ShapeShift Exchange Hacked for $230,000
Summary
Between March 14 and April 9, 2016, the Swiss-based cryptocurrency exchange ShapeShift suffered three security breaches. The first was an insider theft: an employee responsible for the platform's security and infrastructure misappropriated funds. The same employee then handed an external threat actor the means to break in: the source code of ShapeShift's core system, the IP address of the primary server and an SSH private key. He also planted a Remote Access Trojan (RAT) on a colleague's workstation. Using the stolen SSH key, the external attacker logged in to the primary server, which had been granted access to the server holding the cryptocurrency and so provided a direct path to the funds. The exchange then rebuilt what it believed to be a clean environment, but the RAT on the colleague's workstation was still in place; the attacker used it to obtain the newly issued SSH credentials and gained unauthorized access a second time.
Attackers
The security incident at ShapeShift was attributed to an internal exchange employee, whose identity remains undisclosed, in collaboration with an external threat actor operating under the pseudonym “Rovion.”
Exchange employee wallet:
Hacker wallets:
- BTC: 14Kt9i5MdQCKvjX6HS2hEevVgbPhK13SKD
- ETH: 0xC26B321d50910f2f990EF92A8Effd8EC38aDE8f5
- LTC: LL9jqgXVqxUbWbWVaJocBcF9Vm8uS3NaTd
Losses
ShapeShift lost approximately $230,000:
- 469 BTC
- 5800 ETH
- 1900 LTC
Timeline
- March 14, 2016, 02:13:17 UTC: The exchange employee steals 315 BTC
- April 7, 2016, 19:11:25 UTC: The external attacker makes the first malicious transaction
- April 9, 2016, 12:17:57 UTC: The external attacker makes a second malicious transaction
- April 16, 2016: The CEO of the exchange publishes an article about the hack
- May 10, 2016: An interview with the CEO of the exchange about the hack is released
Security Failure Causes
- Insider threat: An employee with infrastructure access stole cryptocurrency, leaked the primary server's SSH private key and address to an outside attacker, and left a backdoor (a RAT on a colleague's workstation) in the environment.
- Weak operational security practices: The leaked key and the backdoor were not detected in time, and the backdoor survived the rebuild of the environment, so the outside attacker obtained the replacement SSH credentials and the exchange was breached two more times.
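Both failure causes above come down to key-based SSH access that nobody was watching: a stolen key used from an unexpected network, and a freshly rotated key used the same way once the RAT had captured it. The following is an added example, not code from the original page or from ShapeShift, showing the audit a practitioner would run over sshd logs to catch that pattern. It checks each OpenSSH "Accepted publickey" event against a hypothetical key inventory (fingerprint, owner, allowed source network, revocation time) and flags unknown keys, keys still accepted after they were supposed to be revoked, keys used by the wrong account, and valid keys used from outside their expected network. The log lines, hostnames, addresses, users and fingerprints are all constructed for the example.

```python
"""Audit sshd 'Accepted publickey' events against a key inventory.

Added example (not ShapeShift code). Flags: keys not in the inventory, revoked
keys still accepted, keys used by the wrong account, and trusted keys used from
outside their expected network, the pattern left by a stolen or exfiltrated key.
"""
import ipaddress
import re
from datetime import datetime

# Successful public-key login as OpenSSH writes it to syslog (no year in the stamp).
ACCEPT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)$"
)

# Hypothetical key inventory: fingerprint -> owner, allowed source network and the
# time after which the key must no longer be accepted (None = still active).
KEY_INVENTORY = {
    "SHA256:Q3hV0bJ9n6K0LfYs1QxZ5g4wYp5s7s9k3G2mQ8xHk0A": {
        "user": "deploy", "source": "10.0.5.0/24",
        "revoked_after": datetime(2016, 4, 8, 0, 0, 0),  # rotated after the first intrusion
    },
    "SHA256:Zf2nN9tKQWw8c3yL0vJr7Xp4hB6sD1eM5uG7aI9oC2E": {
        "user": "deploy", "source": "10.0.5.0/24",
        "revoked_after": None,                            # the replacement key
    },
}

# Constructed sample log: a normal login, the stolen key used from outside, the
# rotated key used from the same outside address, the old key still accepted after
# rotation, an unknown key, and an unrelated line the parser must skip.
SAMPLE_LOG = """\
Apr  7 19:05:02 primary sshd[2211]: Accepted publickey for deploy from 10.0.5.21 port 50122 ssh2: ED25519 SHA256:Q3hV0bJ9n6K0LfYs1QxZ5g4wYp5s7s9k3G2mQ8xHk0A
Apr  7 19:11:25 primary sshd[2290]: Accepted publickey for deploy from 203.0.113.77 port 41002 ssh2: ED25519 SHA256:Q3hV0bJ9n6K0LfYs1QxZ5g4wYp5s7s9k3G2mQ8xHk0A
Apr  9 12:17:57 primary sshd[3104]: Accepted publickey for deploy from 203.0.113.77 port 41390 ssh2: ED25519 SHA256:Zf2nN9tKQWw8c3yL0vJr7Xp4hB6sD1eM5uG7aI9oC2E
Apr  9 12:20:10 primary sshd[3120]: Accepted publickey for deploy from 10.0.5.21 port 50201 ssh2: ED25519 SHA256:Q3hV0bJ9n6K0LfYs1QxZ5g4wYp5s7s9k3G2mQ8xHk0A
Apr  9 12:25:41 primary sshd[3131]: Accepted publickey for ops from 10.0.5.22 port 50230 ssh2: RSA SHA256:M1xR4yT7uI0oP3aS6dF9gH2jK5lZ8xC1vB4nQ7wE0rT
Apr  9 12:26:03 primary sshd[3131]: Disconnected from user ops 10.0.5.22 port 50230
"""


def parse_event(line, year):
    """Parse one accepted-publickey line; return None for any other line."""
    m = ACCEPT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "ip": ipaddress.ip_address(m["ip"]), "fp": m["fp"]}


def check_event(ev, inventory):
    """Return the list of finding codes for one event (empty list = clean)."""
    entry = inventory.get(ev["fp"])
    if entry is None:
        return ["unknown-key"]
    findings = []
    if entry["user"] != ev["user"]:
        findings.append("user-mismatch")
    if entry["revoked_after"] is not None and ev["ts"] > entry["revoked_after"]:
        findings.append("revoked-key-accepted")   # authorized_keys was not actually cleaned
    if ev["ip"] not in ipaddress.ip_network(entry["source"]):
        findings.append("untrusted-source")       # valid key, wrong place: stolen or exfiltrated
    return findings


def audit(log_text, inventory=KEY_INVENTORY, year=2016):
    """Return (timestamp, user, ip, fingerprint, findings) for every flagged login."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_event(line, year)
        if ev is None:
            continue
        findings = check_event(ev, inventory)
        if findings:
            flagged.append((ev["ts"].isoformat(), ev["user"], str(ev["ip"]), ev["fp"], findings))
    return flagged


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

Run against the sample, the script flags four of the five logins: the old key from 203.0.113.77 (untrusted source), the rotated key from the same address (still untrusted source, even though the key itself is the legitimate replacement, which is exactly the post-rotation situation the RAT created), the old key still being accepted after its revocation time, and a fingerprint that is not in the inventory at all. The point of the last two checks is that rotating a key is only useful if the old one is actually removed from every authorized_keys file and the new one never leaves the workstation it was issued to; a login that passes the fingerprint check but fails the source check is the signal that the workstation holding the key is compromised.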