ShapeShift loses $230,000 in digital currency, insider sells security information to hackers

Digital currency exchange ShapeShift lost $230,000 worth of digital currency in three separate thefts over the course of a month, according to an incident report obtained by CoinDesk.

ShapeShift is down after a bizarre security incident, causing wallets connected to the exchange’s servers to lose funds.

ShapeShift has since stated that this was a case of embezzlement.

According to the report, in mid-March, the employee stole $130,000 in Bitcoin from ShapeShift, and after being fired, the employee sold the exchange's sensitive security information to an external hacker. On April 7 and April 9, another 10万美元in Bitcoin, Ethereum, and Litecoin funds were stolen.

The report also highlights the measures taken by the hacker to cover his tracks and details a conversation between the hacker and ShapeShift CEO Erik Voorhees, during which the hacker claimed that a fired ShapeShift employee had sold him the critical security data.

ShapeShift has been forced to rebuild its services and is expected to reopen the exchange on April 20. Following the attack, the exchange said it had partnered with Toronto-based consulting firm Ledger Labs and implemented new security protocols.

“To reiterate, no customer funds have been stolen or are at risk, and ShapeShift will be back online soon. Thank you to our community and customers for your patience,” Voorhees said in a statement.

Theft details

According to the report, the first hack occurred on March 14, causing ShapeShift to lose 315 BTC. The company quickly determined that the mastermind behind the incident was an employee of the company.

The next day, the employee was fired by ShapeShift, and ShapeShift then urgently moved the server to more secure hardware.

However, the theft did not stop. On April 7, ShapeShift lost another 97 BTC (Bitcoin), 3,600 ETH (Ether) and 1,900 LTC (Litecoin). Two days later, the ShapeShift website crashed and another 57 BTC (Bitcoin) and 2,200 ETH (Ether) were stolen.

The report states:

"Since no direct evidence of a specific attack was found during the digital forensic investigation, (investigators) analyzed the available facts to identify all possible attack vectors that fit the facts. It was noted that not only were the attackers able to compromise the infrastructure, they were also able to quickly identify the IP addresses of the servers."

When approaching the exchange, the hacker claimed that he had purchased the sensitive information, which included the IP address of ShapeShift’s office and access details to the exchange’s administrative interface, from a former employee of the company.

Next step

The exchange said it has improved its security procedures, including understanding employees and managing security information about how its servers are accessed. ShapeShift also formalized its security strategy after the hack.

ShapeShift has filed a civil lawsuit against the former employee, but the company is not disclosing where the lawsuit was filed out of respect for privacy.

Original article: http://www.coindesk.com/digital-currency-exchange-shapeshift-says-lost-230k-3-separate-hacks/
By Stan Higgins
Translation: Overnight porridge
Source (translation): Babbitt Information (http://www.8btc.com/shapeshift-lost-230k)