ShapeShift Lost $230k in String of Thefts, Report Finds

Digital currency exchange ShapeShift lost as much as $230,000 in three separate thefts over the course of a month, according to an incident report prepared by the service and obtained by CoinDesk.

The report comes days after ShapeShift was taken offline following a then-undetailed security incident that resulted in the loss of funds held in the exchange’s connected wallets.

ShapeShift later said that it believed the theft was an inside job.

According to the report, that employee stole $130,000 from ShapeShift in mid-March. The employee, who was not identified, later sold sensitive security information to an outside hacker after being fired from the exchange. Another $100,000 in funds denominated in bitcoin, ether and litecoin were stolen on 7th and 9th April.

The report goes on highlight the steps taken by the hacker to obscure his or her tracks. It also details two conversations between the hacker and CEO Erik Voorhees, during which it was claimed that the employee had sold key security data .

ShapeShift has since moved to rebuild the service, and it says it expects to reopen by 20th April, or this Wednesday. In the wake of the attack, the exchange says it has implemented new security protocols, developed in partnership with Toronto-based consultancy Ledger Labs.

“To reiterate, no customer money was lost or at risk, and ShapeShift will be back online soon. Thank you to the community and our customers for your patience,” Voorhees said in a statement.

Inside job detailed

According to the report, the first incident took place on 14th March, the company said, resulting in the loss of 315 BTC. It was soon established that a ShapeShift employee was behind the incident.

The employee was fired the next day, ShapeShift told CoinDesk. Work was then begun on moving the service onto safer hardware.

Yet according to ShapeShift’s report, the thefts continued. On 7th April, 97 BTC, 3,600 ETH and 1,900 LTC in funds were stolen. Within two days of that theft, after the site was taken offline and steps were taken to beef up security, an additional 57 BTC and 2,200 ETH were taken.

Analysis would later show that two servers used to house the exchange were targeted in the incidents, though direct evidence of any intrusion appeared to be scrubbed by whoever was behind it.

The report stated:

“Since direct evidence of a specific attack vector was not found during the digital forensic investigation, an analysis of the available facts was performed to identify all possible attack vectors that fit the facts. It was noted that the attacker was not only able to compromise both infrastructures fairly quickly, but they were able to identify their IP addresses equally as fast.”

Amid a subsequent investigation conducted in partnership with Michael Perklin of Ledger Labs, a hacker contacted the exchange claiming to have purchased information, including the IP address of ShapeShift’s office and access details for the exchange’s admin interface, from that former employee.

Next steps

The exchange says it has improved its security procedures, including how it goes about transmitting secure information between employees and manages access to its servers. In the wake of the hack. ShapeShift has also moved to draft and put in place formal security policies.

"Ledger Labs has worked with ShapeShift on new infrastructure for a vastly more secure platform going forward," Perklin told CoinDesk by email. "Even with internal sabotage from an employee, the company avoided any customer funds being lost."

Legal action in the form of a civil lawsuit has also been taken against the former employee, though ShapeShift declined to comment on where the suit has been filed, citing privacy reasons.

The exchange says it believes it can recover a “significant” amount of the lost funds.

The full incident report can be found below.