Since acquiring financial technology firm Fortress four days ago, Ripple had to fill a hole in some of the crypto custodian’s customer accounts after a security breach two weeks ago.
Upon briefly disclosing the breach last Thursday, Fortress claimed that impacted accounts were “fully restored,” and that there had been “no loss of funds.”
The confusing explanations from both companies stoked community concern around Fortress’s transparency, its client safety, its partners’ involvement—and who, exactly, was at fault. Amid the uproar, Fortress CEO Scott Purcell said the whole situation has been overblown.
“We were not hacked, Fireblocks was not hacked, and BitGo was not hacked,” the co-founder confirmed to Decrypt via email on Tuesday.
Fortress is a custody, compliance, and infrastructure provider for blockchain companies that manage billions in assets. Fireblocks specializes in regulated digital asset custody for institutions, as does competitor BitGo. Fortress uses wallets from both companies.
Throughout the incident, Fortress and BitGo “performed perfectly,” according to Purcell, who instead pinned the blame on a “major” third-party cloud database tool as responsible for the breach.
“Fortunately (and surprisingly, honestly) within 48 hours we got an email from the tool company admitting the breach on their end, and we are in the process of holding them accountable,” Purcell said.
A Ripple spokesperson told Decrypt that customers were aware (and made whole) in advance of Fortress publicly disclosing the breach on September 7, and that the statement from Fortress was shared on a public forum. The spokesperson also provided additional context on Ripple’s acquisition.
“We have been working with Fortress Trust for some time,” the Ripple spokesperson said. “Ripple is a minority investor, and there are some great long-term synergies between our businesses. Fortress has been entertaining acquisition conversations for a couple of months now with numerous parties as they look to hone in and grow their payments business (FortressPay).
“This wasn’t our first time speaking to them about a potential acquisition,” the spokesperson added.
The company says that the security incident prompted them to accelerate conversations about a deal, but that it also “makes sense for Ripple in the long term.”
“Luckily, Ripple was in a position to act quickly to step in and make customers whole, and there have been no breaches to Fortress technology or systems,” the spokesperson noted.
While Fortress serves 225,000 accounts, Purcell claimed less than a dozen of them actually used the compromised tool. That tool has now been blocked, leaving 100% of accounts using APIs. The amount stolen in the hack wasn’t disclosed, but was “relatively small” compared to Fortress’s total assets, Purcell said.
Ripple says it has since invited investigations by the FBI, Secret Service, regulators, and cyber security teams.
“We had to do these things before a general announcement could be made, though of course, we were working with the affected customers immediately,” added Purcell.
He also clarified that most affected clients were made whole by Fortress’s own balance sheet within 48 hours, with Ripple contributing to cover one larger client’s balance by September 5.
Following reports of stolen funds and Ripple’s support, BitGo CEO Mike Belshe expressed frustration with Fortress’s seeming lack of communication on the matter.
I can’t express enough how upsetting this Fortress Trust episode is to me. I really don’t want to talk about it at all, because it actually has nothing to do with BitGo. But because Fortress was not forthcoming about what actually did happen, we are now indirectly affected -… https://t.co/jXZYGBt93B
— Mike Belshe (@mikebelshe) September 11, 2023
“My heart reaches out to the real victims of the hack here: the individual investors and the companies who are having their brands tarnished all because one other company didn’t have the courage to tell the truth,” he wrote in a Twitter post on Monday.
Belshe’s post, which summarized the incident as he understood it from BitGo’s perspective, was “riddled with flat-out lies and half-truths,” according to Purcell, who claimed Belshe was kept informed of the incident from the first day it occurred.
“The last thing our industry needs is more theater and FUD,” said Purcell. “For us, yes, shit happened—we, along with Ripple and along with our partners, stepped up and handled it.”
Editor’s note: This article was updated with additional comments from a Ripple spokesperson and to clarify the timeline of events and other details.
