Over the last few weeks, ShapeShift.io was the victim of several hacking incidents that ultimately resulted in us having to take down the website in order to fully investigate the hackings as well as rebuild infrastructure and securities. In order to provide you, our users, with a full breakdown of our reporting, we are releasing this post, which compiles all articles and updates that were released publicly to explain the scenarios. We compile this information for you, as it is of utmost importance to us that we are transparent with our loyal users.
To read the entire story, from beginning to end, check-out CEO Erik Voorhees's narrative on Bitcoin.com, to get all of the gory details:
Read the Postmortem written up by Michael Perklin at the bottom of this CoinDesk article:
April 7th, Update on Security Breach from CEO Erik Voorhees:
We wanted to provide a quick update on our status. Yesterday afternoon, we noticed several pieces of evidence indicating our server infrastructure was compromised and threatened. We made the decision to scrap that infrastructure, and rebuild in a wholly new and safe environment. This is what we are currently engaged in. While we hate having the service offline, it was the safer path. By design, ShapeShift doesn't hold customer balances, so even in the case of a security breach, there is no customer money at risk. However, a portion of our own hot wallet inventory funds were taken, but nothing that will interfere with operations once our new environment is online. This is also by design. We've built customer protection into our platform – hacks may be inevitable, but customer losses should not be. Not a cent of customer funds was lost, nor could they have been. For those few customers who had a pending order processing with us when we went offline, we'll get those funds returned to you within 24 hours. Customer support link is below. Existing in Bitcoinland is a pioneering struggle against many threats and challenges. We'll use the opportunity to build even bigger, better, and more resilient infrastructure. We've been inspired by the immense growth ShapeShift has seen over the past several months, and will get this beast back online ASAP.
Update on April 9th:
Our CEO, Erik Voohees announced on our subreddit that our systems were compromised on April 7th CLICK HERE TO READ. The team continues to undergo a active forensic investigation of its server infrastructure to plug all holes before fully relaunching the site. Once the investigation is complete ShapeShift does plan to release a post-mortem of its finding to the community.
Sunday Night Update, from Erik Voorhees, April 10:
We will provide more details later, and likely a full post-mortem of this incident for the public, but for now our forensic work continues.
And indeed, proper forensic investigation takes some time. ShapeShift's service will be offline for at least another 48 hours while we continue to work. There is no danger or risk that ShapeShift will not be coming back online, but it needs to be done with diligence. We are learning some interesting things.
I'd like to sincerely thank many in the industry who reached out to us, offering to help and providing valuable intelligence. It has been heartwarming, to say the least.
More details to follow within 48 hours.
Kind regards, -Erik Voorhees CEO ShapeShift.io
Update on Last Week's Hack, April 13th:
To our loyal foxes,
It's been a long week, and very instructive.
Since the investigation into the ShapeShift hack last week started, we had suspicion that someone previously on the team was involved, and that this person assisted an outside hacker. We are confident now that is is indeed the case.
The story continues to unfold, and evidence continues to be revealed. We have been working with a forensic specialist from LedgerLabs, who has been terrific. A civil suit is ongoing, as are multiple criminal investigations of the perpetrators.
Our team continues to revise and rebuild infrastructure, hardening not only prior vulnerabilities, but future potential attack vectors. It has been inspiring to see anti-fragility in action as ShapeShift gets stronger.
At this point, customer refunds for prior pending orders are in the process of being resolved. Again, no customer funds were ever at risk, by design.
A more detailed post-mortem will be released at the appropriate time, after forensic work is complete. Thank you again to everyone who has contacted us for the heartfelt support. We will be back in action very soon.
Update on Monday, April 18th on the ShapeShift Hacking Incident:
Update on the ShapeShift Hacking Incident April 18th, 2016
While work continues on the hardening of ShapeShift infrastructure, we have concluded our forensic investigation of the events last week. A report has been prepared by our forensic auditor, Ledger Labs, which details the technical findings. We've asked them to make this report public, though some personal and system identifying information has been redacted.
In tandem with the release of that report, below are the basics of what happened, in plain English. I will also be publishing a much longer narrative detailing the entire event, which is really quite a story.
Read the full posting "Basics" by clicking HERE.
After the April 18th posting, we continued to update our users with a series of articles printed by various publications as well as a release of our postmortem:
- CoinDesk, "ShapeShift lost $230K in a String of Thefts, Report Says"
- Bitcoin.com, "Looting of the Fox: The Story of Sabotage at ShapeShift"
- BTCManager.com, "Michael Perklin of Ledger Labs: ShapeShift has gone "Above and Beyond"