Indian cryptocurrency exchange Coinsecure said it would pay a bounty of Rs. 2 crore to anyone who helps them recover the lost bitcoins.
On April 8, the Indian exchange lost 438.318 bitcoins, approximately Rs 20 crore from a digital wallet that was holding users’ funds. Coinsecure promised to use its own funds to reimburse Rs 20 crore to customers who lost their bitcoins.
Some 11,000 customers are said to be affected by the reported theft which is the biggest cryptocurrency theft in India.
The company said it will start returning monies to the affected parties within the next 15 days.
“We will announce the refund process in the next 5-10 days. We are working to get the website back up and allow customers to login and withdraw funds,” said Mohit Kalra, chief of bitcoin exchange Coinsecure.
On April 10, the exchange filed a complaint with the Delhi Cyber Crime department about the theft of virtual currencies worth 438.318 bitcoins. The police is currently investigating the case.
The exchange claims an insider job in the theft and suspects its chief security officer, Amitabh Saxena, of playing a role in siphoning off the money. Coinsecure also requested Delhi police to seize Saxena’s passport, fearing that he may leave the country.
How it happened?
The alleged hack seems to have occured when the company CSO Saxena was extracting bitcoins to distribute it to its customers.
The funds lost were kept in a ‘cold wallet’ where funds are stored offline, as opposed to a ‘hot wallet’ which is a part of the exchange connected to the internet.
“There was no need to be online while extracting the bitcoin. The private keys which was never exposed to the internet for the past 4 years was exposed,” Kalra said. “Funds were lost lost during the extraction of private keys.”
“The hack that happened is also too good to be true. Almost like offering the password to your bank account in a platter to a hacker. The time he exported the private key, it was after 5 minutes the hack started,” he added.
It was on April 9, that Saxena informed others at the exchange that all the bitcoins that were stored offline had vanished.
It is still unclear why the private key — password that is kept by the company and stored offline — were leaked online, leading to the hack.
“In this case, the primary problem is there was lack of perhaps technical expertise or may be transparency in the way each of these processes is handled,” said Joel John, a cryptocurrency analyst with Outlier Ventures, a venture firm that invests in decentralised technologies.
“If there was a more community oriented thing, some best practices would have been discussed and things would have been done accordingly. Right now there is a fragmentation between exchanges with regards to best practices,” John added.
Is the money being traced?
Coinsecure has currently stopped all deposits and withdrawals. The company says it has the digital address of where the assets were sent after the hack.
The company says it has the digital address of where the assets were sent after the hack.
It has shared the wallet address to which the 438 bitcoins were transferred to on their website.
The stolen amount of 438.318 bitcoins was transferred to the hacker’s wallet over a span of two days in small tranches.
Now, the hacker seems to be sending the stolen bitcoins to multiple addresses. The amount left from the stolen wallet is 139.420 bitcoins.
This essentially means only Rs 7.39 still remains of the Rs 20 crore that was siphoned off.
Interestingly, the wallet address to which the initial amount of 438 bitcoins was transferred to was created on the day of the hack and not an old account that had already been around for sometime.
“At the end of the day, these are some of the oldest exchanges — the gatekeepers to the token economy in India. If they are the ones who are messing up, it is really difficult to go back to the government and say you need to be more relaxed,” John said.
These developments come in the backdrop of a crackdown on cryptocurrencies in India. Finance minister Arun Jaitley, said in February that bitcoins and other virtual currencies are not a legal and compared virtual currencies to Ponzi schemes.
Last week Indian central bank Reserve Bank of India (RBI) put out a notice that mandated banks, e-wallets, and payment gateway providers to withdraw support for cryptocurrency exchanges and other businesses dealing with virtual currencies in India.