ShapeShift Exchange Hacked for $230,000

Summary

Between March 14 and April 9, 2016, the Swiss-based cryptocurrency exchange ShapeShift suffered three security breaches. The first was an insider threat: an employee responsible for the platform’s security and infrastructure misappropriated funds. That employee then handed an external threat actor several critical assets (the source code of ShapeShift’s core system, the IP address of the primary server and an SSH private key) and deployed a Remote Access Trojan (RAT) on a colleague’s workstation. Using the stolen SSH key, the external attacker gained access to the primary server, whose permissions in turn gave access to the server holding the cryptocurrency. Despite efforts to re-establish a secure environment, the exchange was breached again: the attacker used the still-present RAT to obtain the newly issued SSH credentials and regained unauthorized access.

Attackers

The security incident at ShapeShift was attributed to an internal exchange employee, whose identity remains undisclosed, in collaboration with an external threat actor operating under the pseudonym “Rovion.”

Exchange employee wallet:

Hacker wallets:

Losses

ShapeShift lost approximately $230,000:

  • 469 BTC
  • 5800 ETH
  • 1900 LTC

Timeline

Security Failure Causes

  • Insider threat: An exchange employee stole cryptocurrency and left a backdoor in the system.
  • Weak operational security practices: The backdoor was not detected in time, which allowed two further intrusions.
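As an added illustration of the detection gap named above (this is example code, not part of the original report): a small audit that checks successful sshd public-key logins against an inventory of authorized key fingerprints and expected admin networks, so a leaked key used from an unfamiliar host, or a key that was never issued, stands out. The log lines, fingerprints and networks below are constructed placeholders.

```python
"""Audit sshd log lines against an inventory of authorized SSH key fingerprints.

Flags (1) logins with a fingerprint that is not in the inventory and
(2) logins with a known key coming from outside the expected admin networks.
All sample data is constructed for this example.
"""
import ipaddress
import re
from collections import namedtuple

# OpenSSH (6.8+) logs the key fingerprint on every successful publickey login.
LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

Finding = namedtuple("Finding", "line user ip fp reason")


def audit_logins(log_lines, known_fps, allowed_nets):
    """Return Findings for logins that violate the key/host inventory.

    known_fps: mapping fingerprint -> owner label (the authorized inventory).
    allowed_nets: ipaddress networks that legitimate operators connect from.
    """
    findings = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a successful publickey login; ignore
        fp, ip = m["fp"], ipaddress.ip_address(m["ip"])
        if fp not in known_fps:
            findings.append(Finding(line, m["user"], m["ip"], fp, "unknown key fingerprint"))
        elif not any(ip in net for net in allowed_nets):
            findings.append(Finding(line, m["user"], m["ip"], fp, "known key from unexpected host"))
    return findings


# Constructed inventory: placeholder fingerprints, not real keys.
KNOWN_KEYS = {
    "SHA256:AAAAexampleOpsKey0000000000000000000000000": "ops-deploy",
    "SHA256:BBBBexampleAdminKey00000000000000000000000": "admin-alice",
}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sshd log excerpt (documentation IP ranges).
SAMPLE_LOG = [
    "Mar 15 02:11:03 core sshd[1201]: Accepted publickey for deploy from 10.0.4.7 port 51022 ssh2: ED25519 SHA256:AAAAexampleOpsKey0000000000000000000000000",
    "Mar 15 02:14:20 core sshd[1210]: Accepted publickey for deploy from 203.0.113.45 port 40112 ssh2: RSA SHA256:CCCCunknownKey000000000000000000000000000000",
    "Mar 15 02:15:01 core sshd[1211]: Failed password for root from 203.0.113.45 port 40113 ssh2",
    "Mar 16 09:30:44 core sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 50000 ssh2: ED25519 SHA256:AAAAexampleOpsKey0000000000000000000000000",
]

if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG, KNOWN_KEYS, ALLOWED_NETS):
        print(f"{f.reason}: user={f.user} ip={f.ip} fp={f.fp}")
```

Rotating a key is only effective if the inventory is updated at the same time and the old fingerprint is removed, so that a login with the retired key is reported as unknown rather than accepted.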