On September 26, 2019, Pablo Yabo, then Chief Technology Officer of Algo Capital GP LLC (“Algo Capital”), informed David Garcia and Arul Murugan, the Managing Partners of Algo Capital, that several wallets he administered had been compromised. The incident resulted in a theft of $1.9 million: $1.5 million of this was held in wallets owned by an Algo Capital sponsored venture capital fund (the “Fund”), and the remainder was held in other Algo Capital wallets and in Yabo’s personal wallet.
The Algo Capital team has prepared this report to provide more details of the security breach and the steps taken to mitigate further damage and remediate losses suffered by the Fund’s Limited Partners. Our goal is to openly communicate to the community at large and to positively contribute to ongoing and necessary conversations about security in our space.
Defining Algo Capital
Founded by David Garcia and Arul Murugan, Algo Capital is a financial institution focused on building modern financial products to power Algorand’s borderless economy. Our goal is to accelerate the access, adoption, and liquidity of the Algo, the native digital currency of the Algorand blockchain.
Our products include the Algo Capital VC Fund, the Algo Tracker Fund, and Special Purpose Vehicles (SPVs) that run multiple Algorand relay nodes. The Algo Capital VC Fund provides an opportunity for investors to invest in companies that are building on Algorand’s protocol or contributing to the development of the Algorand ecosystem.
Algo Capital is a separately owned entity from Algorand Inc. and Algorand Foundation.
The rest of this post will focus solely on the Algo Capital VC Fund, which suffered the effects of this incident.
Algo Capital Custodianship Overview
The majority of the Fund’s assets under management (“AUM”) are held in cold storage by Coinbase Custody, a secure, independent, and NYDFS-regulated provider of offline institutional storage. Qualified custodianship through Coinbase Custody offers a robust protection infrastructure and rigorous standards of security and control, including adherence to SOC 2 Type I financial security and controls and also insurance coverage of up to $250 million USD.
Note: 100% of the assets in the Algo Tracker Fund are held in cold storage by Coinbase Custody and were not impacted by this incident.
Fund Administration and Auditing
The Fund is professionally administered by Trident Trust, a third-party fund administrator. Trident Trust provides independent corporate, fund, and trust administration services to many of the world’s top hedge funds and private equity funds, and in 2018 Trident secured the highest rankings for global funds in an evaluation by Global Custodian magazine.
The Fund is also audited by Cohen & Co., an experienced provider of accounting, consulting and auditing services. Cohen & Co. is recognized for its technology experience and in-depth expertise providing services to the cryptocurrency and blockchain space.
The Security Breach
In the early morning hours of September 26th (UTC), a hacker or group of hackers gained access to recovery seed backup data that was kept in an encrypted file on an offline device. The recovery seed backup of the cold wallets allowed access to Algo wallets, a USDT Trezor wallet, and a BTC Trezor wallet.
The cold wallets were holding:
- Algos and Tether USDT associated with the Fund;
- Algos held by Algo Capital but unrelated to the Fund; and
- Algos and Bitcoins personally held by Yabo.
The hackers were able to access the recovery seed backup through a sophisticated remote access attack on Yabo’s mobile phone, which had evidently been compromised prior to this incident. Because of this exposure, the cold wallets effectively became hot wallets, and the hackers took control of the funds held within. At this time, Algo Capital is engaging cybersecurity forensic services to understand how the phone was compromised. Schedule A below lists all of the wallets impacted by this attack.
The impacted Fund assets had previously been held in cold wallets administered by Yabo, in accordance with Algo Capital’s security practices. However, through regrettable human error, a temporary decrypted copy of the file was left accessible, and the hackers were able to read it, obtain the recovery seed backup, and therefore reach the funds held in these wallets. A seed phrase that is decrypted, even briefly, on a device an attacker can reach is no longer protected by cold storage; encryption at rest only helps while the plaintext never touches a compromised machine.
In a short period of time, the hackers transferred the stolen Algos to a number of Binance wallets in an apparent attempt to liquidate the assets. Schedule B, below, lists all of the destination wallets involved in this incident, which Algo Capital identified as Binance deposit addresses. Algo Capital suspects that the USDT funds were also transferred to unidentified exchange deposit addresses, and was unable to identify where Yabo’s personal Bitcoins were transferred.
Algo Capital Response and Law Enforcement Involvement
Yabo immediately informed the Managing Partners of the security breach once he noticed it. He also notified local law enforcement and filed a report in his home country of Argentina.
The Managing Partners immediately informed our fund administrator, Trident Trust, which provided advice and also connected us to several key security experts. Trident is also working closely with our auditor, Cohen & Co.
We also promptly informed the Fund’s Limited Partners of the security breach, and notified the security team at Binance, which is collaborating with us and conducting its own investigation of the incident. According to Binance, all the accounts related to the incident have been quarantined.
We reported the incident to the Federal Bureau of Investigation and are working with the local Atlanta FBI office, which is investigating the case. At this point in time, the FBI is also in contact and working with the Binance security team.
In response to the incident, Yabo voluntarily chose to resign from the company, and we have accepted his resignation. He also agreed to reimburse a significant portion of the loss to the Fund. You can read his statement in his blog post here.
Reimbursing 100% of the Loss to Limited Partners and Investors
The Managing Partners of Algo Capital have committed to reimbursing 100% of the impacted funds. This reimbursement accounting will be administered by Trident Trust. Cohen & Co. is auditing the accounting to ensure full compliance in accordance with U.S. Generally Accepted Accounting Principles (GAAP).
External Support and Collaboration
In the hours and days since the incident, we have received significant counsel and support from a number of security experts within the cryptocurrency and blockchain communities. We want to give special thanks to Uri Stav, the Chief Security & Development Officer of Genesis, who spent considerable time with the Managing Partners and provided many valuable insights. We also would like to acknowledge the following individuals and organizations for their help:
- Trident Trust and its team
- Cohen & Co. and its team
- The Binance security team
- BitGo’s Chief Security Officer Tom Pageler and his team
- Brandon Caruana from Cartan Group
- The Coinbase Custody team
- Misha Hanin and Boris Heismann from DeepDive.Tech
- Eric Freeman from Cyzen, a Friedman LLP company
- The Federal Bureau of Investigation (FBI) team
There are additional security experts from other large organizations who have also helped us that we cannot name at this time. The team at Algo Capital is immeasurably grateful for the support offered by all of these parties. We look forward to continuing to work with these partners, as well as a select group of security services companies, to remedy this incident and make Algo Capital a stronger organization.
Reinforced Security Measures
Moving forward, Algo Capital is viewing this unfortunate incident as an opportunity to institute stronger security measures in our organization and contribute to the industry at large. As an immediate measure, we have moved 100% of our funds to Coinbase Custody. Coinbase also acted swiftly to create many additional cold wallets so we can have all our digital assets directly managed within Coinbase Custody.
We intend to implement enterprise-grade security and best security practices through new partnerships with best-in-class security service providers. Algo Capital is in the process of hiring DeepDive.Tech, a cyber security service company, to provide a risk assessment and an enterprise-grade security infrastructure. Our goal is to examine and redesign our existing security processes from top to bottom to find potential risk points, and to institute new processes that address these gaps. We are also looking to engage Cyzen, a Friedman LLP company and a widely recognized security and forensic auditor, to ensure that our new reinforced infrastructure meets the highest standards.
We will continue to engage with top security experts on an ongoing basis to evaluate our processes and hold our organization to the highest possible financial management standards.
We will also look to engage with the industry at large and play a key role in helping other organizations avoid what has become a serious problem in our industry. We are committed to investing resources and time to fight cybersecurity risks in blockchain.
We regret that this incident occurred and hope that through our thorough efforts to resolve the impact to our Limited Partners and to gird our infrastructure against future attacks, we will earn the trust of our investors, Limited Partners, stakeholders and the greater blockchain community.
Algo Capital is a private fund and is not required to publish these details publicly. Still, we decided to share them to demonstrate our commitment to transparency with the Algorand ecosystem and the blockchain community at large. In the coming week, Algo Capital also intends to publish a comprehensive report detailing its investment strategy, the Fund’s vision, the Algos it is holding (we are holding almost all of the Algos in the Fund) and its role in the ecosystem.
Thanks to the community for their understanding and support, and to all the people who make the industry better and safer.
David Garcia & Arul Murugan
Founders and Managing Partners
Algo Capital GP LLC
Schedule A: Wallets impacted by the attack
- Algo VC Fund wallets compromised in the attack: https://docs.google.com/spreadsheets/d/1VX_Oo_kuSAQfYxTCf9tFC6BeNut5QnB6z_hV8UNmQYQ
- Non-Algo Capital VC Fund wallets compromised in the attack: https://docs.google.com/spreadsheets/d/1GIU2COi70Uc_d0TzP1g7U2lvrR1ZtAKG3nREzWlF9q0
- Compromised wallets owned personally by Pablo Yabo: https://docs.google.com/spreadsheets/d/1i39T3n5T4CYGR3mKHc6DIivHvDOfGEMstX3_TuRS1Ps
Schedule B: Destination wallets
- Main attacker address split into multiple accounts: https://docs.google.com/spreadsheets/d/1IvvCBem3oKSnr7lB0QvnWAhQ2elOfrD3M5zPQC-kdPc
- Stolen Algos deposited into Binance accounts: https://docs.google.com/spreadsheets/d/1eGTH3fG50fVGXKk2X8xuDLbMNEk3GWCePuHKX7G9zQA
Disclaimer: Algo Capital is not related to or affiliated with Algorand Inc, Algorand LLC, Algorand Foundation, or any of their subsidiaries. The views, opinions, and communications of Algo Capital are generated independently by the General Partners of Algo Capital, and are not endorsed or approved in any way by Algorand Inc, Algorand LLC, Algorand Foundation, or any of their subsidiaries or affiliates.