
Bitcoin Trader Cryptsy Robbed via IRC Backdoor


Cryptsy, a website used for trading Bitcoin, Litecoin, and other crypto-currencies, recently revealed that it had been robbed, disclosing a $5.7 million theft and suspending trades and withdrawals.

According to Cryptsy, the theft took place on July 29, 2014, but they decided to go public with the incident only now, after unsuccessfully trying to involve the FBI. In an announcement, the Cryptsy team said that recent problems users have been experiencing are related to this incident and not to recent phishing or DDoS attacks.

The notice said the culprit was found to be the developer of Lucky7Coin (LK7), who placed an IRC backdoor into the wallet's code, and that the malicious code acted as a Trojan, or command and control unit. The Cryptsy team suggests that the Trojan was present in their system for months before the attack happened, most likely for about two months.

This specific period of time was mentioned because the team received an email on May 22, 2014 from a person claiming to have taken over Lucky7Coin development, informing them that the IRC network had been changed so that clients could “synchronize blockchain,” and that they should update as soon as possible.

Since this person was not the original Lucky7Coin developer, the team suggests that they are responsible for the attack, and that the backdoor was introduced in this update. The GitHub repo for LK7 hasn’t been modified for the past two years, with the latest commit added on May 21, 2014.

Following the attack, Cryptsy discovered that the perpetrator stole around 13,000 Bitcoin and 300,000 Litecoin, amounting to roughly $5.7 million. After discovering the theft, the website decided to use its reserves of those cryptocurrencies and to pull from its profits to fill the wallets back up over time.

However, profits decreased due to low volume and low Bitcoin prices, and things started to crumble in October, after Coinfire published an article that, according to Cryptsy, “contained many false accusations.” Cryptsy’s Paul Vernon officially responded to the accusations, but they caused a bank run, and the website’s problems started then.

According to the website, the stolen Bitcoins haven’t moved since the incident, which would suggest that there might be a small chance that they can be recovered. In fact, Cryptsy, which notes that their current customer liability is around 10,000 BTC, is offering a bounty of 1,000 BTC for information which leads to the recovery of the stolen coins.

Furthermore, the website claims that the perpetrator won’t be investigated and their name won’t be revealed if they return the stolen coins. “We will assume that no harm was meant” should the culprit return the coins, no questions asked, Cryptsy says, adding that otherwise the entire community might start looking for the perpetrator.

The website explains that they did not alert the authorities, as they did not want to cause panic, and were not sure who to go to, although they had communication with Secret Service Agent Shaun Bridges. Last year, however, Bridges was charged for stealing Bitcoins during an investigation of the Silk Road underground market.

Cryptsy also notes that they alerted the Miami FBI, but were redirected to report the issue on the I3C website, and that no reply has been received so far. For the time being, the website is suspending trades and withdrawals indefinitely until a solution to the problem is found. One of the options is to file for bankruptcy, letting users file claims via the bankruptcy process and letting the court make the disbursements.

However, they are also willing to agree to an acquisition, under the terms that the entity acquiring Cryptsy would be making good on requested withdrawals.

For the time being, the website has decided to clear out the order books and place all funds back into user accounts.

The website also forced a password reset for all user accounts after being hit by a phishing attempt last week. Cryptsy users will have to change their passwords on their next login to the website.
