
Regarding the NiceHash security breach - 6d6b73
https://www.nicehash.com/
======
nikanj
It’s really scary in Bitcoin land. Either you store your coins online and
worry about hackers, or you store them offline and worry about burglars,
fires, etc.

I’m starting to appreciate the government enforced protections a traditional
bank account provides.

~~~
kbody
There's a very simple solution if you care about security.

Buy a hardware wallet (e.g. Trezor in my example), note down the 24 words that
are basically your private key. But enable the passphrase (25th word/phrase)
which you type yourself and could keep just in your mind.

You have the safety of multiple backups for the 24 words and the extra
security from burglars and others with the 25th passphrase.

[https://blog.trezor.io/hide-your-trezor-wallets-with-multipl...](https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f2e0834026eb)

It also serves as plausible deniability because when you input your
passphrase it will never say it's incorrect, it will merely open a different
wallet (generate a different private key).

Helps with the $5 wrench attack. You could set up a "fake" wallet with some
activity and a low amount of Bitcoins, and have a different passphrase for the
real wallet with the big amount.

BYOB, freedom comes at a price.
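
What the passphrase does, as an added example that is not part of the comment above and is not Trezor's code: under the BIP39 standard the wallet seed is PBKDF2-HMAC-SHA512 over the mnemonic, salted with "mnemonic" plus the passphrase, so every passphrase yields a valid seed and none can be reported as incorrect. The 12-word phrase is the public all-zero-entropy test mnemonic, used as constructed sample input (a real backup would be 24 random words); the function names are hypothetical.

```python
import hashlib
import unicodedata

# Constructed sample input: the public all-zero-entropy BIP39 test phrase
# (11 x "abandon" followed by "about"). Never use it for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase."""
    # BIP39 requires NFKD normalisation of both inputs before hashing.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    # 2048 rounds of PBKDF2-HMAC-SHA512; there is no checksum on the
    # passphrase, so the derivation cannot fail or flag a "wrong" one.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallets_for(mnemonic: str, passphrases: list) -> dict:
    """Map each candidate passphrase to the hex seed of the wallet it opens."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def distinct_wallets(mnemonic: str, passphrases: list) -> int:
    """Count how many different wallets the given passphrases open."""
    return len(set(wallets_for(mnemonic, passphrases).values()))


if __name__ == "__main__":
    # Same written-down words, four passphrases: four unrelated wallets.
    # "decoy" vs "Decoy" shows that a single-character slip is enough.
    candidates = ["", "decoy", "Decoy", "real wallet phrase"]
    for phrase, seed in wallets_for(SAMPLE_MNEMONIC, candidates).items():
        print(f"{phrase!r:22} -> seed {seed[:16]}...")
    print("distinct wallets:", distinct_wallets(SAMPLE_MNEMONIC, candidates))
```

A mistyped passphrase therefore opens a different, empty wallet without any error, so the passphrase itself has to be remembered or backed up exactly.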

~~~
username223
My "bank account" holds "money" "insured" by the FDIC. Enjoy your "freedom."

~~~
kbody
Your tone showcases your emotions. I can send bitcoins to anyone that wants to
accept them, anytime. I can send my USD only if my bank permits me to do so
and depending on their schedule.

That's one of the core values for me, however I can see that people are used
to or just fine with their current bank relationships. Thinking that it's
either the one or the other that work for everyone is naive.

~~~
victor106
“I can send my USD only if my bank permits me to do so and depending on their
schedule.”

I can log in to my online Bank of America account now and transfer money to
most anyone I know in about 100 countries. I can do the same from my bank
account in a foreign bank account.

Freedom = I don’t want the government to know. I don’t have anything to hide
and I am perfectly fine with the government seeing to whom I send/receive my
money.

But bitcoin’s utility of it being a mechanism for transactions is over. It has
become a mechanism to hoard wealth. The same way Tulips were used to hold
wealth. The bulb will burst and it will lose that mechanism as well.

That said I think crypto currencies are the future...I just don’t think it’s
bitcoin...

~~~
mplewis
You don't see utility in hoarding wealth? Plenty of rich people do when they
keep their money in the Cayman Islands.

------
fpgaminer
It looks like people are saying ~4000 BTC got stolen.

That's ... an incredible amount of coin to be stored on the service. I would
never have thought NiceHash had that much usage. Not that I thought NiceHash's
usage was low, but ... well let's put this into perspective.

Only 1,800 BTC are mined on Bitcoin per day. Now, NiceHash is _not_ a Bitcoin
mining pool; they just pay out in Bitcoin. But that should give some
perspective as to the magnitude of funds NiceHash was playing with.

I've seen some people mention cold storage, etc. NiceHash isn't a service for
storing coin. The intended usage is to only keep your (the user) profits on
there long enough that it exceeds their minimum withdrawal limits. I'm sure
some people leave coins on there for a bit longer, to reduce the % of their
profits consumed by TX fees. But, for most intents and purposes, the funds on
NiceHash are 100% hot funds.

So we're talking about 4,000 BTC of _hot_ funds. It's hard to fathom what
their user base must be. It'd be like walking into a department store and
finding out they have $56 million in their cash registers; not for any other
reason than that they have enough business to justify it.

~~~
SilverSlash
I'm not very familiar with how crypto currencies work but when such an
incident happens, how hopeful can the company be that they will get their
BTC back?

I ask because they're saying on their reddit thread that they are working
towards "solving this issue". What does that mean here?

~~~
grufftech
Almost zero, unless they have verifiable evidence that the funds were seized
by someone internal, and can somehow exact the wallet's private keys from said
individual.

------
ktta
There's some discussion going on in a reddit thread, and people there seem to
think this is an inside job.

[https://www.reddit.com/r/NiceHash/comments/7i0s6o/official_p...](https://www.reddit.com/r/NiceHash/comments/7i0s6o/official_press_release_statement_by_nicehash/)

~~~
pjc50
One of the great things about bitcoin is that unless someone confesses we'll
probably never know if it was an inside job. Do we even know who runs nicehash
and in which country?

~~~
adrr
I always wondered how the hackers can get the money out of bitcoins to a fiat
currency without exposing who they are. If they transfer it to an exchange,
the exchange will know where the bitcoins came from being that transactions
are open for everyone to see.

~~~
volker48
There are a few ways I can think of.

The first address they send the hacked coins to (a1) will most likely be black
listed by some exchanges. However, the hackers could create thousands of new
addresses and transfer the coins from a1 to the new addresses. Then do that
again. All exchanges would have to monitor all addresses that a1 ever sent
coins to. They could do this, but I'm not sure how many exchanges would
actually do this. All it takes is one exchange to accept the hacked coins then
the hacker can sell the BTC for something like ETH.

Another option would be OTC trades, but that would take a really long time to
sell 4000 BTC.

------
exhilaration
Can someone explain what NiceHash is/was? I'm guessing an online Bitcoin
wallet but there no longer seems to be any content on their website to verify
that.

~~~
Tbeiko
No, it's a mining pool. If you have a miner, you can direct it to Nicehash,
and it gives you a proportion of all the pool's mining rewards. This way, it
reduces the variance of rewards for individual miners, who may otherwise go
months before mining an actual block.

~~~
dylz
It's not quite a mining pool. You don't solve shares and get it back tied to
that share.

You sell computing power for $x/hr, and you get paid $x-%/hr, as two
completely unlinked things.

------
mizzack
Even though I lost ~$500 here and I'm sure others lost many more, the biggest
bummer here is that NiceHash is/was a great idea and service that will be
forever tarnished.

~~~
FLUX-YOU
The fact that anyone still trusts Bitcoin services after all of the hacks
still floors me.

~~~
mizzack
It's the nature of their payout structure caused by high bitcoin tx fees. Payout
happens in rounds.

I didn't lose a penny of cash as a seller, but hash buyers did.

~~~
altern8tif
Depending on whether you used their internal wallet (which they heavily
incentivised), sellers might have lost their earnings in BTC from selling
their hashpower.

------
H99189
"We are working to verify the precise number of BTC taken."

How is this not a simple task?

~~~
ktta
Seems like it was about $65 million from various comments on reddit. Address -
[https://blockchain.info/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh...](https://blockchain.info/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq)

~~~
watoc
There might very well be other addresses used to transfer the stolen Bitcoins.

------
quadcore
I don't think reddit is reliable here. Some redditor shows up and affirms he has
the hacker's BTC address. How come he knows that? I'm surprised Bloomberg reports
the $63 million number, as it seems very weakly sourced.

~~~
lasc4r
Bitcoin transactions are done on a distributed ledger that everyone can see.
4700BTC went from NiceHash -> Hacker

~~~
quadcore
I know but how do you get what's at the left of the arrow exactly?

------
mlamat
The Slovenian media is reporting that the majority owner of NiceHash is the
father of the programmer who created the Butterfly bot (Mariposa botnet) and
got busted by the FBI.

I heard he taught as an assistant at the CS school I went to some time ago.

------
provost
> Importantly, our payment system was compromised and the contents of the
> NiceHash Bitcoin wallet have been stolen. We are working to verify the
> precise number of BTC taken.

That should be easy to find via the transactions. Are they still in your
wallet? What's the address? If they are still in there, then use a backup key
to move the BTC now. Do you have a backup of the keys?

Being that it is connected to a payment system, it's surely the hot-wallet. No
mention of a cold-wallet makes it seem they've been completely wiped.

Multi-edit: Stream of consciousness

~~~
dragontamer
Various people online suggest it's this wallet:

[https://bitinfocharts.com/bitcoin/address/1EnJHhq8Jq8vDuZA5a...](https://bitinfocharts.com/bitcoin/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq)

4,736.42 BTC transferred.

------
pknerd
What are the best multi-currency offline or hardware wallet options to store
various alts? I hold Eth, Ark, Strats, PAY and a few more.

------
didibus
Is it possible to know with those breaches if it was truly stolen by a hacker,
or if it was stolen by them or someone internal?

