ShapeShift has become one of the most popular digital currency exchange platforms. The brainchild of bitcoin early adopter and entrepreneur Erik Voorhees, the company is widely considered to be at the fore in facilitating transactions between the exploding numbers of cryptocurrencies now dotting the global landscape.
When ShapeShift suffered a breach on April 7, 2016, Voorhees immediately went into damage control. In a website response issued the following day, he announced that there were “several pieces of evidence indicating that our server infrastructure was compromised and threatened” and that the decision had been made “to scrap that infrastructure, and rebuild in a wholly new and safe environment.”
While the theft from the company’s hot wallet amounted to approximately $230,000 USD, “not a cent of customer funds was lost,” said Voorhees.
“Hacks may be inevitable, but customer losses should not be.”
The immediate priority, according to Voorhees, was to address all pending orders that were being processed through ShapeShift when the site went offline. ShapeShift also publically promised to return these funds to affected customers within 24 hours of the date of the breach discovery.
From early information gathered during the subsequent investigation, Voorhees made the somewhat surprising announcement that a former ShapeShift team member had been involved and had assisted an outside hacker in the heist.
Calling in the Cavalry
The results of a digital investigation were released on April 18 in a report entitled ShapeShift Cyberattack Postmortem, drafted by Michael Perklin, head of Security and Investigative Services at Ledger Labs, a Toronto-based consulting firm focused on blockchain development. Perklin is an information security expert with over a decade of experience in performing digital forensic examinations, cyber investigations, and incident response post-mortems.
“I’ve known Michael as an upstanding member of the Bitcoin community for a couple years now, and he comes highly recommended by others whom I respect,” Voorhees told BTCMANAGER. “His decade of experience in digital forensics prior to becoming skilled in blockchains was the relevant expertise we needed.”
Perklin, whose company Bitcoinsultants merged in 2016 with LedgerLabs as a part of an expanded operation, knows this broader digital currency landscape. He has testified about blockchains at the Canadian Senate’s Committee on Banking, Trade, and Commerce and has been qualified as an Expert Witness in the courts of Canada and other nations around the world.
According to the report, ShapeShift contacted Ledger Labs on April 9 to request digital forensic assistance following two data breaches in the previous three days. Perklin flew to ShapeShift headquarters to work on the investigation.
Besides determining exactly how the series of events unfolded, the primary goal was to determine how the security breaches happened and then to assess ShapeShift’s infrastructure and security protocols according to the CryptoCurrency Security Standard (CCSS), in order to prevent future incidents. Ledger Labs will continue to work closely with ShapeShift’s team to initiate a number of critical changes prior to the site being re-launched to ensure the highest quality of security for the exchange moving forward.
Perklin is a member of the CryptoCurrency Certification Consortium (C4) Board of Directors, along with Andreas Antonopoulos, Vitalik Buterin, Joshua McDougall, and Pamela Morgan. C4 is responsible for publishing the CryptoCurrency Security Standard.
“Ironically, we’d been talking to the CCSS folks for about a month prior to the incident. One of many things that was on our ‘to do list,’” said Voorhees. “With the upgrades we’ve made in the wake of the hack, we are most of the way there already, so taking the final steps to get L3 with CCSS is an obvious and wise choice. We’ll get certified by Q3 this year.”
According to the CCSS Github document:
An information system that has achieved Level III security has proven by way of audit that they exceed enhanced levels of security with formalized policies and procedures that are enforced at every step within their business processes. Multiple actors are required for all critical actions, advanced authentication mechanisms ensure authenticity of all data, and assets are distributed geographically and organizationally in such a way to be resilient against compromise of any person or organization.
“ShapeShift has already implemented some controls that help them score as Level I, Level II, and even Level III, in certain aspects,” Perklin told BTCMANAGER. “They plan on completing the remaining controls over the next few weeks so that all aspects are unanimously compliant with CCSS Level I.” From there, the company will continue to complete all controls necessary to achieve Level III.
Even though the company has some security measures still left to implement, the report noted that no usernames, passwords or email addresses were compromised, due to ShapeShift’s unique information-less exchange architecture.
Learning Moments for the Cryptocurrency Community
While immediate media attention around breaches of this nature can often become mired in speculation and negativity, it is important to step back and wait for facts to emerge. Now that the forensic report from the ShapeShift incident has been released, the community is able to benefit from some key insights and better understand how these scenarios can be handled in the most prudent manner possible.
What has ShapeShift learned from this experience?
“Lots,” said Voorhees. He specifically listed the following three lessons:
- Do background checks on employees
- Reformat/replace all computers and data lines after any breach of trust from an insider
- Don’t leave computers open or unlocked. Be paranoid.
Furthermore, the rest of the community can also learn from the approach that Voorhees has taken to secure his company and its reputation. The ShapeShift platform has been taken down and is being rebuilt. This slow, deliberate approach on the part of the company is arguably a wise move given the significance of this breach and the importance of getting the fix right. Voorhees noted that while the company hates having the service offline, it is indeed a safer path until everything is secure and back in good working order.
Says Perklin: “Never before have I witnessed a breach which has been publicized so transparently, either in the Bitcoin space or elsewhere. Most companies hide when they’re hacked often out of embarrassment, to protect their reputation and to keep their investors happy. Erik and his team at ShapeShift should be commended for the way they are addressing this daunting scenario.”
According to the Report to the Nations: On Occupational Fraud and Abuse: 2016 Global Fraud Study by the Association of Certified Fraud Examiners, in 40.7% of all cases, victim organizations elect not to refer their fraud cases to law enforcement, with “fear of bad publicity” being the most-cited reason.
The immediate response on ShapeShift’s part will go a long way toward restoring customer and industry confidence. The fact that customer data and funds remain intact, and that all necessary precautions are being taken to ensure top-notch security in the future represents a “feather in the cap” for blockchain technology in general, especially amid growing public concerns around identity theft and overall consumer protection. This, no doubt, is a hopeful sign for digital currency enthusiasts, given the myriad exchange platforms that have been breached in recent years, often with massive amounts of user funds having been stolen.
“ShapeShift is going above and beyond normal protocol to publicize this as much as they can. They even provided transactions IDs of the thefts beforehand, which the bitcoin community has been begging other exchanges which have experienced hacks to do for years, particularly MtGox and its current administrators.”
As the digital currency movement continues to advance toward global adoption, this breach signifies a profound learning moment — one that, if thoughtfully considered, has the potential to offer a model for preventing and mitigating criminal acts that could otherwise have a chilling effect on the advancement of digital currency worldwide.
With notes from Christie Harkin