
Bitcoin Heist Steals Millions from Exchange

Cryptsy Faces Potential Bankruptcy Over Just-Revealed 2014 Hack

Cryptocurrency exchange Cryptsy, which trades bitcoins as well as more than 100 types of "altcoins" such as litecoin and namecoin, disclosed Jan. 15 that it was robbed in 2014. As a result of the breach, the exchange has now suspended all trades and says it will file for bankruptcy unless the stolen bitcoins are returned.


Florida-based Cryptsy says the attacker stole 13,000 bitcoins, worth $5 million today, as well as 300,000 litecoins, worth $970,000 today. The exchange says the theft was not related to the recent phishing and distributed denial-of-service attacks that it has suffered. It suspects that the most recent developer behind Lucky7Coin, LK7, is the culprit, based on a backdoor that it found inside its network.

"About a year and a half ago, we were alerted ... [to] a reduction in our safe/cold wallet balances of bitcoin and litecoin, as well as a couple other smaller cryptocurrencies," Cryptsy says in a blog post. It says its investigation ultimately found that the developer of the Lucky7Coin cryptocurrency "had placed an IRC backdoor into the code of [its] wallet, which allowed it to act as a sort of a Trojan, or command-and-control unit."

The exchange adds: "This Trojan had likely been there for months before it was able to collect enough information to perform the attack," which was executed on July 29, 2014. A user of code-sharing site GitHub in March 2015 detailed that apparent backdoor in the Lucky7Coin IRC code, noting that it would give an attacker "the ability to run arbitrary commands on the victim's host."

Cryptsy suspects that whoever originally developed Lucky7Coin isn't responsible for the backdoor, but rather someone named "Jack," who claimed to have taken over development of the cryptocurrency codebase and related code, and who contacted Cryptsy on May 22, 2014. "You're the only exchange for this coin and I hope you will let me take care of it. I'm responsible," Jack claimed.

[Image: Message From New Lucky7Coin Developer. Cryptsy says it fell for a Trojan attack initiated by "Jack."]

Connection to Jailed 'Silk Road' Secret Service Agent

Cryptsy is not the first exchange to have faced insolvency after hackers stole its bitcoins (see Bitcoin Exchange Hacked With Word Macro). But why didn't the exchange come forward sooner? Officials at Cryptsy couldn't be immediately reached for comment. But in the blog post, Cryptsy says it initially tried to cover the missing funds using its exchange profits and appears to suggest that everyone would have been worse off, had it gone to authorities, because its U.S. Secret Service contact was none other than Special Agent Shaun Bridges. "I think we all know what happened with him," the Cryptsy blog post notes.

In August, Bridges pleaded guilty to both money laundering and obstruction of justice. He was accused of abusing his position while a member of the Secret Service's Electronic Crimes Task Force that was investigating the notorious darknet narcotics marketplace called Silk Road (see Former Secret Service Agent Pleads Guilty to $800K Bitcoin Theft).

Cryptsy, which is a member of the Financial Crimes Enforcement Network, also says it attempted to contact the FBI Miami field office recently, but was redirected to the Internet Crime Complaint Center. IC3, as it's also known, is run by the FBI, the National White Collar Crime Center and the U.S. Bureau of Justice Assistance; it deals with Internet crime complaints (see Hackers Claim FBI Information-Sharing Portal Breached). The exchange says it has yet to hear back from IC3.

Will Missing Bitcoins Come Home?

Cryptocurrency news site CoinDesk reports that declining trading volumes have undercut the exchange's profits and that the exchange has halted trading twice in the past two weeks, blaming one of those outages on a phishing attack that employed users' email addresses and phone numbers.

But a class-action lawsuit filed Jan. 13 against Project Investors - doing business as Cryptsy - and Paul Vernon, who it says is the founder, operator, and CEO of Cryptsy, alleges that since November 2015, "certain Cryptsy users started having difficulties and inabilities withdrawing any and all forms of currency from their accounts." The plaintiff, Virginia-based Jinyao Liu, "seeks damages based upon the unlawful conduct of defendants in denying account holders the ability to obtain funds in their accounts and in misappropriating funds held in the Cryptsy accounts," according to the lawsuit.

In its Jan. 15 blog post, Cryptsy says it now faces a 10,000 bitcoin ($3.8 million) shortfall and identifies three available business options: It shutters the website and files for bankruptcy; someone purchases the exchange and makes good on the requested withdrawals; or the attacker returns the stolen bitcoins - no questions asked.

While that might sound far-fetched, Cryptsy says that after the July 29, 2014, theft, based on the bitcoin wallet address tied to the theft, "those bitcoins have not moved once since this happened" which "gives rise to the possibility they can be recovered."

To help, Cryptsy has offered a reward of 1,000 bitcoins ($380,000) for "information which leads to the recovery of the stolen coins."

Bye-Bye, Litecoins

Cryptsy doesn't reference the fate of the missing litecoins. But they appear to have been cashed out: On July 2, 2014, someone dumped exactly 300,000 litecoins - quite a coincidence - onto an exchange all at once, which was such a large volume of coins that it temporarily drove down the price of each individual litecoin from $8.50 to just $2.

As noted on a related Reddit conversation: "The volume was so high that he basically chewed through the entire buy side of the order book, all the way down to someone who had (probably on a lark) put in a buy order at $2," reports Reddit user FreeJack2k2. "After clearing out the ask side of the order book, the new sell orders only dropped to the low $7 range (the recovery from $2 was immediate) and eventually got bought back to where we are now, at around $8. Whoever had that $2 buy order in the books made out like a bandit."
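As an added illustration, not taken from the article or from the Reddit thread, the following Python simulates one large market sell walking down a constructed bid ladder. It shows how a single 300,000-coin order can print a $2 trade against a lone resting bid while the seller still realises an average price far above it; the ladder, its sizes and the recovery price are assumptions.

```python
"""Simulate a market sell order sweeping the buy side of an exchange order book.

Constructed example: the bid ladder is made up to resemble the litecoin dump
described in the article (deep book near $8.50, thinning out, one lone bid at $2.00).
"""
from dataclasses import dataclass


@dataclass
class Bid:
    price: float  # USD per coin
    qty: float    # coins the buyer will take at this price


def sweep_bids(bids, sell_qty):
    """Fill a market sell of sell_qty coins against bids, best price first.

    Returns (filled_qty, proceeds_usd, last_price, remaining_bids).
    last_price is the price of the final fill, i.e. the 'last trade' a ticker
    shows right after the dump; remaining_bids is what is left of the book.
    """
    book = sorted(bids, key=lambda b: b.price, reverse=True)
    remaining, proceeds, last_price, rest = sell_qty, 0.0, None, []
    for i, bid in enumerate(book):
        if remaining <= 0:          # order fully filled: keep untouched bids
            rest.extend(book[i:])
            break
        take = min(bid.qty, remaining)
        proceeds += take * bid.price
        remaining -= take
        last_price = bid.price
        if bid.qty > take:          # partially consumed bid stays on the book
            rest.append(Bid(bid.price, bid.qty - take))
    return sell_qty - remaining, proceeds, last_price, rest


def resting_bid_gain(fill_qty, fill_price, recovery_price):
    """Paper gain of the buyer whose low bid was hit, once the price recovers."""
    return fill_qty * (recovery_price - fill_price)


# Constructed bid ladder (assumed values, not real exchange data).
CONSTRUCTED_BIDS = [
    Bid(8.50, 40_000), Bid(8.40, 40_000), Bid(8.25, 50_000), Bid(8.00, 60_000),
    Bid(7.50, 50_000), Bid(7.00, 30_000), Bid(6.00, 15_000), Bid(5.00, 8_000),
    Bid(4.00, 4_000), Bid(3.00, 2_000), Bid(2.00, 5_000),
]

if __name__ == "__main__":
    filled, usd, last, left = sweep_bids(CONSTRUCTED_BIDS, 300_000)
    print(f"filled {filled:,.0f} coins for ${usd:,.0f} (avg ${usd / filled:.2f}), last print ${last:.2f}")
    print(f"$2 bidder's gain if price recovers to $8: ${resting_bid_gain(1_000, 2.0, 8.0):,.0f}")
```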

This story has been updated to clarify and update the information relating to the class-action lawsuit filed against Cryptsy and Vernon.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
