Scott Purcell, the founder and CEO of Fortress Trust, a custodian that protects clients’ crypto, told Fortune that his company lost $12 million to $15 million worth of crypto in a recent hack. Most of it was Bitcoin, but small amounts of USDC and USDT, the two largest stablecoins by market capitalization, were also stolen.
“It was $12 to $15 million out of billions, and we covered it right away,” he told Fortune, referring to the total amount of stolen cryptocurrency compared to the amount Fortress Trust holds in custody for clients. “It was actually only four customers out of 225,000 customers.”
Purcell’s previously unreported admission follows a report from The Block that crypto giant Ripple reimbursed customers affected by the hack as part of its recently announced acquisition of Fortress Trust. The crypto custodian had previously said that the security breach resulted in “no loss of funds.”
A Ripple spokesperson declined to comment on the extent of the security breach, but said that “the amount used to cover customers’ funds was baked into the deal.”
On September 7, Fortress revealed that four “Fortress customers were affected by a third-party vendor whose cloud tools were compromised” and wrote that “affected accounts were fully restored.”
The next day, Ripple announced the acquisition of Fortress, with CEO Brad Garlinghouse saying in a statement that the company has “built an impressive business with recurring revenue and a strong roster of both crypto-native and new crypto customers.”
At the time of the announcement, neither Ripple nor Fortress Trust disclosed that Ripple had agreed to make customers whole as part of the deal. In The Block’s report on the added wrinkle to the partnership, a Ripple spokesperson said the talks were “accelerated through a third-party analytics vendor last week after the security incident, but this opportunity makes sense for Ripple in the long term.”
Purcell, the former CEO of Prime Trust, another crypto custodian that filed for bankruptcy after allegedly misusing customer funds amid a security breach, declined to identify the four customers affected by the hack or the “third-party vendor whose cloud tools were compromised.”
“As you can imagine, the first few days were complex and involved (and continue to involve) the FBI, Secret Service, regulators and others,” Purcell told Fortune in an email. “We have brought in cybersecurity teams that are very experienced with these things to go through the system and make sure nothing else is affected.”
Purcell repeatedly emphasized that the blame for the security breach lay with the third-party vendor, not Fortress Trust, or the company’s custody partners, Fireblocks or BitGo.
A spokesperson for Fireblocks did not confirm the extent of the security breach to Fortune. “We can confirm that the breach occurred on a third-party service with a pre-configured automated authorization and that the Fireblocks platform behaved according to the configuration,” she said in a statement.
BitGo CEO Mike Belshe previously posted on X (formerly Twitter) that the incident “had nothing to do with BitGo.” He added: “The real victims here are Fortress’ customers who deserved enough respect to find out the whole truth. They cannot be blamed.”
Purcell, the CEO of Fortress Trust, told Fortune that BitGo had also been in the running to acquire his company: “As you’ve seen in his sour grapes tweets, Mike Belshe chose to violate our NDA to essentially whine about me not giving him the trust company sold.”