The ShapeShift Hack: Simply Incredible

There was a complicated series of thefts at ShapeShift, a cryptocurrency exchange that calls itself the "safest asset exchange on Earth" and is used to convert between different virtual currencies. Thieves broke in three separate times over a time span of two weeks and cleaned out the hot wallets each time, totaling around $200K USD.

ShapeShifter (wikimedia)

ShapeShifters are dangerous.

Erik Voorhees, founder and CEO of ShapeShift, recently offered a play-by-play of how the attacks supposedly unfolded. It's a long read, so if you haven't read it already, let me summarize it.

According to Voorhees, a sysadmin with the pseudonym Bob first installed a backdoor on another developer's machine, then used his own credentials to empty out the Bitcoin hot wallet, then initially hid and subsequently destroyed his keys to cover his tracks. ShapeShift wiped Bob's access and moved its service to a cloud provider, hoping that this would stop Bob's attack. Bob bailed out of Switzerland, where ShapeShift is based, and left his dog behind, but started throwing accusations of racially motivated persecution at ShapeShift. Then a second attacker (with the handle Rovion) bought backdoor access from Bob, who had previously compromised his co-worker's laptop and kept it hidden. Rovion then cleaned out the hot wallets in multiple currencies when the ShapeShift service was not even open to the public. ShapeShift moved its service to a different hosting platform, assuming that the third time is the charm, that a change of scenery would magically fix whatever the vulnerability might have been, and that they would examine what went wrong later. Rovion broke in again and emptied out both the Bitcoin and the Ethereum hot wallets. In the meantime, it turned out that Bob was white all along, rendering his claims of racially motivated persecution ludicrous in Voorhees's eyes. ShapeShift then paid a bounty to Rovion. In return, Rovion told a story involving Bob, which ShapeShift wholeheartedly believed.

Incredible, As In, Not Credible

ShapeShifter

ShapeShift's story is about as credible as rumors that our financial system is run by shapeshifting lizard-men.

Frankly, I found this story incredible. While I commend Voorhees for his transparency, this account suffers from naïveté and displays huge gaps of reason.

Now, we should not armchair-quarterback ShapeShift's various security failures. They failed to establish a perimeter, had too large a trusted computing base coupled with an inadequate response to the hacks, and paid dearly for it. Now that they have brought in a computer security expert, what led up to the heists isn't nearly as important as how they deal with the aftermath.

But in the aftermath, it's critical to understand what took place. As the story itself demonstrates all too clearly, it's difficult to take effective measures without pinning down what exactly happened. Sadly, there are more red flags surrounding Voorhees's current explanation than at a Swiss slalom course, more holes in the story than Swiss cheese.

Flag Day

ShapeShifter

I kissed an exchange and I liked it, but it did not ShapeShift into something trustworthy.

Red Flag #1. Bob is somehow able to connect with a hacker who has been hiding in their systems for some time.

It seems extremely unlikely that Bob would be able to figure out how to communicate with a covert hacker who has partially penetrated a system and is lying in wait to complete his hack. By definition, Rovion was in deep undercover mode. How would Bob have gotten hold of Rovion? Did he know of Rovion's partial penetration? If so, how? If not, then how did they meet up? In any case, how did the two hackers exchange messages? Is there a public Slack channel where people who have partially or fully penetrated ShapeShift all hang out? Which universe am I in where this is normal and does not require some explanation?

Red Flag #2. Rovion identifies Bob by his real life name "Bob," without a moment of hesitation.

Why on earth would Bob run a criminal business under his real name? Did he want to reuse his existing business cards? Was he worried that the Reservoir Dogs took all the good colors, and he'd be sued by the MPAA if he reused Mr. White? Even assuming that Bob is keeping a diary of his criminal enterprise (this has already happened in the Bitcoin space) and operating under his real name (which would be a first), why would Rovion believe him? Wouldn't Rovion's counterparty just as likely turn out to be someone who had compromised Bob's account? Or ShapeShift trying to trap Rovion? What are the odds that Bob and Rovion, who found each other online hacking into the same exchange, in the same way a rising comedian might find himself starring in a rom-com wooing the same woman as Adam Sandler, would turn out to be the types of people who'd use their real names and mutually trust each other? Are we talking about a bunch of criminals who are so inhuman as to abandon their dogs, or a bunch of nice people at a Quaker gathering?

Red Flag #3. Bob chooses to sell his backdoor access to Rovion instead of using it himself.

Why wouldn't Bob take advantage of the backdoor himself? It's not like he had much to lose. He'd already been ousted from ShapeShift and was already the target of an investigation.

Red Flag #4. Bob demands only 50 BTC for a backdoor.

The fair market price for information that leads to a pile of cash worth $X ought to be $X, minus a little bit. In this case, the pile of cash is the ShapeShift hot wallet, which held around $200K. Why would Bob sell the backdoor for 50 BTC ($20K)? Why not split the proceeds in half, for starters? What kind of a person starts out his criminal career as a thief, and then turns into a saboteur, out to wreak havoc at any price?

Red Flag #5. Rovion pays 50 BTC for a backdoor.

At the point where the sale took place, Bob's account and identity were effectively purged from ShapeShift's network. Per the points above, Bob wanted to sell the backdoor because he did not want to exercise it himself. How would Bob, then, demonstrate to Rovion that he wasn't just a scammer, or a honeypot operator, but indeed had a legitimate backdoor to sell? The only way he could get in was through the backdoor he had planted, the very same backdoor he wanted to sell because he did not want to exercise it. Given that Bitcoin payments are irreversible, on what basis would Rovion pay Bob? If there is a Slack channel where thieves like Rovion hang out, wouldn't it be more profitable for ShapeShift to stop running their exchange in all but name, and start running sting operations on Rovion-like thieves for 50 BTC a pop?

Red Flag #6. Rovion is a moralistic individual who not only is a thief himself, but wants to see Bob, another thief from whom Rovion supposedly obtained credentials, severely punished, for being a thief. All it took for him to adopt this righteous and godly path was a 2 BTC bounty payment and some bro-talk from Voorhees.

That makes no sense. This is not how people work.

Yes, there are value systems and codes of conduct among prisoners that are harsher than regular laws. And yes, competing hackers may have rivalries. None of that is at play here between Rovion and Bob, two free individuals who presumably had never met before but came together and carried out an amicable exchange. Rovion has no motivation to want to see Bob punished. If anything, Rovion should rate Bob, in eBay parlance, "A+++++, fast and responsive seller, would trade bitcoin for passwords and SSH keys again."

Rovion could just as likely, or even more likely, be a second insider who is actively pointing the finger at Bob to mislead the investigation.

Rovion and Bob, together, have one mark: ShapeShift. And that mark seems all too willing to believe any offered explanation, no matter the source.

Red Flag #7. Bob carries out the initial theft using his keys, even though he could have trivially used the backdoor he installed, which he later sold for 50 BTC, to carry out the same theft of 315 BTC using the credentials of his co-worker.

Is Bob a thief with malice aforethought or a complete idiot? The story needs to decide this once and tell us one way or the other, because the switches throughout the narrative are very confusing.

It could well be that Bob was negligent. For instance, he may have kept his keys on the same computers where he downloaded hacked games from the Internet. So he may have felt like he messed up, without being the actual perpetrator. In fact, the perpetrator could be a co-worker who is actively working to frame him. When he sensed that the witch hunt at the office was turning on him without any firm reason, he bailed and left his dog and his possessions behind -- someone who planned a theft would not have done that. The racism accusation could be Bob's way of pointing out that Voorhees is fixating on Bob without firm evidence.

Orange Flag #8. Bob's racial background is a point of contention. Voorhees et al. spend their time in between hacks tracking down whether Bob is white.

Call me crazy, but I'd first figure out where all the backdoors were planted at ShapeShift before scouring through Bob's family tree. Or more likely, I would do absolutely nothing about Bob's racial background, because (1) the law doesn't care, (2) not that it matters as far as the law is concerned, but Bob might be racially white and ethnically a minority, and (3) I'd be firm in my knowledge that there was nothing racially or ethnically motivated in any process I have ever followed.

Orange Flag #9. Voorhees talks derisively about Bob's competence during the period of time when Bob was employed prior to the hack.

Without knowing the intricacies of Swiss employment law, we can go out on a limb and assume that Bob was not his own boss at ShapeShift, that the ShapeShift org chart is indeed acyclic like every other org chart, and that the Swiss nanny state did not force ShapeShift to extend an employment contract to Bob. Snide remarks about Bob's competence reflect on ShapeShift management, who actively decided to hire and retain Bob until the point of the alleged robbery.

Orange Flag #10. Bob, who had access to the entire ShapeShift infrastructure as their sysadmin, turns out to have a criminal record in Florida.

It's surprising that ShapeShift hired an IT administrator and entrusted him with all the keys to the kingdom without uncovering his prior rap sheet in Florida. Every libertarian into Bitcoin derides the government for being slow and incompetent, but even the government learned its lesson from Snowden. What's holding back this modern Swiss exchange? Do they expect a handwritten note from the invisible hand of the market?

Orange Flag #11. Voorhees is offering "pro-tips" to the public on how to converse with hackers. While it doesn't matter that he is condescending towards the people who turned his exchange into their own personal piggy bank, it's a security vulnerability that he believes himself to be in command of a situation that has clearly outrun him.

If you're in charge of an exchange that got hacked three times in the space of two weeks, if you're writing odes to hackers to appease their egos and paying bounties to figure out how they broke into your system and stole from you, if you're getting your "facts" from the very people who scammed you multiple times, perhaps it's time to be humble and contemplative instead of offering pro-tips to the public. For there is indeed a learning opportunity afoot, but it's not for the public.

The orange flags do not poke holes in the story, but they indicate cause for concern in the aftermath of the hack.

Takeaway

ShapeShifter (CC licence, deviantart)

Unrelated but important: How many kids have kissed a frog to turn it into a prince/princess, but have had a hallucinogenic trip instead?

Overall, it is clear that ShapeShift got cleaned out three times and that Bob may have been somehow involved in some capacity, perhaps through negligence or perhaps as an active participant. Overall, the entire account is what's known as a "just-so story." It fits the facts, by the skin of its teeth, but there are tons of holes at almost every level. A reasonable person would have no reason to believe any of it.

The thought that the whole dramatic story could have been made up for publicity did cross my mind. Who here remembers the story of a bank called X.com? It was a tiny, little-known online bank, until it was hacked and covered in the mainstream press during the first dot-com boom. Its popularity absolutely soared after the hack. I actually had an account on X.com, but if you didn't and never heard of it, you may perhaps have heard of X.com's founder, a fellow who goes by the name of Elon Musk. While X.com's rise in popularity was an unexpected accident in an era when the term guerrilla marketing had not yet been invented, things are different now -- the ShapeShift story may have been created by an Internet marketing firm. A virtual currency exchange that is hacked but survives to tell the tale would perhaps be seen as battle-hardened and attract customers. There are a few elements sprinkled around the story that raise this suspicion: the mixed metaphor in the title that associates an animal known for its cunning with ShapeShift (first of all, foxes cannot be looted, the word does not apply, and second, no fox would be this gullible), the gratuitous reference to how fat Voorhees's bank account balance is (what is it with Bitcoin personalities that makes them want to flash their bling at every opportunity?), the fantastic way in which Voorhees gains Rovion's trust and turns him to the one true path of law-abiding behavior by essentially bribing him, and the fact that there is little that is remarkable about ShapeShift's technology even though it is pumped up by the post at every opportunity (it uses a cold wallet, like every other merchant, but the hot wallet is at risk and, case in point, was cleaned out; it's not like ShapeShift used actual new tech like vaults). Yet, despite all these signs, I don't think what happened was just a cynical marketing ploy.

So, I'm convinced that Erik Voorhees is genuine and believes every word he wrote. Which makes everything worse. The three hacks should have taught everyone involved to not jump to the first offered explanation, but to methodically uncover, painstakingly secure, and carefully ascertain every device, every person and every part of every story. That didn't happen, twice, and there are signs that it still is not happening.

Let's also be clear that I'm not claiming the story to be false. As incredible as the story sounds, the events may even have unfolded as told. Truth can be more convoluted and complicated than fiction.

The point is that we, and ShapeShift, have absolutely no reason to believe this story, or any story, where the sources are the thieves themselves, but especially this particular story because there are many gaps in it. ShapeShift management already made some bad calls by jumping to conclusions, and is once again too eager to believe any offered explanation.

While there's much we do not know about what happened at ShapeShift, one thing is certain: if things proceed along their current vector, there is much more drama to come.

P.S. I hope Bob's dog is OK.
