Bitcoin exchange founder charged with covering up hack

It’s one thing to launch cryptocurrency businesses with programming weaknesses that lead to them getting hacked and hoovered.

But lying to the Securities Exchange Commission (SEC) about it during sworn testimony, as you try to cover up the fact that all the Bitcoins have gone bye-bye?

Oh, dear – that’s a coin that will buy you nothing but trouble.

And those are the charges facing Jon Montroll, 37, of Saginaw, Texas, the operator of a now-defunct cryptocurrency investment platform who’s been charged with lying to cover the fact that hackers made off with more than 6,000 of his customers’ Bitcoins.

Montroll, also known as “Ukyo,” was charged with two counts of perjury and one count of obstruction of justice in a complaint unsealed by the office of Manhattan US Attorney Geoffrey Berman on Wednesday. The US Securities and Exchange Commission (SEC) also filed a lawsuit accusing Montroll of violating securities laws.

According to prosecutors, before Bitcoin shot up to nearly $20,000 in December, Montroll operated two online services: facilitated buying and trading of virtual shares of businesses listed on its platform, while WeExchange Australia Pty. Ltd. served as a Bitcoin depository and currency exchange.

The Bitcoins belonging to users of both businesses were held in one, common account.

During 2013, one or more hackers exploited a vulnerability in BitFunder and credited their accounts with profits they never earned. They withdrew around 6,000 Bitcoins between 28 and 31 July 2013, which would now be worth more than $60m, according to prosecutors’ estimate. (For what it’s worth, according to the Coinbase exchange, Bitcoin was worth $10,165 and falling when I checked this morning, which puts the estimate of disappeared Bitcoin at a current value of $60.9m.)

Any way you slice it, the hackers got away with more Bitcoin than could cover what Montroll owed the platform’s users.

But that’s not how Montroll framed the hack in sworn testimony to the SEC in November 2013. According to the complaint, Montroll denied that the hack was successful:

When [the hackers] went to withdraw, the system stopped them because the amount was obviously causing issues with the system.

[The software issue] was corrected immediately, whenever the system started having the problems, and I caught on to what was happening I’d say within a few hours.

Then he came up with evidence to back up his claim: Montroll reportedly gave the SEC investigators a screenshot purportedly documenting, among other things, the total number of bitcoins available to BitFunder users in the WeExchange Wallet as of 13 October 2013. This supposed balance statement showed that there were 6,679.78 BTC on hand as of that date. Prosecutors say that in his sworn testimony, Montroll explained that it represented…

The collective pool of BTC held for users on BitFunder – users who transfer bitcoins to BitFunder, this is the total amount that’s being held by BitFunder of those users.

Well, that would have been nice. Unfortunately, the balance statement was cooked, prosecutors allege. Investigators looked at the digital evidence – including chat logs and transaction data – that showed that the balance statement was “a misleading fabrication.”

They noted that three days into the hackers bleeding off the Bitcoin, Montroll was on an internet relay chat with an unnamed person – “Person-1” – looking for help to track down the stolen coins. That didn’t work, so he allegedly transferred some of his own bitcoins into WeExchange to cover up the hole that had been ripped into the balance.

But still, the hacking and hoovering continued. Prosecutors say that by the time shown on the fabricated balance statement, WeExchange held thousands of bitcoins less than it claimed. Prosecutors say it held just 40.

In subsequent testimony, when confronted with that evidence, Montroll allegedly lied to SEC staff again. He admitted that he’d cooked up the balance statement, but he claimed that he only discovered the success of the hack after the SEC asked him about it during his first day of testimony.

As for the chat with Person-1? Don’t know anything about it, Montroll allegedly claimed.

Maximum penalties are rarely handed down, but for what it’s worth, the perjury charges each carry a maximum of penalty of five years in prison, while the obstruction of justice charge carries a maximum penalty of 20 years.

In a separate, parallel lawsuit, the SEC charged Montroll with operating an unregistered securities exchange; defrauding users; and making false and misleading statements, including failing to disclose the hacking attack. He also sold unregistered securities that purported to be investments in the exchange and misappropriated funds from those investors, the SEC said.