Posted on

Liquidators of Hacked Cryptopia Exchange Release Report, Note $4.2M Owed to Creditors

Cryptopia’s liquidator Grant Thornton released an estimation on the financial state of the firm, reporting a total of $4.22 million owed to creditors.

The liquidators of now-defunct New Zealand crypto exchange Cryptopia have released the first report on the state of affairs of the firm, according to the documents published on May 31.

Cryptopia’s recently assigned liquidator, Grant Thornton, has released an estimation statement of the financial state of the firm, reporting that the hacked exchange owes a total of $4.22 million to its creditors.

According to the report, there are 69 unsecured creditor claims totalling $2.439 million, with the liquidators adding that they expect to receive further claims, thus raising the amount.

The report also indicates that the employee entitlements at the data of liquidation account for around $318,000.

In a press release accompanying the report, Thornton stated that the exchange liquidators, David Ruscoe and Russell Moore, are still in the process of securing and recovering the company’s crypto assets compromised from Cryptopia’s mid-January hack.

The report notes that liquidators were granted a court order from the New Zealand courts authorizing them to use certain crypto assets to recover and preserve assets. Thornton added that at the current stage of the investigation, they cannot forecast a date when the liquidation will be completed.

The legal expert wrote:

“We are aware of and understand the frustration of Cryptopia’s customers. As there is no legal precedent on crypto assets in New Zealand and worldwide, the distribution of those assets and the overall conduct of the liquidation will require significant direction from the New Zealand Courts.”

Cryptopia was the victim of a major hack in early 2019, with the stolen funds estimated to amount to about $16 million. Following the appointment as the exchange’s liquidator, Thornton warned that creditors would have to wait months, rather than weeks, to get their funds back.

Recently, analysts found that hackers have moved a portion of Cryptopoa’s stolen crypto assets to another crypto exchange.

Posted on

The Cryptopia Nightmare Drags on as Liquidators Struggle to Reimburse Hacked Users

As the Cryptopia liquidation saga continues, new questions emerge about how safe popular exchanges really are.

As the cryptocurrency market finds its legs in mid-2019, an unfortunate undercurrent persists vis-à-vis the floundering New Zealand exchange Cryptopia. Its one-time international popularity and solid reputation have already been ruined after the exchange dragged its feet on revealing a January hack, which cost its users somewhere in the region of $16 million in cryptocurrency drained from Cryptopia wallets. However, it was not long before new obstacles emerged in the way of an eventual settlement.

Optimism surrounding the reimbursement of these funds to customers is now dwindling, as appointed auditing and liquidation firm Grant Thornton recently indicated “the process of recovering data and determining how to make distributions to account holders will take some months at least.” With similarly guarded language, Grant Thornton executive David Ruscoe commented via a press release that his firm “will conduct a thorough investigation, working with several different stakeholders including management and shareholders, to find the solution that is in the best interests of customers and stakeholders.”

New information has been uncovered in the last week, however, and it’s now more apparent why the wait has been so interminable.

An international tangle

Despite the fact that the blockchain ledger’s open-book transparency has made it clear which cryptocurrency wallets hold the majority of stolen funds, the identities behind Cryptopia’s hackers are difficult to determine. Sadly, the same goes for the other side of the equation as well. Matching individual customers to the funds owed to them is proving harder than anticipated.

The filing from May 24 to the Bankruptcy Court in the Southern District of New York (SDNY)  clearly illustrates that liquidators don’t yet know who is owed money, nor do they yet have the ability to begin remunerations.

The filing for emergency provisional relief first of all asks the court to recognize the New Zealand liquidation process and furthermore to issue an order preserving a specific SQL database. Held exclusively on Arizona servers, this data contains vital information that can reconcile individual holdings with the currencies held by (and stolen from) Cryptopia.

Grant Thornton itself admits that the recovery of funds will be “impossible” without this data. These facts cater for a messy situation with many moving parts, in which the repayment of international customers of a New Zealand-based cryptocurrency exchange hinges on the willingness of a federal court in the United States to force a domestic data company to comply with data release requests. The chief communications officer for international noncustodial crypto swap platform ChangeNOW, Pauline Shangett, told Cointelegraph:

“The crypto market is still in its adolescence, and the traditional legal system is not sufficient when it comes to enforcing the rules. This problem has two possible solutions. Either the space moves on to being fully decentralized and self-regulated, or it adopts the best practices of regulators. The former might lead to anarchy as cases like Cryptopia’s have a chance to happen again, which would hinder mass adoption.”

The chaos that has ensued after Cryptopia’s hack evidences the incapacity of established legal entities to promptly respond to fraud in the cryptocurrency space. Cryptocurrency permeates borders and therefore easily creates problems that have international implications — but cleaning up after a negligent actor requires time and labor, and at a greater magnitude. Given the technology available for exchanges to secure their infrastructure, this would seem a moot point.

Kamil Gorski, CEO of smart contract auditing and blockchain security firm Blockhunters, spoke to Cointelegraph and noted:

“There are numerous tools exchanges could use to prevent these kinds of hacks, but they aren’t legally obligated to use them. These include blockchain analysis tools that track stolen funds, AI-based mechanisms that halt payouts when triggered, and even manual code audits that track bugs in software and address threats and vulnerabilities.”

By Gorski’s estimation, the lesson learned from Cryptopia is that over the long run, “this approach can end up biting them, and more importantly their users, in the a–.”

This blasé attitude toward security features creates a paradoxical situation that stems from the lack of investor protections that could otherwise be provided, for example, by an equity broker. However, centralized exchanges like Cryptopia are liable when their platforms are breached, even if they go to great lengths to avoid responsibility.

U.S. investors take the biggest hit

One notable circumstance that lends a new tint to the liquidation situation is the fact that Cryptopia’s holdings were largely made up of money of American users.

If anything, just because of that, the SDNY could be persuaded to assist Grant Thornton and New Zealand. U.S. account holders made up the largest slice of the Cryptopia userbase and also accounted for the majority of exchange’s revenues. This fact casts light on some often unaddressed issues with how cryptocurrency exchange services are administered worldwide.

Top-five countries that generated Cryptopia revenue

Firstly, a New Zealand exchange deriving most of its profits from Americans could be a sign for concern, as this may also be relevant to other exchanges (and regulators) as well. Second, it’s interesting that a white-shoe legal firm is the only safety net for a bevy of international customers participating in the “decentralized revolution,” but this irony is compounded by the third concern: Few have sounded the alarm about Cryptopia’s decision to host what is arguably its most sensitive data with an outside service — which is now asking for $2.6 million to release it. Crypto commentator Stephen Palley posted regarding this:

“A Chapter 15 filing is a way to get US bankruptcy court to give effect to a foreign bk/liquidation proceeding. This gives the company the ability to ask the BK Court to order the company’s AZ based database provider to preserve the data. It’s funny how easily this trustless decentralized narrative ends up in court with a white shoe law firm asking a federal judge to order preservation of a SQL database.”

This is what required the hiring of Grant Thornton in the first place, but it also draws attention to the very real fact that other supposedly safe exchanges may be practicing negligent data custody at the expense of customers.

The Cryptopia saga has pulled back the curtains on many of cryptocurrency’s weak points, especially the centralized model relied upon to build momentum for the bull markets today and in the past, and one that is still used. As the bull marches on, events like these provide a sobering contrast, but it’s now unarguable that investors and enthusiasts should be paying even greater attention to them — just as much as they do the charts.

Posted on

Cryptopia Liquidator Files for User Data Protection at US Court as Process Continues

Grant Thornton confirmed it was targeting databases in Arizona as part of its efforts to reconcile user holdings.

Liquidators of defunct New Zealand cryptocurrency exchange Cryptopia have applied to secure user data stored in the United States as part of refund proceedings, a statement confirmed on May 27.

Cryptopia, which suffered a hack in January, has spent months cooperating with law enforcement worldwide in an effort to control stolen funds worth around $16 million.

The exchange appointed Grant Thornton to lead the liquidation, which confirmed it had applied for urgent interim relief at the Bankruptcy Court in the Southern District of New York on May 24.

The filing further requests the U.S. recognize the New Zealand liquidation process.

“We took these steps to preserve the Cryptopia information that is stored and hosted on servers with an Arizona based business,” the statement reads. It continues:

“The interim order preserves the Cryptopia data, which includes a SQL database containing all account holders’ individual holdings of cryptocurrencies and the account holder contact details. Without this information, reconciling individual holdings with the currencies held by Cryptopia will be impossible.”

As Cointelegraph reported, Grant Thornton had previously warned that users awaiting to be reunited with their funds would need to wait months rather than weeks, a position the statement repeated.

“We expect that the process of recovering data and determining how to make distributions to account holders will take some months at least,” the company added. It noted:

“We understand that this delay will be frustrating for account holders. For that reason, we are working to resolve these issues as soon as reasonably practicable.”

In the meantime, observers have been tracing the stolen ether (ETH) as hackers moved it between addresses last week.

Posted on

Cryptopia Cracked: Are Centralized Exchanges the Way to Go?

Cryptopia liquidation provides food for thought for potentially unsafe exchanges and their users.

It goes without saying that exchanges command significant influence over the cryptocurrency market, being the exclusive portals for fiat into the world of blockchain. Exchanges are also the most significant winners of the cryptocurrency craze, and bank billions by raking in fees and maintaining custody over sizeable crypto wallets comprised of their own funds but also those of the customers. In a largely unregulated environment, the latter idea comes with its own set of implications and risks.

Not every exchange uses its capital to reduce these risks adequately. Instead of reinvesting in a more secure custody service or establishing carefully administered audits, some exchanges may begin to act in their own financial interests. Traders keeping their coins in exchange wallets understand that the direct connection to the market and ability to trade into and out of fiat demands a steep price — and familiarity with this compromise is universal.

For a sector that is moving gradually toward improved compliance, customer safety and access to the crypto market shouldn’t be mutually exclusive. This is why breaches like that of Cryptopia are vital to pay attention to, as they also highlight the often-adversarial role that exchanges play with their customers.

With the news that Cryptopia is now being liquidated, several months after two major hacks, the reality may be setting in for optimistic crypto traders. Despite their best intentions and ambitious statements, exchanges are not always friendly places to customers, for more than one reason. For early investors, this scary reality tempers investment enthusiasm and represents an anchor on the market that, in 2019, is past due to be cut loose. But is the future really that bleak?

Thanks to the transparency of the ledger, websites like Etherscan, and watchdog social accounts such as Whale Alert, have already tracked the stolen Cryptopia funds to a handful of wallet addresses that moved the funds over to an exchange. However, this is far from identifying the perpetrators of the hack or even preventing them from using the crypto they stole.

Cryptopia crushed

Exchange hacks are an unfortunate yet predictable occurrence in cryptocurrency and add to its notoriety as a “Wild West” marketplace. Cryptopia is just one instance in a long history of hacks, which, as of April 2019, totaled over $1.3 billion lost or stolen in crypto since the origination of bitcoin in 2009. Of that $1.3 billion, 61% was lost in 2018 alone — and 2019 seems to have the ambition to surpass that figure.

The hack of New Zealand exchange platform Cryptopia was reported in January after several days of on-and-off maintenance, when it finally announced on Jan. 15 that, at the time, around $16 million had been stolen from over 76,000 different wallet addresses. On Jan. 29 the hacker struck again, siphoning a further 1,675 ethers (ETH) from a variety of 17,000 Cryptopia wallets.

“What surprises me the most is the negligence in relation to security of the entire chain of work with wallets,” Codex Exchange CEO Serge Vasylchuk exclusively told Cointelegraph. “Maximum isolation is necessary both from external influences and from accidental internal interference — on the developer’s part or anyone else’s, because each change in the system may entail a security breach. That’s why backups should be done regularly. Private key backuhereumps must be on a well-protected physical copy with no questions. This hack would have been prevented if they would have taken these must-have measures seriously.”

Also, the founder of Cryptopia, Adam Clark has seemingly moved on from the failed project and is now working on a new cryptocurrency exchange called Assetylene. It claims to be “New Zealands most advanced crypto trading platform,” offering fast and secure service. It is unclear if the exchange is fully operational at this point in time, several pages like “About Us” are blank and “Market Summary” displays zero activity.

Badly run exchanges demonstrate the need for decentralization

So, why did it take so long for Cryptopia to acknowledge the threat and then to deal with it appropriately? How could it have let its customers’ private keys become exposed?

Answers are still inconclusive, but some are of the opinion that the hack was an inside job, meant to drain the exchange of its funds before a scheduled audit. Though this would be incomprehensibly malevolent, it’s already bad enough that a platform with over 1 million customers would expose their private keys to intruders.

According to Hacken’s blockchain security team, “The Cryptopia hack is quite different from other exchange and wallet hacks. First of all, the funds were transferred from ethereum accounts. Hackers need to sign the transaction with an account’s private key to be able to transfer ether or tokens to their personal account. It could have happened that hacker somehow gained access to Cryptopia’s private key storage. The fact that a hacker gained access to private keys is confirmed by the fact that transfers continued several days after the breach was discovered.”

The lack of transparency on the part of Cryptopia, which remains tight-lipped about the ordeal and willing to let customers flail, also seems questionable. Centralized exchanges are able to rely on the legal system to some extent when it comes to repaying stakeholders, but it isn’t always the most elegant or satisfying solution, given that they still exist on the fringes of traditional finance. The embrace of decentralized exchanges is partly due to the idea that traders own their own private keys and therefore exercise true ownership of their cryptocurrency.

This is clearly demonstrable in other exchange hacks, all of which occurred on centralized exchanges exclusively. The largest hack of all time, in January 2018, saw Japanese exchange Coincheck hacked for over $500 million in crypto at the time, which appeared to have resulted from a lazily managed custody model. Not only was Coincheck not registered with Japan’s Financial Services Agency (FSA), it was also revealed that it had kept the entirety of its NEM in a single hot wallet as opposed to the hybrid hot-and-cold solution deployed by most modern exchanges.

And it also seems that the New Zealand exchange took no action for several days while it was being drained. Blockchain forensics firm Elementus said at the time, “Despite the hack, many Cryptopia users continue depositing funds into their ethereum wallets. In just the two hours since these breaches took place, many of the very same ethereum wallets that were just drained have already been topped with more ether.” The lack of transparency meant users lost much more than they should have, had Cryptopia been forthcoming.

After the liquidation announcement, however, the company did take to Twitter, asking users to stop depositing crypto onto the soon-to-be-defunct platform.

Do exchanges remain vulnerable despite efforts?

The recent Binance hack to the tune of $40 million was also catalyzed by error, but these instances could also be preventable if exchanges didn’t insist on being responsible for keeping customer funds safe. In its purest form, blockchain removes this necessity anyway. However, in the interest of profit, exchanges have decided to become “funds” rather than just service providers, despite not being technologically or legally capable of doing so in some cases.

Moreover, regulation remains fuzzy, even though there is a growing consensus that it is necessary to increase security and safety of traders and their funds. Even the likes of Mike Novogratz have advocated for greater external and self-regulation. According to him, the industry is leaning that way regardless, noting that “we think all the exchanges should go to a process where they can almost self-regulate, right? They do what the regulators want beforehand,” as a way of creating more transparency and improving the overall ecosystem.

Regardless, there are simply too many attack vectors for hackers to explore when it comes to cryptocurrency exchanges. From weak smart contracts to phishing and insecure storage methods, it’s clear that centralized exchanges need to adjust their approach and, at the very least, pour their profits into a security apparatus that will hopefully keep the platform safe.

Some exchanges, like Binance, even put away 10% of funds into a dedicated wallet for the express use of reimbursing hacked customers. Initiatives like these, although very welcome, should not be the safety net for billions of dollars stored in crypto, and by themselves indicate that the expectation of a hack is always present.

The Cryptopia hack and subsequent liquidation have reawakened the conversation about how safe crypto really is. The hack itself resulted in millions being lost, and the company proved unable to manage the aftermath and to respond to its users’ very valid concerns.

However, the increasing emphasis on regulation and a stronger focus on security means that, at the very least, the problem is likely to be mitigated soon. As exchanges learn from their rivals’ lessons and the market matures, it will likely weed out those exchanges that refuse to improve and leave only those that prioritize transparency and user safety.

Posted on

ETH Stolen From Crypto Exchange Cryptopia Moved, Portion Deposited on Exchange

A portion of the ether stolen from hacked New Zealand-based cryptocurrency exchange has been moved.

A portion of the ether (ETH) stolen from hacked New Zealand-based cryptocurrency exchange Cryptopia has been moved and deposited to a different crypto exchange, according to an analysis. Crypto Anti-Money Laundering startup Coinfirm tweeted about their findings on May 20.

According to Coinfirm, 30,790 (over $7.778 million) of the stolen ether has been reportedly moved to a new address, and 10 ETH (over $2,500) moved to the hot wallet of another crypto exchange. A Twitter account dedicated to reporting on large transactions to and from cryptocurrency exchanges, Whale Alert, claims that 500 of the stolen ether (over $125,000) has today been moved to EtherDelta, and another 1,000 ETH to an unknown wallet (over $250,000).

Blockchain data crowdsourcing platform AMLT also claimed that almost all tokens other than ETH already landed on major exchanges. The news comes after Cryptopia appointed David Ruscoe and Russell Moore from consultancy and audit firm network Grant Thornton New Zealand as liquidators last week.

As reported in January, Cryptopia had initially told users that it was undergoing unscheduled maintenanceissuing several updates before officially reporting the breach. An analysis from blockchain infrastructure firm Elementus estimated in February that $16 million worth of ether and tokens were stolen during the attack — $3.2 million of which were later traced to liquidations on exchanges such as Etherdelta, Binance and Bitbox.

Earlier this month, major crypto exchange Binance was also hacked, losing over 7,000 bitcoin (BTC) in the breach.

Posted on

Hacked New Zealand Exchange Cryptopia Appoints Liquidators, Trading Suspended

Hacked New Zealand-based cryptocurrency exchange Cryptopia has gone into liquidation and suspended trading services.

Hacked New Zealand-based cryptocurrency exchange Cryptopia has appointed David Ruscoe and Russell Moore from consultancy and audit firm network Grant Thornton New Zealand as liquidators. The news was revealed in an official Grant Thornthon announcement on May 15.

Grant Thornton New Zealand (NZ) is the local network of Grant Thornton International — a major professional services network of independent accounting and consulting member firms.

As Cointelegraph has reported in mid-January of this year, Cryptopia revealed that it had been the target of a security breach resulting in significant losses, with the attack continuing for two weeks after its initial detection until the exchange managed to regain control of its wallets.

According to Grant Thornton NZ, Cryptopia has decided to go into liquidation as it has been unable to return the business to profitability, notwithstanding management’s reported efforts to reduce costs. The decision has been deemed to be in “the best interests of customers, staff and other stakeholders,” the announcement states.

The liquidators will reportedly conduct an investigation and focus on securing assets for the benefit of stakeholders, during which all trading services on the platform will be suspended. In a statement, David Ruscoe outlined:

“We realise Cryptopia’s customers will want to have this matter resolved as soon as possible. We will conduct a thorough investigation, working with several different stakeholders including management and shareholders, to find the solution that is in the best interests of customers and stakeholders.”

Ruscoe added that given the complexities of the case, Grant Thornton NZ expects the investigation “to take months rather than weeks.” The liquidators are said to be working alongside independent experts and the relevant authorities to determine the company’s obligations.

Grant Thornton NZ will publish an initial report to the New Zealand Companies Office website next week.

As reported in January, Cryptopia had initially told users that  it was undergoing unscheduled maintenance, issuing several updates before officially reporting the breach.

An analysis from blockchain infrastructure firm Elementus estimated in February that as much as $16 million worth of ethereum (ETH) and ERC-20 tokens were siphoned from the platform during the attack — $3.2 million of which were later traced in liquidations on exchanges such as Etherdelta, Binance and Bitbox.

Earlier this month, major crypto exchange Binance was the target of a major hack that resulted in the theft of around 7,070 bitcoin (BTC) from the exchange’s hot wallets — worth over $40 million at the time.