Crypto firm ShapeShift filed a civil action against a former employee of its engineering team who allegedly stole over 90 Bitcoin from company accounts, court documents show.
Employee steals Bitcoin over six months
Azamat Mukhiddinov, a former senior software engineer hired by ShapeShift in August 2018, was accused by his ex-employer of having installed an illicit program that siphoned off Bitcoin from ShapeShift’s corporate accounts to an external, private wallet.
The thefts took place between November 2019 and May 2020, documents said. Azamat made off with 90 Bitcoin during that time but was caught after ShapeShift used “a tremendous amount of its internal and external resources” to identify the culprit.
Azamat was finally confronted by ShapeShift on May 25 and reportedly admitted to the theft. However, he confessed to having already spent some of the stolen Bitcoin and converted it to US dollars.
“Eventually, Azamat returned, in one form or another, all of the $900,000 in bitcoin he had stolen,” said ShapeShift.
With the funds returned, the company is now seeking restitution for the costs it incurred in tracking Azamat down. ShapeShift said its employees had to rewrite code, secure ShapeShift’s software, and “undertake thorough remediation of the Company’s computer networks, software, and infrastructure,” justifying the amount sought.
The firm said:
“In total, ShapeShift’s costs and expenses relating to the investigation of Azamat’s theft and the repair of its effects totaled tens of thousands of dollars, if not more.”
Security expert weighs in
Jonathan “Duke” Leto, the founder of privacy protocol Hush and a software security engineer, told CryptoSlate that an employee stealing 0.5 Bitcoin daily for months was a red flag that should have been caught at the first instance.
The most senior tech people in your organization can install malware as easily as protect from it.
How can you ensure employees won’t steal all the #bitcoin? @ShapeShift_io was taking duffle bags of cash as repayment?
Not your keys, not your coins. https://t.co/NnwMjX4imm pic.twitter.com/kACokZaWCl
— Duke Leto (@dukeleto) August 27, 2020
In a note to CryptoSlate, he added that the crime showed ShapeShift had “very little backend monitoring because Azamat was stealing Bitcoin every day for months,” and that the firm was lucky to find the culprit before he “emptied all their funds and disappeared.”
Meanwhile, Erik Voorhees, the founder of ShapeShift, responded to Leto’s comments, confirming that all user funds on ShapeShift are stored in non-custodial wallets and that this security feature is implemented by design.
thanks for the update, and agreed, non-custodial services are the only way! Setting aside *user funds* were not at risk, obviously controls for employees to steal *company* funds were sub-optimal and I am sure being greatly increased as we speak
— Duke Leto (@dukeleto) August 28, 2020
At press time, the case is ongoing.
(Author’s note: Any additional comments from Erik Voorhees will be added to the story.)