

Bitcoinica hacked. ~$100k USD stolen. - mschonfeld
http://bitcoinica.com/
Bitcoinica's official statement: http://bitcoinica.blogspot.com
======
avree
This is now the 2nd, 3rd time that Bitcoinica has been hacked?

People warned of this when it was first announced—a financial platform created
by a lone teenager in China [1] is obviously going to be a target for high
profile attacks. The site owner's comments [2] make it clear that he's not
ready to do security on a large-scale financial system.

The idea that they were holding even 100K of Bitcoins is mind-boggling.

[1] <http://news.ycombinator.com/item?id=2973301>
[2] <http://news.ycombinator.com/item?id=2973732>

~~~
slig
<http://news.ycombinator.com/item?id=2975010>

Could it be that he had the same kind of breach GH had?

------
SODaniel
To balance out the critique I would like to point out that this has nothing to
do with an inherent insecurity or fault in the bitcoin currency, but with the
way the current marketplaces handle their security.

It is however a PR nightmare for an up and coming currency that the bitcoin
'user community' will have to handle better to have a chance to be mainstream
recognized as a 'real' currency.

~~~
epequeno
This is very important to point out. For those who aren't very familiar with
the system a story like this says: "bitcoins aren't safe" when the message
they should get is: "bitcoin exchanges don't have a great track record for
security"

Once again, if you want real safety in trading bitcoin, do it "over-the-counter"
on irc. The "low-tech" solution can sometimes prove to be the best.

------
michaelbuckbee
Occasionally you'll see a story about a dramatic months long heist take place
in Eve Online [1] - the in game currency of Eve is loosely convertible to real
world USD currency and the amounts 'stolen' (this is a tricky point because it
happens in game) are real world significant: tens of thousands of dollars.

Bitcoin strikes me as similar, it has a weird quasi real feel to it, there are
markets that trade between BC and USD and spot prices and everything, but I
have a hard time thinking how/if a prosecution could occur with it.

[1] - <http://gamergaia.com/pc/1724-eve-online-space-heist-one-trillion-isk.html>

~~~
ChuckMcM
This is an intriguing parallel. I'm only personally familiar with World of
Warcraft gold farmers, but have read about Eve, Star Wars, even Everquest
folks trading goods/gold for real $$.

So computationally, I wonder what the cost to 'mine' a bitcoin is, vs the cost
to 'generate 1000 gold' in an MMO that sells for an equivalent amount? I will
definitely have to add this to my never ending book project.

~~~
michaelbuckbee
I was referring to more of a cultural feel and my own reactions, I never made
the link of computation to computation, we need an economist to weigh in on
this.

Also, if you find this sort of thing intriguing you might enjoy Charles
Stross's Halting State - <http://www.amazon.com/Halting-State-ebook/dp/B000W9180A/>

------
ajross
I hate to snark, but bitcoin seems to be turning into something of a bad joke.
How long will it be before the net volume of bitcoins stolen exceeds that of
those spent?

~~~
jlarocco
Everything about Bitcoin seems silly to me. What exactly was "stolen" here?
What if they just restore from yesterday's backup? Is there a bitcoin
equivalent of the ink packets regular banks use to track stolen cash?

~~~
wmf
_What if they just restore from yesterday's backup?_

If _every Bitcoin user_ rolled back the block chain by a day then the theft
essentially didn't happen. But you can't get everyone to agree to do that.

_Is there a bitcoin equivalent of the ink packets regular banks use to track
stolen cash?_

All Bitcoin transactions are public, so it's possible to trace thefts. But
when a transaction has both tainted and untainted inputs the output ends up
partially tainted and you end up with a lot of innocent people holding BTC
that's lightly tainted (sort of like having 100 $1 bills of which two were
marked by police — what is the probability that you're a criminal?).

<http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html>
<http://news.ycombinator.com/item?id=2800790>
<https://bitcointalk.org/index.php?topic=56170.0>
<https://bitcointalk.org/index.php?topic=67609.0>
<http://bitcoin.stackexchange.com/questions/2119/is-there-any-way-the-bitcoin-network-could-resist-a-viral-tainted-coin-tagging-s>

~~~
drewcrawford
> But you can't get everyone to agree to do that.

Bitcoin is essentially a network of mutual trust, right? It is _possible_ to
get enough machines on the network to vote to void the transaction. It is even
possible to set up some kind of body or bodies that investigate thefts, and
make recommendations about which transactions the community should void. Of
course, now we're inching towards a central bank, and so whether such a step
would be "in the spirit of Bitcoin" I don't know, but it's probably a
requirement if Bitcoin is to be taken seriously as a safe medium of exchange
for business purposes. Of course, perhaps it doesn't want to be used as such,
which is fine.

> sort of like having 100 $1 bills of which two were marked by police — what
> is the probability that you're a criminal?

The convention in the real world is that you are deprived of the stolen
property you've received even if you did not know that they were stolen. This
may seem undesirable, but it does incentivize ordinary people to perform some
basic checks that they are not purchasing stolen goods. Allowing innocent
people to keep stolen goods may seem like a fair course of action, but it also
can increase the market for stolen goods and incentivize thievery,
ultimately leading to an escalating situation.

~~~
wmf
_The convention in the real world is that you are deprived of the stolen
property you've received even if you did not know that they were stolen._

The problem with applying that standard to Bitcoin is that Bitcoins get mixed
together, so depriving people of money that's only partially tainted is a
disproportionate punishment.
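The taint mixing wmf describes in both comments above (a transaction with tainted and untainted inputs yields partially tainted outputs, so an all-or-nothing rule punishes innocent holders disproportionately) can be made concrete. The following is an added example, not code from the thread or from Bitcoinica/blockchain.info: it propagates taint over a constructed, clearly fictional transaction graph under two rules, the value-weighted dilution rule (commonly called "haircut") and the all-or-nothing rule (commonly called "poison"). All transaction ids and values are constructed; the function and model names are the example's own.

```python
"""Taint propagation over a constructed Bitcoin-style transaction graph.

Added example (not from the thread). Two propagation rules are compared:
  - "haircut": each output inherits the value-weighted average taint of the
    transaction's inputs, so mixing tainted and clean coins dilutes the taint;
  - "poison": any tainted input makes every output fully tainted.
"""
from collections import namedtuple

# Transaction: txid, list of spent outpoints (txid, index), list of output values in BTC.
# A coinbase (newly mined) transaction has no inputs. All txids below are constructed.
Transaction = namedtuple("Transaction", ["txid", "inputs", "outputs"])


def propagate_taint(transactions, tainted_outpoints, mode="haircut"):
    """Return {(txid, index): taint_fraction} for every output in the graph.

    transactions must be in spending order (an input's transaction appears first).
    tainted_outpoints are the outputs of the theft transaction, taken as 100% tainted.
    """
    if mode not in ("haircut", "poison"):
        raise ValueError("mode must be 'haircut' or 'poison'")
    taint = {}   # outpoint -> fraction in [0, 1]
    value = {}   # outpoint -> BTC value, used for value weighting
    for tx in transactions:
        total_in = 0.0
        tainted_in = 0.0
        for op in tx.inputs:
            if op not in value:
                raise ValueError(f"{tx.txid} spends unknown or out-of-order outpoint {op}")
            total_in += value[op]
            tainted_in += value[op] * taint[op]
        if total_in == 0:
            frac = 0.0                        # coinbase: freshly minted, clean
        elif mode == "haircut":
            frac = tainted_in / total_in      # value-weighted dilution
        else:
            frac = 1.0 if tainted_in > 0 else 0.0   # poison: any taint spreads fully
        for idx, v in enumerate(tx.outputs):
            op = (tx.txid, idx)
            value[op] = float(v)
            taint[op] = 1.0 if op in tainted_outpoints else frac
    return taint


def flag_outputs(taint, threshold):
    """Outpoints whose taint fraction is at least threshold, most-tainted first."""
    return sorted(
        ((op, f) for op, f in taint.items() if f >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


# Constructed sample graph (not real chain data):
SAMPLE_TXS = [
    Transaction("cb1", [], [50.0]),                                # mined, clean
    Transaction("cb2", [], [50.0]),                                # mined, clean
    Transaction("theft", [("cb1", 0)], [40.0, 10.0]),              # the hot-wallet drain
    Transaction("mix", [("theft", 1), ("cb2", 0)], [30.0, 30.0]),  # 10 stolen + 50 clean
    Transaction("pizza", [("mix", 0), ("theft", 0)], [70.0]),      # a merchant gets paid
]
THEFT_OUTPUTS = {("theft", 0), ("theft", 1)}


def compare_models():
    """Taint of each output under both rules, for the sample graph."""
    return {
        mode: propagate_taint(SAMPLE_TXS, THEFT_OUTPUTS, mode)
        for mode in ("haircut", "poison")
    }


if __name__ == "__main__":
    for mode, taint in compare_models().items():
        print(f"--- {mode} ---")
        for op, frac in sorted(taint.items()):
            print(f"{op[0]}:{op[1]}  {frac:.3f}")
```

Under the haircut rule the innocent party holding mix:1 ends up one-sixth tainted (10 stolen BTC mixed with 50 clean), while the poison rule marks that same holder as fully tainted, which is exactly the disproportionate outcome wmf objects to. A tracer picks a threshold for `flag_outputs` to decide which holders are worth investigating; at 50% only the theft outputs and the merchant's 70 BTC output are flagged.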

~~~
dlitz
Voiding transactions is a poor technical solution to a social problem. A
better solution is to track down the recipients, prosecute them, and have a
court order them to pay back a certain number of Bitcoins, just like you would
with cash.

------
arange
the transaction in question: <http://blockchain.info/tx-index/5416502/7a22917744aa9ed740faf3068a2f895424ed816ed1a04012b47df7a493f056e8>

it's like having cctv access to a robbery but being able to do nothing about
it

~~~
cakeface
Can you track where the bitcoins eventually end up and then get the thieves
that way? If someone takes that money and buys some pizza then wouldn't it be
trackable?

I suppose that it is probably going to just be cashed out for other bitcoins
or cash and laundered some other way which would make this kind of pointless.

~~~
Karunamon
It actually looks like the coins in question haven't moved anywhere yet.

<http://blockchain.info/tree/5416502>

~~~
Karunamon
* They have started moving now.. couple of 2600BTC transactions and a lot of others. I got bored at following the chain when it scrolled off the right side of the page.

------
BCBuyer
He's from Singapore and they were not holding 100k in a hot wallet. More like
18K which is still too much. JP Morgan lost $2B US due to some idiot traders.
<http://goo.gl/fqN3S> Shit happens.

------
aidenn0
I don't know much about bitcoins, can someone who does explain why one would
want to keep the coins in a wallet on a server somewhere instead of e.g. your
home computer, or a USB stick or something? Aren't they supposed to be roughly
equivalent to cash? Storing it on Bitcoinica seems like taking a briefcase
full of cash and storing it in a public locker.

~~~
devtestapp
This is exactly right. It is not a flaw in bitcoin rather irresponsibility
with large amounts of digital cash.

------
rbn
This is why bitcoins will never gain mainstream use. It seems that every few
months a high profile bitcoin site gets hacked.

~~~
darksaga
Agreed. I know a lot of people who start to flirt with the notion of using
Bitcoin, only to have their dreams smashed when they learn how frequently
these companies and their accounts are hacked.

It may be anonymous, but it's far from being secure.

~~~
j_s
> It may be anonymous, but it's far from being secure.

Would you mind clarifying what you're meaning by 'it' and 'secure'? To me, the
(in-)security of a particular bitcoin site is orthogonal to the security of
Bitcoin as a protocol/currency, though the security of bitcoin sites does have
a huge impact on mainstream use.

~~~
darksaga
Sorry, should have been more clear. By "it" I meant the sites where bitcoins
are being traded. And yes, seeing these sites getting hacked frequently makes
mainstream acceptance a lot harder. Which in turn makes changing the paradigm
take a lot longer.

------
stcredzero
Note: security is hard. The typical highly competent programmer isn't quite
competent at computer security.

~~~
tptacek
Which directly implies that financial systems that require massive investments
of new software infrastructure to make them useful to the public are
especially risky.

~~~
stcredzero
I should think that depends on if the massive investment is for paying hordes
of typical competent programmers, or for paying fewer guys more like you.

~~~
tptacek
My sense of the whole industry right now is that the demand for competent
software security far, far outstrips the supply; Bank of America could _want_
to build a gigantic new transaction processing infrastructure in a few years,
but logistically would probably not be able to retain the talent required to
secure it.

The major security advantage our legacy infrastructure has is that it's old,
and its failings are well-understood and (from a risk management / loss
mitigation perspective) mostly mitigated.

Bitcoin (or _any other_ online currency or transaction infrastructure) has
none of that.

------
mschonfeld
Here's the official statement: <http://bitcoinica.blogspot.com/>

------
mindstab
There are some very solid reasons for all the banking regulation, and we're
seeing them played out here. People are treating these places like banks,
storing hundreds of thousands of dollars with them, but they have none of the
regulations, security requirements or insurance and so they are great easy
prey for hackers and people keep getting robbed blind.

I hate to say it but what did people expect treating Joe Website like a bank,
and this is also what the deregulation camp can expect to happen if they keep
pushing for bank and market deregulation.

~~~
mynameishere
Most regulations aren't about security but about what kinds of business a bank
can engage in. This is more akin to giving your money to the protection of
your hapless, dimwitted cousin who promises not to let his pitbull eat it.

~~~
mindstab
And yet where are the stories of the banks losing your savings account?
Usually it's credit card fraud, not the bank's fault but some other site that
was storing it and got hacked, and then insurance steps in and pays it and you
still aren't out any money.

There are some pretty strict regulations about bank and credit card cyber
security and I presume they pay some pretty hefty insurance premiums for our
benefit.

------
carbocation
> "The database was most likely compromised."

> "Bitcoinica uses the most stringent best practices for password security.*"

> "For the technically inclined, we salt and encrypt passwords with bcrypt."

------
Slackwise
The irony of having a centralized banking institution compromised, and having
currency, designed to be decentralized and controlled by the individuals and
not organizations, stolen from them--is too much.

It's like the GitHub users who cry when GitHub is down saying "How are we
going to do work?!", not realizing that Git was designed to be completely
decentralized and not dependent on one single repository.

------
JoachimSchipper
Is bitcoinica still solvent? They've now lost $100K + $215K in BTC in
published hacks.

------
jonny_eh
This was inevitable. I remember when bitcoinica was first announced here a
while back and commenters warned this would happen.

I'd be curious as to how the breach occurred and how it could have been
prevented.

~~~
mschonfeld
Were they warned in a general sense? Or were they specifically targeted?

~~~
wmf
A financial company run by one inexperienced person is pretty much a big "hack
me" sign.

------
codexon
The site is down.

Here is a better source of info.

<https://bitcointalk.org/index.php?topic=81045.0>

------
meatpopsicle
If one does a cursory glance of the history of money, one will see many
different currencies having a debasement period similar to this. While others
will take the bait and parrot someone else's opinion that bitcoin is not a
safe place to put money, I'll be investing even more in the currency. Always
buy to the sound of cannons/scandal.

------
pavelkaroukin
you guys don't get it. if such high profile hacks happen - it means it's
worth a lot!

~~~
trafficlight
No, it just means there was a monetary gain to be made.

------
SpiderX
Hacked, or the guy who created the site just stole customers' money? There's
really no way to tell.

------
sevenstar
Who would do such a thing? Who would want to give a bad name to bitcoins? Who
would not want them to gain popularity? Who would want to keep the people in
the dark about things like bitcoin? Okay... I will stop.

