84.5 BTC Worth of Verge Coins Stolen, Lead Developer Blames CoinPouch
Verge coins worth 84.5 BTC were stolen from CoinPouch wallet users, and Verge developer Justin blames CoinPouch for the security lapse.
On November 21, it appears that a hacker compromised the CoinPouch wallet service and stole over 126 million coins of Verge (XVG), a privacy-centric cryptocurrency that rebranded from DogeCoinDark in early 2016.
According to CoinPouch, the stolen Verge coins were moved over a period of two and a half hours to this wallet: DM5Esw71BnTdJzX1FWpNLvdnrLuCS91v4N, and they have not been moved since.
CoinPouch issued an official statement following the hack, which seemed to insinuate that Verge’s lead developer, Justin (aka Sunerok), gave them the green light on the security of their Verge node:
“...for security reasons we contacted Verge’s Lead Developer Justin to set up a Verge Specific Node for Coinpouch...Justin agreed...on November 9, 2017, a user contacted us regarding missing Verge tokens...we immediately contacted Justin, and he walked us through some procedures to check the integrity of the Verge Specific Node. Based on the results of the procedures that Justin asked us to perform on the Verge Specific Node, Justin concluded it did not look like a hack...”
They followed this up with an update stating that they have requested a forensic analysis of the server which hosted the Verge node and have also reported the matter to local authorities.
However, when we got in touch with Verge developer Justin, he blamed CoinPouch, and particularly Kirk Ballouh, for the security lapse. According to him, it appeared that CoinPouch has no dedicated technical resources and no team:
“I blame CoinPouch for the hack. I simply compiled the Verge source code, that’s it. They set up the API and connected the app. What I believe happened is that they did not secure the API at all.
CoinPouch called me yesterday morning. The main guy doesn’t seem to know anything about programming and the strange thing to me was that when they called, they started talking about PR and how to make sure “we” don’t look bad. That wasn’t my concern, because this had nothing to do with Verge.
I believe the API they built was connected to the daemon and was wide open. I think someone found the API and moved all the coins because it did not require a login.”
As proof of his claims, Justin also provided screenshots of conversations, which can be found here.
Additionally, new information seems to suggest that the wallet address provided by CoinPouch may not belong to the hacker(s). Justin, the Verge developer, shared a message he received on Bitcointalk, in which a user claimed that the wallet belonged to him and that the Verge coins in it were neither hacked nor stolen, but were moved from Bittrex to his wallet.
“That 126138145.82999299 $XVG in the DM5Esw71BnTdJzX1FWpNLvdnrLuCS91v4N address was NOT stolen. It's my ******* address. Now I read CoinPouch is deleting transaction logs? It sounds like they are doing some kind of cover up around the other addresses and trying to use mine as a scapegoat.
Anyway, I prefer to keep my privacy, so please, take care of this **** accordingly. Why the **** did they choose my address anyway? Just because it's big?
They are pointing this away from themselves. Anyway, that's about all I can do to help. All I can say is I definitely didn't hack something. I wouldn't even know how.”
If true, this would mean that the hacker(s) had already sold the stolen Verge coins on Bittrex, which were then bought by the person whose wallet is now being flagged.
At this point in time, there seems to be no other choice for the affected users but to wait for CoinPouch to conduct the forensic analysis and issue an update.
Verge currency is not as popular as mainstream coins, but it has a very strong, passionate community, along with an active development team, led by Justin, aka Sunerok.
At the presumed time of the hack, XVG was trading at around 70 Satoshi, down from a high of around 120 Satoshi on November 6, the expected release date of the project’s much-hyped Wraith Protocol. However, delays in the launch, attributed to miscommunication between the marketing and development teams, resulted in a price slump. Currently, Verge is trading at around 67 Satoshi, with a total market cap of just over $78 million.