Hunting the foxhunter: ShapeShift explains what happened

Thursday 21 April 2016

A recent post has shed light on how instant exchange service ShapeShift lost $200,000 to a hacker - and what it teaches us.

In a recent (and long, detailed) news article, CEO Erik Voorhees explains how an employee stole hundreds of bitcoins and facilitated two further major thefts. The account, Looting of the Fox: The Story of Sabotage at ShapeShift, is well worth a read if you have the time.

Hacks and thefts are nothing new in cryptoland, but this was something different. Voorhees details what happened, starting with the background of ShapeShift. Essentially, it was a new business model: an instant altcoin exchange that required no user details or customer funds to be held. You just send your crypto and the funds are delivered back to the specified address in the currency of your choice. In Voorhees’ words, ‘It is the Google Translate of cryptocurrency.’ Having used it, I can certainly say it's a great service. You'll pay slightly more on the spread, but the convenience makes it worthwhile for liquid pairs.


ShapeShift's logo is the fox - but they're not the ones being hunted now

ShapeShift grew fast with the altcoin boom - and particularly when ETH took off. Huge amounts of money were exchanged through its servers, and Voorhees admits that this put pressure on a system that was never designed for that kind of usage. But that’s not really what this story is about. It’s not about bad tech, or poor security - although improvements could have prevented some or all of the problems.

It was, quite simply, about betrayal.


The company hired several new employees, including one they wanted to create a secure, scalable system on which the company could grow. Charitably, they don’t use his real name, but simply call him Bob. It's a courtesy he doesn't deserve, but then, bitcoiners sometimes get carried away and hire bounty hunters and this is the kind of story that can end in blood.

Bob came with a glowing CV but didn’t remotely live up to it. His performance in the job was mediocre at best. He was, however, talented at deception. During his time at ShapeShift he laid the groundwork for a large theft. Shortly after emptying their hot wallet of 315 BTC he disappeared for good, leaving a trail of forensic and circumstantial evidence in his wake.

One of the interesting things about this story is that no customers' money was lost; it is inherent to ShapeShift’s business model that customer funds are not held, at least not for more than a few minutes. The other is that this was not an anonymous hacker, working his arcane arts over Tor: this was someone they knew in the flesh, who worked with them (albeit in a lacklustre fashion) for weeks before the theft. It is the worst kind of betrayal. It later transpired Bob had sold information to a hacker that enabled two further thefts, taking the tally of stolen crypto close to $200,000. That hacker was so uncomfortable about using the information gained in such a distasteful fashion that he later helped them gather evidence against Bob.

Weakest link

It’s a truly illuminating story, and you really feel for Voorhees and his other team-mates, who never saw this coming. After all, they’d been stabbed in the back by the guy who’d been hired to take care of security. This is the stuff of a Hollywood espionage thriller. It’s not the normal pattern for a crypto theft.

‘Bob’s’ real identity is known to the authorities, and it’s likely he will be tracked down and brought to justice. From Voorhees’ account, Bob certainly wasn’t much good at covering his tracks. But it’s a salutary reminder that no matter how much trust you place in a supposedly trustless system, a chain is only as strong as its weakest link. In this instance, as in so many others, that weak link wasn't in the blockchain or even on a server: it was human.

ShapeShift is now back online. We wish you good luck in your business and your Bobhunting!
