Scott Purcell, the founder and CEO of Fortress Trust, a custodian that safeguards customers’ crypto, told Fortune that his firm lost $12 million to $15 million in crypto in a recent hack. Most of that was Bitcoin, but small amounts of USDC and USDT, the two largest stablecoins by market capitalization, also were stolen.
“It was $12 to $15 million out of billions, and we covered it right away,” he told Fortune, in reference to the total amount of stolen crypto compared to the amount Fortress Trust holds in custody for customers. “It was only really four customers out of 225,000 customers.”
Purcell’s previously unreported admission follows a report from The Block that crypto giant Ripple reimbursed customers affected by the hack as part of its recently announced acquisition of Fortress Trust. The crypto custodian had previously said the security breach resulted in “no loss of funds.”
A spokesperson for Ripple declined to comment on the extent of the security breach but said that “the amount used to cover customer funds was baked into the deal.”
On Sept. 7, Fortress disclosed that four “Fortress customers were impacted by a third-party vendor whose cloud tools were compromised” and wrote that “impacted accounts were fully restored.”
The next day, Ripple announced its acquisition of Fortress, with CEO Brad Garlinghouse saying in a statement that the firm has “built an impressive business with recurring revenue and a strong roster of both crypto-native and new-to-crypto customers.”
At the time of announcement, neither Ripple nor Fortress Trust disclosed that Ripple had agreed to make customers whole as part of the deal. In The Block‘s report on the added wrinkle to the tie-up, a spokesperson for Ripple said that conversations “accelerated last week following the security incident via a third-party analytics vendor, but this opportunity makes sense for Ripple in the long term.”
Purcell, the former CEO of Prime Trust, another crypto custodian that went belly up after it was alleged to be misusing customer funds amid a security breach, declined to identify the four customers affected by the hack or the “third-party vendor whose cloud tools were compromised.”
“As you’d imagine, the first few days were complex and involved (and continue to involve) the F.B.I., Secret Service, regulators and others,” Purcell told Fortune in an email. “We brought in cybersecurity teams who are very experienced with these things to sweep the system and ensure nothing else was affected.”
Purcell repeatedly emphasized that fault for the security breach was with the third-party vendor, not Fortress Trust, or the company’s custody partners, Fireblocks or BitGo.
A spokesperson for Fireblocks did not confirm the extent of the security breach to Fortune. “We can confirm that the breach happened on a third-party service with a preconfigured automated authorization and that the Fireblocks platform behaved according to the configuration,” she said in a statement.
BitGo CEO Mike Belshe previously posted on X (formerly Twitter) that the incident had “nothing to do with BitGo.” He added: “The real victims here are Fortress’ clients who deserved enough respect to get the whole truth. They are not to be blamed.”
Purcell, the CEO of Fortress Trust, told Fortune that BitGo had also been in the running to acquire his company: “As you’ve seen from his sour-grapes tweets, Mike Belshe has chosen to violate our NDA to essentially whine about me not selling the trust company to him.”