Shopin — a universal shopper profile that delivers personal shopping experiences through retailers’ apps, websites and stores — says one of its token distributors has been hacked and roughly $10 million in a variety of cryptocurrencies has been stolen.

Representatives of the platform have released the following statement:

“On Wednesday, May 30, 2018, Shopin distributed tokens to one of its leading partners in Japan, who runs a large Japanese syndicate. A few day later, her wallet was hacked, as she was not storing it in cold storage or in a hardware wallet. This is a very sad moment; the Shopin team has a lot of empathy for the situation and the wonderful Japanese people who have participated. We are investigating what can be done to help with the situation.”

Eran Eyal is the founder and CEO of Shopin. Speaking with Bitcoin Magazine, Eyal explained that the syndicate in question is a group of participants that pool their funds together to get access to better deals in TGEs and ICOs. Typically, the syndicate is represented by one or a few individuals that the group entrusts to handle funds, send them to varying projects and then distribute project tokens back to respective members.

“Usually, this is done via prima-block, which enables the participants to pool their funds into a smart contract which handles all the parameters and distribution,” he explains. “This was a methodology that we urged the Japanese syndicate head to use, but it was unheeded. Instead, the syndicate lead decided to store the funds and tokens they received in a wallet like MyEtherWallet.”

Eyal insists that executives spent weeks urging those involved to be cautious and to use only cold storage for housing tokens.

“At one stage, we even recommended other wallets for receiving the tokens and sent instructional videos,” he assures. “The only things that could have brought this to bear, in our minds, is that someone had access to the syndicate lead’s passwords, devices or mnemonic key. The actual vulnerability is the negligence of keeping this all in a hot wallet.”

The Shopin team is working extensively to get the funds back. Eyal says they’ve even tried pleading with the hacker and have offered a reward for returning the funds.

“Our tokens were distributed by an airtight smart contract and was audited by three external top-of-class firms,” he claims. “176 hackers couldn’t find bugs or flaws in our bug bounty program, so we take this matter very seriously.”

Shopin is now working with Blockseer — which tracks cryptocurrency transactions — to see if the stolen funds hit an exchange that can be locked down. Eyal says the team has left comments on various wallets informing users not to interact with the tokens, though this isn’t a fool-proof plan.

“We are investigating other technical solutions as well, such as a token swap, where all existing token holders send their tokens to a smart contract that converts the tokens into a new token, except for the stolen ones,” he says. “If our legal team and community approves this solution, we would thwart the thief, and the syndicate would get its tokens back.”

Overall, Shopin claims to have put approximately 200 hours of time into trying to locate the stolen funds.

“From a legal standpoint, Shopin’s responsibilities ended when we delivered the tokens to the syndicate and they acknowledged successful reception,” Eyal states. “However, the moral and ethical ramifications are the real issues. Shopin takes a very thoughtful and balanced approach to decisions we make as a company. We are sparing no effort in examining every solution possible.”

Stationed in Brooklyn, New York, Shopin was recently voted “Best ICO” at the North American Bitcoin Conference of 2018. It was also labeled “Best ICO and Startup” by CoinAgenda Global and given the number five “Top ICO” spot at Davos d10e.