On the night of 4 to 5 June, according to preliminary information, the exchanger bithub.im was hacked. Over several night hours, fraudsters managed to obtain the equivalent of 70,000 USD. The threat actors acted deliberately and carefully, without revealing in any way that they had taken control of the service, thereby bypassing the monitor's automatic protection systems and the moderators' response protocols.
Sarkis Darbinyan, managing partner of the law firm Digital Rights Center, which represents the interests of the exchanger, comments on the situation:
“On the night of June 5, 2021, from 00:00 to 08:00, as a result of malicious actions by unknown persons, access to the management of the bithub.im service was illegally obtained. The cybercriminals bypassed all means of protection and notifications about security breaches, both from the side of the service and from the side of users. They were able, among other things, to disable the notifications of exchange requests sent to the exchanger administrator via Telegram, as well as completely delete all information about all exchange requests received during the above period. The bithub.im administration was forced to turn off the service at 07:00 on June 5, 2021, and immediately notify the representatives of the monitoring.”
We received the first letter from the administration of the exchanger about the hack of their resource at 7:09, after which their account on the monitor was immediately suspended from the listing to prevent the situation from worsening.
Afterwards, the representatives of the exchanger posted their statement on various resources, confirming the fact of the hack.
“Any statements, guarantees, promises, commercial proposals, as well as any information that you could have received by sending requests to bithub.im between 00.00 and 08.00 on June 5, 2021, were provided by persons who have absolutely nothing to do with the bithub.im administration. <...> If you sent funds for the exchange through the bithub.im service during this period of time, these funds were received not by the administration of the service, but by attackers,” the service representatives noted.
Soon after the incident, the administration of the monitor advised the administrator of the bithub service to contact law enforcement authorities for a prompt investigation of the incident. Meanwhile, our moderators, together with lawyers and the administrator of the hacked service, launched their own independent investigation.
Later we received confirmation from the law firm that, with their help, a report had been filed with the police demanding that an investigation of the incident be initiated, and that it has already been registered with the Ministry of Internal Affairs.
“The administration of the bithub.im service turned to the law firm Digital Rights Center (DRC) for professional assistance in connection with the incident. At the moment, we have submitted an application, which is registered in the register of reports of crimes (KUSP), and a pre-investigation check is being conducted on it. Acts committed by unidentified persons or a group of persons may fall under the signs of corpus delicti under Art. 272 of the Criminal Code of the Russian Federation (Illegal access to computer information), Art. 273 of the Criminal Code of the Russian Federation (Creation, use and distribution of malicious computer programs), as well as Art. 159.6 of the Criminal Code of the Russian Federation (Fraud in the field of computer information),” Sarkis Darbinyan comments on the situation. “Recently, such cases have become much more frequent. Therefore, it is especially important to report such incidents. Of course, law enforcement agencies are not very good at investigating such cases. Therefore, we are now helping them in every possible way and collecting evidence that will help to catch and punish the attacker.”
Although we are not to blame for what happened to the exchanger, and although legally we are not liable in such cases, we could not leave in trouble the users who have trusted our service for many years. Therefore, from the first hours after the incident, we began to negotiate on behalf of the victims with all parties to the conflict.
During the investigation, we found possible weak points in the security of the hosting and of the hacked service. Based on the data received, the mechanisms for checking suspicious operations were improved, as was the detection of abnormal behaviour for exchangers that do not operate round the clock. Recommendations for other exchangers were developed, and their owners were informed about the shortcomings of the security of the reg.ru hosting center.
As of now, neither investigation has been completed; however, on 5 August 2021, with the assistance of investors who wish to remain anonymous, we initiated the first wave of payouts. The administrator of the exchanger returned to users the funds lost as a result of the incident. The first queue consisted of those victims who provided complete, irrefutable information about their losses. As of now, 28,700 USD has been paid out, which is about half of the total amount of damage (according to preliminary data).
We would like to thank everyone who assisted in the investigation and provided us with full information, thanks to which we managed to resolve this issue faster than we expected.
Both the administration of the exchanger and we received a large number of requests with information about unpaid orders. Unfortunately, a portion of these requests contains false information, which has significantly complicated the analysis.
The second queue of payouts consists of users who have not provided all the necessary evidence but who do not raise serious suspicion. However, because among those affected there were unscrupulous users who, during the incident, claimed unjustified payments from the exchanger, resolving their cases will take more time.
Despite the partial payouts, we still face a colossal volume of work to eliminate the consequences and establish all the circumstances of the hack. The investigations are ongoing, and we need more information to objectively evaluate the responsibility of all parties to the incident. We also hope that law enforcement authorities will manage to identify the scammers and catch them.
For our part, we would like to thank all the victims for their patience and understanding. We are glad that the majority of the victims have managed to receive the funds lost as a result of the hack of the exchanger; the rest will also receive them. Our special thanks go to the lawyers of the Digital Rights Center, and specifically Sarkis Darbinyan, as their firm is acting as a mediator in this complicated situation and provides the necessary legal consultations connected with the ongoing investigation.