Fortress Trust victim of $15 million crypto fraud: third-party provider Retool to blame

Related

Share

Last week Fortress Trust had reported on Twitter that one of its third-party providers had been hit by crypto fraud, though it reassured its investors given that, according to the company, its internal security systems had not been breached.

It was only later discovered that the provider in question was the software development company Retool, and that in fact Fortress had lost $15 million as a result of the attack.

Ripple promptly announced that it had cured the blockchain infrastructure startup’s losses as part of a deal to acquire Fortress Trust itself.

An uproar broke out on Twitter with various people involved in the matter who did not hesitate to lash out at each other.

The issue also opened a debate on the importance of trustless blockchain systems in which there is no counterparty risk, which is often the main cause of massive losses of funds in crypto.

Let’s take a look at all the details together.

Several Fortress Trust accounts compromised amounting to $15 million: Retool provider fallen for phishing fraud with Fortune 500 customers

Fortress Trust, a web3 financial infrastructure startup, announced Thursday 7 September on Twitter that four of its customers fell victim to crypto fraud after its third-party provider’s cloud tools were compromised.

The company did not initially reveal the name of the provider, while reassuring its stakeholders that there would be no breach of Fortress Technology’s internal systems and that the users did not lose their funds.

However, the following day came the shocking news of Ripple‘s purchase of Fortress Trust as part of a bilateral deal.

It was later discovered that there had been losses of funds for the startup that amounted to $15 million and that Ripple’s intervention was to restore the company’s debts to its customers.

The name of the infamous third-party vendor that caused the incident also surfaced, namely the well-known software development company Retool, which enjoys (or rather enjoyed) a very good reputation given that it has Fortune500 companies as clients.

The latter was hit by a phishing attack that led to the compromise of some of Fortress Trust’s internal accounts with the loss of $15 million in crypto.

Most of the stolen crypto money was in BTC, with a small portion in stablecoins such as USDC and USDT.

The incident happened exactly on 29 August, when 27 Retool customers notified the company that “there had been unauthorized access to their accounts” following a phishing attack.

After a full 9 days, Fortress Trust, which was directly involved in the matter since the hacked accounts fell within their fund, did not tell the full story to its community hoping that Ripple’s patch would avoid the media buzz of fraud.

However, the lack of transparency on the part of the startup’s executives did not please Mike Belshe, CEO of BitGo, another Fortress provider that was not affected by the cyber breach, who strongly criticized the way the crisis situation was handled.

Kevin Lehtiniitty, co-founder of Fortress as well as Chief Technology Officer and Chief Product Officer, responded to this criticism by stating that Belshe was also aware of the incident and is now trying to trigger fear in his customers through misleading descriptions

The counter-response from BitGo’s CEO was timely, who iconic said verbatim to his colleague:

“Hey, if you think being hacked and having to sell the company isn’t something your customers should have known, I’m not sure what to say.”

Fortress acquired by Ripple after crypto hack

With Ripple‘s acquisition of Fortress Trust, it became known that crypto fraud had caused a loss of funds to the startup, sparking a wide debate from stakeholders in the affair.

To quell the uproar, Fortress CEO Scott Purcell stated verbatim that:

“We were not hacked, Fireblocks was not hacked, and BitGo was not hacked.

Fortunately (and surprisingly, honestly) within 48 hours we received an email from the tools company admitting the breach on their part and we are in the process of holding them accountable.”

In any case, although Fortress is not to blame for the incident, the fact remains that after such a hack, the company did not communicate everything it knew to its customers, leaving them in the dark about the loss of crypto money.

A spokesperson for Ripple, said that speculation about a purchase of the startup had been on their minds for several weeks and that the two parties were working together to find an agreement.

The cyber theft against Fortress’ customers was just the icing on the cake that “accelerated” this process. 

In fact, it appears that Fortress is managing a total investment value significantly higher than that stolen in the phishing attack, and that the real motivation for buying Ripple is not solely related to restoring corporate debts.

The same spokesman for the historic crypto payments company went on to say that:

“Fortunately, Ripple was able to act quickly to intervene and satisfy customers, and there was no breach of Fortress technology or systems. Fortress immediately informed customers of the incident as soon as it occurred, as mentioned in their tweets.”

Ripple financed the acquisition with a mix of cash and equity. The deal, still amid regulatory scrutiny and due diligence activities, would expand Ripple’s collection of regulatory licenses, as Fortress Trust, a subsidiary of Fortress Blockchain Technologies, holds a Nevada Trust license.

Ripple plans to strengthen FotressPay services, which will soon begin leveraging the crypto firm’s payment technologies.

Brad Garlinghouse’s company’s shopping spree continues apace after $250 million was spent in May to buy Swiss custody startup Metaco, as well as a stake within the exchange Bitstamp. 

Counterparty risk in the financial services industry on blockchain

The story of Fortress and the fraud against provider Retool served as a reminder to the entire crypto investment community of all the risks associated with entrusting their funds to third-party financial services.

Unlike fully regulated investment markets, in the far west of crypto there are no guarantees (except through rare insurance funds) and everyone has to deal with all the counterparty risks that arise when one decides to delegate one’s private keys to centralized companies.

Unfortunately, in this context there are numerous points of vulnerability that often emerge due to some unexpected flaw in the systems of different providers.

Although this story ended with a happy ending as Ripple covered the 15 million loss entirely with its intervention, avoiding repercussions for investors, it is clear that there are still trust issues in this delicate financial world.

The CEO of Bitgo himself, who serves as a third-party provider for Fortress, pointed out that this whole situation represents exactly why we need decentralization.

Even though he was not affected by the cyber attack with his company being unharmed, he wanted to remind his Twitter audience that:

“We cannot continue to depend on the honesty of custodians, bankers or ‘trusted third parties’ acting with integrity when bad things happen. 

Bad things will happen and most human beings will not have enough courage to be honest. BitGo, as a decentralized wallet platform and also a centralized custodian, we will continue to fight to take humans out of the mix, to ensure that our financial system does not depend on anyone’s integrity, and to ensure transparency wherever possible.”

His words are reminiscent of the founding philosophy of Bitcoin, which was created precisely with the intention of being able to overtake any kind of financial intermediation so that we can run a decentralized economy that does not depend on the success or failure of individuals, but is based on the principles of collective money sovereignty.