Another inside job at Shapeshift cost the company nearly $1 million
An employee allegedly used his credentials at Shapeshift to steal from the company.
Following the theft and repayment of $900,000 in Bitcoin (BTC), Shapeshift is now pursuing damages in court against its former senior software engineer, Azamat Mukhiddinov.
“There was significant time lost and legal costs associated with the clean-up,” Shapeshift’s chief legal officer, Veronica McGregor, told Cointelegraph, noting that customer funds were safe throughout the ordeal. “ShapeShift is non-custodial, so no customer funds were ever at risk,” she said.
Working in a high-level position at Shapeshift, Mukhiddinov allegedly used his access to the exchange’s backend to steal roughly 90 BTC, worth nearly $900,000 in May 2020, at the time of the theft, according to a legal complaint filed by Shapeshift on Aug. 26, 2020.
“Azamat began stealing bitcoin in November 2019 and continued until his theft was discovered on May 21, 2020,” the document said.
Mukhiddinov started his employment with Shapeshift on Sept. 4, 2018 as a senior software engineer for the company. Shapeshift gave Mukhiddinov access to much of its private and sensitive inner workings, described as “computer infrastructure” in the filing, which included aspects such as the company’s software and servers.
Shapeshift tasked Mukhiddinov with overseeing its services’ backend, which included fortifying its defenses against possible threats, the document detailed. Prior to the start of his employment with the company, Mukhiddinov reportedly signed documents, one of which noted that he was not to take advantage of these important private systems.
The guidelines also specifically prohibited the employee from adding applications to the system without company consent, according to the filing. Mukhiddinov, however, put his own software in place within the system, disguised to operate unnoticed, in order to steal Bitcoin from Shapeshift.
The software allegedly exported roughly 0.5 BTC at a time into Mukhiddinov’s possession, taking advantage of a security vulnerability in Shapeshift’s backend.
Shapeshift’s team eventually noticed the missing coins and, after an investigation led back to Mukhiddinov, they spoke with him on May 25, 2020. “Azamat admitted to installing and running the program that stole the Company’s bitcoin,” the legal filing stated.
“Eventually, Azamat returned, in one form or another, all of the $900,000 in bitcoin he had stolen,” the legal complaint detailed. “These payments, however, do not make ShapeShift whole for the damage caused by Azamat’s actions.”
Shapeshift’s claim against Mukhiddinov seeks damages for the lengthy investigation into the affair, including time and resources spent on the endeavor. The company also reportedly had to delay the release of its mobile application by several months. “The new ShapeShift mobile app launched in July,” McGregor said, adding, “It is a self-custody crypto interface with integrated trading.”
This is not the first occurrence of an inside job at Shapeshift. Another incident in 2016 amounted to hundreds of thousands of dollars stolen. McGregor noted no correlation between the 2016 incident and this year’s affair.
“After the incident in 2016, we implemented significant monitoring, operational security, and procedural steps,” she explained. “This work helped us catch the culprit, and we were able to retrieve all the directly stolen property.”
Shapeshift has been active in the crypto space since 2013. It was founded by Erik Voorhees, who is listed by Cointelegraph as the 37th most important person in crypto and blockchain.