Coinsecure's search for stolen bitcoins begins, writes to 42 exchanges

Firm ropes in US-based blockchain investigative firm Chainalysis to track the movement

Delhi-based cryptocurrency exchange Coinsecure's search for stolen bitcoins has begun. The firm has written to 42 global exchanges and roped in US-based blockchain investigative firm Chainalysis to track the movement.

Last week, Coinsecure reported to the police 438 bitcoins worth Rs 190 million were siphoned off to an unknown address on the internet, blaming one of its top executives for the heist.

Chief Executive Officer Mohit Kalra told Business Standard almost 90 per cent of the exchange’s bitcoins were stolen, as all the private keys — the password keeping the virtual wallets secure — were shared online. The cryptocurrency exchange had around 500 bitcoins.

"We are expecting an audit report from Chainalysis on Monday that will help us in tracing the funds," Kalra said, adding the company is also in touch with firms that had helped recover stolen cryptocurrency from global exchanges, such as Mt. Gox, Pocket Bits and Bitfinex, which reported similar incidents in the past.

The exchange can only offer refund to its 200,000 customers in cash and not in bitcoins since no legal framework is in place on cryptocurrencies in India at present. Since Coinsecure managed to secure 10 per cent of the bitcoins, it will refund 90 per cent in cash and the remaining value of bitcoins.

Initial audit reports suggest the bitcoins might have found their way into the 'dark web' or the hacker might have used tools, such as coinmixer, to avoid detection of the bitcoins on blockchain. All cryptocurrency transactions are traceable along the blockchain — a technology that drives the virtual currencies. However, a few firms offer a bitcoin mixing service and charge a premium to make the transactions private.

Even as experts have argued that sharing private keys with a third party makes recovery impossible, Kalra offered some hope. "We know the address to which the bitcoins were transferred. We have alerted the exchanges and the moment there is a transaction that takes place through those bitcoin addresses, including trading of cryptocurrency and withdrawing cash, we will get to know. If a hacker is trying to exchange or spend the bitcoin legally, we will be informed."

Coinsecure issued a detailed statement on Saturday, listing the sequence of events since Monday when the bitcoin was stolen from its own virtual wallet to an unknown destination. The private keys of Coinsecure's wallet - supposed to be kept in offline mode - were leaked online and the company has blamed its chief scientific officer, (CSO) Amitabh Saxena. Coinsecure said only two executives -CEO Kalra and CSO Saxena had access to the private key. The alleged theft took place when Saxena was following some technical process, known as extraction, related to cryptocurrencies. Saxena, on the other hand, had informed the management the system he was working on was hacked.

"The private key is supposed to be kept in the cold storage i.e. offline mode. We always do it that way. The private keys are not meant to be accessed while you are online, as a safeguard measure," a chief executive of a cryptocurrency exchange in India said.

"This is the first time our private keys were exposed to the online world," Kalra said.

Coinsure has announced a bounty of Rs 19 million - 10 per cent of the bitcoins stolen - for recovery. After the incident came to light, Coinsecure shut its website. It will soon go online again after securing a go-ahead from the authorities, the company informed customers.

Coinsecure has promised to fully refund to 200,000 customers, irrespective of funds being recovered. "If recovery of siphoned BTC is not possible, we will apply the lock-in rates as of April 9. Ten per cent of the coin holding balance will be refunded in BTC and 90 per cent will be returned in rupees," Coinsecure said on Saturday.

Experts say cryptocurrency after the private key is shared with a third party is extremely difficult. "The private key must remain secret at all times because revealing it to third parties is equivalent to giving them control over bitcoin secured by that key. The private key must also be backed up and protected from accidental loss because if it's lost, it cannot be recovered and the funds secured by it are forever lost, too," Bitcoin expert Andreas M Antonopoulos said in his book 'Mastering Bitcoin: Unlocking Digital Cryptocurrencies.'