The servers the Altilly Exchange platform utilised were provided by an independent hosting provider.

Earlier this week on the 23rd December 2020, we were alerted to suspicious activities/monitoring alerts on our servers. Three servers suspiciously rebooted around the same time. After checking the servers, we noticed some unusual activity and a new system user was created.

With the servers being constantly rebooted and being unsure about what exactly happened at that time, we took the preventative action of beginning to move our servers to a new host.

Late on the 25th or early morning on the 26th December 2020, we were being alerted to another system reboot at our original hosting provider. It was now clear that someone had access to our servers. It appears that these systems were accessed at an Admin portal level using rescue mode during the server reboot. We then took an additional step by adding code to prevent anyone from accessing the servers externally and changed the rescue system.

While we were still investigating the root cause, we lost access to all of our servers, this includes production web servers, the databases and exchange cryptocurrency wallets, and it appears that a request came in via the hosting client portal to delete all servers on the linked to the attacked account.

On a number of occasions, we attempted to upload backups to our servers. Unfortunately, the attacker(s) had also gained access to our offsite storage account. This was compromised using API keys from the backup software on the affected servers. The attacker removed all backup files from that location.

The attacker(s) appear to have downloaded copies of the backups before destroying them.

The Exchange had two accounts at the original hosting provider. One of them was created three years ago during the setup at the hosting provider. This email was no longer used, as we had another email account using our altilly domain address. The active email had 2FA, the non-active email did not and provided an attack vector for the attacker(s).

*** Update 7th of January 2021 ***
During our investigation, we came to the conclusion that the cause was created by negligence from our hosting provider.
During the account creation at our hosting provider in 2018, we created an account using an email, username and password.
A second email was added to the same account. Both emails gave access to the same user account.
The hosting provider changed their portal which essentially separated the emails into separate users for the same portal.
This action created a second user that was not secured by 2FA authentication.
This change was made 6 months ago without notification.
We are working on a settlement with the hosting provider without using any legal actions at this stage.
Legal actions may slow down any settlements. We will continue to update our users with the latest information.
Please be aware that we can not share any details that could affect the settlement or the investigation.

The attacker(s) was/were able to gain full access to the Administrator console/panel and as well as taking control of our servers, was also able to steal high-value assets from the exchange cryptocurrency hot wallets.

It was an unforgivably simple mistake to make and a lesson with likely repercussions for many years to come.

At this point, we are still unaware of how the attacker(s) obtained the password to access the administrator account of our servers or knew which provider we were using.

This investigation is still ongoing and more information will be released in due course.

We are still working with the hosting provider to see if we can restore data. The hosting provider has a “secure removal” policy on the servers, using industry-standard procedures. Once deleted, it can not be recovered, but we are still looking at ways to recover this.

At the time of writing, we are unable to share specific details about the hosting provider or about the account details that were used for the attack. It would decrease our chance of finding the attacker(s), tracking stolen funds and valuable information.

As a matter of precaution, we are auditing all of our own account details and adding additional layers of security to our other platforms and services.

For the avoidance of doubt, none of our other platforms or services (for e.g. Qredit blockchain) was hosted on the same servers or with the same hosting provider.

Users KYC information has never been stored externally (i.e. hosting providers) and was only used temporarily during the verification process. Therefore no KYC data/ documents/ personally identifiable information was put at risk during this attack.

The attacker(s) was gained access to and stole 30 BTC and 12,000 USDT while they had control of our servers.

Without access to the servers or backups, the team has very limited information to assess the full impact of the attack. This makes the process of understanding which users were impacted by the attack even more difficult, but not entirely impossible.

The Altilly team were able to save about 90 assets during the migration, these assets are mainly bitcoin and cryptonote clones, that have been listed in the last 30 days, prior to the attack. (please see Appendix 1 - List of Assets Saved)

Only in the last month, Altilly began generating a surplus/profit and running at 1mln USD daily volume.

We had free listings and extremely low fees. For that reason, we were not able to create a buffer/insurance fund to cover losses in case of an attack or something similar.

Due to the attacker deleting the backups and production servers the remaining funds within the Exchange cryptocurrency wallets are effectively inaccessible/lost.

Not only to Altilly but also the attacker, due to database and server encryption.

We do not have access to the exchange database or backups, making assessing the scale of the attack, which coins and the number of coins affected more challenging, but not impossible.

From the assets that were saved during the migration, we are working closely with teams and project owners to create an audit trail of users and their balances on Altilly.

Some of the teams and projects of these assets have shown a willingness to help recover the balances/assets of these users.

The team understands that people will clearly be concerned, angered, upset and frustrated with this news. The team have spent three years building the platform, the community of users and the trust, just to have it taken away.

To be very very clear, the Altilly team will continue to support users/teams/coin developers through this extremely challenging time.

We know that a small number of people are already beginning to call the attack an exit scam, and suggestions of the attack being an inside job are totally untrue and unfounded.

Altilly has always prided itself on its transparency and user-friendly approach to customer service. There is absolutely nothing to be gained from Altilly destroying its reputation, user base and trust, for a short term gain.

The leadership team responsible for Altilly have always been visible and transparent and will continue to be so.

The Altilly team are monitoring all major stolen crypto currency addresses, and are ready to contact other exchanges with a view to stopping those funds being cashed out, or exchanged.

The total amount stolen is circa 1mln USD. This is a large sum, but not impossible to repay.

One possible solution would be to repay the stolen funds by utilising profit created by a number of other projects, completely unrelated to Altilly. Although to be clear, we are unable to make any cast-iron guarantees at this stage. More detail will be provided in due course.

First, we must complete the audit required to understand which users have had funds stolen, this could take up to three months, due to lack of access to backup information.

Second, we aim to repay everyone within 6 months, this timeframe is subject to change.

As we have already highlighted the team has no access to funds or exchange data. The Altilly team have lost everything they have worked hard for over the last 3 years.

We take full responsibility for what has happened.

Altilly was an unregulated exchange, that was just months or weeks away from becoming an official regulated cryptocurrency exchange. The exchange was acquired in 2019.

We are aware that a number of users may choose to pursue legal action, you are clearly within your right to do so. But given the unregulated status of the exchange, any legal action and their implication may be limited by this fact.

Looking at previous Exchange attacks it is unlikely that a government agency is going to repay any of the affected users due to country-specific regulatory provisions.

It would be more beneficial to gain support from teams and projects that were listed at Altilly and anyone in the same industry or another exchange.

It took the team three years to build Altilly. While we still have access to the exchange platform base code, recreating the exchange database will take months. If we would ever launch an exchange. It would be with an exchange license, directly from the start with a good insurance in place. At this moment we doubt that we will have the same trust and confidence as before to operate an exchange.

Our sole focus now is to repay the users affected by this attack.

The Team is deeply saddened and embarrassed at what has transpired. Words can not describe how the team feels and the pain and suffering this news brings to everyone.

You have our word that we will not rest until we have repaid affected users.

The leadership team would also like to apologise to the wider Altilly team, the communities, developers and projects that were listed at Altilly.

To continue with our offer of transparency, the Altilly team will provide a number of live stream events beginning January 2021 to give everyone affected updates and provide the opportunity to ask questions.

The Team will provide regular updates via the Altilly.com website, Altilly Telegram channel and Discord server (details provided below).

Please ensure you do not send anyone details of your transactions.

Anyone claiming to be Altilly Support is most likely a fake.

We will keep communication channels open and we will be most of the time active on Telegram and Discord.

Altilly Website: Click here
Telegram: Click here
Discord: Click here

We have contacted the Swedish Data Inspection agency and reported the breach according to GDPR rules within 72 hours of the breach.

Please check here: Detailed Asset Information