On April 8, the Indian exchange lost 438.318 bitcoins, approximately Rs 20 crore from a digital wallet that was holding users’ funds. Coinsecure promised to use its own funds to reimburse Rs 20 crore to customers who lost their bitcoins.
Some 11,000 customers are said to be affected by the reported theft which is the biggest cryptocurrency theft in India. The company said it will start returning monies to the affected parties within the next 15 days.
“We will announce the refund process in the next 5-10 days. We are working to get the website back up and allow customers to log in and withdraw funds,” said Mohit Kalra, chief of bitcoin exchange Coinsecure in an interaction with ET.
On April 10, the exchange filed a complaint with the Delhi Cyber Crime department about the theft of virtual currencies worth 438.318 bitcoins. The police is currently investigating the case.
The exchange claims an insider job in the theft and suspects its chief security officer, Amitabh Saxena, of playing a role in siphoning off the money. Coinsecure also requested Delhi police to seize Saxena’s passport, fearing that he may leave the country.
How did it happen?
The alleged hack seems to have occurred when the company CSO Saxena was extracting bitcoins to distribute it to its customers.
The funds lost were kept in a ‘cold wallet’ where funds are stored offline, as opposed to a ‘hot wallet’ which is a part of the exchange connected to the Internet.
“There was no need to be online while extracting the bitcoin. The private keys which was never exposed to the Internet for the past 4 years was exposed,” Kalra said. “Funds were lost during the extraction of private keys.”
“The hack that happened is also too good to be true. Almost like offering the password to your bank account in a platter to a hacker. The time he exported the private key, it was after 5 minutes the hack started,” he added.
It was on April 9, that Saxena informed others at the exchange that all the bitcoins that were stored offline had vanished.
It is still unclear why the private key – a password that is kept by the company and stored offline — were leaked online, leading to the hack.
“In this case, the primary problem is there was lack of perhaps technical expertise or maybe transparency in the way each of these processes is handled,” said Joel John, a cryptocurrency analyst with Outlier Ventures, a venture firm that invests in decentralised technologies.
“If there was a more community-oriented thing, some best practices would have been discussed and things would have been done accordingly. Right now there is a fragmentation between exchanges with regards to best practices,” John added.
Is the money being traced?
Coinsecure with over two lakh users across the country, has currently stopped all deposits and withdrawals. The company says it has the digital address of where the assets were sent after the hack.
It has shared the wallet address to which the 438 odd bitcoins were transferred to, on their website.
The stolen amount of 438.318 bitcoins was transferred to the hacker’s wallet over a span of two days in small tranches.
Now, the hacker seems to be sending the stolen bitcoins to multiple addresses. Now, the amount left from the stolen wallet is 139.420 bitcoins. This essentially means only Rs 7.39 crore still remains of the Rs 20 crore that was siphoned off.
Interestingly, the wallet address to which the initial amount of 438 bitcoins was transferred to was created on the day of the hack and not an old account that had already been around for some time.
“At the end of the day, these are some of the oldest exchanges — the gatekeepers to the token economy in India. If they are the ones who are messing up, it is really difficult to go back to the government and say you need to be more relaxed,” John said.
These developments come in the backdrop of a crackdown on cryptocurrencies in India. Finance minister Arun Jaitley, said in February that bitcoins and other virtual currencies are not legal tender and compared virtual currencies to Ponzi schemes.
Last week, the Indian central bank Reserve Bank of India (RBI) put out a notice that mandated banks, e-wallets, and payment gateway providers to withdraw support for cryptocurrency exchanges and other businesses dealing with virtual currencies in India.
Note: The bounty amount is Rs 2 crore not Rs 20 lakh as indicated in an earlier version of the article. The error is regretted.
thanks you RSS link