Bitcoin Heist Steals Millions from Exchange


Cryptsy Faces Potential Bankruptcy Over Just-Revealed 2014 Hack

Cryptocurrency exchange Cryptsy, which trades bitcoins as well as more than 100 types of "altcoins" such as litecoin and namecoin, disclosed Jan. 15 that it was robbed in 2014. As a result of the breach, the exchange has now suspended all trades and says it will file for bankruptcy unless the stolen bitcoins are returned.


Florida-based Cryptsy says the attacker stole 13,000 bitcoins, worth $5 million today, as well as 300,000 litecoins, worth $970,000 today. The exchange says the theft was not related to the recent phishing and distributed denial-of-service attacks that it's suffered. It suspects that the most recent developer behind Lucky7Coin - LK7 - is the culprit behind the attacks, based on a backdoor that it found inside its network.

"About a year and a half ago, we were alerted ... [to] a reduction in our safe/cold wallet balances of bitcoin and litecoin, as well as a couple other smaller cryptocurrencies," Cryptsy says in a blog post. It says its investigation ultimately found that the developer of the Lucky7Coin cryptocurrency "had placed an IRC backdoor into the code of [its] wallet, which allowed it to act as a sort of a Trojan, or command-and-control unit."

The exchange adds: "This Trojan had likely been there for months before it was able to collect enough information to perform the attack," which was executed on July 29, 2014.

Cryptsy suspects that whoever originally developed Lucky7Coin isn't responsible, but rather someone named "Jack," who claimed to have taken over development of the cryptocurrency codebase and related code, and who contacted Cryptsy on May 22, 2014. "You're the only exchange for this coin and I hope you will let me take care of it. I'm responsible," Jack claimed.

Message From New Lucky7Coin Developer

Cryptsy says it fell for a Trojan attack initiated by "Jack."

Connection to Jailed 'Silk Road' Secret Service Agent

Cryptsy is not the first exchange to have faced insolvency after hackers stole its bitcoins (see Bitcoin Exchange Hacked With Word Macro). But why didn't the exchange come forward sooner? Officials at Cryptsy couldn't be immediately reached for comment. But in the blog post, Cryptsy says it initially tried to cover the missing funds using its exchange profits and appears to suggest that everyone would have been worse off, had it gone to authorities, because its U.S. Secret Service contact was none other than Special Agent Shaun Bridges. "I think we all know what happened with him," the Cryptsy blog post notes.

In August, Bridges pleaded guilty to both money laundering and obstruction of justice. He was accused of abusing his position while a member of the Secret Service's Electronic Crimes Task Force that was investigating the notorious darknet narcotics marketplace called Silk Road (see Former Secret Service Agent Pleads Guilty to $800K Bitcoin Theft).

Cryptsy, which is a member of the Financial Crimes Enforcement Network, also says it attempted to contact the FBI Miami field office recently, but was redirected to the Internet Crime Complaint Center. IC3, as it's also known, is run by the FBI, the National White Collar Crime Center and the U.S. Bureau of Justice Assistance; it deals with Internet crime complaints (see Hackers Claim FBI Information-Sharing Portal Breached). The exchange says it has yet to hear back from IC3.

Will Missing Bitcoins Come Home?

Cryptocurrency news site CoinDesk reports that declining trading volumes have undercut the exchange's profits and that the exchange has halted trading twice in the past two weeks, blaming one of those outages on a phishing attack that employed users' email addresses and phone numbers. The phishing attack triggered a class-action lawsuit filed this week in federal court on behalf of affected customers. The suit alleges negligence, unjust enrichment, conversion and violation of Florida's Deceptive and Unfair Trade Practices Act, CoinDesk reports.

In its Jan. 15 blog post, Cryptsy says it now faces a 10,000 bitcoin ($3.8 million) shortfall and identifies three available business options: It shutters the website and files for bankruptcy; someone purchases the exchange and makes good on the requested withdrawals; or the attacker returns the stolen bitcoins - no questions asked.

While that might sound far-fetched, Cryptsy says that after the July 29, 2014, theft, based on the bitcoin wallet address tied to the theft, "those bitcoins have not moved once since this happened," which "gives rise to the possibility they can be recovered."

To help, Cryptsy has offered a reward of 1,000 bitcoins ($380,000) for "information which leads to the recovery of the stolen coins."

Bye-Bye, Litecoins

Cryptsy doesn't reference the fate of the missing litecoins. But they appear to have been cashed out: On July 2, 2014, someone dumped exactly 300,000 litecoins - quite a coincidence - onto an exchange all at once, which was such a large volume of coins that it temporarily drove down the price of each individual litecoin from $8.50 to just $2.

As noted in a related Reddit conversation: "The volume was so high that he basically chewed through the entire buy side of the order book, all the way down to someone who had (probably on a lark) put in a buy order at $2," reports Reddit user FreeJack2k2. "After clearing out the ask side of the order book, the new sell orders only dropped to the low $7 range (the recovery from $2 was immediate) and eventually got bought back to where we are now, at around $8. Whoever had that $2 buy order in the books made out like a bandit."