Exchange Thefts, Fraud and Exit Scams May Tally More than $1.2 Billion

Exchange Thefts

New Zealand-based Cryptopia suspended trading after cyber thieves stole $16 million from its platform in January (those losses were estimated by a third-party data analytics firm). This amount represented 9.4 percent of the exchange’s holdings. Cryptopia reopened its website in read-only form on March 5.

On March 27, 2019, ZDnet reported on a widely rumored hack on Singapore-based exchange CoinBene. At the time of the alleged cyberattack, the exchange went into maintenance mode, which undoubtedly fueled speculation. ZDnet cited a “cryptocurrency expert” who estimated robbers made off with more than $45 million in cryptocurrency—roughly $6 million in CoinBene Coin and $39 million in Maximine Coin—from the exchange. Coinbene Global, the parent company, responded to the allegations of a hack on Twitter with what appears to be a denial of an attack along with a vaguely worded attachment that says: “With the news sent by multiple exchanges of users (sic) asset theft recently, CoinBene security team took measures to upgrade the wallet immediately to help global users and partners avoid market risks and guarantee the security of all parties’ assets.” The statement went on to assure customers that “User assets on CoinBene platform are 100% secure, our platform promises that if any user assets will be lost, we will compensate 100%.”

CipherTrace researchers have been working to shed light on this event. Thus far, we have verified that during the period of the alleged hack, March 25th to 28th, massive amounts of funds flowed from the exchange’s hot wallets to known and unknown wallets, and those funds eventually ended up in other exchanges. The bulk of these transactions appear to have gone to the unregulated exchange Etherdelta. It seems inconceivable that, if those wallets were in fact hacked, CoinBene could regain control of those accounts—i.e., that the users’ assets were 100% secure.

Nonetheless, at the time of this report’s publishing, events are still unfolding. We can only confirm that during the period of the rumored “hack” US$105 million of Ethereum-based tokens (CoinBene Coin and Maximine Coin are both Ethereum based) moved to other exchanges where it was being converted to various cryptocurrencies, so we are only tentatively classifying it as a possible theft or exit scam. CipherTrace reached out to CoinBene Global management for comment, but we have not yet received a response. Watch for further CipherTrace alerts with any updates on this research as we continue to monitor the situation.

DragonEx lost more than $1 million USD to a cyber theft, disclosing publicly that the attacker had transferred the funds to other exchanges. DragonEx published destination wallet addresses belonging to the hackers and requested help in freezing and recovering the funds.

Without being specific, the company said they were able to recover some but not all of the money. Authorities in Estonia, Hong Kong, Singapore, and Thailand are said to be assisting the Singapore-based exchange in its investigation.

The largest cryptocurrency exchange in South Korea, Bithumb, was hacked in March, and attackers made off with $14 million in EOS and XRP. According to Bloomberg, Bithumb said the incident was most likely caused by an “accident involving insiders” because an external intrusion path hadn’t been revealed after an inspection. This was the second major hack experienced by Bithumb. In June 2018, cybercriminals robbed the exchange of $30.8 million in cryptocurrency.

In South Korea, cryptocurrency exchange Coinbin declared bankruptcy on February 26th after suffering losses of approximately $26 million. The company cited embezzlement from an insider as the main cause of its downfall.

Exit Scams

On top of outright cryptocurrency thefts from infrastructure and wallets, investors lost almost 200 million dollars to insider threats such as “exit scams,” in which founders and executives embezzled users’ custodial crypto funds and then slipped away quietly.

While CipherTrace has categorized the $26 million in losses experienced by South Korean cryptocurrency exchange Coinbin as an exchange theft, the firm claimed the losses were the result of an inside job. According to Business South Korea, Chan-kyu, Coinbin’s CEO, told reporters in its Seoul office on Feb. 20th: “We are preparing to file for bankruptcy due to a rise in debt following an employee’s embezzlement.” The company also asserted that an executive in charge of managing cryptocurrencies, who previously served as the CEO of Youbit, the predecessor of Coinbin, had committed dereliction of duty and embezzled company funds. The executive reportedly claimed that he had removed hundreds of cryptographic keys to coin wallets containing hundreds of Bitcoin, and also lost the cryptographic key to a wallet containing more than 100 Ethereum coins last November.

During the first quarter, the cryptocurrency community was captivated by the implosion of what had been Canada’s largest cryptocurrency exchange. On January 14, 2019, QuadrigaCX customers learned the company’s CEO, Gerald Cotten, had died more than a month earlier. His widow posted an announcement on the QuadrigaCX website explaining that Cotten passed away in India while opening an orphanage. Around the same time, customers began having trouble getting their cryptocurrency out of the exchange. This unusual situation led to the immediate speculation that the exchange’s funds were gone along with the CEO. Then, on February 9 news broke that Cotten had, in fact, taken the passwords to all the firm’s crypto assets with him to the afterlife. QuadrigaCX’s customers were stunned to learn their crypto was inaccessible.

How much went with Mr. Cotten to the grave, crematorium, or elsewhere? In a sworn affidavit filed January 31 with the Nova Scotia Supreme Court, his widow, Jennifer Robertson, said the exchange owes its customers roughly 250 million CAD (US$195 million) in both cryptocurrency and fiat.

The enormous size of this case—coupled with an unfathomable lack of internal controls—will undoubtedly lead governments around the world to rethink regulation of cryptocurrency exchanges. Setting aside what was immediate speculation that Cotten had faked his own death and spirited away the funds, questions immediately arose as to how the passwords to all that crypto could have been in only one person’s possession with no backup.

QuadrigaCX’s customers were outraged to learn that on January 31 the exchange filed an application for creditor protection in the Nova Scotia Supreme Court, citing issues with locating “very significant cryptocurrency reserves held in cold wallets.” In the same affidavit, the widow stated that her husband had mostly run the company—Canada’s largest cryptocurrency exchange—on an encrypted laptop from “wherever he and his computer were located.” Ms. Robertson further claimed that she did not know the passwords or recovery keys, and she could not find them “despite repeated and diligent searches.”

In this report, CipherTrace has chosen to categorize the QuadrigaCX losses as a theft. While the details may never be known, based on the rather bizarre circumstances surrounding the demise of the exchange and its CEO, the facts suggest it was either theft due to foul play or an insider theft—i.e., an exit scam. For example, as the QuadrigaCX plot thickens, the auditor appointed by the bankruptcy court, Ernst & Young, revealed it had utilized public blockchain records to review the transactional activity of the six identified cold wallets set up by Cotten, where Ms. Robertson claims the assets were locked up without access to the password keys. However, instead of holding US$137 million, the wallets were empty. Moreover, they had been drained in early April 2018. Ernst & Young also found evidence of what appeared to be 14 fake accounts set up by the company under false names that had been trading large amounts of crypto to accounts on external exchanges.

In addition, citing court records in the U.S. and Canada, the Globe and Mail reported it believes the company’s co-founder Michael Patryn aka Omar Patryn is actually Omar Dhanani. Dhanani was arrested by the U.S. Secret Service in California as part of an identity theft, credit card fraud and money-laundering ring in 2004. He served time in a U.S. prison and was later deported to Canada. On top of that, Cotten had filed a will leaving everything to his wife just 12 days before he died, and the couple had amassed millions of dollars in real estate, a yacht, and an airplane. Perhaps further fueling the speculation, Mr. Cotten passed away in an area reputed for having a whole industry devoted to providing fake death certificates and fake doctor’s notes to tourists.

Cotten traveled to India in December 2018 for his honeymoon and to celebrate the opening of an orphanage, and while there apparently died from complications from Crohn’s disease involving a suspected perforation of the digestive tract. However, there seems to be no chain of custody account of Cotten’s body and no official coroner’s report. CipherTrace researchers reached out to Dr. Eduardo Peña Dolhun, a Mayo Clinic trained, board-certified family physician with internationally recognized expertise in the field of rehydration science. He has treated disaster victims with dehydration and digestive tract disorders around the globe. “The likelihood of an otherwise healthy 30-year-old dying of complications from Crohn’s, assuming reasonable access to adequate healthcare, would be a fairly rare event,” said Dr. Dolhun. “But what is highly atypical would be the lack of an autopsy. When an otherwise healthy person dies suddenly at that age, medical ethics and even prudent concern over legal liability dictate an autopsy take place to determine the cause of death and the appropriateness of care. This is especially so where signs of the cause of death are not visible externally. Someone would have demanded an autopsy. And this would be true anywhere, from a major city to a medical facility even in a third-world village. That is how we are trained as doctors.”

In addition, as more details emerged from the bankruptcy Monitor’s report released in early April, there is the appearance of severe financial stress at the firm. This is partly due to difficulty obtaining satisfactory banking relationships, which led to the use of numerous payment processors. These processor companies are currently refusing to return millions of dollars to QuadrigaCX or its creditors. Also of note, one of the payment processors used by QuadrigaCX, and mentioned often in Cotten’s leaked emails, was the same Panamanian entity at the core of the recent $851m Bitfinex debacle—Crypto Capital.

The Monitor also revealed that Ms. Robertson had been attempting to dispose of large personal assets left to her in Cotten’s will. The sale of these assets has been frozen as the Monitor discovered that the corporate and personal boundaries between QuadrigaCX and Cotten “were not formally maintained, and it appeared to the Monitor that QuadrigaCX funds may have been used to acquire assets held outside the corporate entity.”

So not surprisingly, it appears law enforcement is investigating the potential criminal angle. According to a March 4, 2019 report in Fortune, the CEO of Kraken, Jesse Powell, alleged in an interview that the FBI and the Royal Canadian Mounted Police are probing the QuadrigaCX implosion. The financial news publication reported that in response to its questions both law enforcement agencies said they do not confirm or deny the existence of ongoing investigations. According to the report, Powell told Fortune he did not speak to the law enforcement agencies directly but learned from Kraken’s head of compliance of the inquiries.

This saga involves very complex blockchain trails and inter-relationships among many individuals and entities. CipherTrace is actively working to uncover the true cause of this seemingly inexplicable loss of customer funds as well as any potential relationship to money laundering. Watch for updates on this investigation and recommendations to regulators on ways to prevent another such crypto financial crisis.

Fraud or Misappropriation and Material Misrepresentation

Bitfinex and Tether Accused by the NYAG
On April 26, 2019, the New York Attorney General (NYAG) alleged that cryptocurrency exchange Bitfinex had lost $851 million, and then secretly transferred funds from its sister company, Tether Limited, to cover the loss. The trouble began when Bitfinex placed funds with Crypto Capital, a Panamanian payment processor also used by QuadrigaCX. Crypto Capital subsequently said it did not have access to those funds because they had been seized by Portuguese, Polish and US authorities. So, according to the complaint, Bitfinex borrowed funds from Tether to continue as a going concern. In essence, Bitfinex is accused of misappropriating fiat currency from the pool of funds that Tether ostensibly uses to back the 1:1 US dollar peg of its stablecoin.

Moreover, the Office of the Attorney General (OAG) believes that neither the $625 million transfer of Tether reserves in November 2018, nor a subsequent $900 million “line of credit” established against Tether’s reserves, has been disclosed to customers and investors.

According to the official press release, the OAG obtained a court order against iFinex Inc.—which operates both Bitfinex and Tether—ordering it to cease violating New York law and defrauding New York residents.

Key points from the OAG’s filings, including the funds lost to the payment processor
Prior to February 2019, Tether represented that every outstanding tether was “backed” by and thus should be valued at one U.S. dollar. Then, on March 4, 2019, more than four months after the transfer of funds to Bitfinex from the pool of fiat funds that back tether, Tether Limited changed its disclosure, representing that “every tether is always 100% backed by our reserves, which include traditional currency and cash equivalents and, from time to time, may include other assets and receivables from loans made by Tether to third parties, which may include affiliated entities (collectively, ‘reserves’)”.

In 2014, Bitfinex began a relationship with a Panamanian entity called Crypto Capital Corp. (“Crypto Capital”) to act as one of its “payment processors.” But at no point known to the OAG has Bitfinex or Tether disclosed to clients that they have used third-party “payment processors” to handle client withdrawals. Moreover, by 2018, Bitfinex had placed over one billion dollars of commingled customer and corporate funds with Crypto Capital. Allegedly, no contract or similar written agreement was ever entered into between Crypto Capital and Bitfinex or Tether. Bitfinex and Tether have also used a number of other third-party payment processors, including various companies owned by Bitfinex/Tether executives as well as other “friends” of Bitfinex.

In mid-2018, the company began having trouble obtaining funds from the payment processor, leading to delays in resolving client transactions. On October 7, 2018, Bitfinex published a notice to investors assuring them that the company was not insolvent. Then on October 15, 2018, Bitfinex published a notice to the market stating that “it is important for us to clarify that: All cryptocurrency and fiat withdrawals are, and have been, processing as usual without the slightest interference . . . All fiat withdrawals are processing, and have been, as usual.” However, documents provided to the OAG by the Respondents show that during this time, Bitfinex was having severe problems processing client withdrawals.

Bitfinex/Tether Response
Tether issued a statement jointly with Bitfinex strongly disagreeing with the Attorney General’s allegations:

“The New York Attorney General’s court filings were written in bad faith and are riddled with false assertions, including as to a purported $851 million ‘loss’ at Crypto Capital. On the contrary, we have been informed that these Crypto Capital amounts are not lost but have been, in fact, seized and safeguarded. We are and have been actively working to exercise our rights and remedies and get those funds released.”

Bitfinex took an even stronger stance vis-à-vis the OAG, adding in a statement:

“Both Bitfinex and Tether are financially strong — full stop. And both Bitfinex and Tether are committed to fighting this gross overreach by the New York Attorney General’s office against companies that are good corporate citizens and strong supporters of law enforcement.”

CipherTrace observes parallels between the QuadrigaCX case and the Bitfinex case
Somewhat analogous to QuadrigaCX, which also had an intimate relationship with Crypto Capital, fast-paced and casual relationships with non-bank entities raise a number of issues regarding regulation. First, where these “intimate” relationships exist—i.e., there was no contract in the case of Bitfinex, and leaked emails from the late CEO of QuadrigaCX show a similarly cavalier way of conducting business—sound anti-money laundering controls tend to go out the window.

Additionally, exchanges and other crypto asset businesses that operate in less regulated jurisdictions, as in the case of Tether and Bitfinex, typically have difficulty gaining traditional banking relationships. This forces digital asset businesses to deal with “shady” operators, often in countries like Panama where fraud is sometimes de rigueur. In another recent example, in March 2019, Hong Kong-based Gatecoin had to cease operations and liquidate due to what the company said was a problem with its payment processor withholding funds. The net result for cryptocurrency users and investors is risk. CipherTrace strongly believes that sound regulation—i.e., rules designed to keep bad actors out of the crypto economy—not only encourages banks to accept digital asset businesses as customers, but also benefits digital asset businesses, users, investors, and governments trying to build healthy and safe crypto economies.

ATM Double-Spend Attacks

Authorities in Canada are investigating double-spend attacks on Bitcoin ATMs throughout the country. The thieves appear to have exploited ATMs that dispensed cash on 0-confirmation transactions, i.e., before the payment had been included in a block. An unconfirmed transaction can still be displaced by a conflicting transaction that spends the same coins, so the attacker has to time the conflicting spend to land before a miner confirms the payment, which is why such attacks require synchronization. Suspects made off with more than US$150,000 through 112 fraudulent transactions in seven Canadian cities, largely in Calgary. This brings to light the problems inherent in 0-confirmation transactions: while they eliminate the need for ATM customers to wait for confirmations, they offer none of the finality of transactions that have been confirmed on the BTC blockchain.
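To make the failure mode concrete, the following is an added example written for this page, not code from the report or from any ATM vendor. It is a toy model of a Bitcoin mempool with opt-in replace-by-fee (BIP125) and three ATM acceptance policies. The attacker pays the ATM with a replaceable transaction, the ATM dispenses on the unconfirmed payment, and the attacker then re-spends the same coins back to themselves with a higher fee before a block is found. All txids, addresses, amounts and the mempool/mining behaviour are constructed simplifications; the report does not detail the exact technique used in Canada.

```python
"""Toy model of a zero-confirmation double spend against a Bitcoin ATM.

Added example, not from the CipherTrace report. Mempool, block and ATM
policies are deliberately simplified stand-ins for real node behaviour
(opt-in replace-by-fee per BIP125); txids, addresses and amounts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]  # (funding txid, output index)

ATM_ADDRESS = "atm-hot-wallet"              # constructed
ATTACKER_ADDRESS = "attacker-change"        # constructed
COIN_INPUT: Outpoint = ("funding-txid", 0)  # constructed UTXO the attacker controls


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]
    outputs: Tuple[Tuple[str, int], ...]  # (address, satoshis)
    fee: int
    rbf_signaled: bool = False  # BIP125: some input has nSequence < 0xfffffffe


@dataclass
class Mempool:
    txs: Dict[str, Tx] = field(default_factory=dict)

    def conflicts(self, tx: Tx) -> List[Tx]:
        """Unconfirmed transactions that spend any of tx's inputs."""
        return [m for m in self.txs.values()
                if m.txid != tx.txid and set(m.inputs) & set(tx.inputs)]

    def accept(self, tx: Tx) -> bool:
        """Simplified BIP125: a conflicting tx replaces the originals only if
        they all opted in to RBF and the newcomer pays a higher fee."""
        clashing = self.conflicts(tx)
        if clashing and not all(c.rbf_signaled and tx.fee > c.fee for c in clashing):
            return False  # first-seen rule: keep the original, reject the double spend
        for c in clashing:
            del self.txs[c.txid]
        self.txs[tx.txid] = tx
        return True


def mine_block(mempool: Mempool) -> List[Tx]:
    """Confirm everything currently in the mempool in one block."""
    block = list(mempool.txs.values())
    mempool.txs.clear()
    return block


def is_confirmed(tx: Tx, chain: List[List[Tx]]) -> bool:
    return any(t.txid == tx.txid for block in chain for t in block)


def atm_should_dispense(tx: Tx, mempool: Mempool, chain: List[List[Tx]], policy: str) -> bool:
    """ATM acceptance policies: 'zero_conf' (pays on mempool sighting),
    'zero_conf_guarded' (mempool sighting, but refuses RBF-signalling or
    already-conflicted payments) and 'one_conf' (waits for a block)."""
    if not any(addr == ATM_ADDRESS for addr, _ in tx.outputs):
        return False
    if is_confirmed(tx, chain):
        return True
    if policy == "one_conf":
        return False
    seen = tx.txid in mempool.txs
    if policy == "zero_conf_guarded":
        return seen and not tx.rbf_signaled and not mempool.conflicts(tx)
    return seen


def simulate(policy: str) -> dict:
    """Run the double-spend sequence against an ATM using the given policy."""
    mempool, chain = Mempool(), []
    # 1. Attacker pays the ATM with a replaceable (RBF-signalling) transaction.
    pay_atm = Tx("tx-pay-atm", (COIN_INPUT,), ((ATM_ADDRESS, 100_000),),
                 fee=500, rbf_signaled=True)
    mempool.accept(pay_atm)
    dispensed = atm_should_dispense(pay_atm, mempool, chain, policy)
    # 2. Before any block is found, the same coins are re-spent back to the
    #    attacker with a higher fee, evicting the payment from the mempool.
    reclaim = Tx("tx-reclaim", (COIN_INPUT,), ((ATTACKER_ADDRESS, 99_000),), fee=1_500)
    replaced = mempool.accept(reclaim)
    # 3. A miner confirms whatever survived: the reclaim, not the ATM payment.
    chain.append(mine_block(mempool))
    atm_paid_on_chain = any(addr == ATM_ADDRESS
                            for block in chain for t in block for addr, _ in t.outputs)
    return {"dispensed": dispensed, "replaced": replaced,
            "atm_paid_on_chain": atm_paid_on_chain,
            "atm_lost_cash": dispensed and not atm_paid_on_chain}


if __name__ == "__main__":
    for p in ("zero_conf", "zero_conf_guarded", "one_conf"):
        print(p, simulate(p))
```

Under the `zero_conf` policy the ATM hands over cash and the payment never confirms; under `one_conf` nothing is dispensed. The `zero_conf_guarded` policy blocks this particular sequence by refusing RBF-signalling payments, but it relies on every node and miner honouring the first-seen rule for non-signalling transactions, which an attacker who can reach a miner directly (or a network running full-RBF) can bypass. Waiting for confirmations is the only mitigation that does not depend on mempool policy.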

Rogue Regimes – Crypto Crimes, Exchange Theft, and Sanctions Evasion

North Korea Accused by United Nations of Stealing $571M from Exchanges
According to private-sector research cited in a UN Security Council Panel of Experts report released March 6, 2019, North Korean state-backed hackers successfully breached at least five cryptocurrency exchanges in Asia between January 2017 and September 2018, causing $571 million in losses. The largest was a January 2018 penetration of Coincheck, a Japan-based exchange. The UN panel also attributed the 2016 theft of $81 million from Bangladesh Bank to a North Korean sponsored cyberattack. In that case, the panel cited a U.S. indictment.

According to the report, targeting cryptocurrency exchanges is particularly useful for evading sanctions because the digital trail is difficult to trace. It also offers Kim Jong Un’s rogue regime numerous opportunities for money laundering, according to the report. The panel that created the report included UN analysts as well as experts from China, France, Russia, the United Kingdom, and the United States who advised the Security Council. Of course, North Korea has consistently denied conducting any such cyberattacks.

Iran Launches State-Backed Crypto Currency as Payment Rail to Evade Sanctions
On January 29, 2019, Iran took brazen steps to use cryptocurrency to evade global monetary sanctions by launching its own sovereign cryptocurrency. These sanctions included SWIFT banning some Iranian banks from access to its widely used cross-border payment services in November 2018. SWIFT is the Society for Worldwide Interbank Financial Telecommunication, a global interbank funds transfer network used by most of the world’s banks to perform cross-border payments.

The move by SWIFT came after the United States re-imposed oil and financial sanctions against Iran in response to its alleged missile and nuclear programs. The SWIFT action, which was urged by the U.S. Treasury Secretary, was particularly painful for the Tehran regime as it effectively blocks Iran from receiving payments for oil exports.

The launch of a state-backed “Crypto-Rial” was long rumored to be the result of a collaboration among Iran, China, Russia, Venezuela, and Turkey. In fact, U.S. Senator Ted Cruz on December 13, 2018, introduced legislation (the Blocking Iranian Illicit Finance Act) that was designed to sanction Iran’s upcoming sovereign cryptocurrency. The bill called for “an assessment of the state and non-state actors that are assisting the Government of Iran in creating a sovereign cryptocurrency.”

By making use of blockchain technology and cryptocurrencies to facilitate transactions, Iran would be joining other blockchain-based payment networks, which many believe could make the traditional SWIFT network obsolete.

Last November, Iran signed a trilateral blockchain cooperation agreement with Russia and Armenia. Russian President Vladimir Putin later said that Russia is “actively working” with partners to establish financial systems that are entirely independent of SWIFT, without naming the partner countries.

Mexican Cartels Using Chinese Money Laundering Networks — Bitcoin Mules
As has been widely reported, the U.S. Senate Judiciary Subcommittee recently held a hearing on Border Security and Immigration that revealed that Mexican drug cartels are increasingly using Chinese cryptocurrency money laundering networks.

The relationship between China and Mexican drug cartels stems from China being a major supplier of precursor substances necessary to manufacture methamphetamine (meth). China is also a major source of the extremely dangerous synthetic opioid fentanyl, which is approximately 50 to 100 times more powerful than morphine and is now also used to boost the potency of illicit cocaine and heroin.

The Chinese money laundering network, also known as the Chinese Underground Banking Systems (CUBS) arose from the country’s strict controls on citizens moving money out of the country. Now it appears the Mexican cartels (as well as drug gangs in Europe and Australia) are leveraging CUBS cryptocurrency brokers.

Banks in Some Countries Face Legal Action for Refusing to Bank Crypto Businesses
Also in Q1, banks in Israel and Brazil faced legal action that forced them to reinstitute banking relationships with exchanges and other money service businesses (MSBs). It seems that many MSBs in the cryptocurrency space have cleaned up their acts under the weight of strict regulations, and some regulators and courts now feel that banks should treat these crypto businesses as good corporate citizens. This adds to the need for banks to monitor hidden crypto assets in their customer accounts and payment networks, and to make it safe to accept crypto customers.
