
The ShapeShift Hack - mdelias
http://hackingdistributed.com/2016/04/25/shapeshift-hack-simply-incredible/
======
ikeboy
Erik responded:
[https://www.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_pro...](https://www.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/d2gy4iz)

------
btilly
So we've got three potential theories here.

1. ShapeShift has the right version of events.

2. Rovion is Bob who is having fun mocking and misleading the CEO, safe in
the belief that he will never be caught.

3. Rovion is another insider who is providing himself with cover to blame Bob
and an outside hacker if he's ever caught.

This post criticizes the first theory on Rovion's interaction not making much
sense. And indeed it doesn't unless Rovion is a fairly weird guy.

The second theory makes some sense. By telling this yarn, Bob managed to steal
two more times, while having all evidence of how he did it the second 2 times
not being taken as leads to who he is now or what he is doing.

The third theory makes a ton of sense. Rovion can either be someone who was
already planning to steal. Or just an insider who saw how easy it was and was
motivated to do the same.

One interesting detail is that Bob's initial theft is just sitting in a
wallet, untouched. So apparently he didn't need that money. The first theory
would say because he got paid by Rovion and can wait. The second theory would
say because he made 2 other withdrawals that he can use. The third theory
leaves that open.

Based on human nature I'd rank them 3, 2, 1. Based on his leaving a bunch of
money untouched, and my opinions about criminals, I'd rank the theories 2, 1,
3. Either way the CEO should be dubious about the story he was fed by
"Rovion".

~~~
blakeyrat
I think you missed the insinuation at the end of the article:

4. The CEO faked the entire story (perhaps using Bob or Rovion or both as
patsies, or perhaps taking the money for himself) because the same
money-stealing "we learned our lesson" thing happened at PayPal, and PayPal
became hugely successful shortly afterward.

~~~
btilly
Yeah, I did miss that insinuation.

The CEO has already made enough on previous companies that I find that one a
stretch.

~~~
bnb
Someone who has made a lot of money using one-off tactics to make a lot more
money? Why would they do that!

------
kcorbitt
I agree that ShapeShift's account has holes in it and the CEO seemed a little
too willing to take Rovion at his word, but this rebuttal swings too far in
the other direction. Some comments:

> Red Flag #1. Bob is somehow able to connect with a hacker who has been
> hiding in their systems for some time.

Actually, in the original article Rovion says "We contacted Bob." Which makes
total sense -- if Rovion, e.g., had access to the email account of a ShapeShift
employee, he would have seen the drama with Bob unfold and been able to
contact him easily.

> Red Flag #2. Rovion identifies Bob by his real life name "Bob," without a
> moment of hesitation.
>
> Why on earth would Bob run a criminal business under his real name?

If Rovion had access to some internal communications at ShapeShift, he would
of course have "Bob"'s real name and no reason not to use it.

> Red Flag #3. Bob chooses to sell his backdoor access to Rovion instead of
> using it himself.
>
> Red Flag #4. Bob demands only 50 BTC for a backdoor.

There's a lot more risk in stealing something yourself vs. just providing
information that can be used for theft. Letting someone else do the dirty work
could definitely be a rational decision. And anyway, the hot wallet at no
point after the original hack had 315 BTC again, so the expected value of the
second/third hacks was a lot lower.

> Red Flag #6. Rovion is a moralistic individual who not only is a thief
> himself, but wants to see Bob, another thief from whom Rovion supposedly
> obtained credentials, severely punished

It's not surprising to me that someone could adopt a moral framework that let
them steal from poorly-secured foreign companies while still considering it
wrong to steal from your own employer.

> Orange Flag #9. Voorhees talks derisively about Bob's competence during the
> period of time when Bob was employed prior to the hack.

Many countries, possibly including Switzerland, do have a very high standard
you have to meet to fire someone with cause. This process could be especially
delicate if Bob is of an ethnic or racial minority.

------
rdtsc
Isn't this the standard scam -- crypto-currency exchange gets cleaned out by
an insider/owner and then there is a story of a disgruntled employee or
other evil hacker. Everyone is supposed to hate this made-up hacker instead of
suspecting the owners themselves.

Maybe it is just the news bias, but crypto-currency seems to attract shady
characters. I understand the sentiment about the central banks and global
cabal of money controlling plutocrats and all that, but then the same people
turn around and hand money to a bunch of amateurs with a website and trust
them instead.

~~~
rm_-rf_slash
"I'm an investment banker. I...move money from one place to another." -Michael
Douglas as Nicholas Van Orton, _The Game_, 1997

Finance is a cutthroat industry where the common denominator for success is
ruthlessness. Fortunes await the hungry. The hoodied crypto-currency hacker
may not strike you as the Wall Street suit, but rampant greed is clear as day.

------
Ontheflyflyfly
Didn't know

"Who here remembers the story of a bank called X.com? It was a tiny, little-
known online bank, until it was hacked and covered in the mainstream press
during the first dot-com boom. Its popularity absolutely soared after the
hack. I actually had an account on X.com, but if you didn't and never heard of
it, you may perhaps have heard of X.com's founder, a fellow who goes by the
name of Elon Musk."

------
braderhart
It seemed to me like Rovion is Bob, but just taking on a different identity,
hence the "Let me know when you plan to arrest Bob" comment.

~~~
felixgallo
Occam's razor suggests that Rovion, Bob and Voorhees are all the same person.
Any other reading would, as the article points out too-obliquely, involve too
much strain on reality.

~~~
btilly
Given the information in
[https://en.wikipedia.org/wiki/Erik_Voorhees](https://en.wikipedia.org/wiki/Erik_Voorhees),
there is every reason to believe that Voorhees has more to lose here than to
gain. He already has personal wealth well in excess of the amounts stolen, and
his personal cost from continuing to run the business in a shut down mode
likely also exceeds the thefts.

~~~
felixgallo
If I had a bitcoin for every free-state-believing tax-hating
wannabe-nationless pseudonymous SEC-fined bitcoin founder who's taken the
money, concocted a fabulous cockamamie story and run, I would have enough to
buy a really nice vape pen and a fedora.

------
buttershakes
Finally, someone who took a stab at this. Ever since I read ShapeShift's
version of events I couldn't help but think the entire thing was bullshit.
Wild incompetence, improbable alliances, it's just weird.

------
cubano
I'm just kinda glad that my old-school, been-burned-100-times, cynical self,
who also saw red flags galore in the original narrative, wasn't _completely_
nuts.

It's a pretty solid takedown of all the issues in ShapeShift's sketchy story.

~~~
homero
My no shitcoin rule avoids many messes

------
AgentME
> By definition, Rovion was in deep undercover mode. How would Bob have gotten
> a hold of Rovion? Did he know of Rovion's partial penetration? If so, how? If
> not, then how did they meet up? In any case, how did the two hackers exchange
> messages?

If the attacker didn't have root or wasn't using a fancy rootkit, it's not
surprising at all that his hack could have been discovered. Discovering the
hack could be as simple as finding an unfamiliar php file that hosted a
reverse shell in some directory. The attacker might've had some scripts in a
folder. Communication could be started by editing one of the scripts to print
a message instead.

A friend of mine as a student sysadmin once found a server was part of a
botnet, figured out the bots communicated via an IRC channel, joined the
channel himself, lurked for a while, found the operator connect one day, and
talked. The server never had anything worthwhile on it, the server was
re-imaged, the school never bothered pursuing legal action as the guy was in
Russia, and I'm told they've played Counter-Strike together sometimes since
then.

> Why wouldn't Bob take advantage of the backdoor himself? It's not like he had
> much to lose. He'd already been ousted from ShapeShift and was already the
> target of an investigation.

Because he could get a bunch of money now and have someone else do most of the
work probably.

> Red Flag #4. Bob demands only 50 BTC for a backdoor. ... Why not split the
> proceeds in half, for starters?

If Bob has Rovion do all the work with the backdoor access, why would Bob
trust Rovion to split the proceeds once he's hit the motherlode? Much easier
to get some money up-front and be done with it.

> Red Flag #5. Rovion pays 50 BTC for a backdoor. ... How would Bob, then,
> demonstrate to Rovion that he wasn't just a scammer, or a honeypot operator,
> but indeed had a legitimate backdoor to sell?

It probably wasn't a single 50 BTC transaction. Start it slow. (Just like how
Erik managed to work out some trust with Rovion later.) Bob probably offered
to not boot Rovion's original access into the system for a few BTC to start
with, and they found somewhere to go from there.

> Red Flag #6. Rovion is a moralistic individual who not only is a thief
> himself, but wants to see Bob, another thief from whom Rovion supposedly
> obtained credentials, severely punished, for being a thief.

Seriously, this is just grasping for straws. That doesn't seem so strange. Or
hell, maybe Rovion just wants to try to throw someone else under the bus
morally. People trying to justify themselves is nothing new.