BitCoin had no backups of its database


  • BitCoin had no backups of its database

    We're popping into the middle of an angry Bitcoin thread.

    This looks to be a post from a vendor providing database and recovery services to Bitcoinica.

    Reading the whole post gives a better overview of what they're going through. It isn't good.

    Bitcoinica site is taken offline for security investigation

    Bitcoin is a decentralized electronic cash system that uses peer-to-peer networking, digital signatures and cryptographic proof so as to enable users to conduct irreversible transactions without relying on trust.

    Nodes broadcast transactions to the network, which records them in a public history, called the blockchain, after validating them with a proof-of-work system.

    Users make transactions with bitcoins, an alternative, digital currency that the network issues according to predetermined rules.

    Bitcoins do not have the backing of and do not represent any government-issued currency.
    The Hackmaster

  • #2
    Hacked BitCoin Exchange Sued By Customers

    Bitcoinica, an exchange for the BitCoin virtual currency, is being sued by former customers, after it was hacked. Thieves stole around $180,000 worth of BitCoins in two attacks. The site is now closed, and customers are suing to get their money back.
    The Hackmaster



    • #3
      If you have Bitcoins, there are three things you can do with them:
      1. Convert them to a currency people actually use, minus an exchange fee.
      2. Use them to buy shady or downright illegal goods on TOR.
      3. Put them in an account/wallet somewhere and wait until somebody figures out how to take them.


      That's about it. I've been keeping track of this for giggles off and on for a while now. The theory that it's based on is pretty interesting in some ways, but in practice it's just a comedy of errors, as a bunch of wacky people reenact the development of financial systems from the Dark Ages to today. Except in the Dark Ages, if you were at an inn or something, you could just hand the proprietor a gold coin or a chicken and get yourself a drink. With Bitcoin, you have to exchange wallet numbers, submit a transaction with a device, and wait five, ten, or however many minutes it takes for a majority of nodes to agree that the transaction is legitimate. (You might have to wait for one of the miners to win the block so it can be committed to the blockchain too. I don't remember.)

      But hey, at least it's not FIAT. "Fiat", meaning, "worthless without a government holding a gun to your head". Unlike those slips of linen with green ink on them, Bitcoin is made by screwing graphics cards to two-by-fours in your bedroom, and getting heatstroke in your sleep, while your mining rig converts your parents' electricity bill into a bigger number to write to your wallet.dat file. So it has oodles of inherent value.

      Bitcoinica is especially hilarious because the "hacks" were carried out with accounts that belong to the guy who developed it. The new owners had kept him on as a consultant, so he still had access to pretty much everything. After one of the exchanges being used to convert the Bitcoins to dollars dug up that information, the developer (Zhou Tong) crawled out of the woodwork to announce that his friend had compromised a dummy e-mail account he used for testing, and had carried out the hacks using that as a starting point. This friend just happens to be named the Chinese approximate of "John Smith", and he's a millionaire who likes robbing people for the hell of it. Not only was Tong able to track him down in hours and wheedle a confession out of him, the "friend" was willing to return the money as long as the authorities weren't brought in. Quite a few people bought that story. This sort of crap happens about every other month with Bitcoin. Partly because the exchanges and other financial services sites are developed by "entrepreneurs" who have no experience securing such things--so a simple SQL injection can add thousands of USD to an exchange and drive that exchange's price for Bitcoins up to $30 and more in a matter of minutes--and partly because the bulk of Bitcoin users are looking to get rich with as little effort as possible. Some of them happen to be the same entrepreneurs running the financial services, and a small but significant portion of them have no scruples.



      • #4
        Hacker steals $250k in Bitcoins from online exchange Bitfloor

        Irreversible transactions make Bitcoin security a high-stakes business.

        By Timothy B. Lee

        The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question Tuesday when the company's founder reported that someone had compromised his servers and made off with about 24,000 Bitcoins, worth almost a quarter-million dollars. The exchange no longer has enough cash to cover all of its deposits, and it has suspended its operations while it considers its options.

        Bitfloor is not the first Bitcoin service brought low by hackers. Last year, the most popular Bitcoin exchange, Mt.Gox, suspended operations for a week after an attacker compromised a user account and sold all of his Bitcoins in a firesale that temporarily pushed the price down to zero. The site survived the attack and remains the leading Bitcoin exchange today. Hackers made off with another $228,000 in Bitcoins from online services earlier this year.

        Bitcoin's peer-to-peer design means that transactions are irreversible. Once a transaction appears in the blockchain, the global record of Bitcoin transactions, no one has the authority to reverse it. And the pseudonymous nature of Bitcoin makes it difficult to trace stolen Bitcoins to their new owners.

        Some regard irreversible transactions as a key Bitcoin feature, since it means merchants never have to worry about "chargebacks." But this "feature" also dramatically raises the security stakes. Anyone who deals in Bitcoins, from complex exchanges to ordinary users, has to worry about hackers making off with their cash. Indeed, malware that steals your Bitcoins automatically has been spotted in the wild.

        In a June interview, Bitcoin developer Gavin Andresen told Ars that his team is working on a new feature called multi-signature transactions that could reduce the vulnerability of Bitcoin wallets to this kind of attack. Under this scheme, a user's signature is divided among multiple devices, all of which would need to approve a transaction before it could be accepted by the Bitcoin network. For personal users, that might mean splitting the key up between a PC and a smartphone. For online Bitcoin services, it would mean splitting control of a Bitcoin wallet among multiple servers. Under that scheme, hackers could only steal Bitcoins if they succeeded in compromising all of the servers holding portions of the private key.

        But at least until these new techniques mature, it's wise not to entrust large amounts of Bitcoins to third-party services, even those with excellent reputations. And always encrypt your Bitcoin wallet as soon as you're done using it.

        Disclosure: The author owns some Bitcoins, and has so far avoided having them stolen by hackers.

        Timothy covers tech policy for Ars Technica, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.
        The Hackmaster
