Picking Up the Pieces: Erik Voorhees Speaks on ShapeShift Hack

Recently, popular cryptocurrency exchange ShapeShift was hacked twice. The first time, an employee was behind the theft. Then the employee, “Bob,” sold information to a second hacker, who stole from ShapeShift again. After publishing a play-by-play article on Bitcoin.com, CEO Erik Voorhees sat down with us to talk about what his company is doing in the aftermath of the attacks and to share the personal side of the ordeal.

Erik Voorhees Speaks

Voorhees discussed updates to ShapeShift’s security policies and his personal reactions to what happened during and after the two security breaches. Read the interview in its entirety below.

Bitcoin.com (BC): ShapeShift went back online very recently. Are things running smoothly so far?

Erik Voorhees (EV): So far, so good. We planned to go up this past Wednesday (20th) and we soft-launched the site the night prior. It’s amazing to see volume return immediately upon going live, without any kind of announcement or notice. It’s humbling and inspiring to realize there are people and machines out there initiating exchanges constantly. We’ll be getting other coins back on the platform over the coming days, and the hardening of our infrastructure is a continuing process.

BC: In the comments section of the article you published on Bitcoin.com, a commenter said that “your infrastructure was in really bad shape” even without a man on the inside. I think you did a pretty good job rebutting him in the comments, but would you care to elaborate on the position you took there? What actions will ShapeShift take moving forward to ensure it has more reliable security?

EV: I’ll revert to the cliché: hindsight is 20/20. We absolutely made mistakes, but that’s always easy to see when looking backward. Security is not a black and white thing, it is a process, a continual journey. When we first launched back in summer 2014, the amount of funds held in our wallets really was trivial, and did not warrant extensive security hardening.

Over time, of course, as volumes and wallets grew, we found ourselves holding enough funds that we should’ve taken a step back and realized it was time to really scrutinize our structure. That was my fault. And indeed, the biggest mistake of all was trusting an untrustworthy individual. Nothing in our system was technically “breached”… the doors were opened by someone on the inside. One of the most important lessons is to secure against those on the inside just as intensely as against those on the outside.

BC: Since we’re talking about security: will ShapeShift be changing its policies on personal computers in light of Bob installing an RDP client on an employee’s computer?

EV: Of course. Nobody steps away from a computer now without locking their screen. Keys and access are being much more compartmentalized, and 2-factor is being integrated in every possible manner, among other things.

BC: Did you feel conflicted by paying the second hacker for information? I imagine it would be difficult paying someone to tell you about how they stole from you.

EV: Not really. Ironically, exchanging money for information is a legitimate trade, and while the hacker stole from us and deserves to be punished for that (and our funds returned), the subsequent action of selling useful information is both helpful and valid. I must say it was pretty ridiculous when the hacker came back to ask us to exchange the Ethereum he stole for Bitcoin (since some of the stolen ETH was getting frozen at exchanges). Again, we were content to exchange for further information. The irony was unavoidable.

BC: When that hacker told you that Bob had done a “shitty” thing by stealing from his own employer, how did you react? It’s pretty ironic to see a thief judging the moral fiber of a fellow criminal.

EV: If I said we didn’t laugh when we saw that, I’d be lying. I have to say, while it’s unambiguously unethical (not to mention criminal) to steal from someone, there is a whole new level of sinister when that someone had trusted you and invited you into a privileged position. You know you’re probably not a good human being when even other bad human beings look down on you.

BC: Even though no ShapeShift customers were affected in the hacks, some people will be understandably apprehensive about returning to your exchange. Do you have anything to say to ease their anxiety?

EV: We’ve designed ShapeShift such that users don’t need to trust us for more than a moment during the exchange, and anyone doing the math can see there is no plausible game-theory scenario under which it would ever make sense for ShapeShift to withhold a customer order. Whether before or after this hack, that dynamic doesn’t change.

Users can trust ShapeShift in the same way they trust the retail store as they’re paying for goods. They needn’t know the cashier, nor the owners, to have considerable assurance that they can walk in and make a purchase, and walk out. Contrast this to legacy exchanges and traditional financial institutions, which do require trust, because they hold at all times a vast trove of not only customer money but private customer information, which is similarly valuable and vulnerable. ShapeShift is designed to make trustworthiness an irrelevant concept.

BC: Are you able to give us an update on the legal situation with Bob at the moment?

EV: Not at the moment, but I’m sure the story for him is just getting started.

BC: Any closing comments?

EV: With hacks of Bitcoin companies, the money aspect is generally the focus. However, it needs to be stressed that personal information is similarly valuable and shouldn’t be endangered from hacks. Suffice to say, if ShapeShift had complied with the immoral BitLicense in New York State, we would have had to extract and store private information of customers. It’s likely all such information would have been compromised in this incident.

Far from “protecting consumers,” which is much of the alleged justification for the BitLicense, such backward legislation endangers people, and should be resisted and condemned. Bitcoin, blockchains, and the mechanisms which can be designed upon them, do a far better job bringing both transparency and real consumer protection to the marketplace than do the deleterious edicts of bureaucrats.

Erik Voorhees also sat down with Bitcoin.com podcast host Zach Doty and gave a detailed description of the ordeal.

It is always sad to see such a popular entity in the Bitcoin space become the victim of an attack. Luckily, no customer funds were lost in the two ShapeShift hacks, and the team assures customers that the exchange’s security will only get better from here. Bitcoin.com will continue following this saga, providing updates on the legal fate of “Bob” as they become available.
