Verge coins stolen from CoinPouch wallet: CoinPouch Statement on stolen Verge XVG coins

verge hack

A specific node that was used by CoinPouch wallet was hacked and due to that, millions of Verge (XVG) coins were stolen. Hacker routed the coins through affected node and stole the coins. The Verge was added back in August 2017 when Coinpouch asked its users what crypto they would like to add next. It is very important to note that it was most likely a node that was setup to process Verge as connected to Coinpouch that was hacked. This does not mean Verge was hacked nor does it mean Coinpouch was hacked. At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred.

Here is the official statement:

At that time, all coins on Coinpouch were (and all non-Verge coins still are), connected to Blockcypher nodes.  Blockcypher does not carry Verge.  Accordingly, for security reasons we contacted Verge’s Lead Developer Justin to set up a Verge Specific Node for Coinpouch so that we could accommodate Verge XVG in Coinpouch.  Justin agreed to set up the Verge Specific Node for Coinpouch and we rented the necessary server at Vultr to host the node.

On November 9, 2017, a user contacted us regarding missing Verge tokens from his Coinpouch wallet.  We immediately contacted Justin, and he walked us through some procedures to check the integrity of the Verge Specific Node.  Based on the results of the procedures that Justin asked us to perform on the Verge Specific Node, Justin concluded it did not look like a hack.  At that time, there were approximately 117 million Verge tokens in the Verge Specific Node.

After the review, Justin was helpful in suggesting an additional step we could take to make the Verge Specific Node setup more secure, including:

1.  Instead of routing through Heroku which uses an AWS array of white listed IPs, we routed to a single instance server which had 1 IP to white list.  We also took the following steps:

1.  We reset the Verge Specific Node and server passwords;

2.  If a Coinpouch user had more than one address associated with their account ID, it would block sending out funds and notify them to contact our support.

A few days later, we started getting additional reports from users stating their Verge wallets in Coinpouch were not working correctly.  So, we contacted Justin again to investigate the issue.  During that investigation, it was discovered that most Verge tokens on the Verge Specific Node had been transferred out which prompted us to immediately shut down the Verge Specific Node once we were able to confirm that it was a hack.  Afterwards, we initiated the following action plan:

1.Notify the public via the Coinpouch Twitter.
2.Release this public statement regarding the Verge Specific Node hack.
3.Contact the company that hosted the Verge Specific Node to report the hack and ask them to assist us in securing the server for forensics analysis.
4.Contact a computer forensics lab to initiate a forensics analysis of the hack.
5.Establish a contact for questions and inquiries about this Verge Specific Node hack.  Those inquiries can be directed towards support@getcoinpouch.com
6.Report this incident to the proper law enforcement authorities and cooperate with them to investigate this matter.
7.Contact the exchanges listing Verge and attempt to have them blacklist the stolen Verge tokens based on the addresses provided by Justin which are suspected of holding the stolen Verge tokens

Verge is privacy focused crypto currency that has shown excellent growth over the past few months. It will be interesting to see what steps are taken and if the holders holding Verge (XVG) in the CoinPouch wallet will be reimbursed with their investment.