Shapeshift’s website currently states it is upgrading its infrastructure and will be down for a few days. A Reddit post noted that the company decided to scrap its infrastructure and build a new and safe environment.
"By design, ShapeShift doesn't hold customer balances, so even in the case of a security breach, there is no customer money at risk," Voorhees noted in a Reddit post. "However, a portion of our own hot wallet inventory funds were taken, but nothing that will interfere with operations once our new environment is online. This is also by design.”
For the few customers who had pending orders processing when the site went offline, ShapeShift will return the funds within 24 hours.
Forensic Audit Report
Shapeshift’s forensic auditor, Ledger Labs, is preparing a report of the technical findings of the incidents in which about $230,000 was lost from three hacks within a month. Some personal and system identifying information has been redacted from the report that will be made public.
An employee who has since been terminated carried out the first theft while a hacker to whom the employee sold information carried out more thefts. Some of the funds have been recovered, and no customer funds were lost or at risk.
ShapeShift discovered a theft of 315 bitcoin on March 14. The company quickly determined an employee committed the theft and reported the incident to law enforcement and filed a civil suit against the individual.
ShapeShift was able to keep the site running without interruption. The company believed it would be able to recover the stolen property.
A Second Theft Occurs
ShapeShift spent two weeks working on new infrastructure and was about to move the service to a new host on April 7 when it noticed three hot wallets were hacked: bitcoin, Ethereum and Litecoin (approximately 97 BTC, 3600 ETH and 1900 LTC). Because ShapeShift was initially unable to find out how the hacks occurred, it took the site offline.
The company cycled all the keys and in 24 hours put up new infrastructure on an entirely new host.
In the course of the rebuild, ShapeShift established communication with the hacker, who said the rogue employee from the prior month’s theft had provided the information to carry out the second attack.
A Third Infrastructure
ShapeShift redeployed on a third infrastructure on a Friday evening. The next morning, Ethereum and bitcoin had again been stolen from the new hot wallets: 2200 ETH and 57 BTC. This theft occurred less than 48 hours after the prior theft. None of the keys used in the theft had been shared with the previous infrastructure.
Michael Perkin of Ledger Labs initiated a forensic audit.
In the next few days, the hacker, using the name Rovion Vavilov, explained via two chat sessions how both breaches occurred using information purchased from the former employee.
ShapeShift decided to re-architect the infrastructure with enhanced security methods and protocols under Perkin’s direction. The service was kept offline during the infrastructure rebuilding and the investigation.
ShapeShift has recovered some of the funds and believes there is potential to recover more from the person responsible.
More To Come
Voorhees said he will publish a longer narrative detailing the entire event.
“Existing in Bitcoinland is a pioneering struggle against many threats and challenge,” Voorhees noted on Reddit. “We'll use the opportunity to build even bigger, better, and more resilient infrastructure. We've been inspired by the immense growth ShapeShift has seen over the past several months, and will get this beast back online ASAP.”