Liberio — A Detailed Report Regarding Unauthorized Access

EONS
5 min readNov 17, 2019

--

This report will provide an official and authorized account of relevant and factual information concerning the issues and unauthorized account breaches that plagued the now-deprecated Liberio platform, problems which began in Feb 2019 when the first reports of user accounts experiencing unauthorized access occurred. Certain aspects of this report reference data that is incomplete and impossible to validate, so this report will serve to provide clarity from data that is both public and private, and in our custody, while avoiding unwarranted conjecture or accusation.

Liberio was an online wallet that claimed to utilize data sharding to store encrypted data on the ALQO masternode network, masternodes are the backbone of the ALQO network. The ALQO network first launched in November 2017 and multiplied rapidly due to the ambitious roadmap and the fully disclosed and public team. A main contributing factor to ALQO’s early success was the Liberio wallet. Liberio promised to be a multi-coin wallet that would be the first to implement unique and highly sought-after technology; cold staking, encrypted data sharding, and more. It’s important to note that with the data structure it promised the types of attacks that occurred would have been virtually impossible.

By former lead ALQO developer Kevin Collmer’s admission, Liberio was built and architected solely by him to include these technologies and presented to the community as a safe alternative to existing coin storage wallets. Liberio promised to be safe, virtually impenetrable, multi-coin enabled, and scalable, featuring cold staking via an innovative process, and other new technologies. In the months after Liberio’s launch leading up to the unauthorized account reports, functionality seemed to behave as promised, and user accounts and funds appeared secure. Kevin Collmer’s statements to the executive board and the ALQO community led many to believe that Liberio was an early success.

In an ongoing effort to increase transparency and legitimacy to the ALQO product line, specifically Liberio, current, and former executive team members requested access to the Liberio source code so to seek 3rd party independent security code audits. Time and time again, lead developer Kevin Collmer stalled or outright declined requests to make the source code available. He cited a competitive advantage as the primary purpose of maintaining closed source code. It’s worth mentioning; closed source code has its benefits; however, the integrity of a platform is paramount. When a platform experiences issues, immediate response, and disclosure of functionality should be made available to its users; such action helps mitigate the further loss of user funds and brand integrity.

In Feb of 2019, several Liberio users reported having their accounts compromised and their funds withdrawn. The reports similar, users logged in to their Liberio account, funds shown as transferred out of their Liberio account, and the same funds appeared as deposited into newly created accounts on the decentralized exchange, Crypto-Bridge, where they were sold off for BTC & ETH. The BTC & ETH funds were withdrawn from Crypto-Bridge to a 3rd party wallet (in several instances, provably to Kraken) for exchanging to fiat or settlement via OTC transactions for fiat.

Around the time the first Liberio user accounts were reported compromised, an ALQO community member going by the alias Yannick#0007, provided blockchain data suggesting the developer’s fee wallet address (a wallet controlled and maintained by former lead developer Kevin Collmer) could have co-mingled with transactions which traced back to the compromised Liberio user accounts. At the time this information was made public, executive members of ALQO requested that lead developer, Kevin Collmer, make a thorough investigation into the platform breaches and release a public statement regarding his findings in response to the claims made by Yannick#0007. Additionally, the executive board called for releasing Liberio’s code as open-source, and to have a 3rd party audit of the Liberio source code by a leading code auditing firm to provide a report to release to the public.

Kevin continued to deny access to the source code, again citing competitive advantage as the main reason. He maintained the platform was safe, that data was encrypted, and sharded on the masternode network while presented with evidence to the contrary. Kevin suggested that users made password difficulty errors (used weak passwords) to secure their Liberio accounts and suggested that users take additional precautions to protect their accounts. Additionally, he suggested users were experiencing brute-force attacks as the reason for the unauthorized access to their accounts, methods which seemed improbable given the nature of architecture upon which he claimed to have built Liberio. Kevin dismissed the criticism, and at the behest of the community and ALQO management team, instituted 2FA as a security feature and gave the “OK” for Liberio to continue to operate as usual.

As the weeks and months went by, additional users reported experiencing similar unauthorized account access, having their XLQ funds transferred from their accounts, and then liquidated on Crypto-Bridge. A pattern emerged that the Liberio account breaches only be explained by a significant code deficiency or by internal unauthorized access by the single person with access to the backend code, Kevin Collmer.

It was at this time that CEO, Jared Grey, pressed Kevin to provide the public with a comprehensive overview of the platform, with its architecture detailed in a series of technical articles, and to make the Liberio code open source. Kevin finally agreed to provide this insight. The articles were scheduled to be made public Nov 1st, announced in a Medium article on the ALQO Medium account. During the time leading up to the Nov 1st release date, Kevin did not attempt to satisfy the requests, to provide access to the Liberio source-code, or to help in ongoing investigation attempts conducted by the executive team. Kevin’s actions demonstrated he had no intention of delivering the articles or source code, and he was asked to step down from the role of lead developer of ALQO and CTO of Bitfineon GmbH.

In closing, it is the prevailing opinion of the ALQO management team that Kevin Collmer’s actions contributed directly to the loss of user funds on Liberio, which were the result of unauthorized access. And, that his inaction to deliver remediation in the form of technological insight and bug fixes for Liberio constitute negligence, which exacerbated the loss of user funds and brand integrity for ALQO. We hope that Kevin’s departure will allow the community to heal and that the Liberio compensation fund will help pay for any user losses. Please reach out to the ALQO management team in Discord if you have further questions regarding this topic.

--

--

EONS

A decentralized ecosystem for financial services.