Mar 8, 2009

Libertyreserve: $110.000 stolen

[Originally posted on Mar 5, 2009]

We are a few Libertyreserve users and our common point is that we own accounts with a large amount of money. At the beginning of February 2009, our money was stolen by a mysterious transfer order sent by, according to the account histories, the Libertyreserve API.

One screenshot for a hack of about $40k can be seen here
Another one for about $70k can be seen here

Neither of us ever registered an API in our LR account, and either an LR bug that was exploited by hackers or an internal job by an LR staff member could have allowed an API to be registered in the first place. (The usual way to do this is to log in to the LR account and then register the API; the process requires the account number, the password, and 2 PIN codes, one of 5 digits and one of 3 digits.)

Moreover, the fact that only accounts with a large balance were wiped, as far as we know, could lead one to think that somebody inside the LR company could scan the accounts, see which ones had the largest balances, and then wipe them.

Almost immediately after this happened, the Libertyreserve API system was turned off, officially because of a small bug. Some hours later, the whole Libertyreserve system was turned off, officially for an SSL certificate update, then for a Cisco update, then to upgrade some functions, then to publish some party photos, then to allow using debit cards, etc. The full downtime was about 4 days.

As soon as the website came back online, both of us contacted Libertyreserve through their online "Support", asking for an explanation about our money, and for our money back. More than 48 hours later, neither of us had received any reply. The only reaction from Libertyreserve was a message on their blog saying "[xxx] You may be introduced to some quite bizarre rumors during this outage and false information that was cooked up by an unfriendly and dishonorable competitors [xxx]"

The Libertyreserve team seems to be hiding, as they do not publish any phone number on their website, nor in their whois. We then couldn't do anything but wait for them to reply to our messages.

At the same time, we learned that 2 of the biggest Libertyreserve accredited exchangers, Swapgold and WM-Center, were instructed by Libertyreserve not to process any of the pending SELL orders, and not to accept any more SELL orders. We know that at least one of these exchangers is still waiting for an update from Libertyreserve after 4 days, as his business suffers from this. So far, Libertyreserve has not replied to him either.

Because of this silence, we decided to make the case public, and at the same time to launch a legal action against Libertyreserve, a Costa Rican company, if on Monday 9th March Libertyreserve has neither refunded our money nor at least replied to give serious explanations. We are able to understand that sophisticated software may have backdoors, but in this case the company must take responsibility and compensate the clients for their loss. In the case of a legal action, we will ask for the payment of our money back, plus large penalties, plus the payment of our fees. We will *not* give up.

Some updates will be posted here, as long as they do not interfere with the juridical process.
