The Cashaa Hack: Investigators Stay Silent as Inside Job Rumors Emerge

As 336 BTC get stolen from crypto-friendly bank Cashaa, there is still no clear explanation for what happened.

On July 11, fraudsters hacked into digital payment platform Cashaa’s over-the-counter desk, which serves Indian customers, and stole 336 Bitcoin (BTC), worth approximately $3.1 million. Although Cashaa stated that no users were affected by the hack, it did put a hard stop on all crypto-related transactions for 24 hours to understand the incident better.

Cashaa is a United Kingdom-based crypto-friendly bank that deals in Bitcoin OTC operations and works with major traditional and crypto exchanges in India. According to an official statement, the incident involved an OTC transaction manager based in East Delhi, India, whose personal computer was infected with malware. Kumar Gaurav, founder and CEO of Cashaa, revealed to Cointelegraph more details on the circumstances that led to the incident:

“On 8th July 2020, the employee had reported a machine malfunction with the computer provided to him by the company. Hence, he requested to operate from his personal computer to set up multiple alternative online wallets on various platforms like Blockchain.com, Huobi etc. We made an exception and allowed him to do so, keeping ‘customer experience’ in mind for the ongoing OTC deals/transactions.”

The circumstances leading to the hack

Cashaa presumes that malware was installed on the employee’s personal computer, which was linked to the system used to carry out exchange transactions. The targeted wallet was one that Cashaa used on Blockchain.com for Bitcoin transactions. Gaurav added that, following the incident, the compromised device has been in the custody of the company’s investigation team, with the employee suspended until the end of the investigation. Discussing further the methods used to break into the Cashaa ecosystem, Gaurav revealed:

“Hackers got the control of our employee’s computer with active sessions opened in the browser. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used.”

The firm states that it has filed an incident report with the Cyber Crime division of the Delhi Crime Bureau. Cashaa also shared the Bitcoin wallet address of the hacker in a tweet, tagging the major exchanges, namely WazirX, Binance, CoinDCX and Bitbns, and urging them to monitor all transactions related to the address and to other wallets that have transacted with it since the incident.

Aftermath

Immediately after the incident, Cashaa called a board meeting to decide whether the company would absorb all the losses and how such incidents can be avoided in the future. Cointelegraph discussed the outcome of this board meeting with Gaurav, who stated that an announcement will be made soon, adding: “This is a country-specific incident and hence the management of that subsidiary (Cashaa India OTC) will come up with some deliverables including standards of future operations, security and client relations.”

It would be essential for the firm to account for and absorb these losses within its own ecosystem, as hacks like these usually remain unsolved. However, top executives from exchanges including ZebPay, WazirX, CoinDCX and Bitbns have shown their support for Cashaa on Twitter, assuring the company that they will take all the necessary precautions to block the movement of those funds if they can be traced.

Gaurav acknowledged this support and commented further on the possibility of recovery referring to the Upbit hack: “All our partners and customers have joined together to give out a strong message to hackers that cashing out hacked Bitcoin is not going to be easy.” He went on to add that many exchanges have “blacklisted the hacker’s address.” 

Community wary of such hacks

Amid several allegations on Twitter that the hack looked like a fraudulent exit scam, which even raised questions about the company’s CAS currency, a source who chose to remain anonymous told Cointelegraph that the theft is believed to have been an inside job carried out by a high-ranking executive of the bank. Cointelegraph discussed this possibility with Daniel Worsley, a co-founder and the chief operating officer of LocalCoinSwap — a peer-to-peer cryptocurrency marketplace — who stated:

“It is definitely plausible that this could be an inside hack. Cashaa will now begin an internal investigative process to try and determine how the malware ended up on the computer and who had access to the wallet that was breached.”

It is also important to note that the 336 BTC were held in a hot wallet without multisignature protection, which seems highly odd for a firm with payments expertise. More than a week after the hack, and despite having the affected computer in its possession, Cashaa still hasn’t announced what caused the attack. Cointelegraph discussed the specifics with Sidharth Sogani, the founder and CEO of CREBACO — a crypto research and analytics firm — who revealed:

“The funds were on a single-signature legacy hot wallet, which is not apt for an exchange. The funds were moved to legacy wallets as well, usually planned hackers don’t use legacy anymore, they use bech32 as it’s faster, definitely the hack wasn’t done by a hacker, but someone naive on the tech.”
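Sogani’s remark above turns on the format of the addresses the funds were moved to: legacy base58check addresses (starting with 1 or 3) versus native SegWit bech32 addresses (starting with bc1). The following Python script is an added example, not code from the article or from Cashaa: it validates a Bitcoin address’s checksum and classifies its format, the kind of quick triage an investigator does on the destination addresses of a theft before tagging exchanges. The sample addresses are constructed from public test vectors (the genesis-block address and the BIP173 example), not addresses from the Cashaa incident.

```python
"""Classify a Bitcoin address as legacy (base58check) or native SegWit (bech32).

Added example for illustration; not code from the article or from Cashaa.
The sample addresses below are public test vectors, not incident addresses.
"""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def b58check_decode(s: str):
    """Return version||payload if the 4-byte double-SHA256 checksum holds, else None."""
    n = 0
    for ch in s:
        i = B58.find(ch)
        if i < 0:
            return None  # character outside the base58 alphabet
        n = n * 58 + i
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # leading '1's encode zero bytes
    if len(raw) < 5 or _sha256d(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[:-4]


def _bech32_polymod(values):
    """BIP173 BCH checksum over 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def bech32_decode(addr: str):
    """BIP173 decode: returns (hrp, 5-bit data without checksum) or (None, None)."""
    if addr.lower() != addr and addr.upper() != addr:
        return None, None  # mixed case is forbidden
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None, None
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32 for c in body):
        return None, None
    data = [BECH32.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if _bech32_polymod(hrp_exp + data) != 1:
        return None, None  # checksum mismatch (typo or tampering)
    return hrp, data[:-6]


def _convertbits(data, frombits, tobits):
    """Regroup bits (5 -> 8 here) with the strict zero-padding rule of BIP173."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or (acc << (tobits - bits)) & maxv:
        return None
    return bytes(out)


def classify_address(addr: str):
    """Return (format, hash_hex) for a valid mainnet address, or None if it fails validation."""
    hrp, data = bech32_decode(addr)
    if hrp is not None:
        if hrp != "bc" or not data:
            return None
        version, program = data[0], _convertbits(data[1:], 5, 8)
        if version == 0 and program is not None and len(program) in (20, 32):
            fmt = "bech32-p2wpkh" if len(program) == 20 else "bech32-p2wsh"
            return (fmt, program.hex())
        return None
    payload = b58check_decode(addr)
    if payload is not None and len(payload) == 21:
        if payload[0] == 0x00:
            return ("legacy-p2pkh", payload[1:].hex())
        if payload[0] == 0x05:
            return ("legacy-p2sh", payload[1:].hex())
    return None


# Constructed sample inputs: public test vectors, not addresses from the incident.
SAMPLES = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",          # genesis-block P2PKH (legacy)
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 P2WPKH example
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",  # last character altered: checksum fails
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a, "->", classify_address(a))
```

Run it on a list of destination addresses from a transaction trace: a bech32 result means the receiver used native SegWit, a legacy-* result means base58check, and None means the string is not a valid mainnet address at all and should not be passed on to exchanges for blacklisting.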

Pointing out that the way the funds were stored was also a breach of common practice, Sogani further stated: “As per CREBACO benchmarks, any digital assets exchange having more than 100 BTC must have an HSM in place to protect the funds.” When Cashaa was asked about the possibility of this being an inside job, the company wasn’t able to state with confidence that it wasn’t. Gaurav stated:

“It does not seem like an insider job. The investigating cybercrime company hasn’t given us a hint in that direction. Besides that, we cannot be sure of anything till the time those ‘hacked Bitcoins’ are encashed and the trail ends at an eventual beneficiary.”

Possibilities under proper regulation

As this hack affected Cashaa’s Indian entity, where there is little or no regulation around cryptocurrencies, there is no regulatory body that can step in to resolve the issue and help recover the lost funds. Worsley opined on the matter:

“I believe that regulation could help to reduce the risk of hacks like this. Alternatively, users can keep themselves safe by using decentralized exchanges where they are in control of their funds and private cryptographic keys throughout the trading and asset storage processes.”

For a perspective on ecosystem security, Cointelegraph reached out to Javvad Malik, a security awareness advocate at KnowBe4 — a security awareness training platform. Elaborating on the systems that crypto platforms could adopt from traditional banks, he said:

“Even without regulations, though, cryptocurrency exchanges should look to implement stringent safeguards across processes, technologies and people to reduce the likelihood of fraud or theft. This would mean having controls similar to those of traditional banks, such as multi-factor authentication, segregation of duties, segregated systems and user awareness training, threat detection controls and response capabilities, to name a few.”

Regardless of the regulatory situation, Worsley feels that this hack could have been avoided if Cashaa hadn’t been using Blockchain.com’s wallet — a third-party wallet — to manage its funds. He further commented: “Many of the most reputable exchanges utilize hardware wallets or hardware security modules to store and handle the crypto assets under management. Although no system is 100% secure, one set up like this would be much harder to breach.”

Insider job or not, such hacks do not bode well for the overall reputation of the crypto sector in the minds of investors and governing bodies alike. This is especially true in a country like India, where regulators have only started to understand the nuances of crypto and blockchain technologies.