
13k BTC, 300k LTC Stolen from Cryptsy Exchange - xyzzy4
http://blog.cryptsy.com/
======
sirsar
> _About a year and a half ago, we were alerted in the early AM of a reduction
> in our safe /cold wallet balances of Bitcoin and Litecoin_

If this happened, it means what were thought of as "cold wallets" were not
implemented properly. When handling millions of dollars of coins, as Cryptsy
was, a deep cold wallet [1] should be used. Take an offline computer and an
offline printer. Generate a bunch of (optionally multisig) addresses. Print
the private keys. Copy the addresses to your server that processes
transactions. Lock away the private keys (optionally in multiple places).
Never connect the offline computer or printer to the internet. Send every X
bitcoins to a new address from the cold wallet.

This takes a few hours and a few hundred bucks to implement. It requires human
intervention to access the cold wallet (to replenish the internet-facing "hot"
wallet), but _that is what you want!_ It is a whole lot easier to manually
move coins once a week than it is to check for bugs and backdoors in your
whole stack. Worst case, customers suffer a delay in withdrawals and a hack
causes you to lose X bitcoins.

Edit: Of course, it could also be an inside job. An "exit scam." Moving coins
to a new address and then not spending them is pretty hard to get caught
doing.

[1]
[https://en.bitcoin.it/wiki/Cold_storage](https://en.bitcoin.it/wiki/Cold_storage)
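The offline key-generation step from the comment above, as an added example (not Cryptsy's code and not from the original thread). It uses only the Python standard library so it can run on the air-gapped machine: secp256k1 point multiplication to derive the public key that goes to the online server, WIF (base58check) encoding of the private key that goes to paper, and a checksum check that catches a typo when a printed key is later typed back in. Addresses are deliberately left out, since P2PKH needs RIPEMD-160, which many OpenSSL builds no longer ship; the curve constants and the two test keys are public Bitcoin test vectors.

```python
"""Offline ("deep cold") key generation - added illustration, stdlib only."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants of the Bitcoin curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add k*point (plain, not constant-time; fine for an offline box)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey_compressed(priv):
    """33-byte SEC1 compressed public key: 02/03 prefix by y parity, then x."""
    x, y = scalar_mult(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload):
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return (ALPHABET[:1] * pad + bytes(reversed(out))).decode()


def b58check_decode(s):
    """Inverse of b58check_encode; raises ValueError on a bad char or checksum."""
    n = 0
    for ch in s.encode():
        n = n * 58 + ALPHABET.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, checksum = raw[:-4], raw[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("base58check checksum mismatch (transcription error?)")
    return payload


def wif_encode(priv, compressed=True):
    """Mainnet WIF: 0x80 || 32-byte key || optional 0x01 compressed flag."""
    payload = b"\x80" + priv.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return b58check_encode(payload)


def wif_decode(wif):
    payload = b58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF key")
    return int.from_bytes(payload[1:33], "big"), len(payload) == 34


def generate_cold_key():
    """Run on the air-gapped machine. Print the WIF; copy only pubkey_hex online."""
    priv = secrets.randbelow(N - 1) + 1
    return {"wif": wif_encode(priv), "pubkey_hex": pubkey_compressed(priv).hex()}


def paper_key_matches(wif, pubkey_hex):
    """Sweep-time check: does the key typed in from paper derive the stored pubkey?"""
    priv, _ = wif_decode(wif)
    return pubkey_compressed(priv).hex() == pubkey_hex
```

When the hot wallet needs topping up, a person decodes one printed key on the offline box, confirms it with paper_key_matches against the public key the server already has, and signs a single transaction there; a mistyped character fails the checksum before any signing happens.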

~~~
danmaz74
> It requires human intervention to access the cold wallet (to replenish the
> internet-facing "hot" wallet), but that is what you want!

Am I the only one who finds it a bit amusing that an e-currency bank needs
people to physically move the bullion from one vault to the other?

~~~
tlrobinson
On the contrary, I think it's pretty neat you can implement a variety of
security schemes depending on your risk tolerance and convenience
requirements.

Some of the parameters you can pick from:online vs offline ("cold"), hosted vs
not, SPV vs full node, multisig, dedicated hardware wallet, etc.

And you can combine them in various permutations: e.g. offline + multisig is
just about the most secure thing you can imagine.

~~~
forgetsusername
> _I think it's pretty neat you can implement a variety of security schemes
> depending on your risk tolerance and convenience requirements._

Can you tell me the last time someone you know had money go missing from their
bank account?

~~~
doppel
Lots of people lose money because of scams, cards getting
stolen/scanned/photographed, etc. - in a lot of cases, the banks just cover
the cost and can rollback transactions because everyone has agreed that's how
the system works. It is not because people do not have money stolen from their
bank accounts due to various breaches.

------
Animats
_"Some may ask why we didn’t report this to the authorities when this
occurred, and the answer is that we just didn’t know what happened, didn’t
want to cause panic, and were unsure who exactly we should be contacting."_

This happened back in July 2014. $5M stolen and you didn't call the cops. They
continued to do business and accept deposits even though insolvent. Only when
a class action was filed because they were not paying out timely withdrawals
did they disclose this theft.

That just screams "inside job".

(Yesterday I made the comment on another thread that Bitcoin exchanges seemed
to be doing better; no major exchange had collapsed in 2015. Here we go
again.)

~~~
rwmj
Or perhaps just badly run, bordering on fraudulent.

Where is this company based? Trading while insolvent is explicitly illegal, at
least in the UK
([https://en.wikipedia.org/wiki/Trading_while_insolvent](https://en.wikipedia.org/wiki/Trading_while_insolvent)).

~~~
Animats
Southern Florida, the scam capital of the United States. Or they were. From
the class action complaint: "CRYPTSY has vacated its Delray Beach, Florida
physical office space without any indication where it would be relocating."

Also, Paul Vern, the CEO, seems to be missing. One site claims he's in China,
based on an IP address seen.

~~~
Animats
More info: WHOIS for cryptsy.com:

    Name: PAUL VERNON
    Organization: CRYPTSY INTERNATIONAL LTD
    Street: 5 CALLE AL MAR
    City: BELIZE CITY
    State/Province: BELIZE
    Postal Code: 00000
    Country: BZ
    Phone: +1.8889639935

which is a "virtual office" space in Belize.[1]

Cryptsy is not in Dun and Bradstreet or the Florida Department of Corporations
database. But they have another corporate name, "Project Investors Inc." It
has a BBB rating of F, with 17 complaints.[2] That business is registered with
the state of Florida.[3] Those records include the CEO's home address, which
is in Boynton Beach, FL.

[1] [https://www.abcn.com/offices-belize-city--calle-al-mar-3605](https://www.abcn.com/offices-belize-city--calle-al-mar-3605)

[2] [http://www.bbb.org/south-east-florida/business-reviews/business-and-trade-organizations/project-investors-in-delray-beach-fl-90098747](http://www.bbb.org/south-east-florida/business-reviews/business-and-trade-organizations/project-investors-in-delray-beach-fl-90098747)

[3] [http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=PROJECTINVESTORS%20P130000104300&aggregateId=domp-p13000010430-6fc732fd-6494-4bce-a64e-bde23ee31e09&searchTerm=Project%20Investors&listNameOrder=PROJECTINVESTORS%20P130000104300](http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=PROJECTINVESTORS%20P130000104300&aggregateId=domp-p13000010430-6fc732fd-6494-4bce-a64e-bde23ee31e09&searchTerm=Project%20Investors&listNameOrder=PROJECTINVESTORS%20P130000104300)

------
detaro
Info about the backdoor:
[https://github.com/alerj78/lucky7coin/issues/1](https://github.com/alerj78/lucky7coin/issues/1)

So, basically, someone re-released a new, modified codebase for an abandoned
coin, and they ran it on their servers without proper isolation, so the
backdoor could access their other wallets?

~~~
geofft
That is what it sounds like, yes. It also sounds like this is a new and
innovative definition of "cold storage," where the wallet lives on a network-
connected computer.

The lack of isolation between the various coins reminds me of Allcrypt, the
exchange that ran their Bitcoin-trading software on the same database with the
same password as their WordPress website. In their explanation they managed to
absolve themselves of all responsibility and blame their marketing person
whose account was stolen, when in fact the marketing person was the only
responsible one in the whole company, alerting the technical folks about the
unexpected password reset email:
[https://archive.is/2UY7e](https://archive.is/2UY7e)

~~~
ceejayoz
Gotta love this bit:

> Q: You morons! You had a WordPress site that allowed uploading of new
> files?!?!

> A: It was the marketing director’s account. Being that he was constantly
> updating files, it was necessary for his account to have the ability to
> upload new files.

The real question, of course, being "You morons! You had a WordPress site on
the same server as critical financial services?!?!"

 _edit:_ Also:

> Q: Your security sucks!

> A: I see you running an exchange successfully, I’ll take your advice.

Says the guy running an exchange unsuccessfully.

------
hijinks
I spent almost 4 years working at a PCI level 1 compliant company that handled
subscriptions.

It's really a joke the lack of security these bitcoin "banks" have around
their vaults. Our PCI auditor wouldn't pass us if he audited our firewall and
noticed the crypto servers that stored the credit cards had outbound access to
anything other than the one VLAN that acted as an API layer between those
servers and the banks.

These companies should really just follow PCI and start there.
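The egress rule the comment above describes, turned into a check: an added example (not from the thread or from any PCI tooling) that audits an `iptables-save` dump of a wallet host's OUTPUT chain and reports any ACCEPT rule that lets new connections leave for anything but the one allowed API VLAN, plus a non-DROP default policy. The two rule dumps are constructed samples; the 10.20.30.0/24 network is an assumption, and loopback and ESTABLISHED/RELATED reply traffic are treated as permitted. It covers only IPv4 rules in the form iptables-save emits; negated matches (`! -d`) and IPv6 are out of scope.

```python
"""Egress-policy audit for a wallet host's OUTPUT chain - added illustration."""
import ipaddress
import shlex

# Constructed sample: what hijinks describes - default DROP, one VLAN allowed.
GOOD_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.20.30.0/24 -p tcp --dport 8443 -j ACCEPT
COMMIT
"""

# Constructed sample: a wallet box that can reach the whole internet.
BAD_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.20.30.0/24 -p tcp --dport 8443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
COMMIT
"""


def _opt(tokens, *flags):
    """Value following the first of the given flags, or None if absent."""
    for flag in flags:
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None


def audit_egress(dump, allowed_net):
    """Return a list of findings; an empty list means the OUTPUT chain is clean."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    policy = None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":OUTPUT"):
            policy = line.split()[1]          # chain default policy
            continue
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "OUTPUT"]:
            continue                          # only the egress chain matters here
        if _opt(tokens, "-j", "--jump") != "ACCEPT":
            continue                          # DROP/REJECT/LOG rules cannot leak
        if _opt(tokens, "-o", "--out-interface") == "lo":
            continue                          # loopback is not egress
        states = _opt(tokens, "--state", "--ctstate")
        if states is not None and "NEW" not in states.split(","):
            continue                          # reply traffic only, no new connections
        dst = _opt(tokens, "-d", "--destination")
        if dst is None:
            findings.append(f"unrestricted egress: {line}")
        elif not ipaddress.ip_network(dst, strict=False).subnet_of(allowed):
            findings.append(f"egress outside {allowed}: {line}")
    if policy != "DROP":
        findings.append(f"OUTPUT chain policy is {policy!r}, expected DROP")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, audit_egress(dump, "10.20.30.0/24") or "OK")
```

Run it against `iptables-save` output from each host that holds keys; the interesting part of the bad sample is that the DNS rule looks harmless but `-d 0.0.0.0/0` on UDP/53 is exactly the channel a backdoored daemon would use to phone home.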

~~~
threeseed
It is getting beyond a joke.

The US government et al should really classify these as banks and force them
to address the same privacy, disclosure, fraud prevention etc regulations.

The potential of Bitcoin as something your grandparents could one day use is
constantly being undermined by these cowboy operators.

~~~
Lazare
1) Nothing is stopping you from refusing to deal with any Bitcoin exchange
that is not audited to adhere to PCI 1 standards as adapted to deal with
Bitcoins. If no such exchange exists, nothing is stopping you from starting
one.

2) I think far more damage is being done to Bitcoin by the political fighting
and poor technical decisions of the core developers. Bitcoin weathered Mt Gox,
it can weather Cryptsy.

------
hammock
One out of every 14 Bitcoins is stolen property.[1] Does anyone know how this
compares to US currency?

[1] [http://seekingalpha.com/instablog/7360901-robert-wagner/2715103-many-bitcoins-are-now-stolen-property-with-a-public-ledger](http://seekingalpha.com/instablog/7360901-robert-wagner/2715103-many-bitcoins-are-now-stolen-property-with-a-public-ledger)

~~~
FatalLogic
How could you estimate the rate of theft for US currency? It depends on how
you define 'stolen'. Was the 2008 global financial crash a huge case of theft?
It also depends on how you define 'currency', as there are various measures of
money supply, not just physical currency.

One case, Bernie Madoff: $65 billion stolen

Though that 1 in 14 number which you cited is barely even a guesstimate, for
bitcoin it is easier to estimate the rate of theft, because at least you know
exactly how many bitcoins exist now, or will exist in future, unlike the USD.

A few other points for us to consider...

* About 75%-80% of banknotes in developed countries have traces of illegal drugs. One study suggested about 4% were involved in illegal activity such as purchasing, selling or using drugs[1]. Other crimes do not leave obvious chemical traces of course.

* The further back into history you look, into colonial times and earlier, the more true becomes the statement "All wealth is stolen"

[1][https://en.wikipedia.org/wiki/Contaminated_currency](https://en.wikipedia.org/wiki/Contaminated_currency)

~~~
Animats
_"One case, Bernie Madoff: $65 billion stolen"_

From bop.gov:

    BERNARD L MADOFF
    Register Number: 61727-054
    Age:            77
    Race:           White
    Sex:            Male
    Located at:     Butner Medium I FCI
    Release Date:   11/14/2139

~~~
jacquesm
> Release Date: 11/14/2139

I think given his age that he'll be released in a horizontal position a lot
sooner than that.

------
matt_wulfeck
This is the stuff that scares me about Bitcoin. People tout it as being safe
from regulation, free, quasi-anonymous... But if you have your savings stolen
you want it back.

~~~
x1798DE
The same could be said for any form of cash. Probably you wouldn't keep large
amounts of money in any form where you don't trust it to remain safely.

~~~
ori_b
That's why "I've shoved my life savings in my mattress" isn't a very popular
form of banking.

~~~
CyberDildonics
Depends on the country

~~~
fixermark
... in the United States, where real banks are FDIC-insured.

If this crap had happened to an institution that was audited, protected, and
enumerated in US dollars, this whole fiasco would be only a bad day for the
Cryptsy owners, not the depositors also.

But you get what you get when you go with a non-fiat currency. It's
interesting to me to watch people in the BTC space re-learn the lessons
learned by financial systems since the dawn of currencies; at least they're
learning them faster in the digital age.

------
rlanday
So they lost something on the order of $10 million (if my math is right) and
waited a year and a half before telling anyone? This is some Mt. Gox-level
sleaze.

~~~
fuddle
13k BTC x $369.39 = $4,802,070

300k LTC x $3.31 = $ 993,000

Total: $5,795,070

~~~
jpatokal
When the heist happened in Aug 2014, BTC was trading at ~$600, so it actually
_was_ close to $10m at the time.

~~~
jonlucc
Maybe they just hoped the value would keep decreasing until they could cover
it up? Their loss already was halved by waiting 1.5 years.

------
jonesb6
Tomorrow a new person will still pour his/her heart out to me on the virtues
of bitcoin and how the world is blind and should adopt it, in its current
state, as soon as possible.

~~~
vocatus_gate
Well, to be fair it wasn't a problem with _bitcoin itself_ that caused this.
Exchanges (companies) tanking don't concern me as much as if an actual
vulnerability was found in bitcoin itself.

------
forgetsusername
> _" Hello, Lucky7Coin is not maintained and I would like to take care of it.
> I have announced that on bitcointalk.org in Lucky7Coin thread. You’re the
> only exchange for this coin and I hope you will let me take care of it. I’m
> responsible. You don’t have to be afraid of errors or forks. I’m developing
> multipool and I know bitcoin internals and protocol."_

That's the email they received, and did business with this company, while
overseeing millions of dollars in other people's money. Then got ripped off.
Who needs banks?

> _If they are returned, then we will assume that no harm was meant and will
> not take any action to reveal who you are. If not, well, then I suppose the
> entire community will be looking for you._

Not the FBI? Oh, right, they don't care. By the way, the guy who stole the
coins was part of "the community".

> _2. Somebody else comes in to purchase and run Cryptsy while also making
> good on requested withdrawals._

How is that even an option?

What a bizarre story.

------
fuddle
I think exchanges need to take responsibility and notify users straight away
about a breach. Multiple exchanges have had large breaches and continue to
accept new deposits.

------
dorianm
"Bitcoin: 13,000 BTC Litecoin: 300,000 LTC"

"In fact, I’m offering a bounty of 1000 BTC for information which leads to the
recovery of the stolen coins."

i.e. ~$350k! This could quickly escalate into a bounty hunt.

~~~
chillydawg
I imagine assassinations have been carried out for far, far less.

------
r721
Proper link:
[http://blog.cryptsy.com/post/137323646202/announcement](http://blog.cryptsy.com/post/137323646202/announcement)

------
gizi
My job is to evolve and secure a particular bitcoin platform.

Money directly stolen out of a platform wallet is an unneeded problem. It
should never happen. It should not be possible for an attacker to give that
instruction. The system should not even know where to send such instruction
to. So, how could an attacker ever do that?

The real difficulty is to prevent an attacker to inject misleading/deceptive
messages into the system that cause the system to pay out to the wrong
address. This does happen, if only because of bugs in the system.

------
wyldfire
I love cryptocoins. But I think these high profile thefts will continue. And I
think adoption/popularity will continue.

If so, I would wager global law enforcement organizations will want to step in
and offer merchants and users a service which traces and blacklists the
outputs from thefts like this (until/unless returned to the original owner).
If so, it would create a big rift between the many who enjoy cryptocoins'
fungibility and independence from the state and those who want to punish/deter
thieves. Big merchants like Overstock would want to publicly align themselves
with "bitcoin is legit" and "we don't want to profit from that theft"
activity.

There'd be little that anyone could do to stop the law enforcement agencies
from providing such a theft tracking service. And little anyone could do to
stop merchants from integrating it into their services. It would be an
interesting threat to the fungibility of bitcoin.

Some cryptocoins (monero, et al) use ring-signatures that mask their specific
input/output address path. I suspect if these events came to pass, those coins
would become much more popular.

------
cfcef
About time. Cryptsy's end has been more telegraphed and expected than Mtgox's
was. The site had many bugs in basic functionality long before the hack.

------
jimrandomh
[https://99bitcoins.com/federal-investigations-of-cryptsy-underway/](https://99bitcoins.com/federal-investigations-of-cryptsy-underway/)
alleges Cryptsy was the subject of a federal criminal investigation going back
at least as far as October. Having lost all their customers' deposits a year
and a half ago will certainly not help their case.

------
logicallee
I Googled Lucky7Coin (the wallet that the article says its developer had
placed an IRC backdoor into). Check this out:

[https://github.com/alerj78/lucky7coin/issues/1](https://github.com/alerj78/lucky7coin/issues/1)

It's like a living Underhanded C competition.

------
nikolay
Do you see the recurring pattern here?!

------
Joeri
Why weren't they insured against theft? Why did people deposit money with an
exchange that is not insured against theft? Theft is a fact of life. You
cannot have a perfectly secure bank, and you cannot have a perfectly secure
bitcoin exchange. If you don't want to be hurt by theft, get insurance.

~~~
perlgeek
> Why weren't they insured against theft?

Because the insurance would have been way too expensive, or would have
demanded way better operational security and auditing. And because they were
able to operate without one.

------
Animats
Update: "cryptsy.com" is down. Not even responding to pings. Their blog
("blog.cryptsy.com") is still up, but that's hosted by Tumblr. Other reports
indicate that the company's offices are vacant.

It's time to get an arrest warrant out for the CEO, Paul Vernon.

~~~
Animats
Update: Server is back up, but not doing transactions, all the numbers have
frozen, and there's an announcement from "Big Vern" about the shutdown.

(When the CEO calls himself "Big Vern", one might question the legitimacy of
the company.)

------
lini
Isn't every BTC transaction easily traceable? How can you prevent someone from
examining the blockchain and following the stolen BTC until they are
transferred to a known/public address?

~~~
Joeri
You use standard laundering practices. Mix good money and bad money in one
legitimate account, then pass it on from there minus a commission fee. It's
impossible to track which money came from which account once it leaves the
laundering operation.
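What following the coins on a public ledger actually yields, as an added example that is not part of the thread and not any real tracing service: a value-weighted ("haircut") taint walk over a constructed toy UTXO graph in which the stolen output is merged with clean funds in one transaction and split again, the laundering pattern Joeri describes and the blacklisting wyldfire predicts. The transaction list, amounts and names are all made up; transactions must be listed parents-first, and fees are simply dropped.

```python
"""Haircut taint propagation over a constructed UTXO graph - added illustration."""

# Each entry: (txid, inputs as (txid, output_index) refs, outputs as (label, value)).
# Constructed data, not real chain history.
TXS = [
    ("coinbase_a", [], [("clean_owner", 50.0)]),
    ("coinbase_b", [], [("exchange_cold", 40.0)]),
    ("theft", [("coinbase_b", 0)], [("thief", 40.0)]),
    # Mixing step: 40 stolen + 50 clean in, three near-equal outputs, 0.1 fee.
    ("mix", [("theft", 0), ("coinbase_a", 0)],
     [("out1", 30.0), ("out2", 30.0), ("out3", 29.9)]),
    ("spend", [("mix", 1)], [("merchant", 29.0), ("change", 0.95)]),
]

# Outputs known to be stolen (here: the theft transaction's single output).
SEEDS = {("theft", 0): 1.0}


def compute_taint(txs, seeds):
    """Return (taint, values): taint[(txid, idx)] in [0, 1], values[(txid, idx)] in coin.

    Haircut rule: every output of a transaction inherits the value-weighted
    average taint of that transaction's inputs, so stolen value is spread
    proportionally rather than attributed to one particular output.
    """
    values, taint = {}, {}
    for txid, inputs, outputs in txs:
        if inputs:
            total = sum(values[ref] for ref in inputs)
            dirty = sum(values[ref] * taint[ref] for ref in inputs)
            fraction = dirty / total
        else:
            fraction = 0.0                    # coinbase: freshly mined, clean
        for idx, (_label, value) in enumerate(outputs):
            key = (txid, idx)
            values[key] = value
            taint[key] = seeds.get(key, fraction)
    return taint, values


def flag_outputs(taint, values, threshold):
    """Outputs whose taint fraction reaches the threshold, with the coin amount implied."""
    hits = [(key, taint[key], values[key] * taint[key])
            for key in taint if taint[key] >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    t, v = compute_taint(TXS, SEEDS)
    for key, frac, stolen in flag_outputs(t, v, 0.25):
        print(f"{key[0]}:{key[1]}  taint={frac:.3f}  stolen~{stolen:.2f}")
```

The result is the point both commenters make from opposite sides: after the mix, no output can be called "the" stolen coins, but every output of the mix and everything downstream of it carries 4/9 taint, so a merchant running a blacklist would refuse all of them, clean owner's share included.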

------
zitterbewegung
So is this the end of Cryptsy? Or the beginning of the end.

~~~
vidarh
Only thing that could save them would be a buyer. It's one thing to suffer a
breach and try to make good on it. It's another thing entirely to cover it up
for a year and a half.

Question is what a buyer would be interested in: Their platform is suspect
from a security standpoint - if they got this much wrong, then what else did
they get wrong? Their brand is shot. The code is hardly going to be worth even
a fraction of what it'll cost to make customers good.

And it's exceedingly ridiculous to get caught out in this way: No isolation of
third party coin daemons, and a very creative interpretation of cold wallets
(why in the world was it possible for someone to get the keys for the cold
wallets via a network breach)

They've demonstrated they can't be trusted to be open about problems, and that
they can't be trusted to get even basic security precautions right, so even if
they got the funds back somehow, it's extremely unlikely that they'd manage to
repair the damage to their trust.

So, yes, it's probably the end, whether or not they manage to recover some of
the stolen coins.

~~~
fixermark
In short, the company is not worth the paper its cold-wallet keys weren't
printed on. ;)

------
quadlock
criminal for covering this up.

------
unkoman
Another day in bitcoin land. Sorry for your losses!

------
gchokov
Oh Bitcoin.

------
dlsx
BTC is funny, it is revolutionary, but it does not really have anything to
offer over insured money in a real bank. Bitcoin, if it ever wants to have the
every-man invest in this "currency" it needs to offer some sort of insurance,
which usually requires identity. Digital cash that is anonymous can not offer
this, so it is inherently flawed. To use it, quite simply puts yourself at
risk.

So really the banks are correct in their assessment, the real value quite
obviously is indeed in the blockchain technology.

~~~
um_ya
Some of us would call its anonymous nature and lack of government control a
benefit to the currency.

------
cenal
2016

Seemingly this is the year that Bitcoin stumbled.

~~~
Asparagirl
...have you not been paying attention the past few years?

------
bitJericho
Seems like a good time to promote this alternative exchange:
[http://bitcoinsexchange.itmustbetrue.com](http://bitcoinsexchange.itmustbetrue.com)

~~~
LyndsySimon
Interesting. A Bitcoin Sex Change.

We're truly living in the future.

