Digital currency
exchange ShapeShift lost as much as $230,000 in three separate thefts over the
course of a month, according to an incident report prepared by the service and
obtained by CoinDesk.
The report comes days after ShapeShift was taken offline following a then-undetailed security incident that resulted in the loss of
funds held in the exchange’s connected wallets.
ShapeShift later said that it believed the theft was an inside
job.
According to the
report, that employee stole $130,000 from ShapeShift in mid-March. The
employee, who was not identified, later sold sensitive security information to
an outside hacker after being fired from the exchange. Another $100,000 in
funds denominated in bitcoin, ether and litecoin were stolen on 7th and 9th
April.
The report goes on to
highlight the steps taken by the hacker to obscure his or her tracks. It also
details two conversations between the hacker and CEO Erik Voorhees, during
which it was claimed that the employee had sold key security data.
ShapeShift has since moved to rebuild the service, and it says it expects
to reopen by 20th April, or this Wednesday. In the wake of the attack, the
exchange says it has implemented new security protocols, developed in
partnership with Toronto-based consultancy Ledger Labs.
“To reiterate, no
customer money was lost or at risk, and ShapeShift will be back online soon.
Thank you to the community and our customers for your patience,” Voorhees said
in a statement.
Inside job detailed
According to the
report, the first incident took place on 14th March and
resulted in the loss of 315 BTC. It was soon established that a ShapeShift
employee was behind the incident.
The employee was fired
the next day, ShapeShift told CoinDesk. Work was then begun on moving the
service onto safer hardware.
Yet according to
ShapeShift’s report, the thefts continued. On 7th April, 97 BTC, 3,600 ETH and
1,900 LTC in funds were stolen. Within two days of that theft, after the site
was taken offline and steps were taken to beef up security, an additional 57
BTC and 2,200 ETH were taken.
Analysis would later
show that two servers used to house the exchange were targeted in the
incidents, though direct evidence of any intrusion appeared to be scrubbed by
whoever was behind it.
The report stated:
“Since direct evidence of
a specific attack vector was not found during the digital forensic
investigation, an analysis of the available facts was performed to identify all
possible attack vectors that fit the facts. It was noted that the attacker was
not only able to compromise both infrastructures fairly quickly, but they were
able to identify their IP addresses equally as fast.”
Amid a subsequent
investigation conducted in partnership with Michael Perklin of Ledger Labs, a
hacker contacted the exchange claiming to have purchased information, including
the IP address of ShapeShift’s office and access details for the exchange’s
admin interface, from that former employee.
Next steps
The exchange says it
has improved its security procedures, including how it transmits
secure information between employees and manages access to its servers. In the
wake of the hack, ShapeShift has also moved to draft and put in place formal security
policies.
"Ledger Labs has
worked with ShapeShift on new infrastructure for a vastly more secure platform
going forward," Perklin told CoinDesk by email. "Even with internal
sabotage from an employee, the company avoided any customer funds being lost."
Legal action in the
form of a civil lawsuit has also been taken against the former employee, though
ShapeShift declined to comment on where the suit has been filed, citing privacy
reasons.
The exchange says it
believes it can recover a “significant” amount of the lost funds.
The full incident report can be found below.