Another inside job at Shapeshift cost the company nearly $1 million

Published at: Aug. 27, 2020

Following the theft and repayment of $900,000 in Bitcoin (BTC), Shapeshift is now pursuing damages in court against its former senior software engineer, Azamat Mukhiddinov. 

"There was significant time lost and legal costs associated with the clean-up," Shapeshift's chief legal officer, Veronica McGregor, told Cointelegraph, noting that customer funds were safe throughout the ordeal. "ShapeShift is non-custodial, so no customer funds were ever at risk," she said. 

Working in a high level position for Shapeshift, Mukhiddinov allegedly used his access to the exchange's backend to steal roughly 90 BTC, worth nearly $900,000 in May 2020 at the time of the theft, according to a legal complaint filed by Shapeshift on Aug. 26, 2020.

"Azamat began stealing bitcoin in November 2019 and continued until his theft was discovered on May 21, 2020," the document said. 

Mukhiddinov started his employment with Shapeshift on Sept. 4, 2018 as a senior software engineer for the company. Shapeshift gave Mukhiddinov access to much of its private and sensitive inner workings, described as "computer infrastructure" in the filing, which included aspects such as the company's software and servers.

Shapeshift tasked Mukhiddinov with overseeing its services' backend, which included fortifying its defenses against possible threats, the document detailed. Prior to the start of his employment with the company, Mukhiddinov reportedly signed documents, one of which noted that he was not to take advantage of these important private systems. 

The guidelines also specifically prohibited the employee from adding applications to the system without company consent, according to the filing. Mukhiddinov, however, put his own software in place within the system, disguised to operate unnoticed, in order to steal Bitcoin from Shapeshift.

The software allegedly exported roughly 0.5 BTC at a time into Mukhiddinov's possession, taking advantage of a security vulnerability in Shapeshift's backend.

Shapeshift's team eventually noticed the missing coins and, after an investigation led back to Mukhiddinov, they spoke with him on May 25, 2020. "Azamat admitted to installing and running the program that stole the Company’s bitcoin," the legal filing stated.

"Eventually, Azamat returned, in one form or another, all of the $900,000 in bitcoin he had stolen," the legal complaint detailed. "These payments, however, do not make ShapeShift whole for the damage caused by Azamat’s actions."

Shapeshift's claim against Mukhiddinov seeks damages for the lengthy investigation into the affair, including time and resources spent on the endeavor. The company also reportedly had to delay the release of its mobile application by several months. "The new ShapeShift mobile app launched in July," McGregor said, adding, "It is a self-custody crypto interface with integrated trading."

This is not the first occurrence of an inside job at Shapeshift. Another incident in 2016 amounted to hundreds of thousands of dollars stolen. McGregor noted no correlation between the 2016 incident and this year's affair.                    

"After the incident in 2016, we implemented significant monitoring, operational security, and procedural steps," she explained. "This work helped us catch the culprit, and we were able to retrieve all the directly stolen property."

Shapeshift has been active in the crypto space since 2013. It was founded by Erik Vorhees, who is listed by Cointelegraph as the 37th most important person in crypto and blockchain. 

Tags
Bitcoin
Fraud
Shapeshift
Related Posts
Microsoft employee sentenced to 9 years in first U.S. Bitcoin case involving tax fraud
A former Microsoft engineer has been sentenced to nine years for stealing more than $10 million in digital value from his past employer in the form of “currency stored value," or CSV, including gift cards. Volodymyr Kvashuk, a 26-year-old Ukrainian citizen residing in Washington, used the accounts and identities of his fellow employees to steal and then sell the CSV — making it appear as though his co-workers were responsible for the fraud. Kvashuk also used a Bitcoin (BTC) mixing service to further obfuscate the paper trail, telling the Internal Revenue Service that the $2.8 million worth of crypto that …
Bitcoin / Nov. 10, 2020
UK Crackdown Pulls Thousands of Crypto Scams Offline
Over the past four months, the National Cyber Security Centre, or NCSC, removed over 300,000 URLs pertaining to fake celebrity-endorsed investment opportunities. More than a half of these sites belonged to fraudulent cryptocurrency investment schemes. Per an announcement published by the NCSC on August 14, an increasing number of these scams utilized fake endorsements from national celebrities, such as Ed Sheeran and Richard Branson. This raised red flags for authorities, prompting the launch of a massive retaliatory campaign. Ciaran Martin, CEO of the NCSC, commented: “These investment scams are a striking example of the kind of methods cyber criminals are …
Bitcoin / Aug. 14, 2020
AMFEIX Threatens Users Who Share Coverage That Criticizes the Company
Last week Cointelegraph published a story about investors having difficulty getting their money back from a crypto fund called AMFEIX, which promised high-yield profits for investors who sent them Bitcoin (BTC). Our story described more than 500 pending withdrawals from users trying to get their money back, and AMFEIX’s unsatisfactory communication with those users. The company addressed its users via its official Telegram channel after the story was published, suggesting that the withdrawal delays were due to technical difficulties that had been an issue since May. It also stated that “members who show loyalty to AMFEIX will have priority” in …
Bitcoin / July 28, 2020
Crypto Firm Accused of Fraud, Duping Investor Into Buying $2 Million in Tokens
A lawsuit recently filed in a United States district court in New York claims that an investor was misled into investing $2 million dollars in the cryptocurrency MCash, a Feb. 1 court filing states. The filing alleges that the plaintiff Lijun Sun transferred $2 million to New-York based investment group Blue Ocean Capital Group, Inc. to purchase MCash tokens, stating: “Not only was the MCash Token not properly registered with the U.S. Securities and Exchange Commission (SEC), but more importantly, in connection with selling the MCash Token, Defendants made numerous misrepresentations and omissions that induced Plaintiff to invest $2 million.” …
Bitcoin / Feb. 6, 2019
FTX hacker reportedly transfers a portion of stolen funds to OKX after using Bitcoin mixer
Hackers who drained FTX and FTX USA of over $450 million worth of assets just moments after the doomed crypto exchange filed for bankruptcy on Nov. 11, continue to move assets around in an attempt to launder the money. A crypto analyst who goes by ZachXBT on Twitter alleged that the FTX hackers have transferred a portion of the stolen funds to the OKX exchange, after using the Bitcoin mixer ChipMixer. The analyst reported that at least 225 BTC — worth $4.1 million USD — has been sent to OKX so far. 1/ Myself and @bax1337 spent this past weekend …
Blockchain / Nov. 29, 2022