Michael Glaser (right), with his lawyer Allister Davis at Christchurch District Court today. Photo / Kurt Bayer
A former employee of Christchurch-based cryptocurrency exchange Cryptopia – attacked in a $30 million cyber hack that shocked the digital currency world – has today been sentenced to home detention after admitting an unconnected and subsequent $250,000 theft and been named for the first time.
Cryptopia went into liquidation months after a hacker – or group of hackers – stole millions of investors’ crypto coins on January 13, 2019.
Police have been investigating ever since but no arrests have been made.
At its peak, Cryptopia employed more than 80 staff and had 1.4 million customers globally.
Michael Glaser, 45, was employed from January 2018 to May 2019, managing the software interface for virtual wallets where various crypto currencies were stored.
Glaser, whose interim name suppression lapsed this afternoon, says during his employment he raised concerns with management around the security of the private keys for the numerous wallets held by the company.
He was in a position of trust, Christchurch District Court heard today, having legitimate access to the wallet keys.
But between January 16, 2019 and May 14, 2019, Glaser made an unauthorised copy of the private keys, moving it to a USB storage device.
He then took the USB device from the company’s city centre premises to his house, where he installed it on his personal computer.
The access to private keys gave him “potential access” to tens of thousands of digital wallets and more than NZ$100m worth of crypto currencies. Judge Gerard Lynch said there is no evidence that he did, however, access those wallets.
In September 2020, a Grant Thornton liquidator received an email from a previous Cryptopia client saying they had accidentally deposited Bitcoin into an old Cryptopia wallet and was asking for their funds to be returned.
When the wallets were reviewed, it appeared that some Bitcoin – valued at NZ$235,000 – had been unlawfully withdrawn in August 2020.
Seven days later, Glaser sent an email to the liquidator, admitting to stealing the Bitcoin along with additional Litecoin, valued at NZ$10,000.
He ended up returning the entire balance of NZ$246,000 – which the judge today stressed was an important factor.
Glaser acted alone, the court heard, and nobody knew of his offending.
When Glaser was interviewed by police, he admitted copying and removing keys from Cryptopia’s premises and stealing the Bitcoin and Litecoin through withdrawals and mixing to conceal ultimate destination.
He told police he was frustrated with Cryptopia but said he hadn’t intended to keep the money.
Glaser earlier pleaded guilty to a charge of theft and another of theft by a person in a special relationship.
Today, Glaser tried unsuccessfully to keep his name secret, afraid of online death threats and extreme hardship to others close to him.
Defence counsel Allister Davis told Judge Lynch that naming him would be “throwing him to the wolves”.
It was an “extraordinary case”, the lawyer said, and it might be difficult for some investors to separate Glaser’s theft from the massive hack – despite it being completely unconnected.
“He hasn’t been involved – and there is no suggestion from Crown or police that he was involved,” Davis said.
Glaser, who has no previous convictions and is now a self-employed software developer, has since been thoroughly investigated, Davis said, with investigators going through his bank accounts and life “with a fine-tooth comb”.
The Crown, however, was opposed to final name suppression.
Concerns of death threats made on social media platforms had been looked at by police, but were not found to have been made directly towards Glaser – or specifically to his theft.
Crown prosecutor Sean Mallett said ongoing suppression would only cast suspicion to all other Cryptopia workers.
And Mallett said that white collar crime can be very difficult to discover, adding that it needs to be clear to “well-educated people” that if they offend in this way, they run the risk of being named in the public domain.
Anyone offending in a serious way needs to accept that one of the natural consequences is publication of their name, Mallett said.
Judge Lynch said that although there was no loss for the currency holders, the offending had been felt keenly by fellow employees and friends. Glaser had also shown few signs of remorse, the court heard.
The judge declined the application for final name suppression.
Glaser was sentenced to nine months of home detention with special conditions not to possess or consume alcohol or non-prescribed drugs and undertake and complete counselling or treatment as directed by his probation officer.
He was also ordered to pay $21,225 in reparation to cover the liquidators’ costs.