Last Thursday, yet another cryptocurrency exchange was hacked. Italian crypto exchange BitGrail announced it had a shortfall of 17 million Nano, each one worth $11.90 at the time of the announcement. The total value of missing coins is approx. $200M. Other cryptocurrencies were not involved. The price of Nano dropped steeply and is now trading at $9.8, according to CoinMarketCap.
The exchange immediately suspended all operations, including withdrawals and deposits. BitGrail offered its apologies to those affected and to all users for the interruption of service, saying that the hack was now under police investigation. Unlike in the recent $400M hack of Japanese exchange Coincheck, BitGrail has not yet announced whether it will restore the stolen coins from its own pockets.
Speculation is swirling that all is not as it seems, and industry insiders and journalists are even wondering if the hack may in fact be an inside job to rescue the exchange from insolvency.
Mashable reported that “The BitGrail hack is a bit more complicated” than it seems on the surface. On the day following BitGrail’s announcement, the core team of Nano developers posted their own announcement, claiming that the owner and operator of BitGrail, Francesco “The Bomber” Firano, had contacted them, suggesting they modify Nano’s ledger to cover BitGrail’s losses and accusing them of allowing double spending to occur. As Fortune reporter Frances Coppola wrote yesterday, “Cryptocurrency software typically has built-in checks to prevent this, so accusing a cryptocurrency of permitting double spending is a serious criticism of its developers.”
The Nano team hit back saying, “No double spending was detected on the ledger” and insisted there had been no technical issues related to its underlying ledger, but rather, “The problems appear to be related to BitGrail’s software”. Furthermore, while stating that it has no visibility into the BitGrail organization, the Nano core team wrote, “We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time.” They say they are “preparing all information we have on the matter, such as blockchain entries, screenshots, and chat logs, and [will be] presenting them to law enforcement”.
Firano hit back on Twitter, saying that his team would be pressing charges against the Nano team due to its “libelous announcement”, and in private correspondence that Nano shared, he accused the Nano developers of “not cooperating” with his request “to fork the chain and get xrb from burned address?” This is effectively what the Ethereum developers did in 2016 when the DAO was hacked, in order to help retrieve the funds and put an end to future thefts. Firano likely had this in mind when he made his request to Nano.
Coppola also points out that Nano may have been partially at fault due to a software update its development team did shortly before the hack, which affected all exchanges trading Nano at the time. Timestamps visible through the explorer on transactions were arbitrarily set, instead of reflecting the actual date of transactions, which may have helped prevent BitGrail’s operators from identifying suspicious transactions at that time; in which case, “the Nano devs would bear some responsibility”.
However, Coppola also says that BitGrail kept most of its funds in a “cold” (offline) wallet, and it was this wallet that was hacked, not the “hot wallet” linked to the Internet. This, along with the fact that the fraudulent withdrawals occurred on days when withdrawals from BitGrail were suspended for normal users, leads Coppola finally to suspect that the Nano theft was an inside job.
One Reddit user asked similar questions, also calling into question the veracity of BitGrail and of crypto exchange Mercatox, asking, “Why were MILLIONS worth NANO being sent from Mercatox AND Bitgrail to the SAME addresses at the SAME time while withdrawals were either frozen or closed by both exchanges?”
BitGrail users have been taking to Twitter to complain about poor performance on the exchange for some time, and the service made it harder for users to withdraw coins from their accounts, starting in December 2017. This is what leads Fortune’s Coppola to conclude that BitGrail was likely “insolvent since about last November”, and to point out that “in the cryptocurrency world, liability is unlimited”. Coppola concludes, “as so often with corporate insolvencies, the signs were there long before – for those who had eyes to see”.