← back to the index
VT-012 Crypto exchange · Canada 2018

MapleChange — Claimed a Hack, Deleted Everything, Never Came Back

trading-exchangeat-largeico-era
Platform
MapleChange
Est. Losses
~$5.9M (913 BTC at October 2018 prices)
Users Affected
Undisclosed; exchange listed 62 tokens
Status
At-Large

Summary

MapleChange, a small Canadian cryptocurrency exchange that had launched in May 2018, announced on October 28, 2018 that it had suffered a hack in which all funds were drained from its hot wallets. The same day, the exchange deleted its Twitter account, its Discord server, its Telegram channel, and its website. The reported loss was 913 Bitcoin — approximately $5.9 million at the time — which the exchange attributed to a bug that allowed users to exploit the withdrawal system. No verifiable evidence of an external hack was ever produced. The exchange's operators were never publicly identified through any confirmed name or legal proceeding, and no charges have been filed in connection with the incident.

The sequence of events on October 28 — hack announcement followed within hours by simultaneous deletion of every public-facing channel — was widely characterised by security researchers and the crypto press as an exit scam executed under the cover of a fabricated security incident. The anonymous internet investigation that followed the deletion identified an individual suspected to be behind the exchange, but no law enforcement body has publicly confirmed or acted on that identification. Approximately five months of operations and 913 Bitcoin in customer deposits were the total scope of the exchange's existence.

The users who lost funds at MapleChange were cryptocurrency traders who had deposited Bitcoin, Litecoin, and other altcoins into a platform that had listed 62 trading pairs and was in the process of building a user base. Many had modest balances; some had more significant positions. The exchange had been in operation for only five months, had no known regulatory registration, no published team information, and no audited financial records.

Timeline

May 2018
MapleChange launches
The exchange opens to users, listing 62 token trading pairs including Bitcoin and Litecoin. The platform presents as a Canadian-operated altcoin exchange in the mold of larger competitors. No operator names or team information are published.
May–October 2018
Exchange builds user base
MapleChange processes trades across its listed pairs, accumulating Bitcoin and altcoin deposits from users. Peak trading activity, per post-incident analysis, reached approximately $67,000 in daily volume.
October 22, 2018
Trading volume recorded
On-chain and exchange-side records show that MapleChange handled 9.837 BTC ($63,693) in trades on October 22 — six days before the claimed hack.
October 27, 2018
Site taken offline for "server upgrade."
MapleChange's website and trading interface go down, ostensibly for maintenance.
October 28, 2018
Hack announced
MapleChange posts on its official Twitter account announcing that "due to a bug, some people managed to withdraw all the funds from our exchange." The announcement frames the loss as a technical exploit rather than an external intrusion.
October 28, 2018
All social media deleted
Within hours of the hack announcement, MapleChange deletes its Twitter account, Discord server, and Telegram channel. The website remains offline. The statement "Because we have no more funds to pay anyone back, the exchange has to close down unfortunately" is the last official communication before deletion.
October 28–29, 2018
Internet investigation
Community researchers identify IP addresses associated with MapleChange infrastructure and circulate the name and address of an individual suspected of being the exchange's operator. The individual's prior association with a cryptocurrency called Weycoin and a related mining pool is cited in the investigation.
October 29, 2018
Twitter briefly reactivated
MapleChange's Twitter account is briefly reactivated, with a statement that the team had not disappeared and had merely turned off accounts temporarily. The exchange acknowledges it cannot refund users and states it will open remaining wallets for whatever token balances are left.
Late October 2018
Remaining token distribution
The exchange indicates it will distribute whatever non-BTC, non-LTC token balances remain in the system to users, and directs losses toward the development teams of the affected cryptocurrency projects. No Bitcoin or Litecoin is returned.
2018–2026
No legal resolution
No Canadian law enforcement body publicly identifies or charges any operator. No assets are recovered. The suspected individual identified by internet researchers is never confirmed by any official source.

Five Months of Apparent Legitimacy

MapleChange entered the market in May 2018 during a period when new exchange launches were common and users were willing to deposit into platforms that lacked the track record of larger venues. The exchange's functional performance — real trades, real order books, deposits and withdrawals processing across 62 token pairs — gave it the surface characteristics of a working platform. It had no published team, no visible incorporated entity, and no regulatory registration, but these absences were normal across the small-exchange tier and did not prevent user deposits.

The five-month operating period served a purpose common to exit scams in this category: establishing credibility through demonstrated functionality before the exit. By October 2018, the exchange had been running long enough for some users to have cycled deposits in and out, building a confidence baseline. The modest scale — peak daily volume of approximately $67,000, a total BTC drain of 913 coins — suggests a targeted accumulation exercise rather than an attempt to build at scale.

Listing 62 tokens was strategic in a second sense: many of those altcoins had limited alternative trading venues, giving holders fewer options for rapid exit when problems emerged.

The Hack Narrative and What It Was Designed to Do

The framing of the October 28 announcement was deliberate. Rather than claiming an external intrusion, MapleChange attributed the drain to "a bug" that "some people managed to exploit." This framing distributed moral responsibility — if users exploited the bug, the exchange could present itself as a fellow victim — while providing a technical narrative that required no identification of wallet addresses or transaction hashes, details that would have been verifiable on-chain and immediately scrutinised.

Security researchers noted at the time that no on-chain evidence was produced to support either the hack or the bug-exploit narrative. In a genuine 913-BTC hack, the Bitcoin would move through identifiable wallet addresses in a traceable sequence. MapleChange published no such trace, and the announcement was accompanied by the immediate deletion of every channel through which users might have asked follow-up questions.

The brief Twitter reactivation on October 29 — after internet researchers had circulated the suspected operator's personal details — was reactive, not planned. The offer to distribute remaining non-BTC, non-LTC token balances returned no significant value to users who had deposited Bitcoin or Litecoin.

The Limits of Anonymous Exchange Operation

The MapleChange case illustrates the minimum viable architecture for a small-scale exchange exit scam: an anonymous team, a limited operating period, a plausible technical failure narrative, and a coordinated infrastructure deletion. No element required any specific individual to expose themselves to accountability before, during, or after the exit.

The exchange operated with no published team information, no regulatory registration, no audited accounts, and no proof-of-reserves. The Bitcoin deposited by users was held in hot wallets with no independent custodian, no multi-signature access controls, and no time-delay withdrawal mechanism. When internet researchers surfaced a suspected individual through IP tracing, the identification was circulated publicly rather than reported to law enforcement — distributing personal details to a hostile community audience while simultaneously destroying the element of surprise that a formal investigation would have needed. No Canadian law enforcement body publicly confirmed the identification or filed charges.

The 913 Bitcoin and undetermined Litecoin losses have no legal remedy pathway: there is no confirmed defendant and no corporate entity with attachable assets.

The Five Factors

01
Anonymous team as permanent impunity architecture
A cryptocurrency exchange that publishes no operator names, no corporate registration, and no physical address has constructed a legal impunity mechanism as part of its basic architecture. This is not an oversight; it is a design choice that eliminates accountability regardless of what happens to user funds. Any exchange that does not disclose verifiable operator identity, registered legal entity, and jurisdiction of operation should be treated as offering no recourse to users.
02
Hot wallet concentration with no cold storage evidence
The MapleChange drain — 913 Bitcoin from what were described as hot wallets — reflects the risk of an exchange that held the majority or entirety of its Bitcoin reserves in internet-connected, operationally accessible storage. Cold storage — airgapped wallets with multi-signature access controls — would have required multiple parties to authorize any withdrawal, creating a structural impediment to single-operator drain. The absence of cold storage evidence at MapleChange meant that the exit required no co-conspirators and no technical complexity.
03
Fabricated security narrative as exit cover
The bug-exploit framing served to introduce ambiguity about whether what occurred was fraud or misfortune, buying reputational cover and reducing the immediate intensity of victim response. Genuine exchange hacks produce traceable on-chain evidence; the absence of a published transaction trace should have been treated as disqualifying the hack narrative from the outset. Regulator and law enforcement protocols for exchange-claimed security incidents should include mandatory on-chain evidence submission within a defined period.
04
Simultaneous channel deletion as evidence destruction
The coordinated deletion of Twitter, Discord, Telegram, and the website on October 28, 2018 removed the contemporaneous record of the exchange's communications with users and destroyed the most accessible evidence of operational representations made to depositors. On-chain records of the Bitcoin drain were preserved by the blockchain itself; but the exchange's off-chain communication record — the promises made, the terms represented, the support interactions with users — was destroyed. Evidence preservation requirements for financial services operators do not currently extend to social media accounts operated outside licensing frameworks.
05
Small-scale exit scam as low-detection-risk fraud
The $5.9 million scale of the MapleChange loss — significant to individual victims, modest by the standards of institutional fraud — falls below the threshold that typically triggers international law enforcement coordination. Large-scale crypto frauds attract FBI, DOJ, Europol, and Interpol resources; small-scale exchange exit scams in anonymous operator structures are investigated, if at all, by local agencies that lack the blockchain forensics capability and jurisdictional reach to pursue operators who have taken pains to obscure their identity. The small-exchange category is, structurally, a low-accountability environment.

Aftermath

No individual has been charged in connection with the MapleChange incident. The suspected operator identified by community investigators through IP analysis and social graph tracing has never been publicly confirmed by any official body as a subject of investigation. No Canadian law enforcement agency has made a public statement about the case.

The 913 Bitcoin drained from the exchange — approximately $5.9 million at October 2018 prices — was not recovered and was not distributed to users. The small number of non-Bitcoin, non-Litecoin token balances remaining in the exchange's system were made available for withdrawal following the October 29 Twitter reactivation, returning marginal value to a subset of affected users; no creditor list, no formal distribution process, and no accounting of residual assets was ever published.

The MapleChange incident is referenced in regulatory discussions about minimum operator disclosure requirements for cryptocurrency exchanges operating in Canada. Canada's Financial Transactions and Reports Analysis Centre (FINTRAC) has since imposed mandatory registration requirements on businesses dealing in virtual currencies, requiring disclosure of beneficial ownership, a registration obligation, and compliance with AML/KYC standards. An exchange operating under MapleChange's anonymity architecture in 2024 would be in violation of FINTRAC registration requirements — though enforcement against operators who have already disappeared remains a separate practical challenge.

Lessons

  1. An exchange that does not publicly disclose the name, jurisdiction, and verifiable identity of its operators before accepting deposits provides users with no recourse pathway in the event of failure; operator identity disclosure should be treated as a non-negotiable precondition for deposit, not a feature that can be waived based on functional performance.
  2. An exchange that attributes a loss to a "hack" or "bug exploit" but does not publish on-chain transaction evidence within 24 hours should be treated as unverified; genuine security incidents produce blockchain records that responsible operators publish immediately as the first step in user communication.
  3. Cold storage with multi-signature access controls is the minimum standard for any exchange holding customer Bitcoin beyond a small operational float; an exchange that holds all customer reserves in hot wallets has created the technical conditions for a single-actor drain regardless of whether an external hack occurs.
  4. The coordinated deletion of all communication channels on the day of an announced fund loss is not a technical failure — it is evidence of intent; users and regulators who observe this pattern should treat it as confirmation of a deliberate exit rather than a response to a security crisis.
  5. Community IP investigations that surface suspected operator identities should be reported to law enforcement agencies rather than circulated publicly; premature public disclosure destroys the element of surprise for official investigation while simultaneously exposing potentially innocent individuals to community harassment, and it does not substitute for the evidentiary process required for prosecution.

References