Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Erik Voorhees: Fooling the Fox – The Story of the Shapeshift Hack
Episode Date: May 9, 2016In the short history of the Bitcoin industry, there has been an impressive amount of high profile hacks, ranging from a few hundred thousand to many millions of dollars. In all of these, customers, Bi...tcoin users, where robbed of their funds because poor security policies, negligence, incompetence, or plain old scamming. Recently, the cryptocurrency conversion service ShapeShift fell victim to a hack in which over $200,000 of company funds were stolen, initially by an employee, and then by a hacker to whom this employee had sold sensitive company information. Luckily, no customers lost any money as ShapeShift does not hold any funds on behalf of users. We talked to ShapeShift CEO Erik Voorhees who walks us through this captivating ordeal, which sounds like it could be the plot of a movie. He speaks about how the company is trying to recover and what he has learned from this unfortunate event. Topics covered in this episode: How the ShapeShift hack went down What steps the company has taken to avoid this from happening again What he learned from the hack ShapeShift’s long-term vision as a company and product Ethereum’s role in their recent growth His history as an entrepreneur in the Bitcoin space His views on libertarianism and the long-term impact of Bitcoin on that movement Episode links: Looting of the Fox: The Story of Sabotage at ShapeShift Bitcoin.com podcast - Details of the Shapeshift.io Hack The Slaying of Bearwhale Erik's Blog This episode is hosted by Brian Fabian Crain and Sébastien Couture. Show notes and listening options: epicenter.tv/130
Transcript
Discussion (0)
This is Epicenter Bitcoin episode 130 with guest Eric Voorhees.
This episode of Epicenter Bitcoin is brought you by high.combe.
Protect yourself against hackers and safeguard your identity online with a first class VPN.
Go to hide.combe slash epicenter and sign up for a free account today.
Hi, welcome to Epicenter Bitcoin.
The show has talks about the technologies, projects, and people driving decentralization
and the global cryptocurrency revolution.
My name is Sebastanku, and my name is Brian Krohn.
We're here today with Eric Voorhees,
Eric Gordhys, probably most people have heard of, and he's, of course, the founder of Shapeshift,
who longtime podcast listeners will know very well because they were a long time at one of the first sponsors of the show.
And he's been well known in the industry for being involved in Bitcoin very early on,
being a sort of a very great advocate for Bitcoin and also for libertarianism and sort of Bitcoin and Lipitarianism.
So thanks so much for joining us, Eric.
Thanks for having me on the show today.
It's sort of coincidental that, like, you all like right now,
because I think we invited you before,
but then there's all this news around shape shift.
And so recently you've been,
a big story around you guys getting hacked.
Can you talk a little bit about what happened there?
Yeah.
So about a week and a half or two weeks ago,
we put out basically all the details of what happened.
And I wrote up a like 15 page piece about the whole story from start to finish because
it's quite a...
Which, it was a great story, by the way.
And I'm not one to read really long blog posts, but I read this one and I couldn't
stop reading it.
It was really fascinating.
It reads like some kind of novel, you know.
Yeah, well, when I sat down and I sat down.
and decided to write about what happened.
I thought it might be like four or five pages.
And I got through four or five pages just, you know,
talking about the first incident.
So basically what happened,
we brought on a guy to be our head,
sysadmin, basically our head of security,
our server DevOps person.
Because we knew that as we were growing,
we needed both, you know, to start scaling larger
and also to be more secure because we're handling cryptocurrency.
And so that was all fine.
But about a little, a month and a half ago, in the middle of March, March 14th,
we wake up and discover that 315 Bitcoin had been stolen from our hot wallet.
And it's important to mention that none of the funds that were lost were customer money
because we don't hold any customer money.
But it was our money, and that's still a lot of funds.
So we started investigating right away.
We were pretty upset and confused about what had happened.
And within a couple hours, we realized that it was actually stolen by an employee
and the very employee who we had hired to set up all the servers safely and be our sysadmin.
So we
There were a number of smoking guns
But the biggest one was that while we were
While we were in the office
Trying to figure everything out
Investigating
We see in the logs he deleted
The keys that had accessed the server
Where the coins were restored that morning
So while we're all sitting there he's deleting keys
And then
he left during sort of the middle of the afternoon, said he got a call from his mother to take her to the hospital and he had to leave.
We had been getting very suspicious by that point, and so we didn't try to stop him because we kind of wanted to start working without him near us.
And as soon as he left, I was told about what we'd seen in the logs.
So basically, we never saw him again, and we knew that he did it.
and the Bitcoin hadn't left the address that he stole it to.
It's still there.
The addresses are shown in the blog post so people can go see.
The Bitcoin's are still there today?
Yep.
Yeah, we have quite a few notifications set up if funds ever moved from that address.
So since we caught him so quickly, we knew where he was.
We had a lot of his personal information and the funds hadn't moved.
We thought, okay, fine, we'll, we'll,
proceed with a case against him.
We'll get the funds back one way or another,
but basically it's fine in case closed.
But then about that we were working on brand new infrastructure
because we assumed that the stuff he had been working on for us
was largely compromised.
So we had to divert lots of our resources into rebuilding things.
And a couple weeks later,
as we're getting ready to launch that new infrastructure,
the hot wall is in that new infrastructure,
got Bitcoin, Lycoin, and Ethereum stolen from them.
And this was April 7th.
It was a Thursday.
So again, just like a terrible feeling of dread and panic and what the hell happened.
Obviously, this former employee wasn't with us.
We saw no immediate evidence that he was involved,
although, of course, he was on the top of our concern list.
But we tracked some of the coins that were
stolen to an exchange. We got information about the account holder at that exchange.
This is one part of the story where I thought was sort of interesting. So you contacted
this exchange and they just handed over the information of the account. They don't just
hand over information, but if you show a direct link of your coins leaving your hot wallet and going
into a wallet that they control and they know who you are and they trust you, then yeah,
It's not just going to proceed unimpeded.
So a lot of the exchanges work with each other on these theft cases, and sometimes they can find out quite a bit of information.
So we got basically the account details of this guy.
His name was Rovion, and we assumed it was all fake information, but there was an email there, and I contacted the email, and I said, nice job on the hack, how'd you do it?
basically just trying to see if he would, you know, want to boast and give some details on what he had done.
And the next day, we had taken the site down.
We're trying to figure out what had happened and rebuild again and a wholly new infrastructure once again.
And it was just a horrible, like, panic mode situation.
And we get, I get an email back the next day from the guy.
And to my question, how he did it, he responded with the email saying,
just quote unquote one word Bob.
And Bob is the student name we're giving to the former employee.
So when we got that email, it was just one of those like, holy shit moments.
And at first you're like, okay, does that mean that the hacker is Bob?
But that didn't seem likely because that would mean just he's implicating himself in the prior hack even further.
So then we started realizing that like what it probably meant was that Bob had sold
our information or giving it away online to some hacker who had used that to infiltrate and get in and carry out another hack.
So I tried to chat with him and just get some more details.
In the meantime, the next day we got the site back up on wholly new infrastructure with brand new keys and should have been as safe as can be.
And this would have been Saturday, April 9th.
And then that morning, we're hacked again and more Bitcoin and Ethereum stolen from hot wallet on this new infrastructure.
And this was boggling our minds because we were not sharing any keys.
These were fresh wallets created on the new servers.
There should not have been any way for this to happen.
So just to sort of explain, like you're building this new infrastructure.
Of course, all your employees have.
I mean, maybe all your employees, but some of your employees, strategic ones, have SSH keys to
get onto this infrastructure.
I mean, we're not talking about, you know, Bitcoin wallet private keys here.
We're talking about SSH keys to connect to your servers.
And if you generate these new keys, yeah, I mean, you're generating new wallet keys.
But if you're generating new keys, what's where you're being confused is like, how is he
getting these new keys if Bob's no longer here?
and how is he accessing this server that were the only ones that we're supposed to have access to?
Exactly.
It was very confusing.
And so immediately I decided to bring in the big guns.
I called Michael Perklin at Ledger Labs.
They're a blockchain forensics company.
And Michael's fantastic.
I highly recommend him.
He flew out right away and we started investigating.
The site was down for several days, about 10 days total after it was all sudden done.
But during all the investigation, we found a number of things.
We found that the guy had deleted a bunch of logs.
We actually recovered a bunch of the logs in the empty disk space, which was just pure luck,
because it just meant that the bits hadn't been overwritten.
So that was all helpful when we started piecing together a lot of things.
We found a malware that had been installed that gave a backdoor to hack the funds.
And that same malware was found on both the infrastructure on April 7th and the infrastructure on April 9th, which was a whole new infrastructure.
So the third hack was also by Bob because he had these, or you know.
We know that the first hack was by Bob.
And then the second hack, the hacker said that Bob was responsible.
And the third hack was also done by the second hacker.
So basically there are two people that are relevant.
Bob was the employee in the first hack.
And then Rovion, who was the hacker on April 7th and the same hacker on April 9th.
And he sent me a smiley face email like two minutes after the hack on the 9th, just being a dick.
but uh
so anyway
I ended up having some chats with
rovion
he he popped into our public slack
and we we talked
just over chat
the first chat was
was light on details but it gave us
he basically said that he had bought
information about how to
to break in from Bob
so that confirmed was he was like
was he like on the Republic
like Slack channels or just talking
came into our public Slack
channel but it was a PM between him and me.
Okay.
In the Slack.
So are you able to,
is Slack able to help?
I was using some like tour
or something like that or
you don't know?
We're pursuing all leads so I won't get into
that further. But
okay.
Unlike Bob, Rovion,
Bob made a lot of really stupid
mistakes. Rovion seemed to be a little more sophisticated
so I wouldn't
be surprised if he was fairly well.
hidden. We still know some things about him now and we're finding out more. But basically, the first
chat with him was light on details. The second chat with him was because he came back to me
on like the Wednesday following the second hack or the third hack. And he asked if he could
exchange the Ethereum that he had stolen for Bitcoin because we were tracking some of the
Ethereum and it had gotten frozen at several accounts. So he had been trying to
to convert his Ethereum into Bitcoin.
It was getting stuck at the exchanges in Frozen.
So he comes back to me and asks if I will exchange the Ethereum that he took for Bitcoin.
So I feel like...
I mean, you have to be fairly well connected with exchanges.
Like, is it like some exchange mailing list where you just like send an email and all the exchanges?
Like they have this...
It's more personal than that.
I mean, obviously I know a lot of the exchange.
operators personally.
And they all have an interest in stopping, you know,
legitimate crime and fraud and theft.
And some of them really like kind of diving into these investigations
and trying to find these people because these thieves like have really poisoned the
entire industry continually.
It's like a constant problem.
And, you know, for those who don't tend to rely on,
government, quote-unquote, services to help stop these things because they generally don't.
What that requires is that industry participants step up and figure it out themselves.
So there's a lot of that that goes on.
He gets back to you and then now offers, proposes that you buy back this Ethereum for him.
Yeah, at market rate, so we wouldn't lose any value from it.
We'd just be converting one coin for another, which ironically is what we do for business.
So I was like, well, okay, but you need to tell us a lot more details about how this all happened.
And he did so.
And basically, in that conversation, he revealed that he got, he was sold SSH keys.
He was sold IP addresses of servers.
He was sold IP addresses of the land passwords to routers on the local network.
And most importantly, Bob had installed like a, not back.
door is not the right word, but a remote access terminal on one or more of our employees'
computers while he's here.
Like a VNC or something like that.
Remote desktop.
Yeah.
Remote desktop thing.
Right.
While he was here.
So, which means that when he stole the money on March 14th, it wasn't just a quick, like,
opportunistic, oh, there's some funds I'm going to take it.
He basically set up a whole bunch of malicious software in the network and then used and then stole the funds and then used all that malicious stuff to sell and get more money from other people.
So he had access to our computers.
So he sold him just so we can understand maybe how.
So he sold him access to so IPs to your server, IPs to your router.
in your office and admin access to those routers and then installed VPN software.
So basically the guy, Rovion, he gets into your local network, can connect to a VNC, actually
like he's sitting behind a desk at one of your employees' desks looking at the computer.
And then with those SSH keys, can log into the information.
structure. That's really fascinating.
So one thing I didn't quite understand is at what point did Bob and Rovion like cross paths?
Who was it the initiator? Was it Rovion that contacted Bob or was it Bob that sold that
went to seek out Rovion?
So what Rovion said and of course like he he's a hacker here and we don't trust him so we have
to take everything he says with a grain of salt.
but what he said is that he learned of the of the hack that Bob had done.
He contacted Bob and offered to buy the information, and then Bob obliged and sold it to him.
He showed us an email from Bob basically stating that he had received the funds,
and he, in that email was the IP addresses and the passwords and stuff that only someone in this office would have known,
all that kind of thing.
How would
How would Rovion
learn about Bob's hack?
We're unclear on that.
We have a couple of suspicions,
but we think we know how,
but we haven't given out that detail.
Let's take a short break to talk about hide.me.
Look, when you're choosing a VPN provider,
you want to make sure that your privacy is protected.
If a government agency tries to force the VPN provider
to hand over some of your traffic or browsing information,
will they be able to do that?
And is your payment information attached to the account?
These are all things that you want to consider
when choosing a VPN provider.
With hide.comi, all that's taken care of.
For starters, they're based in Malaysia,
and Malaysian laws don't require them to keep any logs.
In fact, hide.comi has no logs of your traffic
or browsing history.
So even if a government agency was trying to force them
to hand over some information,
they would be straight out of luck
because hide.comi has nothing to give them.
In addition to that,
they use a third party payment provider
which doesn't give them any of your payment information,
so they have no way to link an account to like a credit card or a PayPal account.
So even if you're paying with PayPal a credit card,
there's no way for Hyde.Me to know which account paid for what.
And of course, if you're paying with Bitcoin, then you're completely transparent.
So what we suggest is if you're creating an account with Hyde.me,
if you want that extra level of privacy,
just make a fake Gmail address and use that to sign in.
So that way you're completely anonymous.
You can give Haithomi a try with their free plan.
Their free plan includes two gigabytes of data at unthuddled bandwidth.
You can use any of their free exit nodes, which are in Amsterdam, in Singapore, and in Montreal,
and you can sign up for that at Haithomi slash epicenter.
Now, if you use R URL, and if you decide to go premium down the line,
it's going to get you 35% off.
And the premium plan gives you a lot.
It gives you unlimited data.
you can use as much as you want.
You can connect up to five devices,
so your whole household fits on the plan,
and you can use any of their exit nodes
all over the world, and they've got like 30 of them.
And of course, you can pay with Bitcoin.
So give it a try.
We would like to thank Haight.
me for their support of WebSend and Bitcoin.
So let's say now Rovian bought from Bob this information,
do these people use escrow in any way?
Or like, how does that work?
Or similarly, when you exchange
the Bitcoin for the ether.
Yeah.
Like, was that sort of on trusts?
It's an interesting kind of social problem when two people that don't trust each other
are trying to exchange.
And you're trying to be quick.
Like, you don't want to set up an escrow account with some third party over time.
So when he wanted to convert the Ethereum to Bitcoin, obviously, we can't just send
him a huge chunk of Bitcoin and then expect him to send the Ethereum back to us.
So essentially what you do is you just break it into little pieces.
And one person goes first and sends a small amount and then the other person sends a small amount and you just do that over and over
And it's tedious, but it works and you know interestingly like there were there was a period where we were sending a bunch of the little pieces of Bitcoin
And he was sending the Ethereum to us and the Bitcoin wasn't confirming because all the blocks were full and
So there was like a period of just well about an hour where blocks had happened and and
And the transactions that I had sent to him weren't confirming.
And he started getting really suspicious, like, that I was trying to double spend him or something.
And so then we had to wait.
We just kind of sat there awkwardly for about 20 or 30 minutes until a block finally came along that confirmed those.
So that was a – and then him and I were joking about the block-sized thing.
So that was a little kind of a very tense situation.
It must be so weird.
weird to like you must be so angry and upset at this person you just but on the other hand you're
having some sort of really casual conversation with them about how they just stole like thousands
of thousands of dollars it wasn't really it wasn't really casual but there was just a brief
moment of levity during that period because he he started suspecting me of double spending him
and then it all came through fine it was okay but obviously he was an enemy and someone who i who i
detest, but at the same time, he was giving us useful information that we needed about, you know,
the true villain in this case, which was Bob, which essentially, you know, betrayed us completely.
And the hacker Rovion, he made this funny statement toward the end that he had said after we did
our exchange, he didn't want to have any more communication. And then at the end, he said,
Actually, I know I said that, but I do want you to tell me when Bob's been arrested or sued or whatever
because stealing from your employer is really shitty.
And so, like, even the hacker was pretty dismayed about Bob's character and behavior in this whole thing.
Okay.
And so, I mean, you've been back up now for a couple weeks, I think?
Yeah, two weeks, I think, at the end of a week, a week we can have.
So I think I was checking around that time.
You first started with Ethereum and then you brought on some other coins and now you're back up to the 50 or so coins that...
Not 50.
So at our max we had like 45 coins.
We have about 25 at this point.
So we're adding them chunk by chunk.
Each coin has its own little awkward behavioral issues.
and in the new infrastructure that we set up,
we locked it down to such a degree
that every little piece takes a lot of work
to make it connect and operate properly.
So trying to get the coins on as fast as we can,
but most of the big important ones are back online already.
And how much money did you lose in total,
including revenues lost from this whole thing,
being down for 10 days or whatever?
The amount that was directly hacked
was probably a little under a quarter million dollars over three hacks and lost revenues
I mean at least another 50,000 and then you know everything from like reputational damage and lost
customers and just all that I don't know how to put a figure on that but then there's the cost of
of all the security auditing, which is ridiculously expensive to do it well and to have good people
doing it. And then, you know, all the lawyer fees and just the opportunity cost of all the
engineers being diverted from productive work into scrambling to build secure infrastructure
in sort of panic mode for a period of time. It's a huge loss in terms of money and time and
resources and just psychologically it's incredibly difficult and defeating to go through multiple
hacks like that over time. But I was very impressed with the team. They totally rallied behind
the mission and put in ridiculous hours to make sure that we'd be back up and safe.
And I got to say, I mean, I was impressed by the level of support that you got from the community
and that was really nice.
Like on Reddit and on your Slack and I barely saw any negative comments or whatever.
Like people just, you know, just rooting for you to get through it and, you know, like bashing this hacker and Bob.
That must be really encouraging as well.
It was very encouraging and I got a lot of really nice emails and calls from people who were just there to offer their support and sympathy and to say that, you know, they had been through similar things and that they understood how horrible it was.
So that that was really helpful.
but of course a lot of people really liked how transparent we were being and so we got a lot of praise for that and a lot of goodwill.
Absolutely.
But fundamentally, I think the reason that the response was so positive and supportive of us was because no customer money got lost.
You know, not a dollar of customer funds was ever at risk or lost in the hack.
And I think it showed the community that like an exchange built in a certain way can be hacked, in this case three times by,
an insider, you know, that had like all the information and connection to do whatever he wanted.
And still, even in that case, not a single dollar customer money is lost.
And for an industry that has been plagued with this kind of thing since the beginning,
I think that was a relief for a lot of people to feel.
And while I theoretically understood that, like, that was a great advantage of shape shift,
this made it very real.
And I can't imagine having to go through this and also having lost, you know, 10 or 20 or 100 million
dollars of customer money.
So with how the infrastructure is now, do you feel like this could happen again if it's an
insider?
Because I mean, this is, I guess it's one thing to protect from the outsider, but when you
have an insider, that's such a insiduous threat.
What happened could not happen again, even if there was an insider.
So we've tried to harden it from many angles to prevent the same thing from happening again,
but also anything else that could possibly be fathomed.
and security can ever be 100%,
and you can spend an infinite sum of money
trying to become infinitely secure,
which is impossible.
But I'm pretty impressed with what we've built.
It's been amazing to see some of the technologies
that we've employed to make this kind of thing
not able to happen again.
And it was things that we should have done eventually anyway, of course.
Yeah, I mean, that's the thing, right?
I mean, when you're building a startup,
And of course, like, you know, you guys have been around for a while.
You've, especially around security a lot of times, it feels like, you know, like this is something we have to do.
You know, we'll do it at some point.
It's important that we do it.
But, you know, then you're caught off guard by something like this.
You know, obviously it could be, you know, this was an extreme case of that happening.
Yeah.
But so just to come back to the infrastructure we've built, so.
I presume that your hot wallets weren't multi-sig.
They weren't, but that wouldn't have prevented what happened.
What we've done with them now will prevent it.
A lot of the problem is that much of the good way to store Bitcoin is done putting in checks and balances
so that when funds move, they can't move without passing all those checks,
multi-sig being one check of a number that you can use.
And often those kind of checks start getting in the way of automation.
And so you get into the system where you're trying to find the right balance
between something that's automated and scalable and can handle lots of customer orders
without delaying them because our whole enterprise is built to make exchange easy and fast for people.
So if we clog it all up with a bunch of security checks, that starts defeating the point.
But at the same time, you can't just let things flow through without watching what it's doing.
So it's a very tricky balance.
And there's not a perfect answer.
It's just a process of learning.
So what's your takeaway from this?
Like what did you, what's a lesson?
A few lessons.
The most important theme is most people understand how dangerous, you know, hackers can be from the outside.
and that there is this world of hackers out there that'll get you if they can.
And so people try to protect themselves from the outside.
And they often do a pretty decent job of that.
But the threat from inside, the threat from an internal employee,
someone who's close through social engineering or anything in that realm,
has to be understood as an equal threat,
just as powerful and dangerous.
And while most people put a lot of effort into protecting from the outside,
they put minimal efforts into protect them from the inside.
And that was the most important lesson that we learned is to treat those two realms as
equal threats.
Because you can hire 100 people and 99% of them can be angels, but one person can totally
screwed up for everything.
And it's impossible to, it's impossible to know the character and intentions of everyone all the time.
Yeah, cool.
And so maybe one last question on this.
Is there any kind of takeaway about how you,
would deal with that threat in the future?
Because it's, I mean, it's one thing to understand that.
It's another thing to do something about it and prevent it from having an impact on the
business, right?
Yeah.
Well, the lowest hanging fruit is making sure the computers are always locked when you're
not next to it.
So what we think happened in our case is that, like, Bob found computers at the office
that were open and installed things on them.
and how he did it may have been pretty sneaky because again he was our cis admin guy right so
when your cis admin guy like says he needs to do something uh you're usually inclined to trust him
but i think in this case he actually just went to open computers and install things and that's like
if you go to the if you go to the bathroom during the day um just turn your screen off and make
sure it's locked like it's it's super easy it takes two seconds to do um and it can
In this case, we think it would have prevented all or at least the latter two of the hacks.
And, you know, after I read that blog post, like, immediately the next day, I went to the office and I told my co-founder, you know, we need to do security audit.
We're a remote to launch on beta.
You know, of course, we don't hold any funds except for maybe like, you know, a little bit of funds for Bitcoin transactions.
but because we do a completely different type of thing.
But regardless of that, in this industry, it feels that you can, you know, it's pretty easy
for people to have a grudge on you and to be sort of, yeah.
So for a startup that perhaps doesn't have a whole lot of funding and, you know, it doesn't
have like $100,000 to put in, to invest in a security audit with ledger labs, for instance.
What kind of things do you suggest that are really important that they do except for just
locking computers?
Yeah.
Well, for the record.
Or is it worth that investment?
Like, you know, should you put the money?
For the record, it didn't cost quite that much with them, but it was pretty expensive anyway.
I mean, it's often just proportional.
And one of our mistakes was that, like,
when the ShapeShift got started, you know, I sort of had in my mind, like, our security doesn't
really matter much at all because we're only holding, you know, 10K and in cryptocurrencies in
these various hot wallets. And that was probably a true statement back then when we were getting
started. But growth happens. And it's kind of like the frog in the boiling pot situation.
And before we knew it, we're not storing 10K. We're storing, you know, a few hundred K of still
our funds, not customer money, but still, you know, at that point, we needed to, we needed to
see that that had happened and reassessed our security and taken steps before this hack to
make that more secure. So that was, that was wholly my mistake. It doesn't mean that a startup
should spend 100 grand on security right when they're getting started. That's, it's probably a bad
business decision. But it does mean that there's probably a point at which you need to spend that much
to do it. And, you know, if we had done that before, it sounds expensive, but it would have saved us
a lot of money in this case.
Today's magic word is Bob, B-O-B. Head over to stock bitcoin.com to sign in, enter the magic word,
and claim you're a part of the listener award.
Where do you see the company and kind of the ecosystem, let's say five years for now?
What shapes you're going to look like?
So shape shift shift will look very similar, and that it's always and forever going to be in exchange for digital assets, an engine to convert between any blockchain asset to any other.
And so as the world of blockchain assets becomes richer and more intricate, shapeshift will have more and more roles to fill for various parties.
But I think the rise of Ethereum has shown that it's unlikely that we're going to live in a world.
with just one blockchain asset, being Bitcoin.
And that was my hunch when I got it started,
was that Bitcoin may forever be the biggest cryptocurrency used
or the biggest, most important blockchain.
But these software systems are so intricate enough
that they will have uses for different things.
And each blockchain is not going to be appropriate
for every other application.
The Bitcoin blockchain is not appropriate for every application.
And so that means,
there will be lots of these tokens.
And we're seeing lots of new tokens be built on top of Ethereum now.
So we have like the Digix gold token that was just released.
We have the Auger Reputation token that's coming out.
And all these things are built not to be competing monies with Bitcoin,
but they are valuable blockchain tokens.
And so ShapeShift is here to help this industry be able to convert any of those tokens
into any other one without any friction whatsoever.
So that brings up an interesting.
interesting topic, right? Ethereum. So when you have assets that are running like on top of a
blockchain, let's say you want to trade some Ethereum asset for Ether or for a different
Ethereum asset, does Shapeshiv still have a role in that? And is that a different role than
from, for example, just trading Bitcoin for Ether?
We're pretty agnostic when it comes to which tokens there are and how they're constructed.
we just know that there will always need to be a way to convert between them easily.
And because they are assets that have monetary value, it means there are lots of issues
surrounding liquidity and exchange.
And that's the kind of thing that can't necessarily just be programmed.
So ShapeShift is in many ways a service for the exchange of those things.
So you mean if you have, because it would be possible to do, let's say, for example, a decentralized exchange with, you know, let's say some Ethereum token and Ether, but then the issue might be, you may not have liquidity there, so it might still be better to use ShapeShift that leverages, some other exchange.
Yeah, I mean, and I'm a fan of decentralized exchanges, I'm glad to see them growing. We also will use them.
them because we plug into every exchange.
So the more exchanges out there in the world, the better our pricing becomes and the more
liquid we become as well.
But a lot of those trustless decentralized exchanges have sort of a capital cost, which is that
you have to put up escrow funds in order to hold balances or trade with people.
And so that means that they're in one dimension, it is less efficient to trade that way because
you're putting up sometimes double the capital per trade that you need to do.
And when you're talking about a small order, that's not a big deal, but when you're talking about
like industrial size financial operations, that starts to become a little unrealistic.
So, so shape shifts, you know, tries to provide the fastest and easiest way and probably
the most capital efficient way as well.
Okay, that's very interesting.
With decentralized exchanges, do you think that,
those problems are going to be solved, or do you think they will always have these kind of
disadvantages as opposed to centralized exchanges? I'm not sure. I think, as with many things in
this industry, decentralization is a really important goal and a fundamental principle of
what everyone's building, but not everything should always be decentralized all the time.
Decentralization comes with a certain set of features and costs to it, which are often great
and solve certain problems, but sometimes cause others.
And I think that the blockchain world is going to be nuanced enough
that there are going to be different times of services for different people,
just as the internet industry doesn't have just one company, you know, that runs everything.
There's a lot of different use cases for different things,
and so it'll be a healthy ecosystem.
And a lot of these tools help each other out.
So, you know, as I was saying, other exchanges provide us,
liquidity and they help make us better. I think the fact that Ethereum exists is good for Bitcoin.
I think it makes Bitcoin stronger and I think Bitcoin makes Ethereum stronger. And people are too
quick to jump to seeing all these things as competitors and there can only be one. But in reality,
the ecosystem I think will be very, very rich and dynamic. So another question that kind of goes into
the, you know, a little bit further future, right? So now we have
Ethereum and all kinds of smart contract chains, right?
So interactions between different blockchains might start to look a little bit different than simply moving a token around.
And you may have more complex type of interactions or contracts interacting with each other.
Are you thinking about the impact that will have on ShapeShift and whether Shapeshift will also be able to play a role in there?
Yeah. Sort of in the same way that we're coin agnostic, we're also technology agnostic. So the way that this whole industry evolves into the future, I think, is going to be unpredictable. There's no way to figure it all out today. So part of what we're building is a brand that people know, like, if I need to change one asset into another easily, shapeshifts the way to do it. The specific technology that shapeshifts using today is probably,
not the same that it's going to be using in five years.
And that's fine.
It doesn't matter to a user.
That's all things that our company has to work on to always stay competitive and always
be building things that are fundamentally useful to people.
In that vein, we have a cool new exchange that we're building right now, which isn't known
about yet, but which people will see later this year.
And I think it'll demonstrate that principle.
Can you talk about your product?
roadmap or of what extent are you willing to talk about some of the things that that you're
working on or that have in the pipe for um i don't want to i don't want to discuss it publicly without
you know getting the pass from our uh our team but suffice to say there are there's certain ways
of trading that are needed for large scale um operators and people who care a lot about price
and so we're building a tool to allow that without leaving our principles of non-custody.
So I know that's a vague answer and not helpful, but we'll let you guys know as soon as we're ready to talk about it.
Yeah, I think that was the definition of a vague answer.
Thank you very much.
At least I acknowledge it, though.
Yeah, no, but one thing you mentioned, which I thought was right on is that in terms of branding,
I think that you guys have been extremely successful at just really building that brand of shape shift is the one place where you can really simply and easily convert your coins from one to the other.
And I mean, we've said this many times on this show as a past sponsor.
And so, you know, really like good job for building that trust, not only the branding, but also being built sort of building trust in the ecosystem.
It's not easy.
And I think you're one of the companies in the Bitcoin space that really stands out in this regard.
Yeah, hopefully a lot of that just comes from like the customer service angle.
This is another one of those things that like a decentralized exchange is always going to have problems with.
Because to grow, you need to bring on new people.
And that necessarily means people who have not used the system before, who are not experts who have not read white papers on how things work.
And those people often need to have their hands held to one.
degree or another. And one of the principles that I think is really important for this industry
is to understand is that it will only grow to the extent that we make crypto stuff easy for people.
And that means, you know, being able to chat with them and walk them through these tools that
they're learning. This technology and these processes won't be ubiquitous for the next,
you know, for the next 10 years. And that means there's going to be a lot of work that has to be done
just to help people walk through it.
And so regarding the product right now,
like I'm on your website,
so you've got a couple of tools,
maybe focus on those for,
I mean, a lot of our listeners will know
about the lens extension,
the Shifty button, the skeleton plugin,
and all that stuff.
Specifically regarding the API,
what are the most common use cases
that people are using the API,
except for the obvious one,
which is having a shapeshift button
on your in your wallet that allows you to really easily exchange coins from one to another?
I think that as the world of, as the multi-token world proceeds, lots of wallets and services
will just buy their nature, support many tokens.
And for any customer that is using that service, they should be able to just snap their
finger and turn one into the other.
They should not have to withdraw one, send it to an exchange, sign up with that exchange account,
wait for the deposit to clear, putting that an ask a bid order, wait for it to be withdrawn,
and then send it back to where they came from.
That's a horrible user experience.
And so everything that has digital asset tokens in the future should allow immediate
conversion without friction between them.
That should be sort of a principle of the industry that all these things are immediately
liquid into each other.
And so to do that, you can plug in the shape shift API and have that ready to go immediately.
That's what we're building.
And that makes me think of something.
So one of the use cases that often gets thrown around in the blockchain space is fidelity points.
And one way in which blockchains can help optimize the way of the way.
fidelity point systems are built is by providing more transparency, et cetera.
But one of the things that people keep touting,
and I don't know if this is actually ever going to come to fruition,
is creating a liquid market for fidelity points where you can trade one type of fidelity
point for another.
Not sure if there's any incentive for brands to do that.
Do you see that as one potential use case for ShapeShift where, like,
brands and companies start issuing their asset and, yeah, like where you see that going
generally?
Yeah, we, and we've played around with this idea before.
I think another way that can look is with, like, access keys to an exclusive group.
So, ShapeShift has some number of users.
I mean, I guess we don't even know how many users we have by our nature.
But let's say we want to create a suite of special features and release 10,000 keys for those special features.
normally you would sell those as licenses to single people, but then those people are stuck with
them. And when they buy it, they're like, okay, if I buy this $100 thing, I'm spending $100 and I won't
ever get that back. So is it worth $100? If you tokenize it all and make it liquid, then if you
buy the $100 access key, you know that it will have a resale value and a very easy liquid resale
value. You don't have to post them on Craigslist and hope someone in your area will buy it for
30% of its value, you'll know that you'll always be able to check the price and you may well be
able to sell it for more than you bought it for if the service is growing. So it offers a whole new way
for people to engage with a company and a way to sell information that is both better for the
company because they can bring in revenue, but also better for the buyer of that information,
because when they're done needing that information, they can sell the rights onward to someone
else in a very easy liquid way. I think that is going to be a huge use case of blockchain assets,
but no one's doing it yet. So you've been involved in the cryptocurrency space for a long time,
and you've also quite experienced as an entrepreneur, and having started a whole bunch of projects.
Now, if you were to start something today, or what area would you look at?
There's a couple ideas that I won't mention because I may invest in them elsewhere, but
Someone still needs to build a way to go long or short any cryptocurrency immediately by just depositing Bitcoin.
So basically a website where if you have 10 Bitcoin, you can deposit that with that company.
And then go long or short any crypto asset that you want.
Something very easy with an easy user interface.
so that just by because there's so much hatred and anger for a lot of these alt coins,
people throwing out, you know, insults on Reddit forums about a certain asset,
they should be able to short that asset.
I'm a big fan of putting your money where your mouth is.
And if you make a service that's easy enough for people to do that,
then you don't need to argue about which assets are valuable and which are frauds.
If you know that if a certain asset is a scam, you go short the hell out of it and you'll make a bunch of money doing so.
And that both brings honesty to the industry and also I think would be just a really cool demonstration of the flexibility of Bitcoin.
So if I wasn't doing shape shift right now, that's one idea that I might pursue and someone needs to do it.
Wouldn't that be something that would be natural for you guys to build as well since you already have all the connections with the exchanges and you offer something?
that's somewhat similar?
Yeah. I mean, don't think we haven't thought about building it, but we have a list of like
20, 20 big projects that we want to work on. So I don't mind sharing that one with the community.
And it may well be something that someone can build and then use shape shift for the back end
to acquire or sell assets easily.
And what else? Are there some other areas where you feel like there's a lot of really exciting
innovation happening and a lot of opportunities sort of in the blockchain space?
Yeah, another area that's really that's going to take off, but is mostly stymied, I think,
by U.S. regulation is in, I don't know if there's a good term for it yet, but imagine like
a new artist, a new songwriter who has their fans, right? And those fans are super dedicated
and the fans know that this artist is going to be big in the future. But the artist doesn't
want to sign up with a big record label and go through all that stuff.
There should be a way that fans of a small project can buy, for lack of a better word,
equity in the future success of that project.
So let's imagine Taylor Swift is just getting started and she releases 10,000 Taylor Swift
tokens in her early days to her fans and then promises that future revenue from her work
will be paid out to those tokens, very much like investing.
in a business. That would be huge because people who know the artist is really good would love to both
support them financially, but also then reap the rewards if they're right about that. And this idea
came to me because my wife, Michelle, she's always, she always knows artists are going to be big
like two or three years out. And she'll have songs that are playing and she'll say that this person
is going to be huge. And I've seen this like 20 or 30 times where the artist a few years later is
really big. And if she could invest in those people, I mean, she'd be a multi-millionaire by now.
But there's no way to do it. And it would help the artist. It would help the users. It would be
really cool. But I think largely like U.S. securities regulation is going to prevent that.
So I don't imagine that's an innovation that will happen in the U.S., but it absolutely will
happen somewhere in the world. I feel like, you know, maybe a year or two ago, people were sort
of trying to experiment with this using things like counterparty or,
Yeah, mostly counterparty, I guess.
But what remains complicated is, like anything in cryptocurrencies,
is you have friction between the sort of fiat world and the cryptocurrency world,
because you need, I would assume you would need cryptocurrency to buy those types of tokens.
Or not.
I mean, imagine if the artist has a concert and can just give away or sell, you know,
cards to represent stakes in that person.
the friction at the start doesn't mean to be anything significant.
You can imagine them selling the Taylor Swift's shares for $10 a piece,
and that can be done in fiat at a concert.
The double-spend risk of a fan acquiring a share before it's worth a lot
is, I think, low enough that it would be completely doable.
But yeah, I think you write Samantzian that there was quite a few things around
that exploring that, I think Swarm was going in that direction as well.
And then with Adam Levine, some of the ideas there.
But it's a, I totally agree with you that it's a huge potential problem,
but it's also kind of a lot of things have to come together.
User experience is going to be a massive issue besides the regulations for sure.
Right.
And the big case of this, this goes back to the whole crowdfunding phenomenon.
which has gotten big.
And it's,
it almost goes against economic theory when,
when like people wouldn't contribute or invest in an early stage company,
but they would simply donate to it.
It's strange because in one,
you may get a big return and in the other,
you won't get any return.
But the better way to think of it is you're getting a certain return in sentiment
or in goodwill or something.
But with the Oculus,
everyone remembers it was like one of the first big crowdfunding successes.
And all these people contributed money to that project.
And they got like a T-shirt or maybe a free Oculus out of it.
And Oculus went on to become acquired by Facebook for like billions of dollars.
None of that money went to any of the people who originally contributed in the crowdfunding campaign.
I think that's terrible.
I mean, I think those early backers should have made huge returns on that contribution.
but largely because of securities rules, the company can't offer you potential returns.
They can only offer you zero returns.
That's essentially what the regulation has mandated.
So crowdfunding in general, that whole industry is growing really fast.
And I think if it could be tokenized and people could get an actual share of the future revenue of something in an easy, frictionless way,
not something where you're signing investment documents and hiring a lawyer to do due diligence.
But just if you have $20 and you like a project, you should be able to turn that $20 into $100 if two years later that project was a success.
It seems like something that's very possible now with frictionless payments.
But again, not in the US.
Yeah, absolutely.
So another interesting question about kind of your perspectives and views on the ecosystem, Bitcoin and blockchain.
Do you feel like there are some things that people aren't seeing clearly today and kind of,
people have the wrong convictions and beliefs in the industry?
The biggest area where people have wrong convictions is in vilifying each other
and on turning many opinions in the Bitcoin community into like a red team, blue team
polarization type thing.
The block size debate being the biggest example of this.
And it's been it's been really discouraging to see it because at this point it's gotten
to the extent that like, I would.
I was pretty disappointed with how, for example, Gavin was removed from his commit access due to the whole Satoshi thing.
And I, because basically the reasoning for removing him was that they thought he had been hacked.
And he, within a couple hours, came out and said he had not been hacked.
So what should have happened is the commit access was granted again.
And that should have been the end of it, regardless of what one thinks about him or Satoshi or anything.
And so I made that point.
And suddenly everyone starts thinking that, A,
I must think I must be on the bandwagon that Craig Wright was Satoshi and be that I'm against
core developers because I'm saying something in defense of Gavin on one specific point in one case.
And so it almost like stifles all sorts of opinion because you can't say anything without
the community pigeon holding you into a certain one team or the other.
And it's gotten so ridiculous because I have I have classic.
supporters that think I'm just a shill for core and I have core supporters who think I'm a
shill for classic and it's all a bunch of nonsense and I wish the community would realize that
like the real enemies are still very much out there in a traditional financial world and
it'd be really nice if people would stop vilifying each other who are all essentially other
core bitcoiners. Yeah, I couldn't agree more. I mean and I think that's been a really
sad thing to see how that's developed and just gotten worse and worse and worse.
Do you think there is some hope here, or do you see any way of that getting better?
I don't know.
It's probably a psychological or sociological phenomenon.
It's the same reason that in the U.S. you have Democrats and Republicans, and they are
largely the same in how they view government and what they think government should be
doing.
The amount of difference they have is actually quite small between them.
And yet each side thinks that the other is just the devil incarnate, totally horrible.
and it gets to the point where they don't debate policies or philosophy of politics and the role of government.
They talk about silly superficial things that are the easiest way of vilifying each other
and confirming their own suspicions that the other is the enemy.
And I guess it's just a human phenomenon.
And so if so, I don't really think it can be fixed,
but it's probably incumbent on each person to just try to not let themselves fall into the false narrative
that someone who disagrees with you is automatically an enemy and is automatically has bad intentions
and all that kind of thing.
Right.
And I certainly agree with you.
I think if one looks at the U.S., then it seems pretty clear that also we have seen a complete disintegration of dialogue and discourse, et cetera.
But the implications are interesting.
or if you look at something like Bitcoin or cryptocurrencies in general,
which are these projects managed by a community,
a little bit like a government or a nation in a way.
So if that's kind of the natural course of how these projects evolve,
what would that mean?
There is an important difference,
which is that anyone who's part of a country is essentially stuck in that country
and with that government as a citizen.
The friction to change your tax farm is very high.
Whereas in the Bitcoin and software open source world, it is really true that you can work on a different project if you want and leave.
And there's no capture there.
So I think it allows in a much smaller time frame for a good feedback effect where if the group is really going in the wrong direction,
people will move on to something else.
And that's an important lesson because there are a number of people in, I think, the Bitcoin
community who believe Bitcoin is the only way that you can do digital currency.
It is the best.
It will forever be the best.
Not because of its specific merits, but just because that's the flag they waive.
And so they dismiss anyone who's trying to point out like concerns or possible problems.
and if people become entrenched in that opinion,
then you really do run the project off the rails
and much of the community moves on to something else.
And then all those people are going to wake up someday and say,
well, what the hell happened?
Why did this fail?
And it's because they became isolated
and didn't try to listen to what other people were doing.
And all those times they told them,
well, if you don't like it, just leave.
They actually just left.
That's what I don't want to see happen with Bitcoin.
Yeah, I agree.
I mean, one of my points of view has been,
and this is probably something that couldn't have been done when Bitcoin was created, right?
Because Bitcoin was like complex enough,
so you couldn't really find solution for these problems that would arise like six years later,
seven years later, et cetera.
But I almost feel like you would need an explicit governance system
where people could kind of vote on protocols.
changes and things like that because even even though the the friction to maybe leave
big coins and go somewhere else is not that big it depends though right if you have a business
built on it it's very big and switching to a different version of the software is actually also
quite difficult right because you so so there is a huge kind of intrinsic thing where like
you know core has by being the different
false choice. It makes it actually really hard.
Yeah. There is there is friction, uh,
but it's important not to overestimate that friction.
It's important not to assume that just because Bitcoin is the biggest and most
important blockchain asset now that it will forever be. It, it may be, but it's not going
to be because it is now. It's going to be because it continues to become, it continues
to grow, um, as the market needs it to grow. If it doesn't, if it doesn't move along with how the,
what the market needs, then it will start to become marginalized.
And so it's important to be humble and realize that like Bitcoin is not perfect.
It should always, people that are involved in it should always be listening and talking and
just being polite to each other and trying to figure out, you know, a good way to move the project
forward without becoming hostile and isolated because that's a really good recipe for
the project to become the project to die. I mean, it's not going to die because of a government.
It's going to be died. It's going to die because the community itself, uh, poisons itself with,
with bad attitudes and bad behaviors toward each other.
The real value of Bitcoin is the community behind it.
And so if that gets sick, the technology won't be long behind.
Yeah, but I mean, the government's behind all this, you know,
the black size debate.
That's all.
So, you know, that's all good and everything.
And I think we can all agree that, you know, we need to be nice to each other and be humble.
But, you know, pragmatically, what you feel,
where you feel, you know, governments needs to go to, like, in what direction do we need to go in order to have, you know, proper governance around Bitcoin if we want this to continue, you know, to grow as a network?
I'm not sure. I'm not an expert on the best way to govern large groups and especially open source groups.
there are probably people in the open source software world who have some good opinions on that kind of thing.
But unfortunately, I don't know.
So one last brief topic.
You got involved in Bitcoin, I think partially also from coming from a libertarian background.
And it's pretty obvious to people.
I think the connection between liberty, you know, choice, having kind of, you know, control of your money.
and Bitcoin, right?
What do you see as the connection between maybe the larger concept of blockchain and liberty and libertarianism?
Do you see a strong connection there as well?
Well, the most fundamental connection is that like one of the, one of the biggest and worst powers
that states currently have is the ability to create and control money.
And money is such a large part of everyone's life that the fact that that sits within the seat of
government is really dangerous.
And so, like, my blog is called money and state.
And I often frame it as a, as I frame Bitcoin as, is the separation of money and state
in the same way that the church and state were separated.
And everyone today understands why that was so important and agrees that it was good,
that that happened.
And yet, we give an even more important institution, which is money over to the government.
So Bitcoin is proving that free market money can work.
it's proving the innovation.
One of the coolest things to see is that the security and consumer protection that is getting built, not by regulation, but by companies in this industry building products to serve consumers.
And ShapeShift is an example of that.
So we don't hold customer money and we don't take customer information.
And when we got hacked, we didn't lose customer information and we didn't lose customer money.
So we protected both people's finances and their personal identity.
And this is something that none of the regulations seem to appreciate is that the goals of regulation, which are often noble, which are protecting people and preventing crime, you know, actual crime, those things can be done without government being involved.
Those things can spontaneously emerge out of market processes.
And it's a little new, it's a nuanced argument that a lot of people don't appreciate because they always want this sort of top-down leader.
but the blockchain industry in general, I think, demonstrates that without a top-down leader,
order can still happen.
Innovation happens much faster.
The system is much more resilient and flexible.
And ultimately, it's more just.
Cool.
Thanks so much.
I think that's a great note to end on.
And I'm certainly very excited to see where this all leads and what this world will look like
because I think it will look quite radically different with all these different projects
and to see kind of roll.
the evolving role the little blue shape shift fox is going to take on and where on all the places
where it's going to jump out at you in the future well thanks a lot for having me on the show today guys
yeah thanks so much and and just one last thing so if you look at eric we do want to point out that
in the background there there is the bear whale i mean i saw that when he just went to the bathroom
before and i was like i know that one if if you're curious about that just
Google Bear Whale and it was quite a hilarious story I think we'll put there.
Who's the artist who made that?
The last name is Hable.
So after the Bearwell thing, ShapeShift basically put out a bounty to see if some artists would,
we wanted to commission some like artwork for the bear whale and the slaying of the
bear whale back in fall of 2014.
And we selected two of the best ones and this was one of the,
them. I think Matt Hable is the guy's name.
But if you go to shapeshift.io slash bearwale.html, the whole story is there, plus the other
artwork. There were so many great artists that they were also making bear whale artwork.
That's definitely one of the best parts of the community is just all the jokes that people
have with each other and the funny things that get built on top of it.
The bear whale is, I think, going to be a symbol in Bitcoin forever.
just like the honey badger and the alpaca yeah and of course dorian's lunch today as well
yeah and dorian dorian himself i mean he will forever be a symbol for the community okay well
eric thanks so much for coming on it was a pleasure uh finally meeting you like this as opposed to
via email and uh talking about shape shift i mean it's a really exciting project and we we are you know
I'm excited to see what the company will accomplish over the next few years.
Yeah, glad to be on the show.
And thank you guys for doing this show.
It's definitely something I try to listen to all the time.
You guys have been putting out great content for years now.
So keep up the good work.
Thank you.
And yeah, it's great to meet you as well.
Actually, this is the first time we've actually spoken, I think.
Because even before, like, when we were setting up the sponsorship with ShapeShift,
like way back when you guys weren't even sort of, it wasn't even public.
that you were the CEO and you were going to
or something like that.
Yeah, I was under my my alter ego.
Yeah.
And I mean, we've just been working with your team.
So we never actually got to speak.
So yeah.
Yeah, that's totally true.
I forgot that we were like that there was some fake name.
What was it again?
Bjorn.
Your is a character in Lord of the Rings.
He's the shape shifter.
Oh, yeah, yeah.
All right. Well, thanks so much and thanks so much for listeners.
So we're part of the Let's Talk Bitcoin Network.
You can find our show and lots of other shows on lessofbidcoin.com.
Of course, you can also subscribe to it in any podcast app or watch the videos on
YouTube.com slash episode of Bitcoin.
And if you'd like to, you can leave us a review and then email us and show at Episode of Bitcoin.com
and we'll send you a t-shirt.
So thanks so much and we look forward to being back next week.