Scott Purcell, the founder and CEO of Fortress Trust, a custodian that safeguards customers’ crypto, told Fortune that his firm lost between $12 to $15 million in crypto in a recent hack. Most of the crypto lost was in Bitcoin, but there were small amounts of USDC and USDT, the two largest stablecoins by market capitalization, also stolen, he told Fortune.
“It was $12 to $15 million out of billions, and we covered it right away,” he told Fortune, in reference to the total amount of stolen crypto compared to the amount Fortress Trust holds in custody for its customers. “It was only really four customers out of 225,000 customers.”
Purcell’s previously unreported admission follows a report from The Block that crypto giant Ripple reimbursed customers affected by the hack as part of its recently announced acquisition of Fortress Trust. The crypto custodian had previously said the security breach resulted in “no loss of funds.”
A spokesperson for Ripple declined to comment on the extent of the security breach but said that “the amount used to cover customer funds was baked into the deal.”
On Sept. 7, Fortress disclosed that four “Fortress customers were impacted by a third-party vendor whose cloud tools were compromised” and wrote that “impacted accounts were fully restored.”
The next day, Ripple announced its acquisition of the crypto custodian, with its CEO Brad Garlinghouse saying in a statement that the firm has “built an impressive business with recurring revenue and a strong roster of both crypto-native and new-to-crypto customers.”
At the time of announcement, neither Ripple nor Fortress Trust disclosed that Ripple had agreed to make customers whole as part of the deal. In The Block‘s report on the added wrinkle to the tie-up, a spokesperson for Ripple said that conversations “accelerated last week following the security incident via a third-party analytics vendor, but this opportunity makes sense for Ripple in the long term.”
Purcell, who was the former CEO of Prime Trust, another crypto custodian that went belly up after it was alleged to be misusing customer funds amid a security breach, declined to identify who the four customers affected by the hack were as well as who the identity of the “third-party vendor whose cloud tools were compromised.”
“As you’d imagine, the first few days were complex and involved (and continue to involve) the F.B.I., Secret Service, regulators and others,” he told Fortune in an email. “We brought in cybersecurity teams who are very experienced with these things to sweep the system and ensure nothing else was affected.”
Purcell repeatedly emphasized that fault for the security breach did not lie with third-party vendor, Fortress Trust or the company’s custody partners, Fireblocks or BitGo.
A spokesperson for Fireblocks did not confirm the extent of the security breach to Fortune. “We can confirm that the breach happened on a third-party service with a preconfigured automated authorization and that the Fireblocks platform behaved according to the configuration,” she said in a statement.
BitGo’s CEO Mike Belshe previously posted on X that the incident had “nothing to do with BitGo.” He added: “The real victims here are Fortress’ clients who deserved enough respect to get the whole truth. They are not to be blamed.”
Purcell, the CEO of Fortress Trust, told Fortune that BitGo had also been in the running to acquire his company. “As you’ve seen from his sour-grapes tweets,” Purcell told Fortune. “Mike Belshe has chosen to violate our NDA to essentially whine about me not selling the trust company to him.”
