84.5 BTC Stolen: Verge Developer Blames CoinPouch

Published on November 9, 2017 by Cryptovest Staff

On November 21, it appears that a hacker compromised the CoinPouch wallet service and stole over 126 million Verge (XVG) coins, a privacy-centric cryptocurrency that rebranded in early 2016 from DogeCoinDark.

The stolen Verge coins were, according to CoinPouch, moved over a period of two and a half hours, to this wallet: DM5Esw71BnTdJzX1FWpNLvdnrLuCS91v4N– and haven’t been moved since.

“...for security reasons we contacted Verge’s Lead Developer Justin to set up a Verge Specific Node for Coinpouch...Justin agreed...on November 9, 2017, a user contacted us regarding missing Verge tokens...we immediately contacted Justin, and he walked us through some procedures to check the integrity of the Verge Specific Node. Based on the results of the procedures that Justin asked us to perform on the Verge Specific Node, Justin concluded it did not look like a hack...”

They followed this up with an update stating that they have requested a forensic analysis of the server which hosted the Verge node and have also reported the matter to local authorities.

However, when we got in touch with Verge developer Justin, he blamed CoinPouch, and particularly Kirk Ballouh for the security lapse. According to him, it appeared that CoinPouch does not have any dedicated technical resources and no team:

“I blame CoinPouch for the hack. I simply compiled the Verge source code, that’s it. They set up the API and connected the app. What I believe happened is that they did not secure the API at all.CoinPouch called me yesterday morning. The main guy doesn’t seem to know anything about programming and the strange thing to me was that when they called, they started talking about PR and how to make sure “we” don’t look bad. That wasn’t my concern, because this had nothing to do with Verge.I believe the API they built was connected to the daemon and was wide open. I think someone found the API and moved all the coins because it did not require a login.”

As proof of his claims, Justin also provided screenshots of conversations, which can be found here.

If true, this would mean that the hacker(s) already sold the stolen Verge coins on Bittrex, which were then bought by the person whose wallet is now being flagged.

At this point in time, there seems to be no other choice for the affected users but to wait for CoinPouch to conduct the forensic analysis and issue an update.

Verge currency is not as popular as mainstream coins, but it has a very strong, passionate community, along with an active development team, led by Justin, aka Sunerok.

At the presumed time of the hack, XVG was trading at around 70 Satoshi, down from a high of around 120 Satoshi on November 6, the expected release date of the project’s much-hyped Wraith Protocol. However, delays in the launch, attributed to miscommunication between marketing and development teams, resulted in a price slump. Currently, Verge is trading at around 67 Satoshi, with a total market cap of just over $78 million.