Skycoin.net Hack | Incident Report
Only Trust Domains/Accounts on our TRUSTED LIST
Over the past two weeks, Skycoin has withstood a series of sophisticated cyber attacks from internal and external sources. During this time, several of our accounts have been or may have become compromised. Just to be safe, here is a list of Trusted Skycoin Accounts:
Website: https://skycoin.com (including incoming emails from @skycoin.com)
Skywire Telegram: https://t.me/Skywire
Skycoin Telegram: https://t.me/Skycoin (The pinned message lists all the other trusted Telegram channels)
Skycoin Reddit: https://www.reddit.com/r/Skycoin
Below is the TL;DR of events that transpired over the previous two weeks. Read past that for a more detailed summary.
- Skycoin.net has been hijacked. We believe the wallet build server and wallet hosting on skycoin.net may be compromised. Anyone who has downloaded wallet binaries from skycoin.net over the last two weeks is potentially at risk of losing cryptocurrencies stored on their computer.
- Skycoin.com has become the official website for Skycoin, and all data is being migrated to the new site.
- Local wallet builds from source and skycoin.com are safe. It’s only wallets downloaded from skycoin.net that may be compromised.
- The hostile takeover of skycoin.net involves terminated Skycoin employees and known criminals who appear to have worked together.
- It appears they conspired with or were coerced into participating in the attack by a group of cybercriminals known to Skycoin.
- During a series of attacks, many domains have been, or may have been, compromised. (See below for a list of currently compromised domains and accounts.)
- In response to this attack, a new publicly verifiable deterministic wallet build process is being put into place. Verified and safe wallet builds will be available on skycoin.com as soon as possible.
- We are in the process of regaining control over the compromised accounts and, with legal counsel, deciding on how to best proceed.
Details of Events:
- We have performed an emergency migration to skycoin.com until we regain complete control over the skycoin.net domain. Skycoin.net is currently under a sophisticated hijacking attempt. We have already created new accounts with new access credentials and deployed Skycoin’s web services on the new domain/servers.
- We were saving the skycoin.com domain for a relaunch announcement but were forced to use the domain early due to this incident.
- We believed that the target of this hack was the S3 bucket hosting the Skycoin wallet builds. The purpose of hacking the S3 bucket would be to potentially inject a backdoored version of the Skycoin wallet and then steal cryptocurrency wallets from any user that downloaded the corrupted builds.
- We were able to detect the unauthorized migration of the S3 bucket for skycoin.net/downloads in less than an hour after it occurred, and immediately began an internal investigation. It was quickly determined that recently dismissed employees, one of them a senior developer, were involved in the attack.
- It quickly became evident that this former developer had locked the Skycoin employees out of the company Cloudflare and Amazon AWS accounts. We also lost SSH access to most of our servers.
- We negotiated the return of control over our Cloudflare DNS; however, it was revoked again before we were able to take full control.
- Synth was locked out of his Twitter account and Skycoin employees were locked out of the Skycoin Twitter and Facebook accounts.
- This group then started to blackmail Skycoin with the stolen accounts. (We believe the blackmail attempt was due to the criminals realizing that they could not complete the backdoor injection successfully.)
- After Skycoin refused to pay the blackmailers, they switched to a mass confusion and FUD strategy, utilizing hijacked social media accounts and previously official support channels in attempts to split the community. This was likely an attempt at retribution for the former employees’ dismissal. They began to speak of perpetrating a “hardfork” of the project which we believe was just a distraction for what came next.
- The hackers used a reset of the domain's email DNS MX records to take over Skycoin HR staff email accounts and trigger password resets. They appear to have subsequently gained access to the accounts and downloaded company records, then tried to remove traces of their actions.
- They then attempted to blackmail the team again, stating that if we paid them they would stop their efforts to confuse and divide the community with FUD. Many threatening messages were sent like the one below.
After questioning staff members and investigating the hacks, we established that the level of access exceeded that of the disgruntled IT employee.
A private investigator later determined that some of the compromised passwords may have come from a hacked cell phone, which enabled the hackers to bypass two-factor authentication on some of the accounts.
Based on all the information we currently have it is our belief that:
- Several disgruntled/fired Skycoin employees were contacted by cybercriminals with a history of attempting to extort Skycoin. The ex-employees then either knowingly worked together with or were manipulated by these criminals into participating in the attack.
- It is our belief that the wallet build servers were originally the target, but due to our swift detection and response, the focus shifted to blackmail by holding company accounts hostage. Then, after failed extortion attempts, they chose to escalate by threatening violence and the release of internal messages and documents to the media.
The currently compromised accounts are as follows:
- Former homepage: https://www.skycoin.net
- Twitter: https://twitter.com/Skycoinproject
- Synth’s Twitter: https://twitter.com/NotSkycoinCEO
- Facebook: https://www.facebook.com/skycoinproject
- Facebook: https://www.facebook.com/SkycoinOfficial/?ref=br_rs
- Skycoin Support Telegram: https://t.me/skycoinsupport
- Skycoin Development Telegram: https://t.me/skycoindev
- Skycoin News Telegram: https://t.me/skycoinnews
- Youtube: https://www.youtube.com/channel/UCzLASufel2No4vSt4rudHSQ
We are investigating other accounts to determine if they need to be added to this list.
Response to the attack:
- We have migrated all servers and IT infrastructure to skycoin.com until we fully regain control over all of the stolen accounts and servers. We have already released a new, clean wallet build on skycoin.com.
- Wallets compiled from source code are not affected by the hack.
- Users who have not installed a new version of the Skycoin wallet from skycoin.net in the last two to three weeks are not affected.
- We recommend that users who installed wallets from skycoin.net in the last two to three weeks move all coins to an exchange, or install a wallet from skycoin.com (or from source code), generate a new wallet, and then move the coins to that wallet.
- The Skycoin mobile wallets (iOS/Android) do not appear to have been affected by the attack.
- We will continue to give you updates as the situation is resolved.
- We are currently pursuing all legal options against the attackers.
We are implementing a new deterministic build process:
- As part of improving our security policy, we are implementing a new deterministic build process.
- We will be publishing torrent files of the builds and automatically signed SHA256 manifests of all files in the builds, and implementing a deterministic Docker build environment with independent third-party validation of the builds before publication.
- Ideally, several developers (both internal and from the community) will have independent Docker build environments that automatically compile the source code to binaries on multiple independent computers. The purpose of this is to quickly raise an alert if there is even a single-bit difference between a validation build and the build published on skycoin.com.
- We will also be adding built-in validation of downloads from the website to automatically detect tampering.
- These measures are in addition to our existing security policies and monitoring systems, which successfully detected the current security incident automatically within an hour of it occurring.
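As an added illustration of the manifest and cross-builder comparison described above (this is example code, not Skycoin's own build tooling), the script below hashes a build's artifacts into a `sha256sum`-style manifest, signs it, compares the published manifest against the manifests produced by independent builders so that any single-bit difference raises an alert, and performs the client-side download check against the signed manifest. The artifact names, contents and the release key are constructed for the example; HMAC-SHA256 stands in for the detached release signature (GPG or Ed25519) a real release process would use, since the standard library has no asymmetric signing.

```python
"""Signed SHA256 manifests and independent-build comparison for release artifacts."""
from __future__ import annotations

import hashlib
import hmac
from pathlib import Path

# --- constructed sample build outputs (not real Skycoin release files) ---------
# "x.y.z" is a placeholder version. Two builders reproduce the release; one of
# them ends up with a single flipped bit in the wallet binary.
BIN = "skycoin-x.y.z-linux-x64/skycoin"
GOOD_BUILD = {
    BIN: b"\x7fELF...constructed-release-binary...",
    "skycoin-x.y.z-linux-x64/README.md": b"# Skycoin wallet\n",
}
TAMPERED_BUILD = dict(GOOD_BUILD)
TAMPERED_BUILD[BIN] = bytes([GOOD_BUILD[BIN][0] ^ 0x01]) + GOOD_BUILD[BIN][1:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each artifact path to the SHA256 hex digest of its contents."""
    return {path: sha256_hex(data) for path, data in files.items()}


def manifest_from_dir(root: Path) -> dict[str, str]:
    """Same as build_manifest, but over a real build output directory."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def serialize_manifest(manifest: dict[str, str]) -> bytes:
    """Canonical text form, sorted by path, in `sha256sum -c` layout."""
    return "".join(f"{digest}  {path}\n"
                   for path, digest in sorted(manifest.items())).encode()


def parse_manifest(manifest_bytes: bytes) -> dict[str, str]:
    result = {}
    for line in manifest_bytes.decode().splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")
            result[path] = digest
    return result


def sign_manifest(manifest_bytes: bytes, key: bytes) -> str:
    # HMAC stands in for the release signature; the real key would be an
    # asymmetric signing key whose public half users obtain out of band.
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_signature(manifest_bytes: bytes, sig_hex: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest_bytes, key), sig_hex)


def compare_builds(published: dict[str, str],
                   independent: dict[str, dict[str, str]]) -> list[str]:
    """One alert per discrepancy between the published manifest and each
    independent builder's manifest. Empty list means every builder reproduced
    the release bit-for-bit."""
    alerts = []
    for builder, theirs in independent.items():
        for path in sorted(set(published) | set(theirs)):
            if path not in theirs:
                alerts.append(f"{builder}: missing artifact {path}")
            elif path not in published:
                alerts.append(f"{builder}: unexpected extra artifact {path}")
            elif theirs[path] != published[path]:
                alerts.append(f"{builder}: digest mismatch for {path}")
    return alerts


def verify_download(path: str, data: bytes, manifest_bytes: bytes,
                    sig_hex: str, key: bytes) -> bool:
    """Client-side check: trust the manifest only if its signature verifies,
    then compare the downloaded file's digest against the manifest entry."""
    if not verify_signature(manifest_bytes, sig_hex, key):
        return False
    expected = parse_manifest(manifest_bytes).get(path)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(data))


if __name__ == "__main__":
    key = b"constructed-demo-release-key"
    published = build_manifest(GOOD_BUILD)
    manifest_bytes = serialize_manifest(published)
    sig = sign_manifest(manifest_bytes, key)
    independent = {"builder-a": build_manifest(GOOD_BUILD),
                   "builder-b": build_manifest(TAMPERED_BUILD)}
    for alert in compare_builds(published, independent):
        print("ALERT:", alert)
    print("good download ok:", verify_download(BIN, GOOD_BUILD[BIN], manifest_bytes, sig, key))
    print("tampered download ok:", verify_download(BIN, TAMPERED_BUILD[BIN], manifest_bytes, sig, key))
```

The manifest is written in the two-space `sha256sum` layout so users can also check a download with `sha256sum -c` after verifying the signature themselves; the signature must be checked before the manifest is consulted, because an attacker who controls the download host can replace the manifest along with the binaries.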
The silver lining from this hacking and extortion attempt is that our existing security policies performed well and we were able to minimize any possible damages. Without the early detection and our security protocols in place, the situation could have been significantly more severe. We are also now evaluating all of our security measures and tightening where appropriate so that we might prevent this type of attack in the future.
This was not the action of one person; it was an organized group working together to steal, defame, and extort the Skycoin company and team.
Everyone involved has been identified and, due to the severity of the crimes committed, is likely to be held accountable for them.
We ask that you please be patient as we work through this situation. If you have any questions please consult the TRUSTED sources listed at the top of this article. We will regain the compromised company accounts soon. It is just a matter of consulting lawyers and law enforcement agencies to determine how and when we will be able to recover them.
Thanks to the Skyfleet for their continued support. Part of what makes Skycoin so great is the amazing community, which is something hackers and criminals can never take away!