The Russian IT company was created by people from the magazine “Hacker”
Crypto exchange KuCoin, which is one of the ten largest in the world, accuses its IT contractor, Convexity, of “hacking into servers and misusing confidential information,” RTVI reports. At the same time, Convexity denies its guilt and accuses subcontractors of hacking the crypto-exchange – Wallarm, a well-known Russian company in the field of IT, which was created by Ivan Novikov and Stepan Ilyin, natives of the Hacker magazine. Wallarm also denies allegations of hacking.
Litigation between KuCoin and its information security contractor, Convexity, began back in 2019. All parties accused each other of violating the terms of the agreement on the provision of information security services. However, KuCoin went further and filed a lawsuit accusing Convexity of “violating privacy by hacking [KuCoin’s] server and misusing sensitive information.” Convexity denied these accusations, but filed a lawsuit against Wallarm, in which it stated that Wallarm and its founder and CEO Ivan Novikov were personally responsible for the KuCoin hack.
“KuCoin alleges that Novikov and Wallarm illegally, for several times, accessed the KuCoin system without authorization, downloaded sensitive user information, source code, trading data, user software, algorithms, methods, user database and other confidential information belonging to KuCoin and / or its users, and even tried to access customer funds – all this bypassing the law, the Convexity lawsuit says. “KuCoin argues that Convexity should be held accountable for the alleged wrongdoings of Novikov and Wallarm.”
Wallarm, in court filings, calls the hacking allegations “false,” “extremely damning allegations” made by companies local in the information security market, damage and adversely affect its business and professional reputation. The company also claims that the allegations are unfounded and are intended only to “clutter up the case file,” which aims only to “improperly obtain money.”
According to RTVI, in 2018, the KuCoin crypto exchange and Convexity planned to create a joint venture. It was assumed that KuCoin will contribute its technology platform for cryptocurrency trading to the joint venture, and Convexity will manage the operational and legal issues of the joint company. Before establishing the joint venture, we decided to conduct a comprehensive assessment of KuCoin’s business and its investment risks. Pentest became part of the process.
Convexity personally involved Ivan Novikov to conduct the pentest. In August 2018, he was verbally contracted by simply discussing the terms of the job in a messenger, and then provided him with a copy of the pentest agreement between KuCoin and Convexity, and explained that the work must comply with its terms.
After the pentest, Convexity decided to continue working with Novikov and in December 2018 signed a contract with his company Wallarm to provide information security services to KuCoin under the service agreement. Wallarm was supposed to provide KuCoin with its Wallarm WAF software, provide infrastructure audit, ongoing support and protection of services.
In September 2019, the service agreement between KuCoin and Convexity, and therefore the service agreement with Wallarm, was terminated. This was followed by appeals of all companies to the courts. In October 2019, Convexity filed a lawsuit with the Singapore International Court of Arbitration against KuCoin, the crypto exchange then filed a counterclaim. In April 2020, Convexity filed a lawsuit against Wallarm and Ivan Novikov personally in the Supreme Court of California for the District of San Francisco, and in March 2021, Wallarm responded with a counterclaim.
KuCoin claimed in court that it terminated the service agreement with Convexity, as the company I “materially violated my contractual obligations.” Additionally, the exchange filed a separate lawsuit alleging that Convexity “violated privacy by hacking [KuCoin]’s server and misusing the company’s confidential information.” KuCoin also noted that the agreement with Convexity was “concluded under pressure,” but there are no clarifications of what this pressure was in the open case materials.
Convexity, in a Singapore court, demanded that KuCoin pay a $2.8 million penalty for premature termination of the service agreement and denied allegations of hacking, and in a US court, the company blamed its subcontractors, Wallarm, for all the problems. “KuCoin has completely lost confidence in Wallarm and, as a result, in Convexity itself,” Convexity said in court filings. The reason for this, according to Convexity, was “extremely flawed” services from Wallarm, which consisted of “slow response, inattention, software misconfiguration, failure to detect or prevent security incidents experienced by the KuCoin team, as well as a high level failures of Wallarm software”.
In addition, Convexity filed claims regarding the conduct of the pentest: the company stated that it was not personally conducted by Novikov, but by Wallarm – and this was not agreed and authorized by either Convexity or KuCoin. “KuCoin alleges that Wallarm’s intervention in the pentest was a violation of the pentest agreement,” the case file says.
Litigation between KuCoin, Convexity and Wallarm is in its third year and is still ongoing.