about where it was based in an effort to prevent a lawsuit.

Total Amount Recovered

Vircurex continued to pay out funds to affected users until January 2016[12]; however, the total amount fell far short of what had originally been lost.

Ongoing Developments

There is presently legal action being taken against the operators of the Vircurex exchange.

General Prevention Policies

Coming soon.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References