Head of Hacked Bitcoin Exchange Pleads Guilty to US Charges

After Theft of 6,000 Bitcoins, Jon Montroll Obstructed FBI's Investigation

Cryptocurrency exchanges remain all too easy to hack, often leading to users losing their cryptocurrency and exchanges potentially facing bankruptcy. Operators of cryptocurrency exchanges, however, should never compound the problem by attempting to cover up when they've been hacked and suffered losses.

That's one obvious takeaway based on the criminal indictment of Jon E. Montroll, 37, of Saginaw, Texas, who from December 2012 to November 2013 operated two online bitcoin services: WeExchange and BitFunder. WeExchange was a bitcoin depository and exchange service, while BitFunder was a platform that listed virtual shares for various entities, which users could buy and sell via WeExchange, where all of the BitFunder assets were exclusively stored.

On Monday, Montroll pleaded guilty in federal court before U.S. District Judge Richard M. Berman to one count of securities fraud and one count of obstruction of justice. Each charge carries a maximum penalty of 20 years imprisonment.

As part of his plea, Montroll admitted to failing to disclose to investors that hackers were able to exploit a flaw in the BitFunder code to withdraw about 6,000 bitcoins - at the time, worth about $560,000 - from WeExchange between July 28, 2013, and Aug. 27, 2013. He also admitted to later lying to investigators.

Just two weeks prior to the hack, Montroll had begun to promote a security he called "Ukyo.Loan," which, according to court documents, he marketed as "a sort of round-about investment" in BitFunder and WeExchange, while also referring to it as "a personal loan" that was "for private investment purposes." He also reportedly promised that anyone who invested in Ukyo.Loan would receive daily interest based on the value of their investment and promised that all shares could be "redeemed at face value anytime upon request."

After BitFunder was hacked, however, investigators say that "BitFunder and WeExchange lacked the bitcoins necessary to cover what Montroll owed to users," including Ukyo.Loan participants.

Nevertheless, authorities say Ukyo.Loan raised a further 978 bitcoins after BitFunder was hacked.

Guilty Plea

Montroll also pleaded guilty to defrauding investors following the launch of BitFunder in 2012 by taking bitcoins that users had deposited into WeExchange, withdrawing them in dollars and then using them on personal expenses "such as travel and groceries," according to court documents.

His case was investigated first by the U.S. Securities and Exchange Commission, which previously filed civil charges against him in a separate action, as well as by the FBI.

The SEC alleges that Montroll "operated BitFunder as an unregistered online securities exchange and defrauded exchange users by misappropriating their bitcoins and failing to disclose a cyberattack on BitFunder's system that resulted in the theft of more than 6,000 bitcoins," according to a March litigation release from the regulator. "The SEC also alleges that Montroll sold unregistered securities that purported to be investments in the exchange and misappropriated funds from that investment as well."

Montroll advertised BitFunder online as a way for bitcoin holders to put their dormant cryptocurrency to work, earning interest and dividends. (Source: Indictment)

"Jon Montroll deceived his investors and then attempted to deceive the SEC," says Manhattan U.S. Attorney Geoffrey S. Berman. "He repeatedly lied during sworn testimony and misled SEC staff to avoid taking responsibility for the loss of thousands of his customers' bitcoins."

Hacked Exchanges Often Face Bankruptcy

Other cryptocurrency exchange operators have also found themselves short of the funds they need to keep operating following a hack attack. One of the most famous examples dates from 2014, when Tokyo-based exchange Mt. Gox dramatically shuttered after its CEO, Mark Karpeles, said that a hacker had exploited "weaknesses in our system" to steal 850,000 bitcoins, then worth about $480 million, as well as $28 million in cash from the exchange's bank accounts. Karpeles quickly declared bankruptcy, and Japanese authorities launched an investigation (see Greece Will Send Russian Cybercrime Suspect to France).

Unlike Karpeles, however, Montroll chose to not declare bankruptcy.

Meanwhile, the SEC's New York office launched an investigation into the hack attack against BitFunder.

According to court documents, Montroll - in sworn testimony - twice lied to SEC investigators about when he discovered that BitFunder had been hacked. In addition, "during the course of the investigation, Montroll provided the SEC with a falsified screenshot purportedly documenting, among other things, the total number of bitcoins available to BitFunder users in the WeExchange Wallet as of Oct. 13, 2013."

Exchange Hacks Continue

Last month, two different exchanges - Coinrail and Bithumb - in South Korea reported that they'd fallen victim to hack attacks.

Coinrail, a relatively small exchange based in Seoul, said on June 10 it had lost 30 percent of all of the cryptocurrency tokens - or coins - it was storing, but said it had successfully frozen two-thirds of the missing coins and hoped they could be recovered. Some industry watchers estimated that the stolen coins had been worth $50 million (see Coinrail Cryptocurrency Exchange in South Korea Hacked).

On June 20, Seoul-based Bithumb reported that hackers had stolen about $31 million in cryptocurrency that it was storing.

All figures in South Korean won. (Source: Bithumb)

Subsequently, however, Bithumb revised its estimate of losses to 18.9 billion South Korean won ($16.8 million). The exchange promised to cover the losses via its cold wallet, which is an offline cryptocurrency repository.

Investors, Regulators Eye ICOs

Compared to Montroll's Ukyo.Loan offering in 2013, in recent years investors' fervor has largely shifted to initial coin offerings, or ICOs, which attempt to raise funds for new cryptocurrency ventures. Many of these virtual currencies tie into the blockchain called Ethereum.

Last year, ICOs raised at least $3.9 billion, according to CoinSchedule, which tracks a subset of all ICOs. The first half of this year has already exceeded that amount by a factor of four, with ICOs having raised more than $16 billion, CoinSchedule reports.

As the ICO craze has continued, the SEC has begun taking a closer look, including bringing enforcement actions against some operators. The regulator continues to warn that ICOs must comply with federal securities laws, and has cautioned investors to be wary of fraudsters (see SEC Reportedly Launches Cryptocurrency Probe).


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.