Hacker News new | comments | show | ask | jobs | submit login
Computer compromise leads to theft of bitcoins valued at $500,000 USD (bitcoin.org)
96 points by trotsky on June 14, 2011 | hide | past | web | favorite | 136 comments

I now understand that BitCoin is actually an experiment to teach people basic economics and why many of today's rules and institutions (e.g., banks) exist. Sorry for criticizing it. BitCoin is an awesome educational tool.

Bitcoin is not money on the bank, but cash. If your wallet is stolen, the bank will not refund you, either. You can, however, go to the police and that is what the victim here is doing as well. There is, of course, a much lower chance of catching the thief than there would be with real cash.

Yep, which is why if you have $500K you keep it in the bank and not in your wallet. (Err, not that $500K would fit in your wallet, but anyway...)

Bitcoin has no "bank" equivalent.

Except you can put a wallet on a thumb drive, and literally put it in a bank (safe deposit box).

Exactly, make sure the only copies of the wallets with your money are on non-networked, non-running hardware, preferably just straight up storage media, and secure it physically. You can make it as secure as you can possibly make anything. Hell, you could even get it insured.

Though interestingly, your bank isn't generally required to repay you for losses in your safe deposit box unless it arises from their negligence.

Probably makes sense to print it out on a sheet of paper and put it in there too.

What do you call exchanges that hold an on-site balance?

I'm also fairly sure there are several brands trying to provide a "bitcoin banking service".

not decentralized?

I have spent very little time thinking about bitcoin, so I really am not qualified to say anything for or against it - however I have a question that seems ridiculously obvious:

WHY would you implement the digital version of cash, as it seems you just stated -- WHY would you create a digital currency with no ability to really track and disable and refund?

Kind of the whole point of digital currency is to evade tracking. A currency that is truly anonymous is more generally useful than one that isn't. The same features that make it easy to steal also make it easy to spend.

The US government won't let you leave with more than $10k in physical cash without "declaring" it, but declaring exposes you to likely theft by the government in the form of civil forfeiture or tax seizure, as does carrying it past TSA. Your bank won't let you wire-transfer large amounts without having to file a bunch of CTRs, again exposing you to potential legal liability. Making transactions in smaller amounts to avoid notice of the big amounts - even if you're doing so to avoid private thieves - is a federal crime called "structuring". Credit card companies solve some of the problem but can randomly "put a hold" on your funds without your consent.

Digital cash is trying to fill the role that cash used to fill before the War On Some Drugs made everything insane. Back when the government printed $500 bills and $1000 bills and it wasn't deemed "suspicious" to use them. In the modern age, digital cash promises to let us buy things around the world, "no questions asked", without banks and governments and other middlemen getting in the way.

Overhead is (supposed to be) lower with cash.

What prevents you from setting up a BitCoin bank?

More interestingly: are the features that let you set up a dollar-denominated bank features or bugs?

This is one of the casualities of the Bitcoin monetary policy.

(Obviously I'm simplifying, your money gets pooled with others and deposits and withdrawls happen from a pool of money, you don't get your own money back when you withdraw, but lets compare two hypothetical banks with only 1 customer each)

A dollar denominated bank takes your money and invests it. They use it for mortgages, or they put it in bond markets or equity markets. They make a profit. Some of that profit gets returned to you as interest. They also provide for safe keeping of the money. With interest rates near zero, we forget this, but thats the real reason for a bank. If it was just a safe place to keep money, we'd be paying them.

A Bitcoin bank couldn't work. You give them some Bitcoins. They transfer them to dollars, make some investments. Now you go to withdraw some money and they have to sell the investments. Since Bitcoins are deflationary, they can not make you whole without incurring a loss. There is no money to be made in operating a Bitcoin bank and giving interest so long as the exchange rate of Bitcoins to the real world keeps going the way its going. Everyone should just sit on their bitcoins and hold them.

Now if you just want to make a safe deposit box for Bitcoins, that's would work. And you would have to pay a fee. But there is a difference between a bank account and a safe deposit box, and I don't see bank accounts working with bitcoin any more so than they would have worked based on tulip bulbs in the 80s.

> You give them some Bitcoins. They transfer them to dollars

It should work just fine if they do the investments in Bitcoins.

What you described is not how banks or money work.

Below is an entertaining, albeit slightly alarmist, educational video on how the money system works today. This should be required viewing for anyone considering using money:


I don't want to risk wasting 45 minutes listening to a crackpot, and honestly, there are quite a few indicators for lunacy in the first few minutes. Can you give a few bullet points to help me decide if it's worth to watch?

I haven't checked the video (can't watch it here), but there are indeed many misconceptions about how the banking system operates.

In particular, banks do not lend out deposits, at least not in any meaningful way, and the so-called money multiplier is non-existent.

To get up to speed on such things, I would recommend the blogs of economics professor Bill Mitchell. His style is a bit rambling without much polish, since he writes one entry every day, but I found it very worthwhile for getting a deeper understanding. Consider looking for entries with "money multiplier" in the title in the index here: http://bilbo.economicoutlook.net/blog/?page_id=1667

It talks about the history of banking and the fractional reserve system, the difference between commercial and central bank money.

What most people don't realize is that banks don't have to actually have the money they lend out. That's the basis for our monetary system and while it has nice qualities, like spurring innovation, there are some undeniable drawbacks.

You know these concepts are explained in any first-year economics textbook, yes?

How would a bank stop you from getting taken to the cleaners if an outsider got access to your bank account in malicious ways?

The point is that is a little bit harder and more traceable than having to manage files(all your money) yourself. There is at least a semblance of security and the bank/govt will make good if someone breaks into the bank and steals all the cash there.

Banks are regulated by law and have the funds insured by FDIC. i.e even if the bank goes belly up, the FDIC will make sure the depositors get the money. With BitCoin, how do you trust a bank? Even if it's just by word-of-mouth trust, eventually the bank will be taken over or run by non-trustworthy people. The threat of federal prison keeps most real banks honest. Nothing like that exists in the BTC world.

Well, ultimately what you're saying is that you trust the FDIC more than you trust any given bank. That's nice, but it begs the question:

- Will the FDIC fulfill its obligations at all times?

- How does the FDIC have the resources to do so?

- Does the presence of the FDIC lead to better or worse behavior among banks?

It's especially interesting to look at the issue of non-trustworthy people. When S&Ls were semi-deregulated in the early 80's, they got extra FDIC protection and were allowed to lend to a wider variety of projects. Suddenly, the credit decisions of the bank didn't matter, because the FDIC backstopped their deposits. And that attracted some really non-trustworthy people.

Wikipedia says the total cleanup cost was $87.9 billion, which discounts the opportunity cost from building pointless malls and empty offices. Can you imagine a BitCoin-based system ever hitting that level of losses?

Banks also inflate the money supply using fractional reserve banking, effectively diminishing the value of every other dollar in active currency.

If you think that is honest behavior, then bury all your money for 10 years and then try to spend it. Suprise! You've been robbed.

If I'm not mistaken, there is an eventual limit on the amount of bitcoins that can ever be created.

That's not entirely a negative... We're better off that people are incentivized to not bury all their money. Deflationary spirals are no fun.

I agree that circulation of currency/commodities is necessary for a healthy economy. I don't agree that we're better off having value stolen from our currency by inflating it for the sake of "incentive".

How many joe sixpacks actually spend their money as quickly as possible because they're afraid of inflation? Hopefully it never comes to that.

> Deflationary spirals are no fun. $5/gallon of gas and $7/gallon of orange juice are no fun either.

Banks inflate the money without creating (printing) it physically. I guess a bank taking deposits and giving loans in bitcoins would do just the same.

>If you think that is honest behavior, then bury all your money for 10 years and then try to spend it. Suprise! You've been robbed.

That does induce people to spend,invest or save(savings in banks are loaned out to others by the banks) which drives the economy.

The problem with bitcoin right now is that it's being thought of an investment to hold on to, instead of a currency that must be exchanged for goods.

Imagine if the dollar was appreciating in value big time every week and month. People would stop spending and just hog them. The economy as we know if might collapse and lead to a full blown depression.

> instead of a currency that must be exchanged for goods.

My prediction is the bitcoin market will correct itself, as markets without interference do. Bitcoins are intrinsically worthless, like the USD, unless it can be exchange for goods/services.

> Imagine if the dollar was appreciating in value big time every week and month.

As long as a central banking authority (Federal Reserve) can legally make dollars from thin air, this will never happen.

The problem is that people are using BitCoin as a 'Get Rich Quick' scheme instead of a currency. While this does drive adoption, some lives may be destroyed on the way because of market manipulation by malicious parties. How many legitimate transactions are happening compared to transactions with an intent to hoard BitCoins for future gains?

> Banks are regulated by law and have the funds insured by FDIC. i.e even if the bank goes belly up, the FDIC will make sure the depositors get the money. With BitCoin, how do you trust a bank?

There were banks before the FDIC and people trusted them. The threat of insolvency can (but doesn't always) keep them honest.

True, but atleast the banks were real physical places with real people at the helm. It is really hard to trust anything over the internet these days,except if one of the big financial players like Citibank or someone like Amazon starts a bitcoin bank.

AFAIK any of the online banks could be running out of a hole in the wall in Ukraine or Nigeria. Even paying online sites with credit cards is risky these days with the rampant fraud etc, I wouldn't trust anything online only enough to entrust my money unless backed by a big player.

> except if one of the big financial players like Citibank or someone like Amazon starts a bitcoin bank.

That's part of how the market solves this sort of problem, traditionally. When trustworthiness is especially valuable, brands develop that have it. One way to bootstrap the process is to start with an existing brand that has it, like American Express. Companies that want to be seen as trustworthy can also do things like offering money-back guarantees and putting money aside in an escrow account held by a third party.

>Banks are regulated by law and have the funds insured by FDIC.

And following the train of logic, what prevents you from regulating a bitcoin bank?

Crypto-currency is kind of like cash. Yes, you're a fool to try and run an entire economy with cash, but that doesn't mean it should disappear!

How did people trust banks before FDIC?

They didn't, necessarily. Banks were just a place to get loans and a slightly more secure place to keep money than a hole in the back yard:


I'm a BitCoin skeptic with the best of them. But this is breathtaking.

That's one thing about bitcoins. There's no FDIC or SIPC watching your back. It's the wild west with train robberies and stage coach heists in all.

It's interesting to consider why that is. I could start a BitCoin deposit insurance company, for example: you'd pay me X% of your balance each month, and I'd make you whole in the event of fraud.

Of course, I'd want all sorts of regulations on how you set this up; I might sell you some kind of extra-secure system for managing your balance, for example. At that point, the market would basically be putting a price on BitCoin security.

Obviously, my deposit insurance scheme could go broke, if I price it wrong. That's theoretically a risk with SIPC. It's not a risk with the FDIC, since that is ultimately backed by the government's ability to print an unlimited amount of money.

So it might make more sense to say that deposit insurance is a feature of unstable currencies: if anyone's dollar-denominated debt can be 100% guaranteed by the government, then the value of everyone's dollar-denominated assets will face an inflation tax to pay for this guarantee.

Maybe I'm missing some detail of the scheme you're proposing, or have some fundamental misunderstanding of bitcoin, but if bitcoin is anonymous and untraceable, how do you prevent insurance fraud?

You could only insure bitcoin that is stored in a wallet that you control (i.e. act as a bank).

Wouldn't this also defeat the purpose of BitCoin in the first place? And by "purpose" I'm referring to the whole "anonymous, untraceable" aspect of it. It's very much like cash - it's anonymous, yes, but also if it gets stolen there's not much you can do about it.

It would be nice to have that option. "Anonymous, untreacable, and un-recoverable, or not-so-anonymous, somewhat traceable, and recoverable."

Plus, I'd bet that you could create an onion router-style arrangement with multiple off-shore banks in different jurisdictions.

The thing I find more dangerous than that is anyone with your wallet.dat file can go and do whatever with your account.

There really should be additional checks. Having to sign your transfer requests and allow people to impose a voluntary delay on their transactions to allow time for cancellation would help significantly.

My wallet is on an IronKey - in order for me to use it I have to plug it in and decrypt it. I also backup my wallet on a NAS server but the wallet is encrypted with GPG.

Gotta protect your data!!

Where do you back up your GPG private key? Where do you store the passphrase for the key? It's a long chain of vulnerabilities in any well architected system that must be addressed. This seems acceptable for a big company, but for an individual to have to go through all these steps just to protect their money seems arduous.

And it's simple to run a keylogger after a brower/flash/pdf/java exploit to grab your password, isn't it? Not even admin/root access is needed.

Not if you have a secure means of input in your OS. OSX does, for instance, you can turn it on in the Terminal application and no loggers will see what you type.

Unless they install as a kernel extension, then you're screwed. But that requires a password.

or a bog standard privilege escalation bug

of course. But now we're talking something significantly more complicated than a keylogger, and more fragile as it probably relies on glitchy behavior.

FDIC or SIPC don't cover you if you have stacks of cash that get stolen.

This guy wasn't using a bank, he wasn't encrypting his wallet, so that is inevitable.

Seems fairly inevitable: if I sat by the window of my house, talking to anyone who walked by about having a large cache of money, which it was clear was also in my house... well, I would probably want to do one or all of: (a) invest in some quality locks; (b) stop talking about it; (c) keep my money somewhere else

Correct me if I'm wrong, but given the P2P nature of bitcoin, wouldn't it effectively give someone interested in malicious activity a list of target IP addresses? In theory he could set up his own P2P, watch for large transactions, and then he has an ip running a bitcoin client who (potentially) has a large wallet.

Then it's just a matter of running common exploits (or new ones, if you have them) in order to access the machine and the bitcoin wallet.

Also: this is the perfect crime for those so inclined to do this. What authorities are going to give a damn about your missing Bitcoins?

I've thought about that as well. But I would imagine if you have the technical chops to do that (I'd be interested in seeing a distribution of Mac/Linux/Windows users for BitCoin as well), you'd have the technical chops to get more money from other ways than stealing a few bitcoins. That said if I were a botnet master I'd put in some code to search for a wallet as a 'bonus'.

There's no way to know which IP address corresponds to which bitcoin address.

The point is that all of the IP addresses recorded in the network transactions are Bitcoin users.

No, you can make a receiving address without ever connecting to the network. Current clients won't do so (that I'm aware of), but it's entirely possible.

The main reason though is that new addresses aren't broadcast. The only time you know their location is when they send, and only if you were watching their traffic / the traffic of all nodes they sent to.


That's the account record of the address that supposedly stole the huge amount of bitcoin. The maximum balance I see it have is 400 blocks. Is it missing from the record or is a bitcoin block larger than 1 BTC?

A BTC "block" is currently 50 BTC, I think.

This reminds me of the "come from" statement. COMEFROM is a long-running joke, it's a flow control statement which is intentionally confusing. It works like a GOTO but backwards. There is no indication in the area being jumped from that flow control is about to go somewhere else in the program. https://secure.wikimedia.org/wikipedia/en/wiki/COMEFROM

I think, when parts of your currency start to resemble any part of INTERCAL, you have a big problem :-)

People joke about the COMEFROM statement all the time, but isn't this was observers do?

What, you don't read your code in reverse chronological order?!

This guy's experience reads like something out of a William Gibson novel. If BTC takes off, I wouldn't be surprised if the world got several orders of magnitude nastier, malware-wise. If the value of breaking into someone's machine is not merely the computer's connectivity or, worse, information to enable identity theft but actual, untraceable value-holding currency, you know the incentive to compromise computers is going to skyrocket.

Are we prepared to live in that world?

What's the cyber-analog of those "driver carries no cash" signs?

Funny. More seriously, this reminds me of the difference in deterrence value between Lojack and The Club:

Lojack makes it little less likely that any particular car will get stolen but increases the likelihood that a car thief will be caught.

The Club basically says, "Go steal someone else's car."

"Driver carries no cash" is well intentioned but says, "Go rob someone who does have cash." It has a local deterrent value perhaps, but is of limited value as a deterrent from robbing people who drive delivery trucks.

All of this gets me wondering? Does UPS still do COD? And if so, do they accept cash?

The worst part of this is how irreversible it is. With a bank you might be able to get it back, with cash nobody can just siphon the actual paper money remotely, but with bitcoin you're out of luck.

With a bank you might be able to get it back

I'm not sure that's true. As I mentioned in another comment, the CHAPS payment system doesn't allow transactions to be reversed, and the other major system in the UK, Faster Payments, I believe has a 24 window for banks to request a reversal, usually in case they transmit something by mistake.

Honestly, I think we place too much faith in banks sometimes.

In the US, consumer liability for fraudulent withdrawals from bank accounts is generally limited to $500 by federal law, provided that the consumer detects the fraud and notifies the bank within 60 days. The bank is responsible for the amount in excess of $500. Many banks even have a policy to refund the entire amount fraudulently deducted.

Probably... At least it would be more traceable, though...

Traceability in the real world banking institutions has its advantages. As a business owner I've once had a mistaken transactions that resulted in erroneous withdrawal of +10,000 from business bank account. A phone call to the bank and a bit of investigation fixed things and I don't think the bank was out any money either, it was just a wrong account number issue.

With bitcoin, things are not at all reversible.

Also I expect bitcoin to be shutdown because it could be a great way to fund terrorist activities. (There are major federal investments in anti-money laundering systems that monitor bank transactions, bitcoin transactions operate outside of this system and thus will be suspect.)

With bitcoin, things are not at all reversible.

True of plenty of payment methods, e.g. CHAPS in the UK:

Unlike other forms of payment such as cheques, CHAPS payments are irrevocable


I think a better word is "traceable". Presumably with CHAPS one can find out who the money went to, and other mechanisms can come into play to get it back.

Bitcoin, though, is supposed to herald the awesome future of totally anonymous, totally untraceable transactions in which once your money's gone, you're fucked.

There are major federal investments in anti-money laundering systems that monitor bank transactions

That worked really well for Wachovia...


Also I expect bitcoin to be shutdown because it could be a great way to fund terrorist activities.

So is cash :)

It's pretty hard to move large quantities of cash around... it's pretty easy to move a flash drive with a bitcoin wallet around.

That is why people who try to bring into the US large amounts of cash through border control have it confiscated if they don't declare it.


Even if it's not, that's the easy claim to make these days that will get them shut down.

Kind of like "it's for the children". That phrase alone can be used to justify so many actions.

> With a bank you might be able to get it back

Only if it hasn't been transferred elsewhere and laundered and whatnot. Then all the bank is doing is penalizing its other customers to make you whole.

There's some capacity for error or crime built into the numbers as they stand. This means that the bank is more-or-less insuring against those things. All customers reap the benefits of insurance, because the benefit is the security, not the restitution.

Nobody would keep $500,000 in cash sitting around their house, but that's essentially what this guy did.

Completely untrue.

I've witnessed stacks of cash far in excess of that.

However, when it is done, there is usually a fair bit of armament around the cash, and the kinds of people that keep that sort of cash on hand are also not the sort you want to commit an amateur robbery against.

We're not all criminals. Civilians keeping 500K in their house is plain stupid.

Doubly so in the UK. Here, the police can presume without proof (and have done so) that any cash in excess of GBP1000 is the "proceeds of crime", and the onus is then upon the owner of the cash to prove that it isn't.

Sounds like a convenient rule for law enforcement to incriminate people when they have a "hunch" about their illegal actions.

When I was 12 y.o. I had that sort of money in my bedroom (years of saving money from my paper route job, and factoring inflation). Of course, I could prove that it was mine, but it seems like the bar is somewhat low if it's set at GBP1000. It's the kind of money that you use to pay to rent a cottage for your vacations, not ludicrous drug-traffic amounts ...

But what would be the other options for a normal user? You could completely hand over your wallet to someone else, but that sort of defies the point of Bitcoin: they could log transactions, be raided by authorities, etc. You could store your wallet in a way that's physically secure (say, on a flash drive), but this just requires the hacker to insert software that waits until you try to spend some of that bitcoin. You could maintain many separate wallets on separate flash drives, so you would only lose part of your savings to this sort of attack, but that is inconvenient.

The only solution I'm coming up with would be to hand over control of your wallet to an anonymous-yet-trusted third party who's hidden behind Tor or such. The difficulty is in finding (or creating) an anonymous-yet-trusted party in the first place.

It seems like secure servers where you can store / access your bitcoins could be a good product.

BitCoin has an analog in cash. Yes, it's anonymous but there are things you simply dont do with it.

The design of BitCoin only includes very weak anonymity. A medium-to-large scale network analysis could most likely break any anonymity people thought they had.

Adding Tor to the equation makes the system fully anonymous, assuming you don't leak other information.

Yes, but there's no FDIC-insured BitCoin bank, and there's no way to write a virus that steals cash.

And there really can't ever be one. A bank requires some way to offset risk (insurance, etc); If it gets robbed, the insurer pays out; In this case, an insurer would need to physically keep more bitcoins than the insured on hand in order to handle a payout situation. Since bitcoins can't be 'printed' like dollars, there's no way to simply have an 'FBcIC' without allowing them to substitute something for those bitcoins in a payout situation (e.g., the USD cash value).

For a bunch of DIY hackers, I'm sort of surprised you guys are so willing to hand your money and control over its security over to the government and financial institutions. Then again, I was a computer security guy for the government and online financial institutions, so I guess I'm comfortable with my ability to protect my (very very small amount of) money, or I'm just more cynical about them.

Western Union is irreversible, and would probably have been shut down if it wasn't so well-established. Most other US payment systems are reversible, which is why you have holds on getting the money out of those systems - they want time to detect fraud and reverse the fraudulent transaction. This requirement for reversibility seeps through the system, which makes anonymity very difficult, and causes a lot of friction on anything that changes a reversible payment into a non-reversible payment, since that's where you eat the fraud. Now you know why it's hard to get cash equivalents out of the system, especially to a remote party.

The point here is that once the money is in a non-reversible network, you can accept a payment and know that it's good very very quickly. If you make bitcoin reversible, you might as well just use one of the old payment systems, where the money might disappear later (and you'll be out your privacy, goods, cash and services), or you'll be paying transaction fees based on your charge-back rates, and unable to charge more for the reversible payments than the non-reversible ones due to contracts you have to sign to be part of the payment network - and thus the non-reversible payers subsidize the reversible payers. What a racket.

As we used to say, "there's no good guys in payment processing, only bad guys and less-bad guys".

Sounds to me like a BTC bank should be set up, with corresponding accounts. Instead of 'you' holds all your BTC, your BANK holds most of your BTC in a secured location, and you can make withdrawals to your account on demand.

Of course, this would effectively require an insurance corp also set up in such a fashion that integrity of the bank could be configured.

/hmm... maybe I should do this!

Third sentence:

> If only the wallet file was encrypted on the HD.

Yep. Anyone who doesn't do this is stupid.

He then proceeds to say that he backed up his unencrypted wallet to "dropbox, wuala, and spideroak", which doesn't strike me as extremely clever when you're talking about something in the half a million price range.

On the other end it's a good cautionary tale. I'm quite curious about this bitcoin thing, but this reminds me I definitely don't want to secure all my money myself without any insurance or guarantees. A stupid mistake and shazam you lost all your money.

Regarding the issue of whether the application should encrypt the wallet by default, it'd probably be a good thing to have but I'm not sure it would have helped in this case. The wallet would have to be decrypted in order to mine or execute any transaction and the attacker was obviously targeting the bitcoin wallet specifically, so it could just have installed a keylogger or whatever to catch the passphrase, like they do with banking sites (or wait until the walled is decrypted and dump it then, or install a backdoored version of the bitcoin client...).

I haven't used Bitcoin, so this is an honest question - Why doesn't the software encrypt the wallet automatically?

Bitcoin is a Thesis of one Guy. Its great in many ways but in terms of Softwaredesing and Engeniering at least the Client sucks. I've the Auther had knew it would be blowing up like this he would probebly have build something better.

Its Open Source and you can interact via JSON so it would be that hard to build a good client that does this kind of stuff.

Beats me. Probably one of those "get around to it later" things.

It's in the works: http://goo.gl/XAiBr and http://goo.gl/7HvQ4 (see quote in #3)

I doubt that encrypting the wallet on the HD would have helped much. It sounds like allinvain's computer was compromised. The attacker could have copied the decryption key when it was used legitimately by allinvain.

I put my wallet on an IronKey - I imagine that helps the situation.

Until you plug into a compromised computer and type the password? Or does it include protection against that?

Well then I'm buggered. But the plan is to not plug into a compromised computer...

Sounds like a plan... Why bother with the IronKey?

Could a hacker move the file somewhere else and ask for ransom?

If so, that's a lot easier to deal with than losing everything outright, but not risk proof.

I don't see why a hacker would do this. They've already broken the law so this just increases their chances of being caught. If they wanted to be "nice", they could just have stolen fewer of the bitcoins.

It seems to me that Bitcoin requires an actual wallet. A physical device that will store your "money" ie. verifiable account info, the way a general purpose computer is storing it now.

Anybody have the text of the post available? The site's not working for me.

I just got hacked - any help is welcome! allinvain June 13, 2011, 08:47:05 pm

Hi everyone. I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone to the following address:


Transaction date: 6/13/2011 12:52 (EST)

I feel like killing myself now. This get me so f'ing pissed off. If only the wallet file was encrypted on the HD. I do feel like this is my fault somehow for now moving that money to a separate non windows computer. I backed up my wallet.dat file religiously and encrypted it but that does not do me much good when someone or some trojan or something has direct access to my computer somehow.

The transaction sent belongs rightfully to this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG

Block explorer is down so I cannot even see where the funds went.

I tried restoring an earler backup of my wallet but naturally that does not work because the transaction has already been validated.

Needles to say I feel like I have lost faith in bitcoin.

Anyone have any ideas what I can do besides just jump off a bridge?!

--------------- [snipping out posts that don't contribute much] --------------- Re: I just got hacked - any help is welcome! June 13, 2011, 09:05:04 pm allinvain

First thing that I noticed is that my slush's pool account got hacked into and someone changed the payout address to this:


I then changed the password and proceeded to run some antivirus and anti malware scans. Some stuff was found, but they were all cleaned up and they were all in my windows user profile temp dir which I deleted all the temp files. God I can't even type properly. Sorry folks I'm a bit emotional now.

I then left another virus scanner running and went to sleep. When I woke up I check my bitcoin wallet. I leave the client running to help the network, and I notice -25,000 (and a transaction fee) gone.

Fuck, I really should've moved the coins to a vmware linux session I have running. But the question is was it already too late? Could someone had my access to my wallet.dat for a long time and now just decided to "cash out"

Valued by who? Hasn't this been fluctuating like crazy lately?

No. One exchange one day.

No? I'd say a high of $24 and a low of $16.10 over the last 48 hours most assuredly qualifies as 'fluctuating like crazy.'

Man, JCP is fluctuating like crazy.

someone should make a physical bitcoin wallet device.

It's not really $500,000 though is it? As soon as you exchange a small amount of that into dollars you crash the exchange and the value drops significantly. I'd estimate it at about $30,000 worth.

If you try to cash them out all at once, yes.

On June 12th, $3,5M were exchanged on MtGox. For 8 of the last 10 days, the daily volume has been above $1M. I think that you could get these $500K in small chunks in a few days, provided you do it full time.

Edit -- Source: http://bitcoincharts.com/charts/mtgoxUSD#rg30zigDailyzvzcvzl...


Without an unbiased third party auditing of their accounts I would be loath to place too much trust in data they themselves produce to say how awesome they are. Especially with such a significant amount of capital allegedly at stake and nothing to lose for bending the truth.

Granted the market is easy to manipulate with small transactions that can start large swings; as well it would be difficult to find a buyer if you wanted to liquidate a lump sum of this size without a solid discount.

That said, I think you're overstating the impact this would have. The recent downswing from ~$30 to ~$10 in a period of a couple days was speculated to be due to MtGox consolidating 20 times this amount.

Can you elaborate on how to came to the discount factor you used?

He means that there isn't enough people to cash with the current rate. That is $500K.

Yes, I realize that, I'm just wondering how he came to 30k.

Without knowing how much real backing the exchanges have it's hard to get a figure on what effect a large dump would have on the market. Additionally, you'll get shock dumpers who do a run on the exchange once they see value erosion. $30,000, although fabricated, feels right. Although i'd add that's probably an upper bound rather than expected value.

Perhaps that was the reason for the black friday.

Isn't that why Mt Gox has a dark pool?

ahem, read up on European history..

The Merchant trade in Europe came up with three valued things:

1. Corporations 2. Insurance 3. Banks

Those three items are related to one another. While its true that due to the anonymous nature BitCoin is biased towards illegal mafia-like formation of banks and such for illegal activities as soon as legal activities start using them as trade banks, insurance, etc will form as a nature evolution.

Maybe there's value in creating a BitCoin bank that will hold money for people, just like real banks?

Mt. Gox and Bitcoin Market already do that.

They're just exchanges though -- they don't offer incentives (e.g. interest) for depositing.

Since you can't manufacture bitcoins, I think guaranteeing interest would be difficult at best

This is why we can't have nice things.

IMHO the shadiest side of the bitcoin daemon is that it discovers peers by connecting to an irc channel. Just like a typical virus botnet handles command and control. Connecting these two uses of IRC is pretty obvious, and then you get a virus that attacks windows machines running bitcoin and steals wallets.

What... That's like saying the shadiest part of the BTC daemon is that it uses computers because botnets use computers.

It doesn't just get them from IRC. IRC is the quickest way for the daemon to get them.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact