Instant multi-currency exchange ShapeShift was the victim of a security breach led by a previous team member, company CEO Erik Voorhees has revealed.
Voorhees 'Confident' Ex-Team Member Involved
Posting an update on ShapeShift's homepage, which has been offline since the breach was discovered on April 7, Voorhees wrote:
Since the investigation into the ShapeShift hack last week started, we had suspicion that someone previously on the team was involved, and that this person assisted an outside hacker. We are confident now that it is indeed the case.
Voorhees reiterated that no customer funds were at risk, and those who had pending trades at the time of the shutdown are urged to contact ShapeShift in order to secure their funds.
In the update, he added that "evidence continues to be revealed", and that his team was working with a forensic specialist from LedgerLabs to determine exactly what had happened.
ShapeShift has scrapped its previous server infrastructure and is now rebuilding its entire system from scratch – an extra-mile safety approach seen as necessary for a more trustworthy service. So far, details regarding the scale of the hack and what exactly was stolen remain unavailable. It is also uncertain exactly when ShapeShift will be back online and available for trading.
Bitcoin.com contacted Voorhees for additional comment, but had not received a reply at publication time. He promised to release a more detailed post-mortem after the investigation is complete, adding:
Our team continues to revise and rebuild infrastructure, hardening not only prior vulnerabilities, but future potential attack vectors. It has been inspiring to see anti-fragility in action as ShapeShift gets stronger.
ShapeShift's exchange, which offers near-instant exchange between numerous cryptocurrencies without the need for registration or customer accounts, has proved popular with users. It does not hold customer balances, meaning only funds from the company's own hot wallets were at risk of loss.
Security at the Forefront
Prices of most cryptocurrencies other than bitcoin took a dive earlier this week, a move that some have attributed to ShapeShift's troubles.
Internal security controls are proving as much of a headache for bitcoin exchanges as external threats. A technically skilled, highly mobile and mostly contract-based workforce – along with law enforcement that lacks the necessary abilities to investigate, and a grey legal environment – makes companies in the cryptocurrency industry particularly vulnerable to heists.
Most, however, have preferred not to speculate openly about the nature of hack attacks. The most notorious example of an alleged "inside job" was also the largest – Tokyo's Mt Gox, which lost at least 650,000 bitcoins from its storage wallets.