Shapeshift came back online April 20th following a detailed security post by CEO Erik Voorhees that laid out what happened during the breach. Three separate incidents—one involving a now-fired employee identified as "Bob" and two carried out by outside attackers who used information Bob supplied and malware he installed on a colleague's machine—had forced the service down.
The resurrection began with Bitcoin and Ethereum support only. Litecoin joined today. The service lets people convert between cryptocurrencies without setting up an account, a distinctive model that put Shapeshift on the map. At its peak, the platform supported 40 different coins.
Restoring full support will take time. Voorhees explained the reasoning in correspondence with us. "Each coin adds complexity and development time, and many coins have special attributes that need to be cared for. They are like baby animals, running around the yard in various states of disarray. [...] We'll have many of the other top assets back within a week or so, and everything that was supported before will be supported again soon."
The staged approach makes sense given the breach's impact. Shapeshift's own reserves took a massive hit—thousands of bitcoins representing several hundred thousand dollars in total value. But the structure of the attack revealed something important about how the business works. Shapeshift holds no customer funds. When a user sends coins through the service, Shapeshift converts them on exchanges and routes the requested cryptocurrency to the customer's wallet. Users put nothing at risk.
That architecture protected everyone's holdings. The company absorbed the loss. We tested the Bitcoin-to-Ethereum conversion and confirmed it executes as expected. Voorhees said the initial two-coin launch came down to customer behavior. "Our biggest market is Bitcoin <-> Ether, so we decided to focus purely on getting that back for our customers. It's all about market demand. The Ethereum exchange volume has been consistently 10-20% of Bitcoin, which is to say, pretty significant."
The breach puts pressure on a business that hasn't reached profitability yet. Still, the fact that attackers stole company capital rather than customer deposits means Shapeshift can operate with upgraded security measures without affecting anyone's assets. The company faces the usual startup challenge of building toward sustainable margins, but the underlying business model came through the crisis intact.