Everybody gets hacked: A cryptocurrency exchange's public meltdown
Earlier this month, a former employee of the virtual currency exchange CryptoRush posted a desperate letter online. ‟My hands shake as I write this," wrote the employee, who identified himself by the name Dogey McDoge. "These past two weeks have been hell for me. I have not been sleeping well. I get gut wrenching pains anytime I think about this.”
The letter, which quickly circulated around the cryptocurrency community, accused the exchange's operators of fraud, incompetence, and losing a very large amount of their customers’ money.
If true, the allegations would have hardly been unique in the world of cryptocurrency exchanges, where users buy and sell different forms of electronic money like Bitcoin. These sites, the central pivots on which the underground financial systems turn, are rife with security breaches and bitter infighting, which have in turn become one of the biggest roadblocks to widespread adoption.
Even so, what happened to CryptoRush yielded rare insight into the behind-the-scenes turmoil.
The unregulated world of libertarian entrepreneurs and idealistic programmers is smashing against the cold reality of an unregulated marketplace, where a few misplaced lines of code can equal disaster and hackers plunder seemingly at will.
Everybody gets hacked
In 2010, a Tokyo-based trading hub that specialized in Magic: The Gathering cards switched over to the virtual currency Bitcoin. Released in 2007 by a secretive programmer (or group) working under the pseudonym Satoshi Nakamoto, Bitcoin is a wholly electronic currency that uses a complex system of digital encryption to allow its users to transact with each other in a way that’s relatively anonymous and doesn’t require a third-party financial institution to act as an intermediary.
Since most business still don't accept Bitcoin as payment, and most people don't use it, the currency's users still need a way to transfer their digital coins into traditional, government backed currencies, like the U.S. dollar. That's where exchanges come into the picture. And MtGox, as one of first exchanges to specialize in bitcoins, quickly grew into the largest on the planet. Four years later, MtGox would declare bankruptcy and shut its doors after losing nearly half-a-billion dollars worth of customer money in a sustained, multi-year hacking attack.
In just the couple weeks following MtGox’s demise, Hong Kong-based exchange Crypto-Trade temporarily shut its doors following a major hack and the Canadian Bitcoin bank Flexcoin imploded into insolvency and police investigations when attackers got away with nearly 900 coins.
At this point, the biggest obstacle holding back cryptocurrency adoption isn't the threat of regulation, it's trust.
In the case of CryptoRush, the first sign that something was amiss behind the scenes was a warning posted to its home page earlier this month:
“Please be aware that at this time... all deposits and trades are to be considered at your own risk.”
Shortly thereafter, the entire exchange was pulled offline.
A few months prior, cofounders Kristian Thomson and Robert Christopher had announced the site's launch in a post on Reddit’s r/cryptocurrency forum. CryptoRush would be a place where people could buy and sell virtual currencies. The co-founders promised It would specialize in giving new alternative coins, or altcoins, a space to get off the ground.
Altcoins are cryptocurrencies that take Bitcoin’s decentralized, online nature as a jumping off point for new innovations. There are hundreds being traded back and forth across the Internet on a daily basis. Some—most notably the goofy, meme-themed Dogecoin—have broken into pop culture. But the majority exist in a world that rarely gets media attention.
This relative obscurity doesn’t mean that the altcoins aren’t big business. The cumulative value of the 30 largest altcoins on the market is over $1.3 billion.
For enthusiasts looking to make a killing by buying brand new currencies at dirt-cheap prices, CryptoRush aimed to be the place to go.
Dogey McDoge, whose real name is unknown, was one of those investors. He struck up a friendship with the site’s operators and was soon hired to help them with customer support. McDoge liked the work, which gradually became more intense as CryptoRush grew in popularity.
Around the beginning of March, however, McDoge got a message from one of CryptoRush’s founders informing him that the site ‟had something bad happen.”
He was told that a hacker had lifted 950 bitcoins and 2,500 litecoins—a haul valued at just under half a million dollars. But there was some good news. The operators claimed they'd identified the culprit and were confident they could get the coins back.
"Maybe it was shock,” McDoge recalled. “Maybe it was just me being naive. But I believed them.”
Hackers have looted dozens of cryptocurrency exchanges over the years, to the tune of hundreds of millions of dollars. But according to the lengthy whistleblower missive McDoge posted a couple weeks later, what happened next was something a little more out of the ordinary.
Despite CryptoRush's optimism, they never did manage to get the money back from the hacker. And this left them with a massive hole in their reserves. Their plan to fill it back up was unorthodox, to say the least.
They sold shares in the company, which were represented by units of a new cryptocurrency they would create, called CryptoRushShares. Selling shares in a company to raise money isn't unusual, but in regulated industries, corporations are required by law to publish thorough financial disclosures. CryptoRush, on the other hand, didn't tell anyone about its problems—essentially inviting people to invest in a company teetering on the edge of insolvency.
As a way to entice people to buy the shares, the owners did what companies often do when peddling a new product. They brought in a celebrity.
Fyrstikken is the nom de Internet of Kjetil Eilertsen, a Scandinavian video blogger who has amassed a following in cryptocurrency circles for a series of videos describing new altcoins as they are released onto the market. As a demonstration of faith in the currency, Eilertsen—who came up with the idea for CyrptoRushShares in the first place—announced he had purchased a large quantity of the shares. That made for a great marketing opportunity for Thomson and Christopher.
And at this point, their plan still had a chance of succeeding. The shares, which paid their holders regular dividends drawn from the organization’s weekly earnings, could have raised enough money for exchange to repair the massive hole in its balance sheet triggered by the hack.
Trouble with the fork
BlackCoin is a cryptocurrency first launched to the public in February, around the same time as CryptoRush. The currency, created by a Russian developer going by the handle Rat4, was designed to improve a weakness in the Bitcoin protocol. Due to the fundamental design of Bitcoin, it can take up to 10 minutes for a transaction to be confirmed on the network. BlackCoin, on the other hand, allows transactions to go through in a matter of seconds.
This type of innovation is what makes altcoins so interesting; enterprising developers are constantly looking for ways to improve on the currencies already on the market. The reward for successfully launching a successful currency is a large pile of virtual money that suddenly has significant real-world value.
Over the few weeks following the currency’s launch, adoption picked up and BlackCoin moved into the top 20 cryptocurrencies in the world. Ten online exchanges opened their doors to letting people trade the currency on their sites.
Eventually, Rat4 noticed a problem. BlackCoin’s ledger would occasionally get stuck and break down. He wrote up some new code fixing the bug and declared what’s called a ‟hard fork,” which means that, in order to say on the network, everyone running a BlackCoin wallet had to update to the new version of the software.
Nine of the 10 exchanges hosting BlackCoin trading moved to the new version of the software without a hitch. CryptoRush wasn’t so lucky.
Like most other software, cryptocurrencies don’t come out of the box functioning perfectly. Instead, they go through round after round of updates, tweaking certain features so they run more smoothly.
This is a situation most consumers are used to. Think of those updates that Adobe Reader adds just about every time you start it up. Missing a few of those patches isn't a huge deal. But not accepting an update for virtual currency programs can have disastrous consequences. In the case of CryptoRush, a lag of just a handful of hours cost the operators of CryptoRush a hefty chunk of change at the moment they could least afford it.
Since CryptoRush kept track of user balances using a different method than all the other BlackCoin exchanges, when the fork occurred, it triggered a major bug in the exchange’s system. Instead of displaying the correct BlackCoin balance in each account, CryptoRush suddenly started showing that users had 20 times the amount of coins in their wallets than they actually did. About 25 CryptoRush users realized they could withdraw funds from their their newly flush accounts and looted the exchange for everything they could.
Eilertsen, who now had a considerable personal monetary stake in CryptoRush, started to panic. He signed into an online chatroom with Rat4 and demanded immediate help to stem the bleeding. Rat4 refused and Eilertsen flew into a rage, accusing the developer intentionally designing the coin as a vehicle for theft, then threatening to kill him: "COOPERATE OR I WILL PAY SOMEONE TO BEAT YOU TO DEATH"
In an email to the Daily Dot, Eilertsen said this exchange came toward the tail-end of a frenetic, sleepless 36-hour attempt to stem the bleeding both from the BlackCoin fork and initial hack. He conceded that Rat4 didn’t personally make any money from CryptoRush’s troubles, but maintained that coin developers not being on call to troubleshoot issues that come up 24/7 poses some serious problems when actual money is on the line.
“[He] was just acting like ‛well, not my problem,’ and that piss me off,” Eilertsen charged.
“Where is common sense and common responsibility?”
CryptoRush was only affected by the problem for about seven hours, but the exchange’s losses topped $70,000.
Then, right when CryptoRush finally patched the problem and stopped users from bleeding the exchange dry, the site was hit was an eight-hour distributed denial of service (DDoS) attack that slowed its operation to a crawl.
“A moral obligation to the community”
These troubles weren’t happening in a bubble. Word of the problems spread quickly among the various cryptocurrency communities and reached its height after McDoge published his letter to text-hosting site Pastebin on March 26.
One person who took notice was Alex Green. The founder of Moolah.io, a popular cryptocurrency exchange that was one of the first to really embrace Dogecoin, Green is one of the most well-respected figures in the burgeoning Dogecoin community. And like much of that community, Green became worried that CryptoRush's decline would have a detrimental effect on Dogecoin. If CryptoRush collapsed in into a black hole of ignominy and lost coins, it would be do serious damage to the currency’s seemingly inevitable voyage to the moon.
Spurred on by the Dogecoin community, Geen contacted Cryptorush’s managers with a proposal. Moolah would take over the operation of CryptoRush, assume all of the exchange's liability, shut down the site, and slowly repay everyone who lost money.
‟We would be doing this solely to help the community and prevent people from being (quite bluntly) screwed over,” Green explained.
After learning a bit more about the situation, Green quickly retracted the offer. "I went to the owner and pointed out that he needed to suspend trading, probably file for bankruptcy, and urgently seek the help of a lawyer.
“His response was to threaten to ‛finish me and my company’ once he ‛regains his power’...if we did not immediately stop discussing CryptoRush.”
Green didn’t particularly appreciate being threatened—especially when the specifics of the threat involved revealing that Moolah’s ownership was based overseas, something that Green didn’t think his company was keeping secret in the first place. Green took to the Moolah company blog and slammed CrytoRush in a post that made the rounds on Reddit almost immediately.
With Green backing out, Eilertsen stepped in. He negotiated a deal upping his shares in the company to 100 percent, ‟[in exchange] for the net sum of not suing them for everything they have.”
Since he now owned all of the CryptoRushShares, Eilertsen went about saving the company. In an email to the Daily Dot on April 2, he recounted how he commissioned a full audit of the exchange’s finances and was embarking on a fundraising effort to refill CryptoRush’s depleted coffers.
However Eliertsen’s plan quickly fell apart. From the outset, he had difficulty actually getting control of the exchange. One of the original owners refused to hand over the private encryption keys that would let Eilertsen access the company’s online wallets.
“[He was] like a toddler stuck in a car with the keys and the brakes off on the edge of a cliff while grown-ups are doing what they can to save the situation,” Eilertsen wrote.
While Eilertsen did eventually manage to get those keys, his control of the exchange was short-lived. Writing nearly a week later, Eilertsen noted that he had since been locked out of the exchange by ‟pirates” who had been let in by the original Thomson and Christopher.
Jelle van Campen, one of the ‟pirates” now in control of the exchange, tells the story a little differently.
Van Campen, a Netherlands-based cyptocurrency trader and mining pool operator, insists that when the original owners got wind of Eilertsen’s plan to save the exchange, they decided against leaving him in charge. According to van Campen, Eilertsen wanted to withdraw money from the exchange into his own personal accounts and use those funds to arbitrage price differentials of altcoins across different cryptocurrency exchanges. In the eyes of the original owners, this strategy seemed simultaneously risky and easy for Eilertsen to use to skim money off the top. Instead, they opted to put a team that included van Campen in charge, effectively declaring the shares that Eilersten had bought meaningless.
And then, like clockwork, CryptoRush was hacked.
The scale of this third hack was massive, dwarfing the amount of money lost following the BlackCoin fork. It also may have been an inside job.
‟From what we can tell the person initiating that attack had to know the infrastructure and workings of CR to be able to use that exploit,” explained van Campen, who declined to go into further detail due to a possible pending investigation.
After the hack, van Campen took the exchange entirely offline, got to work creating a new website from scratch, and drafted a nine-page Debt Management Plan designed to get CryptoRush back on its feet.
Van Campen’s plan begins by slamming the CryptoRushShares strategy as ‟unethical,” since it would have effectively transferred the loses held by the exchange to the owners of the shares without informing shareholders about what they were truly buying. Instead, the company said it would freeze all the balances in the old exchange, launch a new exchange with fresh wallets, and divert all of the profits from the new site into paying back those who lost money on the old one. In addition, he noted that a handful of other crypto organizations have pledged to donate a portion of their earnings to help CryptoRush repay the stolen funds.
“We recognize we are starting from zero with our customers now, we can only hope to rebuild some that trust step by step, in the form of this plan. Reputation and trust are earned.”
CryptoRush's wild story shows the fundamental disconnect between the egalitarian promise of cryptocurrencies and the harsh challenges of managing other people’s money in an unregulated, anonymous digital world. The broad goal of cryptocurrencies as a movement is essentially to take finance out of the hands of the megabanks and give it back to the everyman.
But, in its empowerment of the amateur, cryptocurrency businesses also carry a new element of risk
Green put the responsibility for ensuring widespread confidence in virtual currencies on the shoulders of the exchange operators themselves. ‟I believe that each exchange has a moral obligation to the community to try to take preventative and reactive measures to this sort of situation. One thought is coming up with an industry wide ‛code of conduct,’” he said. Additionally, the community create a ‟hardship fund” to bail out troubled exchanges, Green said.
The team currently tasked with turning CrypoRush around, meanwhile, is working on implementing something similar. Five percent of its future revenue will go into an insurance fund to cover any losses from future hacking attacks.
The insecurity of exchanges, Green said "has the potential to do serious harm to the concept" of cryptocurrencies. ‟If people cannot trust in the security and stability of the financial institutions associated with the industry, then eventually your average user is going to pick up their ball and go elsewhere.”