ShapeShift Lost $230k in String of Thefts, Report Finds

ShapeShift has published new details about recent digital currency thefts from the online exchange following an investigation.

AccessTimeIconApr 18, 2016 at 4:25 p.m. UTC
Updated Aug 18, 2021 at 4:46 p.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Digital currency exchange ShapeShift lost as much as $230,000 in three separate thefts over the course of a month, according to an incident report prepared by the service and obtained by CoinDesk.

The report comes days after ShapeShift was taken offline following a then-undetailed security incident that resulted in the loss of funds held in the exchange’s connected wallets.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • ShapeShift later said that it believed the theft was an inside job.

    According to the report, that employee stole $130,000 from ShapeShift in mid-March. The employee, who was not identified, later sold sensitive security information to an outside hacker after being fired from the exchange. Another $100,000 in funds denominated in bitcoin, ether and litecoin were stolen on 7th and 9th April.

    The report goes on highlight the steps taken by the hacker to obscure his or her tracks. It also details two conversations between the hacker and CEO Erik Voorhees, during which it was claimed that the employee had sold key security data .

    ShapeShift has since moved to rebuild the service, and it says it expects to reopen by 20th April, or this Wednesday. In the wake of the attack, the exchange says it has implemented new security protocols, developed in partnership with Toronto-based consultancy Ledger Labs.

    “To reiterate, no customer money was lost or at risk, and ShapeShift will be back online soon. Thank you to the community and our customers for your patience,” Voorhees said in a statement.

    Inside job detailed

    According to the report, the first incident took place on 14th March, the company said, resulting in the loss of 315 BTC. It was soon established that a ShapeShift employee was behind the incident.

    The employee was fired the next day, ShapeShift told CoinDesk. Work was then begun on moving the service onto safer hardware.

    Yet according to ShapeShift’s report, the thefts continued. On 7th April, 97 BTC, 3,600 ETH and 1,900 LTC in funds were stolen. Within two days of that theft, after the site was taken offline and steps were taken to beef up security, an additional 57 BTC and 2,200 ETH were taken.

    Analysis would later show that two servers used to house the exchange were targeted in the incidents, though direct evidence of any intrusion appeared to be scrubbed by whoever was behind it.

    The report stated:

    “Since direct evidence of a specific attack vector was not found during the digital forensic investigation, an analysis of the available facts was performed to identify all possible attack vectors that fit the facts. It was noted that the attacker was not only able to compromise both infrastructures fairly quickly, but they were able to identify their IP addresses equally as fast.”

    Amid a subsequent investigation conducted in partnership with Michael Perklin of Ledger Labs, a hacker contacted the exchange claiming to have purchased information, including the IP address of ShapeShift’s office and access details for the exchange’s admin interface, from that former employee.

    Next steps

    The exchange says it has improved its security procedures, including how it goes about transmitting secure information between employees and manages access to its servers. In the wake of the hack. ShapeShift has also moved to draft and put in place formal security policies.

    "Ledger Labs has worked with ShapeShift on new infrastructure for a vastly more secure platform going forward," Perklin told CoinDesk by email. "Even with internal sabotage from an employee, the company avoided any customer funds being lost."

    Legal action in the form of a civil lawsuit has also been taken against the former employee, though ShapeShift declined to comment on where the suit has been filed, citing privacy reasons.

    The exchange says it believes it can recover a “significant” amount of the lost funds.

    The full incident report can be found below.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.