Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today’s rate stands more than $5.7 million / €5.2 million.
According to a blog post penned by the Cryptsy team, the incident took place on July 29, 2014, at 13:17:36, when funds started being moved from the company’s wallets to new locations.
After an internal investigation, the Cryptsy team concluded that the “the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit.”
Lucky7Coin developer contacted Cryptsy before the robbery
Before this incident, on May 22, 2014, the Cryptsy team received an email from a man named Jack that informed the Bitcoin trader that he was taking over development of the Lucky7Coin (LK7) from its original creator.
Jack was begging the Bitcoin trader not to drop his newly-acquired crypto-currency and was informing the team of his good intentions, a new GitHub repository where the crypto-currency was being developed, along with a series of upgrades and changes he was planning.
“Some may ask why we didn’t report this to the authorities when this occurred, and the answer is that we just didn’t know what happened, didn’t want to cause panic, and were unsure who exactly we should be contacting,” the Cryptsy team explained.
Irony has it that Cryptsy was in touch with Secret Service Agent Shaun Bridges on an unrelated matter just around the time of their own robbery. A few months later, Bridges was arrested and pleaded guilty to stealing a large sum of Bitcoin from the Silk Road investigation. He was later sentenced to 71 months in prison.
The FBI didn’t want to investigate
As time went by after their investigation and with no other clues on hand, Cryptsy then contacted the Miami FBI office, who redirected them to I3C (Interoperable Informatics Infrastructure Consortium), who in turn never responded to their contact attempts.
Cryptsy managed to limp along for another year and a half thanks to a customer liabilities reserve of 10,000 Bitcoin ($3.7 million / €3.4 million).
Nevertheless, site users started experiencing withdrawal delays. Things turned bad on October 4, 2015, when an article on CoinFire (now 99Bitcoins) said the site was under a federal investigation, which Cryptsy’s CEO quickly denied.
Most users believed the accusations that Cryptsy was trying to pull a bank-run, and rushed to pull out funds. By that time, most of the Bitcoin reserve was gone, and because Cryptsy didn’t have any Litecoin reserve, the site’s operators realized their impending doom and tried to delay the inevitable for as long as possible.
Cryptsy puts out a reward for information about the robber
With no help from authorities, Cryptsy is now appealing to the Bitcoin community for help. The site has put up a 1,000 Bitcoin reward for information about the perpetrator of this attack (tips at firstname.lastname@example.org).
Additionally, the site is still pondering if to file for bankruptcy or to wait for someone to purchase their service and refund users.
A third scenario would be if the man behind the attack would “realize” it was all a mistake and return the stolen funds, the site promising no legal action against him.
While the stolen Bitcoin have never left the wallets to which they were assigned after being taken from Cryptsy’s own wallet, the stolen Litecoin are almost surely gone for good. Two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.
Until the situation is resolved, Cryptsy announced that trades and withdrawals are suspended indefinitely.