Fortress CEO Clears the Air on Security Breach and Stolen Funds

Since acquiring financial technology firm Fortress four days ago, Ripple said it was forced to fill a hole in some of the crypto custodian’s customer accounts after a security breach two weeks ago.

Upon briefly disclosing the breach last Thursday, Fortress claimed that impacted accounts were “fully restored,” and that there had been “no loss of funds.”

The confusing explanations from both companies stoked community concern around Fortress’s transparency, its client safety, its partners’ involvement—and who, exactly, was at fault. Amid the uproar, Fortress CEO Scott Purcell said the whole situation has been overblown.

“We were not hacked, Fireblocks was not hacked, and BitGo was not hacked,” the co-founder confirmed to Decrypt via email on Tuesday.

Fortress is a custody, compliance, and infrastructure provider for blockchain companies that manage billions in assets. Fireblocks specializes in regulated digital asset custody for institutions, as does competitor BitGo. Fortress uses wallets from both companies.

Throughout the incident, the latter two firms “performed perfectly,” according to Purcell, who instead pinned the blame on a “major” third-party cloud database tool as responsible for the breach.

“Fortunately (and surprisingly, honestly) within 48 hours we got an email from the tool company admitting the breach on their end, and we are in the process of holding them accountable,” Purcell said.

While Fortress serves 225,000 accounts, Purcell claimed less than a dozen of them actually used the tool. That tool has now been blocked, leaving 100% of accounts using APIs. The amount stolen in the hack wasn’t disclosed, but was “relatively small” compared to Fortress’s total assets, Purcell said.

The incident has since prompted investigations from the FBI, Secret Service, regulators, and cyber security teams.

“We had to do these things before a general announcement could be made, though of course, we were working with the affected customers immediately,” added Purcell.

He also clarified that most affected clients were made whole by Fortress’s own balance sheet within 48 hours, with Ripple contributing to cover one larger client’s balance by September 5.

Following reports of stolen funds and Ripple’s support, BitGo CEO Mike Belshe expressed frustration with Fortress’s seeming lack of communication on the matter.

“My heart reaches out to the real victims of the hack here: the individual investors and the companies who are having their brands tarnished all because one other company didn’t have the courage to tell the truth,” he wrote in a Twitter post on Monday.

Belshe’s post, which summarized the incident as he understood it from BitGo’s perspective, was “riddled with flat-out lies and half-truths,” according to Purcell, who claimed Belshe was kept informed of the incident from the first day it occurred.

“The last thing our industry needs is more theater and FUD,” said Purcell. “For us, yes, shit happened—we, along with Ripple and along with our partners, stepped up and handled it.”