AllCrypt, the alt-coin exchange that was hacked some days ago, has posted a long explanation on their support blog. The explanation includes a Q & A, but mostly diverts responsibility away from the site’s owners.
The process of verifying the provenance of a hack is an arduous one indeed. Many times, hackers delete all logs on their way out, a wise move that makes it all the more difficult for the server administrator to figure out who ate his or her lunch. But the owner was able to determine what took place by reading the logs of the actual exchange, and was also able to get hold of an IP addresses linked to the attacks.
Around 8PM on Sunday (all times EDT) our marketing director’s blog account requested a password reset. […] The MD saw this email come in, and forwarded it to myself, and another team member (a technical lead/temporary assistant support staff), letting us know what happened and that he did not request the password reset. I did not see the email at the time, as I was out, and it was not a huge red flag that would require a phone call. Once I returned home later, I saw the email, and logged into the server to double-check on things. That’s when I discovered the breach.
Also read: AllCrypt.com Bitcoin Exchange Goes Down
Then, the plot thickens. It seems the “technical lead/temporary assistant support staff” was also compromised, and from there things get very confusing.
Apparently, the thief had gained access to the tech assistant’s email account. That email was hosted on a private server (not gmail, yahoo, etc). We have no idea how the password was acquired. We spent a lot of time this week downloading password lists from torrents, tor sites, etc, and could find his password in none of the lists. He assures us he did not use the password in multiple places, and that it was a secure password. Our best guess is that it was a brute force attempt.
Apparently the private mail server used by the “technical lead” does not log password attempts. Red flag number one, as people involved in technical work know to use only the best. A more serious approach to the whole thing would have been to have regular audits of the entire system. Indeed, outside e-mail should not have been used at all, and passwords should have regularly required resetting anyhow. This seems common sense, but as always, the hindsight view is 20/20.
WordPress In Itself was A Mistake
WordPress is a blogging platform. Using it for something as serious as handling the transfer of thousands of dollars, or potentially hundreds of thousands or more, is absolutely a failure in logic. Even if you had to begin with a WordPress platform to get off the ground, you should not have continued using it once money started flowing. Either a proprietary solution developed in-house or a solution licensed from a veritable vendor would have been more appropriate.
The culprit seems to be WordPress in every way, since the hacker was able to use it to upload adminer.php, a well-known database management tool which allowed him to modify the site’s database at will. He then sent MySQL calls for non-existent accounts to have their balances changed. At some point, the site’s “secondary accounting system” was able to stop him, but he was able to recover from this roadblock and continue by converting the fake balances to other coins, an obvious oversight in the architecture of the exchange.
What does this mean? Despite not being able to continually creating false BTC balances, he was able to buy Dogecoins using the fake BTC balances and then re-convert that to BTC again. Thus, he was able to withdraw the now adequately acquired Bitcoin to address 17B8qfaeNsv3TZbpycUs6dkzYiJGWNeCw5. It seems that when the DOGE buy orders dried up, he withdrew DOGE as well, to address DJiYqeXZBJXbmsWMefpRY7dEsJDASFAYxX.
AllCrypt Gone For Good
The owner, who appears to be anonymous according to WHOIS information, claims that the site cost him a total of $15,000, and further that they only netted roughly 10 BTC in profits after thirteen months of operation. We can guess that he lives on the east coast of the United States given that he times everything to EDT. The biggest contributor to their low-profit margin was consistently low volume. Also, they were often not quick enough to add high-value coins.
It kills me that this happened. We had a small hack a year ago, and we recovered near instantly. And we were secure and solid for a year, and decided to shut down because of lack of volume, and lack of profits. Our profits were lost as well. We only made 10.8 BTC over the course of 13 months of operation. Between hardware and operating costs, I am personally down over $15,000. Believe me – I feel your pain as well. No one on the site had as much on the servers as I personally did. Not that I expect pity or compassion, but I think it’s important to know that I’m not retiring to a private island because of this. I also think it’s important to be as open as possible to assuage any fears of an inside job.
He then goes on to answer some of the questions he’s allegedly received from angry customers whose money has been lost. It is important to note that this was inevitable. It seems the WordPress platform was wrongly used even after the previous hack, which is telling. His diffident air is essentially the nail in the coffin, ensuring that no one will want to do business with AllCrypt if they ever were to relaunch:
Q: Your security sucks!
A: I see you running an exchange successfully, I’ll take your advice. Wait, you don’t run an exchange? You’re unemployed? Thanks for the input.
As the song says, it’s not what you make, it’s what you leave. There’s no telling if anything in the blog post was true, if it was indeed an inside job done by his employees (who couldn’t have been making much), or if it was a genuine hack. What is evident is that running an exchange is a massive undertaking, and should not be taken lightly.
At the time of AllCrypt’s launch, exchanges were popping up left and right to absorb the volume vacuum left by the death of Mt. Gox. SwissCex is another which recently decided to shutter its doors for lack of volume. ShapeShift.io, which does not require users to create accounts at all and relies on the implicit security of block chain technology, has become more and more popular, and maybe for good reason.