Recently, our team discovered a breach in the LocalBitcoinCash platform in which the hacker was attempting to steal a large amount of cryptocurrency. Fortunately, due to the design of our infrastructure, all funds are safe. This article provides what we know from our investigation of the breach and describes our actions moving forward.
When LocalBitcoinCash was first designed, it was designed with the assumption that a hack would happen eventually. With that assumption, we made certain decisions, such as separating our servers entirely, so that a breach of the front-end server would not cause any loss of funds, not even from the hot wallets. Our staff also work on separate networks, so that a compromised staff machine would not affect the servers.
However, that came at a price which hurt the user experience very badly. Nonetheless, our top priority was not to lose our money to hackers, which is usually only a matter of time. All operating systems are vulnerable to 0-day exploits, and we are aware that our limited resources cannot compete against well-funded private and government entities. Today, that decision, made 4 years ago, was vindicated by recent events.
How did we know there was a security breach? We built multiple intrusion detection functions into the platform, which we call traps and honeypots, and these give us information about such events. During the breach, our intrusion detection system notified our team that an intrusion was taking place, which led to the investigation.
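To make the "traps and honeypots" idea concrete, here is an added example of a decoy-credential trap; it is not LocalBitcoinCash's code, and the decoy names, hosts, IP addresses and request paths are constructed. The detector registers decoy secrets planted on specific machines; since no legitimate code ever uses a decoy, any request that presents one is an intrusion signal, and the decoy's host tells you which machine the intruder was able to read, which is how a honeypot layout constrains where an attacker can be.

```python
"""Decoy-credential traps: a constructed example of honeypot-style intrusion
detection. Names, hosts and traffic are invented for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Decoy:
    name: str    # label used in alerts, e.g. "frontend-config-api-key"
    host: str    # machine on which the decoy secret was planted
    digest: str  # SHA-256 of the secret; the detector never keeps the plaintext


@dataclass
class Alert:
    decoy: Decoy
    source_ip: str
    detail: str


class TrapRegistry:
    """Registers decoy secrets and flags any request that presents one."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, Decoy] = {}
        self.alerts: List[Alert] = []

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def plant(self, name: str, host: str) -> str:
        """Create a decoy for `host`; returns the plaintext so the caller can plant it there."""
        secret = "decoy_" + secrets.token_hex(16)
        decoy = Decoy(name, host, self._digest(secret))
        self._by_digest[decoy.digest] = decoy
        return secret

    def inspect(self, presented: str, source_ip: str, detail: str = "") -> Optional[Alert]:
        """Check a credential presented to any service; returns an Alert if it is a decoy."""
        d = self._digest(presented)
        for known, decoy in self._by_digest.items():
            # constant-time comparison so the check itself leaks nothing
            if hmac.compare_digest(d, known):
                alert = Alert(decoy, source_ip, detail)
                self.alerts.append(alert)
                return alert
        return None

    def hosts_reached(self) -> Set[str]:
        """Hosts whose decoys fired: the machines the intruder could read from."""
        return {a.decoy.host for a in self.alerts}


def demo() -> Tuple[List[str], Set[str]]:
    """Constructed scenario: decoys on a front-end box and a wallet box; only the
    front-end decoy is ever presented, so the wallet host is not in the reached set."""
    reg = TrapRegistry()
    front_key = reg.plant("frontend-config-api-key", host="frontend-01")
    reg.plant("wallet-node-rpc-key", host="wallet-01")
    events = [  # (credential presented, source IP, request) -- constructed traffic
        ("real-service-key", "10.0.0.5", "GET /api/balance"),
        (front_key, "203.0.113.7", "POST /admin/withdraw"),
    ]
    hits = [a.decoy.name for e in events if (a := reg.inspect(*e)) is not None]
    return hits, reg.hosts_reached()


if __name__ == "__main__":
    print(demo())
```

In practice the `inspect` call sits wherever credentials are validated (API gateway, RPC auth, database login), and the alert should page a human rather than just be logged, since a decoy hit is by construction never benign.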
Here’s what we know.
- The attacker gained access to an administrator account.
- The attacker did not use the reset password functionality to gain access to the administrator account.
- The administrator’s machine seems to remain uncompromised. We made this assumption because we keep a significant amount of cryptocurrency on that machine and none was taken. That was one of our honeypots.
- Based on the audit logs, the attacker bypassed the login system to access the platform. The administrator’s password remains unchanged.
- Based on what we know, the attacker does not appear to have used phishing techniques to gain access to the network.
- The attacker is most likely using a VPN, because the IP addresses associated with the intruder came from multiple geographic locations.
- We know the email address of the attacker because it was verified (necessary for withdrawals). The attacker was using a Gmail account.
- Our server patches were up to date.
- Users’ passwords were hashed with SHA-256 and stored in our database.
- Based on the honeypots set up on the different machines, we have information about the constraints the attacker is operating under. We believe the attack was confined to a single machine at this point in time.
- Based on the server logs, it seems the hacker had been probing for vulnerabilities for almost a year. If they had spent that time working a legitimate job, they would have earned more money. In fact, they would have earned more money working minimum wage for a single day than spending all this time trying to break into our platform.
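Two of the findings above come straight from audit logs: an administrator session that performed actions without ever passing through the login system, and activity for one account arriving from several geographic locations. The following is an added example of detection logic for both signals, written for this article and not taken from LocalBitcoinCash's systems. The log line format, the sample log lines and the prefix-to-country table standing in for a GeoIP lookup are all constructed.

```python
"""Audit-log checks for (1) privileged actions on a session with no recorded
login, and (2) one account active from more than one country. Log format,
sample lines and the GeoIP stand-in are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Set

# constructed format: "<iso timestamp> <event> user=<u> ip=<ip> sid=<session id>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+)$"
)

# constructed stand-in for a GeoIP database: address prefix -> country/site
GEO: Dict[str, str] = {
    "10.0.0.": "office",
    "198.51.100.": "SG",
    "203.0.113.": "DE",
    "192.0.2.": "US",
}

SAMPLE_LOG: List[str] = [  # constructed audit trail
    "2020-10-02T09:00:00 login_ok user=admin ip=10.0.0.8 sid=s1",
    "2020-10-02T09:05:10 admin_view_users user=admin ip=10.0.0.8 sid=s1",
    "2020-10-02T13:41:07 admin_view_users user=admin ip=198.51.100.23 sid=s9",
    "2020-10-02T13:42:30 admin_withdraw user=admin ip=203.0.113.7 sid=s9",
    "2020-10-02T14:00:00 login_fail user=alice ip=192.0.2.44 sid=s3",
]


def country(ip: str) -> str:
    """Longest-prefix lookup in the constructed GEO table."""
    for prefix, cc in sorted(GEO.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return cc
    return "??"


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def detect(lines: Iterable[str]) -> List[str]:
    """Return alert strings, in order: LOGIN_BYPASS alerts as they occur, then
    MULTI_GEO alerts per account after the whole log has been read."""
    alerts: List[str] = []
    authenticated: Set[str] = set()   # session ids that passed login_ok
    flagged: Set[str] = set()         # sessions already reported, to avoid repeats
    ips_by_user: Dict[str, Set[str]] = defaultdict(set)

    for e in parse(lines):
        if e["event"] == "login_ok":
            authenticated.add(e["sid"])
        elif e["event"].startswith("admin_") and e["sid"] not in authenticated:
            # privileged action on a session the login system never issued
            if e["sid"] not in flagged:
                flagged.add(e["sid"])
                alerts.append(
                    f"LOGIN_BYPASS user={e['user']} sid={e['sid']} "
                    f"ip={e['ip']} at {e['ts'].isoformat()}"
                )
        if e["event"] != "login_fail":
            # failed logins from many places are a different signal; exclude them here
            ips_by_user[e["user"]].add(e["ip"])

    for user, ips in ips_by_user.items():
        countries = {country(ip) for ip in ips}
        if len(countries) > 1:
            alerts.append(f"MULTI_GEO user={user} countries={sorted(countries)}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The bypass rule depends on the audit log recording both authentication events and privileged actions with a shared session identifier, which is exactly the correlation that let the team conclude the password was never used; the geo rule is coarse on its own (VPN users trip it too) and is best treated as a corroborating signal rather than a sole trigger.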
Based on the above information, we believe that the vulnerability is either in the front-end code (e.g. SQL injection) or that the front-end server itself was compromised.
Here are our actions moving forward.
- We will be returning the capital to our main investors for this project. They were the ones who fronted the entire operation right from the start. We are super grateful for their faith in us. We will still be working on other Bitcoin Cash projects.
- Given that Local.Bitcoin.com provides a better user experience, we recommend that everyone use it instead of LocalBitcoinCash.
- LocalBitcoinCash hasn’t been profitable since the early days, and our operation is now just breaking even (after drastic cost cutting). With recent events, the risk/reward ratio of operating the platform has shifted dramatically, and we have decided to shut down this platform by the end of October 2020 and divert users to Local.Bitcoin.com instead.
- We will continue to monitor the attacker’s activities and learn more about them. All withdrawals remain unaffected but will be closely monitored.
- We will update this article if we have more information later.