Postmortem Index


ShapeShift Cyberattack

Company: ShapeShift

Dates: 2016-03-14 – 2016-04-09

Tags: config-change, security

ShapeShift experienced a series of three security breaches between March 14, 2016, and April 9, 2016. The first breach occurred on March 14, followed by a second on April 7, and a third on April 9. These incidents involved unauthorized access to ShapeShift’s core exchange infrastructure, leading to the installation of a rootkit on critical servers.

The initial breach on March 14 was attributed to an internal employee. Subsequent attacks were carried out by an individual using the alias “Rovion Vavilov,” who gained access by purchasing sensitive information from a former employee. This information included network access details, router credentials, and an SSH key. ShapeShift’s infrastructure lacked sufficient logging and auditing, and its security controls were uncertified against the CryptoCurrency Security Standard (CCSS), contributing to the attacker’s success and hindering forensic investigation.

The breaches resulted in the theft of cryptocurrency, as evidenced by coins being sent to attacker-controlled addresses and the attacker later requesting to exchange stolen Ether for Bitcoin. The lack of robust security measures and the compromise of employee credentials facilitated these unauthorized transactions.

In response, ShapeShift, guided by Ledger Labs Inc., undertook extensive corrective actions. These included replacing all employee computing hardware, communication channels, and cryptographic keys. The entire production environment was rebuilt using new cloud accounts, different operating systems, and automated deployment scripts with enhanced firewall rules and off-site logging.

Furthermore, a bastion server was implemented to control access, and outbound firewall rules were tightened. New employee and infrastructure security policies were drafted and enforced. Future plans include implementing multi-signature architecture, deterministic keys, improved key backups, and a data sanitization policy to achieve higher CCSS compliance levels.

Keywords

shapeshift, cyberattack, breach, cryptocurrency, theft, rootkit, security, employee