The latest lawsuit, which brought to light the hacking scandal at BitPay that led to the loss of more than 5,000 bitcoins, sent the whole “history of bitcoin exchange hackings” flashing before my eyes, so I thought I would write a piece that looks through these scandals in an attempt to find a cure for this “plague” that hangs over the future of bitcoin.
Bitcoin Exchange Hackings – An Introduction
It seems like not a month passes without me being hammered by the news of some bitcoin exchange or bitcoin payment processor getting hacked and losing thousands of bitcoins. Fortunately, such hacking incidents are rather scarce when compared to the large number of bitcoin businesses, bitcoin exchanges and bitcoin payment processors present on the internet today.
However, considering the enormous size of the cryptocurrency economy in general, these hacking scandals are far more common than they should ever be, to the extent that an analysis of the history of bitcoin hacks is an analysis of the blockchain technology itself.
We will discuss most of the bitcoin hacks that have taken place since the blockchain technology was introduced in 2009, but we won’t tackle incidents related to black market sites like the “Silk Road”, which was an illegal online drug black market, and the “Armory”, which was the online “Walmart” of weaponry.
The Major Bitcoin Hacks Since the Advent of the Blockchain
Bitcointalk Forum User “Allinvain”
Allinvain is the username of one of the earliest and most active members on Bitcointalk.org who was the first victim ever to suffer a major loss secondary to a hack of his/her bitcoin wallet.
Allinvain lost 25,000 bitcoins, which were stolen by hackers who burned his/her computer processors and graphics cards, most probably by using an advanced version of the notorious “4th of May” Windows virus. This incident took place in June 2011, and the bitcoins stolen were worth more than $500,000 at the time, but are now worth more than $6,000,000 (1).
The famous Mt Gox hacking incident took place a week after Allinvain’s bitcoins were stolen. In the first half of 2011, Mt Gox had a monopoly over the world’s trading between bitcoin and fiat money.
Figure 1 – Mt Gox’s transaction charts revealing the bitcoin loss in June, 2011
On Monday, the 13th of June 2011, at around 5pm, more than 25,000 bitcoins were stolen from Mt Gox; however, this was just the first scene of the play, as Mt Gox officials eventually admitted that more than $8.5 million worth of bitcoins were stolen by a hacker with an IP address from Hong Kong who transferred the stolen bitcoins to the address “1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg”.
Ironically enough, the hacker who stole Mt Gox’s bitcoins didn’t manage to make “real money”, as he/she ignited a massive sale of bitcoins which drove the price of bitcoin from around $32 down to a few cents (2)!!
Bitcoin Savings and Trust
Bitcoin Savings and Trust was technically a “Ponzi scheme” that used bitcoin to avoid being tracked and accused of fraud. A Ponzi scheme is an illegal business that promises its users rates of interest that are far higher than bank interest. In classic Ponzi schemes, only the first investors ever receive those high returns, as the money invested by newcomers is usually used to pay off the interest owed to the early investors.
This Ponzi scheme was launched in November 2011 and was shut down in August 2012, when Trendon Shavers, the man behind it, announced that the “curtains had come crashing down on him” and that he was forced to shut the business down. Although no one really knows how many bitcoins were stolen by this scam, evidence shows that over 700,000 bitcoins went through the fund, of which Shavers creamed off more than 125,000 for himself (3)!!!
The Bitcoin Savings and Trust scam brought to light another incident at Bitcoinica, a bitcoin exchange that was struggling back then in 2012. Bitcoinica was hacked twice in 2012 and thousands of bitcoins were stolen from the exchange’s bitcoin wallets. In May 2012, the company shut down its website and promised its customers that 50% of their bitcoin holdings would be refunded.
By September 2012, no one had been refunded and the company was sued by 4 users from the USA who claimed that Bitcoinica owed them a sum of approximately $460,000 worth of bitcoins. The Bitcoinica suit was the second ever USA lawsuit to involve bitcoin or cryptocurrency in general.
Bitfloor, a cryptocurrency exchange, was hacked in September 2012 and more than 24,000 bitcoins were stolen when a hacker managed to recover “the decrypted backup of the exchange’s wallet keys”.
Bitfloor’s founder, Roman Shtylman, managed to pay all of the exchange’s account holders the owed money in US$ (4).
Inputs.io was a bitcoin payment processor and an online bitcoin wallet service. Technically, bitcoin payment processors are more tempting to hackers when compared to bitcoin exchanges, simply because they are not involved in the banking system like bitcoin exchanges that are usually engaged in Fiat-to-Bitcoin trades and vice versa.
Inputs.io was hacked twice in 2013, losing more than 4,100 bitcoins which were worth more than $1 million back then. The owner of the company, who went by the avatar “TradeFortress”, announced the hacks and the shutdown of the whole business in late October 2013 (5).
BIPS was another bitcoin wallet service that was hacked a few weeks after the hacking incident at Inputs.io and reported the theft of $1 million worth of bitcoins.
Poloniex was a bitcoin exchange that was hacked in September 2012 using a rather unique attack. The exchange’s servers were infected by a virus that rendered the operators of the site unable to stop users from withdrawing bitcoins even if they had a negative balance. Poloniex’s owners claimed that they lost more than 12% of the company’s bitcoin assets to this attack.
Picostocks was the first online business ever to let its users trade on the stock markets in bitcoin. In November 2013, Picostocks was hacked and 6,000 bitcoins were stolen. Interestingly enough, the company survived this attack and is still “kicking” at the time of writing of this article!!
In August 2011, Flexcoin, a bitcoin payment processor and bank, was hacked and more than 895 bitcoins were lost to a group of hackers who managed to retrieve the private keys of the company’s bitcoin wallets. The lost bitcoins were worth more than $500,000 then (6).
Bitcurex, a Polish cryptocurrency exchange, was hacked in March 2014. The exchange lost around 20% of its bitcoin assets, which forced the owners to shut down temporarily.
Canadian Bitcoins, a Canadian cryptocurrency exchange, was hacked in March 2014 by a hacker who stole more than $100,000 worth of bitcoins. The fraudster behind this attack tricked the exchange’s server moderators into rebooting the servers, which enabled him to bypass the security protocols and access the private keys of the exchange’s wallets (7).
As per the court document filed by BitPay’s legal department in a federal court in Atlanta a few days ago, BitPay Inc. was attacked by a hacker who managed to steal 5,000 bitcoins worth around $1,800,000 in December 2014. BitPay is now suing its insurance company, Massachusetts Bay Insurance Company, in an attempt to get it to pay $950,000 of the total stolen amount.
In January 2015, Bitstamp, the European bitcoin exchange, was hacked and more than 18,000 bitcoins were lost to the attack. The attackers managed to retrieve the private keys of one of the exchange’s “hot” operational wallets (8).
In part 2 of this article, we will discuss the security standards that internet security gurus have proposed for bitcoin exchanges and businesses to implement in order to avoid such attacks in the future.
Bitcoin Exchange Hackings - References
1- Allinvain's thread on Bitcointalk.org mentioning the hacking incident. https://bitcointalk.org/index.php?topic=16457.0
2- Inside the Mega-Hack of Bitcoin : the Full Story. THE DAILYTECH. by Jason Mick. http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm
3- "Suspected multi-million dollar Bitcoin pyramid scheme shuts down, investors revolt". The VERGE. By Adrianne Jeffries on August 27, 2012 03:43 pm http://www.theverge.com/2012/8/27/3271637/bitcoin-savings-trust-pyramid-scheme-shuts-down
4- Bitcoin exchange BitFloor shuttered after virtual heist. CNET. by Steven Musil. http://www.cnet.com/news/bitcoin-exchange-bitfloor-shuttered-after-virtual-heist/
5- Bitcoin site Inputs.io loses £1m after hackers strike twice. THE GUARDIAN by Alex Hern. http://www.theguardian.com/technology/2013/nov/08/hackers-steal-1m-from-bitcoin-tradefortress-site
6- Bitcoin bank Flexcoin closes after hack attack. The GUARDIAN by Alex Hern. http://www.theguardian.com/technology/2014/mar/04/bitcoin-bank-flexcoin-closes-after-hack-attack
7- Ottawa bitcoin exchange defrauded of $100,000 in cyber currency. Vito Pilieci, OTTAWA CITIZEN http://www.ottawacitizen.com/business/Ottawa+bitcoin+exchange+defrauded+cyber+currency/9628321/story.html
8- Bitcoin Exchange Bitstamp Hacked. eSecurity Planet by Jeff Goldman. http://www.esecurityplanet.com/network-security/bitcoin-exchange-bitstamp-hacked.html