On 14 January 2019, an unknown person or group of people successfully penetrated the digital vault of a Christchurch-based cryptocurrency exchange, Cryptopia.
They stole almost $4 million in cryptocurrency assets overnight.
Over the next few days, they would come back and steal another $19 million.
In dollar terms, this would turn out to be the largest theft in New Zealand’s history by a long shot. It would rank among the world’s greatest heists of all time. And it’s all happening right now…right here.
Let’s investigate how this grand crime came to be committed, how millions were siphoned away while the police helplessly looked on, and how the theft’s fallout continues to plague victims.
Founded on frustrations
In 2013, two coders and cryptocurrency hobbyists, Rob Dawson and Adam Clark, found themselves frustrated as they tried to navigate the budding crypto world.
They sought to buy and sell coins like most enthusiasts, but the exchanges at the time were rough around the edges, poorly designed, and hard to use. So, Dawson and Clark sought to create their own exchange website that solved a lot of the issues they were facing.
From December 2013 to December 2014, they developed the site and incorporated the company, Cryptopia. It took a full year to go live because the project was a hobby…something they did in their spare time with their own spare money.
Now, realise that Clark and Dawson were far ahead of the curve when they were starting Cryptopia. Bitcoin was an obscure concept, unknown in the mainstream. There were few buyers and sellers on the market. It could be bought under US$1,000 per coin at any point before February 2017.
By launching Cryptopia when they did, they were taking a leap of faith that their hours and savings were going to a trend that would one day explode.
And explode it did.
In early 2017, after four years of hard work and disappointing activity, Cryptopia began to pick up steam as the price of bitcoin (and other cryptos) passed the US$1,000 mark…then $2,000…then $4,000 by August of that year.
The mounting popularity and abnormal returns led Clark and Dawson to quit their full-time jobs and focus entirely on the exciting growth happening on their exchange.
By Christmas, Cryptopia had exploded to nearly 50 staff and almost a million worldwide users…and the price of a bitcoin had gone from roughly US$200 when they first started work on the exchange to almost $20,000 in the days before the holiday.
A 100-bagger…but not for long.
Blazing a path forward
It’s now January 2018, and the bitcoin speculation bubble had properly burst from a peak of almost US$20,000 back to $6,000.
Granted, that price ‘floor’ was far from erasing bitcoin from the map. If you had invested in bitcoin any time before mid-October 2017…as Clark, Dawson, and hundreds of thousands of others had (including yours truly), you’d still be sitting on a sweet positive return on investment.
The bitcoin story was certainly not over.
If anything, the rapid rise to becoming a household name only set the stage for other developers to improve upon the model and launch their own ‘alt-coins’.
It was an industry renaissance.
While many speculators bought in December and sold in January (like dum dums), millions of others held fast…seeking to diversify their coin portfolio and integrate improved technology.
Cryptopia’s relatively established exchange fit the bill nicely, becoming a hub of activity for global investors…many of which did so on a professional and institutional level.
The firm continued to expand their business, adding new faces to the team and upgrading the code that gave life to the exchange. Despite the softened demand for cryptos, the exchange remained a buzzing marketplace for true-believers and stubborn investors alike.
According to Dawson, their user count exploded from 500,000 on 1 December 2017…to 1.1 million on 3 January 2018…then held steady over the next year with users at 1.4 million in January of 2019.
Interest and adoption surged during this time…and Cryptopia became a well-respected pillar of the crypto community.
A thief’s mother lode
In January of 2019, the exchange was handling almost a quarter of a billion dollars’ worth of coins.
And not just bitcoin; much of the exchange’s assets were held in other crypto like ether (Ethereum) and dozens of tokens.
These assets were held in what are called ‘wallets’…which can be equated to vault rooms in a bank.
Millions and millions of dollars…sitting in mostly unregulated ‘wallets’ designed by crypto hobbyists. What could go wrong?
As we now know, unidentified hackers targeted these wallets in the early morning of Sunday, 13 January 2018…and began draining them of their ether and tokens.
This would represent the bulk of the stolen goods…and it took just under four hours to completely empty Cryptopia’s two core ‘hot wallets’. The coins and tokens were transferred out to various wallets and exchanges around the world.
In other words, the quarter billion dollar exchange was humming along nicely at breakfast…and well-depleted by lunch.
But the hackers weren’t done yet…after draining the two main wallets, they moved on to emptying funds from over 75,000 secondary wallets (like safety deposit boxes).
This process would continue over the rest of the week…even while Dawson, Clark, the Cryptopia team, and the authorities watched on…
At 6am on Monday, the exchange announced that trading was suspended for ‘unscheduled maintenance’.
The next day, they disclosed that they had been breached…and law enforcement stepped in.
By Thursday, the rest of Cryptopia’s vulnerable funds were drained…roughly $23 million in total.
Crypto investigators Elementus worked out that the stolen funds had come from a wide array of coins and tokens…
Elementus CEO, Max Galka, noted the odd nature of the heist:
‘The lack of urgency on the part of the thieves is striking. Rather than withdrawing the funds as fast as possible, as is the case in most crypto hacks, they took their time extracting the assets over the course of nearly five days.
‘After Cryptopia discovered the hack, they watched the funds continue to flow out of their wallets for four more days, seemingly powerless to stop it. As these wallets were not smart contracts, there should have been no technical complications preventing Cryptopia from securing the funds.
‘The only plausible explanation for Cryptopia’s inaction is that they no longer had access to their own wallets.’
A painful aftermath
In the six months that have followed the now infamous heist, the exchange has completely collapsed.
Dawson and Clark, who had actually left the firm in 2018, returned to help sort out the mess. Staff returned to work. Investors were vaguely told that they might get a ‘rebate’ of sorts to compensate for their lost funds.
In March, the site partially reopened to allow users to access their accounts but not buy or sell anything.
A couple weeks later, the firm was confident enough to open up trading for a few ‘secured’ coins…and it appeared that the ship may remain afloat.
However, on 15 May, Cryptopia announced that they were moving into liquidation. The press release reads:
‘Despite the efforts of management to reduce cost and return the business to profitability, it was decided the appointment of liquidators was, in the best interests of customers, staff and other stakeholders.
‘The liquidators are focused on securing the assets for the benefit of all stakeholders. While this process and investigations take place, trading on the exchange is suspended.’
As the liquidation and investigation process goes on, many investors continue to be left in the dark on if their assets are still there, if they’ll get them back and how much of their investment will be returned.
Does this mark doom for cryptos?
For such a heist to happen so close to home, it’s logical to wonder if this will become the norm rather than the exception for the ambitious crypto space.
- Will a lack of regulation and apparent lack of protection allow for future thefts to occur?
- What sort of precedent will the Cryptopia liquidation set for other major exchanges around the world?
- For some — will I get my money back?
The scary truth is that no one knows.
We’re in the Wild West period of cryptocurrency right now…and it may disappear like the Wild West did.
Or perhaps it learns from these painful lessons and evolves. It’s not hard to thousands of coders like Dawson or Clark who are currently developing new platforms based on their negative experience with Cryptopia…just as Cryptopia was formed in response to negative experiences with earlier exchanges.
But it is clear that the future of this emerging technology will be centred on the development of security and trustworthiness.
Editor, Money Morning New Zealand