Regarding the NiceHash security breach (nicehash.com)
169 points by 6d6b73 on Dec 6, 2017 | 110 comments

It’s really scary in Bitcoin land. Either you store your coins online and worry about hackers, or you store them offline and worry about burglars, fires, etc.

I’m starting to appreciate the government enforced protections a traditional bank account provides.

There's a very simple solution if you care about security.

Buy a hardware wallet (e.g. Trezor in my example), note down the 24 words that are basically your private key. But enable the passphrase (25th word/phrase) which you type yourself and could keep just in your mind.

You have the safety of multiple backups for the 24 words and the extra security from burglars and others with the 25th passphrase.


It also serves as plausible deniability because when you input your passphrase it will never say it's incorrect, it will merely open a different wallet (generate a different private key).

Helps with the $5 wrench attack. You could set up a "fake" wallet with some activity and a low amount of Bitcoins, and have a different passphrase for the real wallet with the big amount.

BYOB, freedom comes at a price.

If you're handling millions of bitcoins, belonging to other people, I would go with something more hardened than a Trezor. Hardware Security Module with M of N authentication... Use that as a main vault. Keep a smaller number available as liquid. I don't understand why this isn't common sense among these people.

Can you link to a product available for purchase that implements your recommendation so that I can compare pricing vs. the Trezor?

The products I'm talking about are tens of thousands of dollars, but that's a drop in the bucket compared to the security architect that will set that up. This is not a solution for personal use. If you are in this kind of business, and are honestly clueless, then you probably need to be looking to hire a security director who is qualified to handle this. I'll probably venture to say that only the founder/owner or CFO/controller of the company should ever, EVER have unrestricted access to the vault wallet, and depending on the size of the company then even that will need to be addressed somehow (of which I have no idea the best practice on). The security chief does not need to have unlimited access to this in order to do his job. I'd not trust one who asked for such access.

"Simple" ones start at about 5k but require a proper business to buy and can usually do m of n. If you want to go all out you should write your own firmware module and use that. Those engineers are even more expensive than the security architect.

YubiHSM 2 is $650 or less in volume https://www.yubico.com/products/yubihsm/

YubiHSM2 doesn’t do m-of-n in hardware.

And how would that help Nicehash? They have automated processes paying out amounts. An inside job is enough. Some disgruntled employee having access to scripts and giving someone the private keys the script accesses and KABLOOM!

M of N requires multiple private keys in order to withdraw. The script that handles the automated payouts would have access to a wallet that has a relatively small amount of money. When that wallet gets too low or too high, the security and finance team can go to the HSM with their keys, and perform an agreed upon transfer of funds from the vault wallet to the online wallet, or vice versa.

I won't say it's impossible for the vault to get robbed, but with a proper security setup, such a heist would be unprecedented. It could even garner some respect on this forum (toward both the attacker and the victim), rather than shame. The online wallet could get hacked, but it would be a smaller fraction of the funds lost, rather than the entire farm. Of course, if you have a decent security team, they'll also be taking other measures to lower the likelihood of that happening. And unless you pissed the wrong people off, you'd be very unlikely to be sunk due to a random hacking. You would be too difficult of a target for it to be worth even trying.

Disclaimer: I'm not a security specialist, so don't take this as real security advice. However, I was technical lead for the payments system of a non-crypto fintech company (this doesn't imply that that company's security is or isn't set up in this way).

Indeed, my suggestion was merely about an approachable secure way for everyday people. Businesses etc. have to do as you say and have more sophisticated setups.

This sounds pretty good, but what if the $5 wrench attacker knows your real wallet needs 25 words, and not just 24... Wouldn't they just hit you with the wrench a few times until you added the 25th word?

That's not how it works. You create two wallets with the same initial 24 words and a different 25th word, and put a small amount of money in the second one. If an attacker has the first twenty four words and tries to beat the 25th out of you, you give them the word that unlocks the fake wallet. They have no way of determining if you have more than one wallet, or how many you created. The only way they could tell it was a decoy would be if they had some other way of knowing the approximate value of your wallet.
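The passphrase behaviour described in the comments above (any 25th word silently opens a different wallet), as an added example that is not part of the thread: a Python sketch of the BIP39 seed derivation followed by the BIP32 master-key step. The sample mnemonic, the passphrases and the `wallet_tag` and `compare_passphrases` helpers are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a valid BIP32 master key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample input: the publicly known all-zero-entropy 24-word
# mnemonic. It is a test value only and must never hold funds.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 23 + ["art"])


def _nfkd(text):
    """BIP39 normalises mnemonic and passphrase to NFKD, encoded as UTF-8."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """Mnemonic plus optional passphrase -> 64-byte seed (BIP39).

    PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The passphrase is never compared against a stored value: every
    string, including the empty one, yields a well-formed seed.
    """
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), b"mnemonic" + _nfkd(passphrase), 2048, dklen=64
    )


def bip32_master(seed):
    """Seed -> (master private key as int, 32-byte chain code) per BIP32."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 0 < key < SECP256K1_N:
        # Astronomically unlikely; BIP32 declares such a seed invalid.
        raise ValueError("seed produces an invalid master key")
    return key, digest[32:]


def wallet_tag(mnemonic, passphrase=""):
    """Hypothetical helper: a short tag for telling derived wallets apart.

    It hashes the master key and chain code; it is not a BIP32 fingerprint.
    """
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key.to_bytes(32, "big") + chain).hexdigest()[:16]


def compare_passphrases(mnemonic, passphrases):
    """Map each candidate passphrase to the tag of the wallet it opens."""
    return {p: wallet_tag(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    # Constructed passphrases; the last one differs only by a trailing space.
    samples = ["", "decoy phrase", "real phrase", "real phrase "]
    for phrase, tag in compare_passphrases(SAMPLE_MNEMONIC, samples).items():
        print(f"{phrase!r:>16} -> wallet {tag}")
```

A mistyped passphrase (the trailing space in the last sample) opens a different, empty wallet instead of raising an error, so the passphrase needs its own verified backup.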

I had always assumed the wrench would come out because the wrench-holder had at least some knowledge about my Bitcoin holdings.

Or scopolamine. Who needs a wrench when you've got angel's trumpet growing on the fence outside? Especially when it comes to the right 25th word (or the right VeraCrypt volume password, etc).

My "bank account" holds "money" "insured" by the FDIC. Enjoy your "freedom."

There is no right or wrong in this. Dollar and Bitcoin have their strengths and weaknesses. Neither is going to replace the other in the near future.

Your tone showcases your emotions. I can send bitcoins to anyone that wants to accept them, anytime. I can send my USD only if my bank permits me to do so and depending on their schedule.

That's one of the core values for me, however I can see that people are used to or just fine with their current bank relationships. Thinking that it's either the one or the other that work for everyone is naive.

“I can send my USD only if my bank permits me to do so and depending on their schedule.”

I can log in to my online Bank of America account now and transfer money to most anyone I know in about 100 countries. I can do the same from my bank account in a foreign bank account.

Freedom = I don’t want the government to know. I don’t have anything to hide and I am perfectly fine with the government seeing to whom I send/receive my money.

But bitcoin’s utility of it being a mechanism for transactions is over. It has become a mechanism to hoard wealth. The same way Tulips were used to hold wealth. The bulb will burst and it will lose that mechanism as well.

That said I think crypto currencies are the future...I just don’t think it’s bitcoin...

You don't see utility in hoarding wealth? Plenty of rich people do when they keep their money in the Cayman Islands.

Sure, for a $40 fee. No thanks.

> Your tone showcases your emotions.

I doubt you can define or explain those words, but you're welcome to try.

Crossing into outright incivility is definitely the wrong direction to take a discussion on HN. Please read the site guidelines and please don't do this again.


FDIC insures up to 250k so you have to spread it around to get protection above that. Not like that is a problem to most people, just saying there are limits to that protection.

Crypto currency accounts have some massive accounts now, not sure those would be covered much in those cases even with FDIC protection though it would be nice.

If there truly was a banking crash where more banks went down than in the Great Recession, I wonder how FDIC would hold up based on how many over leveraged games were being played that led to that implosion. Crypto currency is probably a reaction to that as well, trust in banking is immensely low in history.

Could you please not post snarky dismissals to HN? This is just the sort of thing we're trying to get away from.

If you have a substantive point to make, make it thoughtfully; if you don't, please don't comment until you do.

You can store your bitcoins online (in multiple places for redundancy) in an encrypted file you never decrypt. You can still send new bitcoins to that wallet.

When you finally do need to withdraw some bitcoins you just set up a clean Linux system, download the file, decrypt it, make a transfer, encrypt it again and upload (if you don't withdraw often you can skip that because such an offline wallet (at least the one generated by the bitcoin core client) can handle a few dozen outgoing transfers before you need to update it).

Then you don't have to worry about burglars, fires or hackers. You just need to worry about remembering your password. And about the portion of bitcoins you keep elsewhere to pay for things or trade.

> You can store your bitcoins online (in multiple places for redundancy) in an encrypted file you never decrypt.

> Then you don't have to worry about burglars, fires or hackers. You just need to worry about remembering your password. And about the portion of bitcoins you keep elsewhere to pay for things or trade.

This accounts for confidentiality but does not preserve the integrity or availability of the wallet and for those reasons is far less secure than you believe.

The availability part is addressed if you use this approach for a larger "vault" wallet that doesn't need to make withdrawals often.

I would like to see banks operate Bitcoin accounts.

The bank operates its own wallets, you transfer your Bitcoin to theirs (or just buy it from them.) Keeping the Bitcoin safe is their responsibility. If you want to spend the Bitcoin, you can transfer it back to your own wallet, or directly to the payee. You pay them some fee to do this.

Now, it has obvious downsides. Less privacy. Easier for the government to confiscate your Bitcoin. The bank could go bankrupt. But, a person might rationally reason that those possibilities are less likely than them stuffing up a wallet maintained by themselves. Especially if it was a major bank that they might reason is unlikely to go broke. Obviously the Bitcoin account would not be government insured so if the bank goes bankrupt you might lose it all.

If criminals break into your account and steal your Bitcoin – if it is due to a problem at your end, e.g. a key-logger on your machine, the bank shouldn't owe you anything. If it is because the bank screwed up, they should be liable to compensate you for the loss.

Isn't that mostly the situation we're in with the places that are getting hacked?

BitcoinBank holds your bitcoin. Keeping the bitcoin safe is their responsibility. They get hacked and someone takes the bitcoin from them. They're liable to compensate you for the loss, but they don't have the money to compensate you with - someone stole it all.

Is the difference that a bank like Bank of America would have non-bitcoin assets to compensate you with? That is to say, the hypothetical BitcoinBank gets $65M of bitcoin stolen and that's 100% of their assets so you're out of luck. BitcoinBank owes you money, but doesn't have any. However, if Bank of America had $65M stolen, you could expect them to have other assets to cover that loss and make you whole.

I think the issue is that would cost a lot of money. Would you be willing to pay 2% of your bitcoin per year for this insurance?

I think one of the reasons that our current financial system works well against fraud is the ability to undo many transactions and detect fraud in addition to swallowing losses. If you try to spend $10M, that's likely to cause fraud alerts. If you're shipping goods to someone else and they're expensive, you'll again get fraud alerts. If you're transferring money between banks, it can have certain fraud-protection oversight and has a certain ability to be undone. A lot of this comes from lack of anonymity and limitations. A $5 transaction isn't suspicious and doesn't carry the same risk as a $5M transaction. Most bank to bank transfer systems have daily and monthly limits on them. The banks know who owns the accounts and can confirm if it's the same person. Banks generally have some latitude to undo transactions. Banks can see where you purchase things and determine whether it's suspicious. Banks have centralized places where they determine whether to permit a transaction.

> However, if Bank of America had $65M stolen, you could expect them to have other assets to cover that loss and make you whole.

That's exactly my point. Asking some cryptocurrency startup to look after your bitcoin, if they get hacked, they'll probably go out of business and you will lose everything. A major bank, with billions (or even trillions) of dollars of non-cryptocurrency assets, they will survive the theft of a few million (or billion) dollars worth of bitcoin, and have plenty left to compensate you with.

> I think the issue is that would cost a lot of money. Would you be willing to pay 2% of your bitcoin per year for this insurance?

Some people will probably say yes. If you expect bitcoin to go up by substantially more than 2% pa, 2% might be a reasonable amount to pay to reduce the risk of holding it yourself.

> Banks generally have some latitude to undo transactions.

I don't expect banks would apply the same rules to cryptocurrencies given the inability to reverse. For example, if you make a typo in the target account for a bank transfer, with normal currency the bank will probably just reverse it for you if you call them, with bitcoin you've lost your money. The threshold for compensation would be much higher. But still, if the bank loses your bitcoin due to their own negligence (as opposed to your own negligence), they'd be liable for that.

Can banks reasonably do this with current money laundering rules?

Is the margin of 2% sufficient to cover costs + risk?

Incidentally - when a bank account gets hacked the bank compensates a single person worth of $. However every bitcoin system seems to revolve around keeping all of their eggs in a single basket for some reason. Surely the complexity cost is worth the additional security?

If the bank is holding your Bitcoin, what is the point of using Bitcoin at all? It is just an extremely inefficient centralized currency at that point.

As an investment. If a person believes Bitcoin is going to continue to go up in value, they might want to buy a lot of Bitcoin, but have someone else manage the safekeeping of that Bitcoin they bought.

I'm one of many people kicking myself that I didn't buy Bitcoin years ago when I first heard about it. And now I'm wondering if I should buy some now, because there is a decent chance it will continue to go up (in the long run). But if I could pay a modest fee for someone I trust (like a very big bank) to look after those Bitcoins for me, I might consider it.

Sure, but to say that is to say that bitcoin's "unique investment opportunity" is akin to that of pieces of irreplaceable artistic value ... or tulips of irreplaceable biological heritage.

Once people believed bitcoin could be a currency, a medium of exchange that could be used for the ordinary transactions people used ordinary cash for. Now, it's an "investment vehicle" hurtling down the road that gold, natural gas futures and similar things went after 2008 when the Fed began QE in earnest.

And sure, "it's different this time."

> I'm one of many people kicking myself that I didn't buy Bitcoin years ago when I first heard about it. And now I'm wondering if I should buy some now, because there is a decent chance it will continue to go up (in the long run). But if I could pay a modest fee for someone I trust (like a very big bank) to look after those Bitcoins for me, I might consider it.

I'm one of those who looks at the 2013 spike and 2014 crash, and wonders what's different this time around.

Well, probably nothing, but the gambler in me goes, but wouldn't it have been nice to get out on top. The trick of course being knowing when the top is.

You’re describing cryptocurrency ETFs like http://www.nasdaq.com/symbol/gbtc/stock-chart

Can't you use futures for that? No risks of hacks.

> I would like to see banks operate Bitcoin accounts.

This is completely antithetical to bitcoin. Upon reading that sentence, I thought surely this is a joke.

Not only is a bank account for bitcoins completely antithetical to the very notion of bitcoin, but it eliminates any need for bitcoin's central innovation, a distributed, unified verification system in the form of a 'blockchain,' generated by a clever utilization of P and NP.

Money is fungible, it doesn't really matter if I have dollars, or pesos, or yen in my bank account. The only reason you want a bank account for bitcoin is because you want a bank account with magic internet money that magically, irrationally increases in value until it doesn't. And you don't want the headache of worrying about all the potential missteps when messing about with your magic internet money.

You are describing coinbase.

If you can store it offline, why can't you just store it online in an encrypted file using a strong encryption key?

The whole point of offline storage is to guard against the risk of whatever internet-connected device you use to store your keys getting compromised.

If you make a mistake or fall victim to an attack that lets someone steal the encrypted file containing your key, there's a good chance the attacker will also be able to install a keylogger and get your passphrase.

The way I do it, is have a bootable usb stick with a clean install of Tails OS that has all my crypto stuff. I also have a gpg encrypted seed file on my google drive as a backup with MFA turned on.

I don't think offline storage is necessary as long as you're certain your system is clean, which a clean linux install helps.

If he can run a keylogger on whatever computer you use to unlock your wallet, then does it really matter whether you store it offline on a USB stick in a safe or not?

That's where hardware wallets like Trezor or KeepKey come into play. Any transactions are signed on the device and sent back to the computer; your private keys never leave the device.

A bitcoin 'wallet' is a strong encrypted key. The question is where do you keep that key.

But where do you store the key?

In my head? The same place I store the passphrase to my password manager.

With no backup? What if you suffer a massive head trauma (or an unfortunate death), no way to recover your millions of dollars for friends and relatives? I'm guessing people put this stuff in their wills these days, how secure is a will?

I have an encrypted file with online banking passwords, account numbers, etc for my wife.

It's on a USB stick in our fire safe, and also in our safe deposit box along with a passphrase hint that my wife or daughter would understand, but is not obvious to an outsider.

There are three widely-used approaches to managing your own keys:

1. Store the keys on your own device, and also write them down on paper as a backup.

2. Store the keys on a dedicated piece of hardware, and also write them down on paper.

3. Encrypt the keys with a username/password and back that up to the cloud.

Option 2 protects against all kinds of malware, including keyloggers. The device has its own screen and buttons, so you can see the backup keys and verify the destination of the funds without trusting your PC.

For the paper backups in options 1 and 2, there are fireproof options like cryptosteel.

Option 3 gives a really nice UX, since it feels like a standard username/password login. This is what Lastpass does for passwords, but applied to Bitcoin. Keyloggers are still a threat, and if your password is weak, someone might brute-force it in a database breach situation. Depending on your use-case, this may be worth the tradeoff.

The company I work for, Airbitz, implements option 3. In our experience, far more people lose funds accidentally than due to hackers (at least with self-managed keys). Therefore, a familiar UX is crucial to helping users retain control of their funds. Plus, most people aren't willing to invest in specialized hardware, at least at first. If crypto-currencies are ever going to go mainstream, there needs to be a software-only on-ramp.

While I tend to fully agree with everything you are saying, wouldn't it be a nice side effect if Bitcoin / cryptocurrency dominance forced the average computer user to get serious about password creation and management?

And no insurance company (understandably) wants to fully cover Bitcoins.


There are other options in Bitcoin land to protect against theft. If the online wallet uses multisig then it requires a signature from yourself before they can take the funds. If they're hacked then the hacker can't spend the coins.

Multiple copies and store them in a deposit box?

Like, it’s not as complicated as people pretend. Heck, encrypt it again so the wallet file cannot be profiled and store it on a cloud service.

A safe deposit box with the digital copies of the wallet may work.

Is that sarcasm?

We should not be supporting these criminals, most likely based out of Russia or China. It's my biggest gripe with Bitcoin. By buying Bitcoin you are indirectly supporting them.

Full disclosure: I am biased; a US citizen.

This makes no sense.

And is subtly racist.

Why do you hold that bias? Are you aware that certain parts of the world have large numbers of people who engage in certain types of cybercrime?

"All males are human" doesn't imply that "all humans are male."

It looks like people are saying ~4000 BTC got stolen.

That's ... an incredible amount of coin to be stored on the service. I would never have thought NiceHash had that much usage. Not that I thought NiceHash's usage was low, but ... well let's put this into perspective.

Only 1,800 BTC are mined on Bitcoin per day. Now, NiceHash is _not_ a Bitcoin mining pool; they just pay out in Bitcoin. But that should give some perspective as to the magnitude of funds NiceHash was playing with.

I've seen some people mention cold storage, etc. NiceHash isn't a service for storing coin. The intended usage is to only keep your (the user) profits on there long enough that it exceeds their minimum withdrawal limits. I'm sure some people leave coins on there for a bit longer, to reduce the % of their profits consumed by TX fees. But, for most intents and purposes, the funds on NiceHash are 100% hot funds.

So we're talking about 4,000 BTC of _hot_ funds. It's hard to fathom what their user base must be. It'd be like walking into a department store and finding out they have $56 million in their cash registers; not for any other reason than that they have enough business to justify it.

From Reddit: The owner of the company with a share capital of half a million euros is Bitorious (45%) based in Dornberk, its director is Marko Kobal, and 55% of the company is owned by H-Bit. The owner of H-Bit is Martin Škorjanc. An interesting fact is that Martin Škorjanc is the father of Matjaž Škorjanc, who was arrested by Slovenian police a year ago for online cyber crime with the help of the US FBI in Maribor.


It seems they are using the service of bitgo to store bitcoin, though the following post is old. A reddit user seems to say that they talked to them via support 2 months ago and they were saying they are using bitgo.


NiceHash only makes payouts once a day - they could easily keep their wallet offline, generate the payment transaction with the public key of their wallet and sign it on the offline machine. As far as the buyers who deposit funds to purchase hashing power, I'm sure they couldn't get too miffed about any withdrawals being delayed to ensure attacks like this just don't happen.

I had about $60 BTC in Nicehash. I'm aware to not store BTC in places like this, but given transaction fees, it's also not something where if you're working with a small amount of mining (just a single GPU) that you can transfer out daily without getting destroyed for transfer fees.

I'm guessing there were a lot of users like this.

I'm not very familiar with how crypto currencies work but when such an incident happens, how hopeful can the company be that they will get their BTC back?

I ask because they're saying on their reddit thread that they are working towards "solving this issue". What does that mean here?

Almost zero, unless they have verifiable evidence that the funds were seized by someone internal, and can somehow exact the wallet's private keys from said individual.

As a buyer you transfer BTC to NiceHash. You basically top up your account with credits.

Weren't they pretty transparent by definition? If you are listing X offers of Y hashrates, all this data is public... or was public anyway until they put up that placeholder.

There's some discussion going on a reddit thread, and people there seem to think this is an inside job.


The comment on their web site says that their payment system was compromised. If so, that means they had $64 million worth of bitcoin connected to their public-facing web site.

So I actually kinda hope for their sake it was an inside job, because that would be a lot less stupid.

One of the great things about bitcoin is that unless someone confesses we'll probably never know if it was an inside job. Do we even know who runs nicehash and in which country?

I always wondered how the hackers can get the money out of bitcoins to a fiat currency without exposing who they are. If they transfer it to an exchange, the exchange will know where the bitcoins came from being that transactions are open for everyone to see.

There are a few ways I can think of.

The first address they send the hacked coins to (a1) will most likely be blacklisted by some exchanges. However, the hackers could create thousands of new addresses and transfer the coins from a1 to the new addresses. Then do that again. All exchanges would have to monitor all addresses that a1 ever sent coins to. They could do this, but I'm not sure how many exchanges would actually do this. All it takes is one exchange to accept the hacked coins then the hacker can sell the BTC for something like ETH.

Another option would be OTC trades, but that would take a really long time to sell 4000 BTC.

In the case of past thefts high level executives of a Bitcoin exchange were in on the hack and facilitated laundering the stolen coins.


They usually don't. They just stay in the attacker's addresses.

I would say the best way to go would be using bitcoin mixing services, but then the attacker would open themselves up to a huge risk of getting caught if the mixing wasn't perfectly secure, when they eventually go to an exchange.

Never heard about NiceHash before, but this story is currently being reported by Slovenian national media and NiceHash is presented as a Slovenian company.

I looked it up before I started mining with them and concluded they were based in Amsterdam. In case you’re wondering, I lost approx. $120.

They are a Slovenian company.

Can someone explain what NiceHash is/was? I'm guessing an online Bitcoin wallet but there no longer seems to be any content on their website to verify that.

Nicehash is a bitcoin mining hash reseller. You could download their client and mine whatever cryptocoin was most profitable (ETH/BTC/LTC...) and get paid in bitcoin. Actually quite easy to use.

But they just got hacked for $52 million...

No, it's a mining pool. If you have a miner, you can direct it to Nicehash, and it gives you a proportion of all the pool's mining rewards. This way, it reduces the variance of rewards for individual miners, who may otherwise go months before mining an actual block.

It's not quite a mining pool. You don't solve shares and get it back tied to that share.

You sell computing power for $x/hr, and you get paid $x-%/hr, as two completely unlinked things.

Their rates were about 4 BTC to rent 1 TeraHash/s of mining capacity for 24 hours. Some of their pools for rent had 1800 miners, some were solo operations. I was looking into renting mining time through them a few days ago.

At this price rate, the ~4000 BTC could be 1 or 2 days of rental fee for a couple hundred transactions. No idea about their volume of transactions or cash flow.

A multi-pool: you point your miner at them and they switch automatically to the coin with the highest expected profit to mine. They pay miners in BTC. On the other side, they let people bid on mining power to direct to coins of their choice.

As others have pointed out, it's not a pool. They're a service for connecting people with miners to people who want to mine something. They're a hash reseller. A user bids for mining power and where they want it assigned. Miners post rates they're willing to mine at.

Even though I lost ~$500 here and I'm sure others lost many more, the biggest bummer here is that NiceHash is/was a great idea and service that will be forever tarnished.

The fact that anyone still trusts Bitcoin services after all of the hacks still floors me.

Same thought here, there are millions and millions lost every week

It's a nature of their payout structure caused by high bitcoin tx fees. Payout happens in rounds.

I didn't lose a penny of cash as a seller, but hash buyers did.

Depending on whether you used their internal wallet (which they heavily incentivised), sellers might have lost their earnings in BTC from selling their hashpower.

Yeah, same here. I lost about a week's worth of mining since Friday was their payout day. Thankfully I used my own wallet for payout so the damage is limited.

Your rig is bigger than mine. Have been mining on and off for two months on my 1080TI to my own address (mainly overnight as days have been hot in Australia) and was just moments away from reaching the 0.01BTC payout threshold.

Glad I didn't trust them to use their wallet system - those are the ones who'd really get burned by this, if NH can't recover.

They really need to lower the minimum payout limit, or set that you can pay out e.g. every two weeks.

Same here, I had about 0.008 'saved' - kinda irritating. On the other hand, the profitable mining algorithms didn't really change much for me (cryptonight, keccak, lyra2re), so you'd be better off just doing it on your own and then trading on an exchange. I'm not sure which coins exactly were being mined, but you can check here: http://whattomine.com

Cheers; having a go of AwesomeMiner now and numbers are looking good. Pretty sure they'll claim somehow that the money they hadn't paid me is not their responsibility and if that happens there's no way I'm going back to NH.

~$120 here. I will stick with mining Zcash now.

"We are working to verify the precise number of BTC taken."

How is this not a simple task?

Seems like it was about $65 million from various comments on reddit. Address - https://blockchain.info/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh...

There might very well be other addresses used to transfer the stolen Bitcoins.

They probably need to contact lawyers first

I don't think reddit is reliable here. Some redditor shows up and affirms he has the hacker's BTC address. How come he knows that? I'm surprised Bloomberg reports the $63 million number, as it seems very weakly sourced.

Bitcoin transactions are done on a distributed ledger that everyone can see. 4700 BTC went from NiceHash -> Hacker.

I know but how do you get what's at the left of the arrow exactly?

The Slovenian media is reporting that the majority owner of NiceHash is the father of the programmer who created the Butterfly bot (Mariposa botnet) and got busted by the FBI.

I heard he taught as an assistant at the CS school I went to some time ago.

> Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken.

That should be easy to find via the transactions. Are they still in your wallet? What's the address? If they are still in there, then use a backup key to move the BTC now. Do you have a backup of the keys?

Being that it is connected to a payment system, it's surely the hot-wallet. No mention of a cold-wallet makes it seem they've been completely wiped.

Multi-edit: Stream of consciousness

Various people online suggest it's this wallet:


4,736.42 BTC transferred.

What are best multi currency offline or hardware wallet options to store various alts? I hold Eth, Ark, Strats, PAY and a few more.

Is it possible to know with those breaches if it was truly stolen by a hacker, or if it was stolen by them or someone internal?
