WeExchange Ripple Gateway Hacked

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

WeExchange Logo/Homepage

WeExchange was a bitcoin depository and currency exchange operated from Australia (WeExchange Australia, Pty. Ltd.) and the United States (WeExchange, Inc. of Texas), offering trades between bitcoin and USD, AUD, and CAD. Its operator, Jon Montroll, spent user bitcoins on personal expenses, and in the summer of 2013 a weakness in the code of his companion platform BitFunder let attackers credit themselves profits they had not earned and withdraw roughly 6,000 bitcoins from WeExchange. Few technical details of the exploit have been reported. The platform never disclosed the hack to its users, and investors appear to have lost their funds.

[1][2][3][4][5][6][7][8][9][10][11]

About WeExchange

"We provide a place for Bitcoin users to trade Bitcoins to or from USD, AUD or CAD currently."

"The exchange emerged from its limited (invite-only) operations on December 8, 2012. The exchange is operated in Australia by WeExchange Australia, Pty. Ltd and in the U.S. by WeExchange, Inc of Texas."

"JON E. MONTROLL operated two online bitcoin services: WeExchange Australia, Pty. Ltd. (“WeExchange”) and BitFunder.com (“BitFunder”). WeExchange functioned as a bitcoin depository and currency exchange service. BitFunder facilitated the purchase and trading of virtual shares of business entities that listed their virtual shares on the BitFunder platform."

"Between the launch of Bitfunder, in or about December 2012, and at least in or about July 2013, MONTROLL converted a portion of WeExchange users’ bitcoins to his personal use without the users’ knowledge or consent. For example, MONTROLL exchanged numerous bitcoins taken from WeExchange into United States dollars, then spent those funds on personal expenses, such as travel and groceries."

"Beginning on or about July 18, 2013, MONTROLL promoted a security referred to as “Ukyo.Loan.” As described by MONTROLL in a public post about Ukyo.Loan, MONTROLL encouraged investors to “think of [Ukyo.Loan] as a sort of round-about investment” in BitFunder and WeExchange and, at the same time, described Ukyo.Loan as “a personal loan” and “for private investment purposes.” MONTROLL further promised to pay purchasers of Ukyo.Loan daily interest on their investment and promised shares could be “redeemed at face value anytime upon request.”"

Homepage Captures:[12][13][14][15][16]

The Reality

The weakness was in BitFunder's code: attackers caused BitFunder to credit them with profits they had not earned, then withdrew approximately 6,000 bitcoins from WeExchange, which held the deposits for both services. After the exploit the two platforms no longer held the bitcoins owed to their users. Rather than disclose this, Montroll kept promoting and selling Ukyo.Loan, raising roughly 978 further bitcoins after he had already discovered the exploit.

What Happened

"During the summer of 2013, one or more individuals (the “Hackers”) exploited a weakness in the BitFunder programming code to cause BitFunder to credit the Hackers with profits they did not, in fact, earn (the “Exploit”). As a result, the Hackers were able to wrongfully withdraw from WeExchange approximately 6,000 bitcoins, with the majority of those coins being wrongfully withdrawn between July 28, 2013, and July 31, 2013. As a result of the Exploit, BitFunder and WeExchange lacked the bitcoins necessary to cover what MONTROLL owed to users."
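The exploit described above had two detectable symptoms: a trade that credited profit nobody had paid for, and withdrawals that left total user balances larger than the coins actually held. The following is an added example, not code from BitFunder or WeExchange (the actual weakness in BitFunder's code is not described in the sources), showing the ledger invariants a custodial platform can enforce: every trade's legs must net to zero, total liabilities must never exceed wallet reserves, and no withdrawal is paid while either invariant is broken. All account names, amounts, transaction ids and the reserve figure are constructed for illustration.

```python
"""Ledger invariant checks of the kind that would surface a phantom-profit
exploit and the resulting insolvency.

Constructed example: the accounts, ledger entries and reserve figure below are
invented for illustration; they are not data from the BitFunder/WeExchange case.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    """One ledger line. Trades are double-entry: all entries sharing a trade_id
    must net to zero, so nobody can be credited value that nobody paid."""
    user: str
    delta: Decimal                 # positive = credit, negative = debit (BTC)
    kind: str                      # "deposit", "withdrawal" or "trade"
    trade_id: Optional[str] = None
    tx: Optional[str] = None       # on-chain txid for deposits/withdrawals


def balances(entries: List[Entry]) -> Dict[str, Decimal]:
    """Per-user balances, i.e. what the platform owes each user."""
    bal: Dict[str, Decimal] = defaultdict(Decimal)
    for e in entries:
        bal[e.user] += e.delta
    return dict(bal)


def unbalanced_trades(entries: List[Entry]) -> List[str]:
    """Trade ids whose legs do not sum to zero. A credit with no matching debit
    is what 'profits they did not, in fact, earn' looks like in a ledger."""
    net: Dict[str, Decimal] = defaultdict(Decimal)
    for e in entries:
        if e.kind == "trade":
            net[e.trade_id] += e.delta
    return sorted(t for t, n in net.items() if n != 0)


def solvency_gap(entries: List[Entry], reserves: Decimal) -> Decimal:
    """Liabilities minus reserves; positive means user balances are not fully backed."""
    liabilities = sum(balances(entries).values(), Decimal(0))
    return liabilities - reserves


def withdrawal_problems(entries: List[Entry], reserves: Decimal,
                        user: str, amount: Decimal) -> List[str]:
    """Gate a withdrawal. Returns an empty list if it may proceed, otherwise every
    invariant it would violate. A withdrawal reduces liabilities and reserves by
    the same amount, so solvency is checked on the pre-withdrawal state."""
    problems: List[str] = []
    bad = unbalanced_trades(entries)
    if bad:
        problems.append("unbalanced trades: " + ", ".join(bad))
    gap = solvency_gap(entries, reserves)
    if gap > 0:
        problems.append(f"liabilities {reserves + gap} exceed reserves {reserves}")
    have = balances(entries).get(user, Decimal(0))
    if have < amount:
        problems.append(f"insufficient balance: {user} has {have}, requested {amount}")
    return problems


# Constructed ledger: alice and bob deposit, bob buys shares from alice for 2 BTC
# (trade T1), then trade T2 credits mallory 6 BTC with no paying counterparty
# (the phantom profit). Txids are placeholders, not real transactions.
CLEAN = [
    Entry("alice", Decimal("10"), "deposit", tx="deadbeef01"),
    Entry("bob", Decimal("5"), "deposit", tx="deadbeef02"),
    Entry("bob", Decimal("-2"), "trade", trade_id="T1"),
    Entry("alice", Decimal("2"), "trade", trade_id="T1"),
]
EXPLOITED = CLEAN + [Entry("mallory", Decimal("6"), "trade", trade_id="T2")]
RESERVES = Decimal("15")   # constructed: BTC actually held in the platform wallet


if __name__ == "__main__":
    print(unbalanced_trades(EXPLOITED))                                   # ['T2']
    print(solvency_gap(EXPLOITED, RESERVES))                              # 6
    print(withdrawal_problems(EXPLOITED, RESERVES, "mallory", Decimal("6")))
    print(withdrawal_problems(CLEAN, RESERVES, "alice", Decimal("1")))    # []
```

The trade check catches the exploit at the moment the phantom credit is written, before any coins leave; the solvency gap is the number a reserve attestation would publish, and it is what an accurate wallet screenshot given to a regulator would have shown. Both checks are cheap enough to run on every withdrawal rather than on a reporting schedule.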

Key Event Timeline - WeExchange Ripple Gateway Hacked

Date | Event | Description
December 8th, 2012 | WeExchange Opens to the Public | The WeExchange platform emerges from limited, invite-only operation. "The exchange is operated in Australia by WeExchange Australia, Pty. Ltd and in the U.S. by WeExchange, Inc of Texas."
July 18th, 2013 | Ukyo.Loan Promotion Begins | Montroll begins promoting Ukyo.Loan, describing it as a personal loan for private investment purposes and a "round-about investment" in BitFunder and WeExchange[2].
July 28th, 2013 | Wrongful Withdrawals Begin | "Hackers were able to wrongfully withdraw from WeExchange approximately 6,000 bitcoins, with the majority of those coins being wrongfully withdrawn between July 28, 2013, and July 31, 2013."[2]
July 31st, 2013 | Bulk of Wrongful Withdrawals Complete | By this date the majority of the roughly 6,000 bitcoins had been withdrawn from WeExchange[2].
October 13th, 2013 | Date of Falsified Wallet Snapshot | Montroll later provides the SEC with a falsified screenshot purporting to show the total number of bitcoins available to BitFunder users in the WeExchange wallet as of this date[2].
November 14th, 2013 | False Statements in Sworn Testimony | In sworn investigative testimony, Montroll gives materially false and misleading answers, including about when he discovered the exploit[2].
October 6th, 2015 | False Statements in Sworn Testimony | In further sworn investigative testimony, Montroll again gives false and misleading answers about, among other things, the timing of his discovery of the exploit[2].
July 12th, 2019 9:33:21 AM MDT | Department of Justice Press Release | The Department of Justice issues a press release on Montroll's sentencing, describing the misuse of customer funds, the failure to disclose the exploit, and the false statements given to regulators[2].

Total Amount Lost

The total amount lost was approximately 6,000 bitcoins, estimated at $590,000 USD at the time of the hack in July 2013[10]. Ukyo.Loan investors additionally contributed roughly 978 bitcoins after the exploit had been discovered[2].

Immediate Reactions

"MONTROLL failed to disclose the Exploit to users of BitFunder and WeExchange, or investors in Ukyo.Loan. Instead, MONTROLL continued to promote and sell Ukyo.Loan to customers and, on at least one occasion, falsely represented to customers that BitFunder was commercially successful. As a result of his omissions and misrepresentations, MONTROLL raised approximately 978 bitcoins through Ukyo.Loan after his discovery of the Exploit."[2]

Users of the platform were left unaware of the exploit, and Ukyo.Loan continued to be sold to them.

Ultimate Outcome

"The SEC’s New York Regional Office began an investigation into BitFunder and the Exploit. During the course of the investigation, MONTROLL provided the SEC with a falsified screenshot purportedly documenting, among other things, the total number of bitcoins available to BitFunder users in the WeExchange Wallet as of October 13, 2013. Additionally, during sworn investigative testimony on both November 14, 2013, and October 6, 2015, MONTROLL provided materially false and misleading answers to certain questions about, among other things, the timing of MONTROLL’s discovery of the Exploit."

"The operator of a shuttered bitcoin-denominated exchange was arrested on Wednesday on federal charges that he lied to U.S. securities regulators to avoid taking responsibility for the theft by hackers of virtual currency now worth nearly $70 million."

"MONTROLL, 37, of Saginaw, Texas, pled guilty to one count of securities fraud and one count of obstruction of justice. Each charge carries a maximum penalty of 20 years in prison. The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. MONTROLL will be sentenced by Judge Berman at a date to be determined."

"Jon Montroll, the operator of defunct bitcoin-denominated trading platform BitFunder and WeExchange deposit service, was sentenced for securities fraud and obstruction of justice, according to a statement from the Southern District of New York.

Montroll, of Saginaw, Texas, also known as Ukyo, will serve 14 months in prison for defrauding investors of his “Ukyo.Loan” scheme, transferring funds without investors' knowledge or consent, and lying to Federal Bureau of Investigation (FBI) and Securities Exchange Commission (SEC) agents during their investigation."[17]

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

In 2019, "Montrol was also ordered to three years of supervised release and to pay a $167,480 forfeiture."[17]

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting of any risks to the backing of customer assets, confirmation that treasuries or minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the training or integrity of the team. The recommended interval is twice prior to launch or any significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not perform consecutive inspections within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. WeExchange - Bitcoin Wiki (Feb 3, 2022)
  2. Former Operator Of Bitcoin Investment Platform Sentenced For Securities Fraud And Obstruction Of Justice - Justice.gov (Accessed Feb 10, 2022)
  3. Operator Of Bitcoin Investment Platform Pleads Guilty To Securities Fraud And Obstruction Of Justice - Justice.gov (Accessed Feb 11, 2022)
  4. SEC to finalize its recommendation in case against BitFunder operator following restitution determination - FinanceFeeds (Accessed Feb 11, 2022)
  5. U.S. arrests operator of shuttered bitcoin investment platform - Reuters (Accessed Feb 11, 2022)
  6. What the New DOJ Cryptocurrency Enforcement Team Means for Crypto Exchanges and Other Entities That Facilitate Digital Asset Transactions - Blank Rome LLP (Accessed Feb 11, 2022)
  7. Bitcoin Stock Exchange Operator Pleads Guilty to Securities Fraud - Yahoo Finance (Accessed Feb 11, 2022)
  8. Founder of Two Closed Cryptocurrency Services Pleads Guilty to Federal Charges - Bitcoinist.com (Accessed Feb 11, 2022)
  9. "Re: WeExchange" - BitcoinTalk (Accessed Feb 11, 2022)
  10. Bitcoin Historic Prices - CoinMarketCap (May 16, 2021)
  11. "WeExchange" - BitcoinTalk (Accessed Mar 7, 2022)
  12. WeExchange Homepage Archive October 13th, 2012 8:41:36 AM MDT (Accessed Feb 11, 2022)
  13. WeExchange Homepage Archive December 13th, 2013 11:48:55 PM MST (Accessed Feb 12, 2022)
  14. WeExchange Homepage Archive April 15th, 2013 12:04:03 PM MDT (Accessed Feb 12, 2022)
  15. WeExchange Homepage Archive April 2nd, 2013 11:22:35 AM MDT (Accessed Feb 12, 2022)
  16. WeExchange Homepage Archive August 29th, 2018 5:48:53 PM MDT (Accessed Feb 12, 2022)
  17. CEO of BitFunder Exchange Gets 14 Months in Prison for Fraud, Obstruction - CoinDesk (Accessed Aug 13, 2024)