Cryptocurrency exchange BTC-Alpha suffered a ransomware attack earlier this month, and the company's founder has blamed a competitor.
Reports of a potential attack surfaced last week when threat intelligence firm DarkTracer posted a screenshot to Twitter of a public leak site operated by the Lockbit ransomware group that claimed to have encrypted BTC-Alpha's data. Lockbit threatened to leak the stolen data if a ransom was not paid by Dec. 1. That same day, a press release on PRLeap from Alpha founder and CEO Vitalii Bodnar alleged the attack was the work of a competing cryptocurrency firm.
BTC-Alpha did not issue a public statement on its website.
In a Telegram chat with SearchSecurity, BTC-Alpha confirmed it was "hacked in the beginning of November" and that work at the U.K.-based cryptocurrency platform had already resumed. When asked about the PR Leap statement from Bodnar, Alpha told SearchSecurity that "Vitalii Bodnar feels like a competitor was responsible for the attack."
Though the company did not reveal which competitor it believes is behind the attack, further information on the incident was provided on the official Telegram channel of the exchange.
BTC-Alpha attack timeline
On November 1, Alpha's five-year anniversary, the cryptocurrency exchange alerted customers and partners through Telegram that technical maintenance was completed in the company's Velarium network. It is unclear if that was related to the attack, but three days later, the exchange issued another alert that it had "found all the vulnerabilities that made a hack possible." According to that alert, all funds were "safe and secure" and it estimated that the exchange would be back up in four to five business days.
[ALERT] LockBit ransomware gang has announced "Cryptocurrency Exchange" on the victim list. pic.twitter.com/pA2bh1Vmte— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) November 17, 2021
However, in an update just hours later after "re-evaluating the readiness for safe resumption," the estimated downtime increased to up to 10 days. On November 16, a new Telegram message announced that the BTC-Alpha website was back, though the app remained down through the 20th.
In a separate Telegram post, BTC-Alpha referred to the incident as an "unsuccessful hacker attack." In the statement on PRLeap, Bodnar said cybercriminals tried to steal funds but "failed," and that after the attempted theft, he received threats of violence from anonymous individuals.
"These are the methods of our competitors, with whom we refused to cooperate and add their coins to our platform. They launch their exchange and on the same day there is a massive attack on us. I don't believe in coincidences like that," Bodnar said in the press release.
Bodnar said although hashed passwords were compromised, users' balances were not impacted and the company lost no money. However, users voiced concerns such as not being able to log into accounts using multifactor authentication and not being able to withdraw funds.
Once normal operations resumed, BTC-Alpha recommended a number of steps for users to take. That included updating the app, verifying the accounts and confirming the verification when withdrawing funds, as well as creating new API keys because the old ones were deleted.
In a video posted to Telegram, Bodnar said all users of BTC-Alpha will be "forced to use two-factor authentication" (2FA), which is now mandatory. Additionally, he said Alpha strongly recommends not using a former password because they "find it as compromised."
The U.S. government has been cracking down on cryptocurrency exchanges recently in an attempt to fight back against ransomware gangs, which rely on exchanges and mixers to move and hide ransom payments. For example, sanctions were issued against another exchange, Suex, in September.
While it does not appear common for cryptocurrency exchanges to be the victims of a ransomware attack, Emsisoft threat analyst Brett Callow said this is not the first instance. Callow also said many questions around the BTC-Alpha case remain, including whether file-encrypting ransomware was deployed and what types and quantities of data were stolen.