GateHub, the cryptocurrency wallet to stay away from!

TL;DR (Summary)

  • My account balance disappeared, a substantial amount of my crypto stolen.
  • The thief stole 9.25 ETH and 17,917 XRP. Who knows where this can go one day, to the moon!
  • I am convinced GateHub was hacked (or a system glitch) and my wallet was compromised and accessed on GateHub’s side. Yet they decide to blame me.
  • GateHub security is extremely poor (example) and their customer service is atrocious (and here).
  • GateHub does not flinch an eye to attempt to help find missing funds or investigate the breach (see below).
  • I did not have 2FA enabled, however my password is very strong and 12 characters long; not used anywhere else bar my password manager.
  • I am 100% certain my devices were not compromised, and I was not a victim of a phishing attack. I did not click on any weird GateHub URL, and had the correct one bookmarked. FYI – there were fake GateHub websites going around some time ago and I just noticed they didn’t even bother to blog about it or send their customers email notifications.
  • Historically GateHub sent me an email every time I logged in — regardless if it was from a known IP or device. I also got an email on the day the thief accessed my wallet. GateHub still allowed access with the thief’s IP address even though I did not “Allow Access” as requested by GateHub’s email, and I know for a fact my email was not hacked / compromised (see below image 1 for email). So why did GateHub allow access to my wallet from an unknown IP address without my approval?
  • I traced my funds, see this post **.
  • Do not use GateHub. Something suspicious is going on, read below.
  • I am not the only one. I know of other customers that lost 20,100, 62,500, 330,000 and 700,000 XRP to GateHub.
  • I have tremendous respect for Ripple (I would not have bought XRP if I didn’t, and I know a few Ripple employees personally) and to be clear, this is not about them — it’s about the bad practices of GateHub.

** Update (14 Dec): I know where my funds went, and no one can help me! The thief is still active and operating on the known platforms we know and love, Changelly, Poloniex and no doubt GateHub.

** Update (3 Jan): I just noticed in my account that the transactions history .csv download option renders an empty account statement… I downloaded a ‘statement’ before and I can see the history on-screen — so I am OK — but there is now no way you can download your transaction history. Something is seriously going on here!


Image 1

Lessons Learned

  • Individuals/Investors/Corporates: 1. Ensure your security is rock hard and store your crypto offline in a hardware wallet. 2. Use 2FA. 3. Trust no one.
  • Wallet Providers and Exchanges: 1. Know your risks. 2. Realise one thing, this crypto business is not some website or traditional software project. You are dealing with people’s hard earned money and investments. 3. Act like it and ensure your cyber security is hardened and business controls solid. 4. Call on experts if you need help, spend the money and do it properly. 5. Look at traditional financial services providers and learn from them in terms of security, customer service and treatment. 6. The regulators are coming, you won’t get away with this for long.

My Story

I accessed my wallet on 19 Sept 2017 at c.17:40 BST and realised my cryptocurrency is missing. Yes, GONE! Just simply not in my wallet.

I wondered immediately have I logged into the wrong account (I have two). I logged out, logged into the other one, and realised yes, my account balance is truly not there. Being an accountant, turned auditor, turned risk and regulatory specialist, you naturally are conscious of the big-bad world of cyber risk and have controls (even in your personal life, sadly!) to ensure your assets and investments are safe, safeguarded and independently verifiable in the offline world. As we know in the world of crypto, there are no paper bank statements in the post, and so I referred to my records in case I made a late night trade and forgot about it. But yes, my expected crypto balance is not reflected in my wallet.

First thing that goes through your mind, HACKED! So I check my devices for any unusual activity, thinking back could there have been an instance somebody got a hold of my credentials, also running through every possibility I can think of in my head, phishing, etc. Nothing suspicious or adverse presents itself. My password is strong, 12 characters long made up of upper case and lower case, letters, numbers and symbols. The only other place I use the password is for my password manager. In case you're wondering, no, I did not have 2FA set up, but then with a strong password it is irrelevant really. Besides up until that day GateHub sent me an email every time I logged in from any device, which strangely they stopped doing now!

Next up, I log in to my GateHub wallet, and download a statement. I could clearly see there were two unknown transactions, both on 19 Sept 2017 (15:08 BST).

The first transaction sells/exchanges all my ether (9.25 ETH/Ethereum) I owned for XRP (Ripple).

The second and last transaction then transfers all the XRP (32,000) to an unknown address (rHdNRDdqB1hSEHmPvCdnJvLU7W7oQsBGVq) leaving me with a measly 46.32 XRP.

I did not recognise these transactions which immediately put me onto my next action, I contacted GateHub Support for answers and of course restitution.


I contacted GateHub Support on 19 Sept.

GateHub Support reverted on 20 Sept. A cat and mouse game ensued with their first response being:

We suggest you to run our platform on Google Chrome browser, as it is optimised for it. This should fix your issue with wallet balance.

So I checked, and still no balance (I was on Chrome anyway). I went back to them the same day and they directed me to the Ripple XRP Charts website. Clearly this didn’t address my missing balance. So again, I went back to them on email and asked, where-are-my-coins?!

They decided to only get back to me on 25 Sept, a whole 5 days later despite me chasing them every day via email and Twitter. Keep in mind when you look at their social network handles/accounts the most pertinent items on there are customers complaining about their atrocious customer service.

As most of us crypto fanatics know, in the crypto world time is money! But I digress. This is when they ask me: i) What wallet is affected (WTF?!), ii) Was that an unauthorised transaction? iii) Could you provide us with TX Hash? So I responded to all questions, and made it clear my answer to (ii) is not unauthorised, but unknown! It is then where within 7 mins of me providing this information, that they promptly come back with this well crafted response…

We must inform you that due to irreversibility of the ripple transactions, we unfortunately can’t refund your losses.
Please consider contacting your local law enforcement authorities.
Important! We strongly advise you to take the following measures to improve the security of your GateHub account:
1) Make sure to enable the 2FA for all your GateHub accounts:
More information available here. 
Please consider enabling 2FA for the email account that you are using as GateHub login address. Contact email service provider for assistance.
2) Reset your login passphrase:
(you will have to use the recovery key, which was generated during the registration process at gatehub.net)
Make sure to generate a long, unique passphrase which has never been and never will be used anywhere except at gatehub.net. Keep it safe and never disclose it anywhere!
3) Delete the wallets that were used for unauthorised transactions as they may have been compromised:
Before you delete said wallets, make sure to create new ones which will replace the deleted ones and transfer the funds to newly created wallets. More information available here.
As mentioned above, we strongly advise you to choose a unique passphrase specifically for GateHub only. Keep it safe.
4) Access log is available in wallet settings, security sub-tab. More information available here.
5) Bookmark GateHub.net to avoid Google Ad phishing site frauds.
Follow this thread for recent security updates.
Additionally, we kindly ask you for your cooperation to help us improve the security of GateHub and ripple network. Please answer the questions below.
a) have you ever received any suspicious emails that were emulating the email from GateHub and asking for any kind of personal information related to your GateHub account? If so, please forward it to security@gatehub.net
In future, note that we only use the xxxx@gatehub.NET domain, be wary of others. We never ask for any kind of personal information (e.g. login passwords, etc.) via email. Please keep that in mind for future reference. 
On the same note, please make sure to always keep your personal information safe and secure.
b) Have you ever used or are still using any other gateways besides GateHub and Ripple trade, or any other ripple network clients using the same ripple secrets?
c) Have you ever used the same login password on a website other than gatehub.net?
d) Did you have 2FA enabled for your account at the time of the unauthorised transaction?
If you have answered positively to the questions above we urge you to change your login password and enable two-step verification.

As I said, a cat and mouse game then continued (I laid out a day-by-day plan of my intended actions) and I continuously asked where are my funds, and they continuously responded with the same line:

We advise you to report the unauthorised transaction(s) to police.
We are willing to cooperate in the investigation.
Please obtain a legal request, so that we can share required information as per our Privacy Policy (available here).

So that is where we are. My crypto still not in my wallet, and they blame me. Taking zero accountability or responsibility — not even offering an investigation into my loss — and worst of all are adamant that I report the matter to the police.


I got to work trying to figure out why did they a) have such a well crafted ‘standard’ email, b) respond so quickly, and c) who is behind GateHub.

I started digging around online and found various instances where they told users to watch out for phishing scammers. Let me be clear: I was not a victim of this, as I have their correct URL bookmarked and am very well aware of these risks.

I also launched a full blown shit-posting on Twitter to shame them and also to see if anyone else was affected. Lo and behold, there were other individuals (welcome to go through my history).

All of a sudden this post appears on their Blog on 28 Sept…

In early August 2017, GateHub discovered that a criminal had exploited a flaw in an auxiliary deposit processing service, resulting in a net loss of $5 million. This represents a small fraction of GateHub’s total volume, the overwhelming bulk of which is held in secure offline cold storage.
We would like to assure all GateHub customers that their funds are safe and no client information has been compromised. Customer balances were not affected and all transactions will be honored in full.
GateHub’s shareholders, not its customers, absorbed this loss.

Complete bullshit. Funds are safe? Customer balances not affected? Honoured in full? Customers did not absorb the loss? There is / was obviously a clear flaw or vulnerability somewhere in their infrastructure…

I dug further and found they operate from the capital of Slovenia and have a virtual office in Hatton Gardens, London, and their UK legal entity is GateHub Limited. Their statutory annual accounts are overdue! At the time of writing this by 2+ months.

I also found they decided to strike off the company dated 31 Oct. This means they are closing down the legal entity. Why you ask…?? All of the UK Companies House documents can be found here.

The directors and shareholders are quite surprising, the most notable names being:

George Frost
Greg Kidd 
Chris Larsen 
Nejc Kodric 
Damijan Merlek

I bet you these esteemed respected gentlemen are / will not be happy with the actions of the poorly qualified individual at the helm of GateHub, Enej Pungercar and co-founder Anzej Simicak.

I also searched the FCA’s register to see if they are registered as an exchange or something else, but found zero results. Clearly against good practice, and possibly illegal.


You ask how I got to hear from GateHub, and why I used them? In Apr 2017 I saw them mentioned on the Ripple website and I thought, surely a company like Ripple will not just list any wallet provider on their website…well, I was wrong!

I also saw this on their website, and thought all good!


So, what have I done so far, bar writing this stropagram?

  • I reported GateHub to the FCA, SEC and UK Fraud Office.
  • Contacted George Frost (found his telephone number on the internet). He listened to my issue and asked to email him as he’d like to hear more. See below. This went nowhere!
  • Told as many people as I could, and continue to do so on Twitter and other crypto online publications.
  • Tracing my funds on my own.
  • Still keeping faith my crypto will be returned…

UPDATE 1:

I decided to remove the communication between George Frost and me. Just for the record — this conversation went nowhere and they completely denied any wrongdoing.


UPDATE 2:

I noticed the Companies House posted on their website on 11 November the strike off action has been discontinued, with a document to follow. That either means GateHub retracted their request to dissolve (close) the company, or creditors or someone else with a vested interest objected to closing the company, either until liabilities have been settled or something else falls in place — or not at all and GateHub will continue to trade. Details to follow…


UPDATE 3:

I recently noticed the other directors of GateHub are founders and shareholders of Bitstamp. Here is an interesting article about Bitstamp from July 2015 when they got hacked and lost c.19,000 BTC (eye watering USD 209m at a BTC = USD 11k).


UPDATE 4: I have since established my ETH was sold for XRP and then all XRP drained, as opposed to previously thought where all ETH was drained (transaction a), and a separate transaction transferring XRP I did not own into my account (transaction b) before draining all XRP from my account including my own (transaction c). Disclosure: this post was edited to this effect.

I have done my own investigation, details to follow.


CALL TO ACTION:

If you have been affected by something similar by GateHub, please post below or get in touch. I’d love to hear from you.

Hopefully we can collectively take back what is ours, as well as warn those who want to do business with these scammers who clearly have no due care and respect when it comes to customer funds.