Important Note: please see the bottom of the post for updates.
ClearCoin is announcing a fork from its old symbol CLR to a new symbol XCLR. To be crystal clear, this is a change of only the token name and nothing else will change, except for the new smart contract which will be identical to the CLR smart contract. You will have control over XCLR immediately when we finish the forking process, just as you did before the fork. All holders of CLR will be given a 1:1 distribution of XCLR for the amount of CLR they were holding – this fork is not a new sale or offering of tokens, as XCLR tokens will become the main and only token to be used on ClearCoin’s network and the utility of XCLR will be the same as the utility of CLR. To avoid any confusion: XCLR will fully replace CLR and holders will be given the amount of XCLR they were previously holding in CLR. There will not be any impact on fees or transaction times because both CLR and XCLR were built on the Ethereum blockchain.
Theft and criminal activity are unfortunate events in today’s worldwide utility-token economy. With over $1 billion of crypto heists reported in recent years, we were not expecting to be another statistic on the list. Despite our best efforts and commitment to secure CLR utility tokens, we have unfortunately become a victim of cyber crime.
On May 26, our company’s cold storage hardware Trezor wallet was the subject of a malicious action by an external attacker compromising 430 million CLR tokens, which were transferred out of the wallet to an unauthorized address. A few of those tokens were promptly sold on exchanges causing the price of the token to take a significant drop. The 430 million CLR tokens were being held for the development fund and for usage in the ClearCoin network of blockchain related products.
The tokens that were transferred from company wallets were obtained by theft and the event is being treated as a cyber crime. The hardware wallet was not moved from its secure location. It’s unclear how access to the wallet was gained, and no person at the company is considered a suspect. While there have been stories recently about vulnerabilities with hardware wallets, at this time it appears to be a form of malware attack that gained remote access to our sensitive data that had information on how to recover the Trezor wallet (update: please see the bottom of the post for more details on the results of the investigation). As a guideline, we’ve seen great innovations in the crypto economy, but we’re also aware there are many unsavory acts taking place. Given the malicious activity against the company, we are implementing protocols going beyond industry security protocols which, for the sake of protecting our business, we are not publicizing entirely. The company will keep its future holdings in multi-signature wallets which will require a number of people to sign off on transactions before they happen. While multi-signature wallets come with their own pros and cons, we’ve decided it’s the best option going forward.
We are notifying the appropriate authorities, and our investigation remains ongoing.
Because all holders of CLR will be given XCLR in a 1:1 ratio to their holdings, we are working hand in hand with the exchanges to facilitate the distribution on this 1:1 ratio. The current platforms that we are listed on include HitBTC, YoBit, and IDEX. The company has decided, after much deliberation and discussion with industry experts, that the fork is the best option because the amount of tokens stolen from the company is expansive.
The world’s #2 crypto also went through a fork with Ether Classic (ETC) and Ethereum (ETH). This was after the DAO hack of $50 million. As Ethereum has recovered into a strong future, we believe this fork continues the strong future for ClearCoin.
We plan to complete the fork within one week and give CLR holders XCLR in a 1:1 ratio to their holdings. However, for those that are holding CLR in exchanges, the conversion may take longer than a week in order to coordinate with the exchanges who are holding balances of CLR tokens. We expect they should be able to move quickly as well, but we need to work with them to ensure everything is executed properly. Any inquiries related to the distribution of XCLR to CLR should be directed to firstname.lastname@example.org
While the company is completing the fork, we’re providing you with the following security best practices as reminders:
- You will not have to do anything during the fork from CLR to XCLR.
- Do not respond to any emails or communications except from authorized individuals from the company.
- We will never ask for your private key or any other password for your wallets or account. If someone asks for such information, please immediately report it to email@example.com.
- The company’s official email addresses are from the domain “clearcoin.co”. Please make sure emails from the company come from the domain “clearcoin.co”.
- Please wait for the fork to be completed before moving or attempting to move your XCLR utility tokens.
- Follow best practices for private key management to reduce your risks.
It is worth noting this event did not affect the native ClearCoin wallet. The native ClearCoin wallet encrypts information using FIPS 140-2 validated hardware security modules. This event only affected the company’s cold storage hardware Trezor wallet and no user personal information was obtained or compromised.
The development of the company is going very strongly and we are excited about the future of the company and its suite of products. We have a team of dedicated individuals who have been working around the clock to build an enduring company in this space. There have been significant advancements to the Bidder, Explorer, and Wallet products. We are ahead of schedule on the Explorer product which is slated for December 2018 and we are excited to share more positive, exciting updates over the next few months.
Our managed services capability for media and advertising allows us to bid on 30 ad platforms. The user interface of this platform remains scheduled for June 2018.
Moving forward we will continue to improve security. We are incredibly focused on building the company and the products we have committed to building, for we know ClearCoin is positioned for great success. There is a bright future ahead at ClearCoin.
If you have any questions related to this, please remember to submit support tickets using firstname.lastname@example.org
We are overwhelmingly appreciative of our community and the support they have given us since day one and are committed to the long-term success of ClearCoin. We will continue to post updates in the weeks ahead as we work to resolve this and in the longer-term with more frequent product updates and other exciting news.
Frequently Asked Questions related to the fork:
If I have CLR in a MEW wallet or any other Ethereum Wallet, will I receive XCLR?
Yes, you will. You may need to add the XCLR contract address and there will be more details on this to come soon.
If I bought CLR after the hack, will I be reimbursed for those CLR?
Yes, we will work this out with the exchange platforms.
Do I need to move tokens anywhere to participate in the fork?
For non-exchange users – no. For exchange users – please see the forms on this post.
Update 6/12: Further analysis of the breach revealed that the malicious addresses involved also breached the smart trading app known as Taylor. The hack of Taylor involved addresses that also made malicious transfers in connection with the breach of CLR. The management team at Taylor mentioned the malicious addresses were also involved in other similar hacks. Similar to the Taylor situation, it appears that a remote attacker gained access to encrypted information on a password manager which contained information on how to access wallets. Given the breach of that information, the attackers were able to take control of the wallets. Given our implementation of multi-signature wallets for future transactions, this situation will be prevented. The trade volume of CLR in the 24 hours after the hack was less than $25,000, so the attackers were not able to sell a significant amount given our prompt announcement of the breach.
Update 7/3: Cyber security experts we spoke with cited a Remote Access Trojan (RAT) as the means by which the attackers were able to access the password manager which contained the seed phrase for the Trezor. The company is no longer storing information like this in password managers and the company has moved on to using multi-signature wallets, which are a far safer alternative. The report was submitted to IC3 as it is the organization with jurisdiction on this matter.