Bitcoinica hacked. ~$100k USD stolen. (bitcoinica.com)
68 points by mschonfeld on May 11, 2012 | hide | past | favorite | 85 comments

This is now the 2nd, 3rd time that Bitcoinica has been hacked?

People warned of this when it was first announced—a financial platform created by a lone teenager in China [1] is obviously going to be a target for high profile attacks. The site owner's comments [2] make it clear that he's not ready to do security on a large-scale financial system.

The idea that they were holding even 100K of Bitcoins is mind-boggling.

[1] http://news.ycombinator.com/item?id=2973301 [2] http://news.ycombinator.com/item?id=2973732


Could it be that he had the same kind of breach GH had?

To balance out the critique I would like to point out that this has nothing to do with an inherent insecurity or fault in the bitcoin currency, but with the way the current marketplaces handle their security.

It is however a PR nightmare for an up and coming currency that the bitcoin 'user community' will have to handle better to have a chance to be mainstream recognized as a 'real' currency.

This is very important to point out. For those who aren't very familiar with the system a story like this says: "bitcoins aren't safe" when the message they should get is: "bitcoin exchanges don't have a great track record for security"

Once again, if you want real safety in trading bitcoin, do it "over-the-counter" on irc. The "low-tech" solution can sometimes prove to be the best.

Occasionally you'll see a story about a dramatic months-long heist take place in Eve Online [1] - the in-game currency of Eve is loosely convertible to real world USD currency and the amounts 'stolen' (this is a tricky point because it happens in game) are real world significant: tens of thousands of dollars.

Bitcoin strikes me as similar, it has a weird quasi real feel to it, there are markets that trade between BC and USD and spot prices and everything, but I have a hard time thinking how/if a prosecution could occur with it.

[1] - http://gamergaia.com/pc/1724-eve-online-space-heist-one-tril...

> Occasionally you'll see a story about a dramatic months long heist take place in Eve Online

As far as I can tell, investment opportunities in Eve are pretty much all Ponzi schemes. Much of the political change and economic activity centers around monopolizing certain things in 0-security space that are like "dungeons" and "quests" and much of that happens through skullduggery and betrayal.

I quit playing Eve because in some ways, it was too emotionally involving.

I loved Eve...and hated it too. The idea of free-actions through any space, pirates and what not was awesome. The politics, empire building and something for everyone rule system was great. And the economy was amazing.

+1 on being too emotionally involving

This is an intriguing parallel. I'm only personally familiar with World of Warcraft gold farmers, but have read about Eve, Star Wars, even Everquest folks trading goods/gold for real $$.

So computationally, I wonder what the cost to 'mine' a bitcoin is, vs the cost to 'generate 1000 gold' in an MMO that sells for an equivalent amount? I will definitely have to add this to my never ending book project.

I was referring to more of a cultural feel and my own reactions, I never made the link of computation to computation, we need an economist to weigh in on this.

Also, if you find this sort of thing intriguing you might enjoy Charles Stross's Halting State - http://www.amazon.com/Halting-State-ebook/dp/B000W9180A/

The cost to "mine" a bitcoin isn't constant, the network is self-regulating and the difficulty increases over time, to ensure a certain rate of supply.

I hate to snark, but bitcoin seems to be turning into something of a bad joke. How long will it be before the net volume of bitcoins stolen exceeds that of those spent?

I hope you never do a google news search for things like robberies and muggings.

Look, at the end of the day you're hearing only the exception not the norm. It's like people who watch the nightly news and think their little suburb is full of terrorists and murderers. Confirmation bias is a helluva drug.

Retail banks are not routinely losing customer dollars to online breaches in their own systems; virtually all of them also have infrastructure in place to make any such potential losses immaterial to actual customers. The impression that Bitcoin's actual practical implementation on the web is seriously shady is probably not a product of cognitive bias.

According to http://bitcoinica.blogspot.com/ they didn't lose any customer dollars in this case either. The distinction isn't one of infrastructure, but of policy: the bank defines the theft as being of their money, not your money, and bitcoinica seems to be behaving like a bank in this regard: "The thief stole from us not you. All withdrawal requests will be honored."

Comparing a teenager's site to a bank is being pretty disingenuous here. If you're saying it's impossible to code a safe bitcoin repository on par with electronic banking then I really need you to back that up with proof because it's a pretty insane premise.

I can lose $20 right now and it would be impossible to trace back. Bitcoin really isn't any different than cash, except bitcoin users probably understand the risks a lot more than $random_consumer.

Bitcoin really isn't any different from cash, except that its retail online presence seems to have been uniformly built by people with a teenage-level of engineering experience?

I don't want to bag on the guy who wrote Bitcoinica, except that I wish he had done what I said earlier and built a play-money exchange instead of a "real"†-money system like this.

But I'm happy to berate the people who talk up Bitcoin, the Bitcoin economy, and the ecosystem of Bitcoin services and then, when things fail to the tune of 6-figure losses for customers, try to apologize around it by saying "oh, well, that service was built by a teenager; wait until the serious engineers get around to building Bitcoin services!". It's a frustrating and intellectually dishonest argument to make.


I think the Chinese dude needed some money and faked a hack. Anyone can prove otherwise? Rephrase to make it less offensive: if the owners of such a system stole money, how could anyone tell?

I'm actually pretty sure he's not Chinese at all, but actually an alien from a planet in the Gliese 876 system. Can anyone prove otherwise?

I think that's the most offensive thing I'll read all day. I really hope nobody proves otherwise.

He says he's going to reimburse customers out of his pocket; if he actually does that then he couldn't have made money on the hack.

I get where you're coming from, but that's a meaningless comparison.

Keep in mind that the same bitcoin can be spent over and over again. And once stolen, it will certainly be spent. (You don't steal bitcoins except to spend them.) Pretty much by definition, the volume of bitcoins being spent is going to exceed the volume of bitcoins being stolen[1].

So basically, the answer is "never", which is why that's not really a useful metric. What might be more interesting is what percentage of bitcoins have been stolen in the past,

[1]: Unless we end up with a situation where a large number of bitcoins are being repeatedly stolen from thieves before they can spend them. That's theoretically possible...but highly implausible.

> How long will it be before the net volume of bitcoins stolen exceeds that of those spent?

I don't know, but there's a graph I'd like to see.

There are roughly 1 million USD Bitcoin transactions per day.[1] The stolen transaction accounts for 10% of a single day's worth of transactions.

1. http://blockchain.info/charts/estimated-transaction-volume-u...)

Does this figure include people wiring money to themselves?

Everything about Bitcoin seems silly to me. What exactly was "stolen" here? What if they just restore from yesterday's backup? Is there a bitcoin equivalent of the ink packets regular banks use to track stolen cash?

> What if they just restore from yesterday's backup?

If every Bitcoin user rolled back the block chain by a day then the theft essentially didn't happen. But you can't get everyone to agree to do that.

> Is there a bitcoin equivalent of the ink packets regular banks use to track stolen cash?

All Bitcoin transactions are public, so it's possible to trace thefts. But when a transaction has both tainted and untainted inputs the output ends up partially tainted and you end up with a lot of innocent people holding BTC that's lightly tainted (sort of like having 100 $1 bills of which two were marked by police — what is the probability that you're a criminal?).

http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-... http://news.ycombinator.com/item?id=2800790 https://bitcointalk.org/index.php?topic=56170.0 https://bitcointalk.org/index.php?topic=67609.0 http://bitcoin.stackexchange.com/questions/2119/is-there-any...

> But you can't get everyone to agree to do that.

Bitcoin is essentially a network of mutual trust, right? It is possible to get enough machines on the network to vote to void the transaction. It is even possible to set up some kind of body or bodies that investigate thefts, and make recommendations about which transactions the community should void. Of course, now we're inching towards a central bank, and so whether such a step would be "in the spirit of Bitcoin" I don't know, but it's probably a requirement if Bitcoin is to be taken seriously as a safe medium of exchange for business purposes. Of course, perhaps it doesn't want to be used as such, which is fine.

> sort of like having 100 $1 bills of which two were marked by police — what is the probability that you're a criminal?

The convention in the real world is that you are deprived of the stolen property you've received even if you did not know that it was stolen. This may seem undesirable, but it does incentivize ordinary people to perform some basic checks that they are not purchasing stolen goods. Allowing innocent people to keep stolen goods may seem like a fair course of action, but it also can increase the market for stolen goods and incentivize thievery, ultimately leading to an escalating situation.

> The convention in the real world is that you are deprived of the stolen property you've received even if you did not know that they were stolen.

The problem with applying that standard to Bitcoin is that Bitcoins get mixed together, so depriving people of money that's only partially tainted is a disproportionate punishment.

Voiding transactions is a poor technical solution to a social problem. A better solution is to track down the recipients, prosecute them, and have a court order them to pay back a certain number of Bitcoins, just like you would with cash.

> it's probably a requirement if Bitcoin is to be taken seriously as a safe medium of exchange for business purposes

Bitcoin is just an alternative to cash. It doesn't aspire to be anything else. Businesses generally don't transact in large amounts of physical cash either. They use trusted institutions and contracts to limit their liability.

You can of course build all that infrastructure on top of bitcoins just as easily as you can on top of cash. It's a question of reaching a sufficient amount of economic activity to make it all profitable.

Bitcoin is designed to be a cash replacement using digital cryptography. As such, one of the design decisions was to make transactions non-reversible (the conditions where this would not be true aren't relevant). Basically once a transaction (originating account, destination account, and amount) is entered into the distributed ledger/transaction log, it can't be removed, since the majority of systems believe it.

Thus if the original account tries to use those same "coins" (really tokens) the network would reject it, as that account no longer has access to those coins.

The bitcoins are the data. If you steal their files, you can spend their money anonymously and there's nothing anyone can do about it. Restoring from a backup just gets them a bunch of worthless bitcoins that have already been spent.

And the answer to the second question is "absolutely not". The lack of tracking is a primary requirement that was designed into the system from the start.

There is no lack of tracking built into bitcoin. In fact it's exactly the opposite. Everything is tracked within bitcoin. The one exception is with stolen bitcoins, like what had happened. Those bitcoins show up as owned by the rightful owner... And when spent and tracked, would appear to have been spent by that person, instead of the thief.

You're right. I was imprecise. The transactions themselves are trackable, so with backups you know to "who" your specific bitcoins were transferred. But the "who" is just a number, and anonymous. And you can create as many identities as you want.

Essentially: bitcoins are anonymous because money laundering in the bitcoin world is perfect and free.

Eventually the money has to come out somewhere, though.

Well, I think that there is something like the ink packet for bitcoins, or there could be. I may be wrong (and please correct me if I am mistaken), but it is my understanding that every Bitcoin transaction is public (just peruse the block chain), it's just that they are transferred between possibly unknown parties. You could track where those bitcoins went (the thief's account), and where that thief subsequently spent or laundered those bitcoins. You can trace them as far as you like, though they would quickly get combined with bitcoins that came from legal means and then you can only give lower and upper bounds on how many bitcoins are illegal in each wallet.

We could, as a society, decide that we will not accept bitcoin transfers from addresses that are reported to have taken any stolen bitcoins, whether directly implicated or implicated by violating the rule I just described. We could also decide that the only way to get your address back into good standing is to, for instance, transfer whatever coins that could possibly be ill-gotten into a bitcoin sink (an account that everyone agrees to never accept transfers from, basically dead bitcoins). You can even come up with more continuous proposals; not just illegal or legal, but rather you can have a 90% clean account, and it is clear how that translates to the value of your bitcoins when dealing with people who won't accept illegal coins.

This is in many ways like an ink-packet. That doesn't get the other person their bitcoins back, but it removes the financial incentive to steal. Of course this is probably ripe for abuse. It would definitely be a way to screw over whoever you were sending money to, but it wouldn't be a charge reversal. You lose the money but the other party gets no spendable money.

Addresses in the bitcoin system are designed to be disposable, you can generate as many as you want. Adding an address that you can prove was involved in theft to a blacklist is wasted effort.

Edit: Also, the use of "anonymizers" in the bitcoin ecosystem is common. Silk Road has something they call tumbler which masks transactions in such a way that you can't really say for sure where the bitcoins are coming from.

If you look at the Anonymity page on this wiki, it basically states that being able to generate as many addresses as you want is not much protection. The coins still need to be transferred between your wallets, and that means people can track whether a wallet has received any funds from an address that has been reported as having stolen coins (after the theft was reported, of course). In fact, I think it is downright easy to do.


I assume that "tumbler" is basically as good as any eWallet service with a bit of obfuscation on the transactions in and out. That is fine; if you trust someone enough to take your coins, mix them with a bunch of other people's money, and then send them back when you need them, you can remain pretty anonymous. This is because that person/organization can do virtual funds transfers off of the bitcoin block chain record. However, in the scenario where addresses are marked as dirty or clean, that eWallet supplier is going to find him/herself in the possession of many dirty bitcoins and will have to burn them.

In the Silk Road example, if people use stolen bitcoins on that network, all bitcoins that get sent in are tainted by that (to some percentage) and the value of the entire working volume of Silk Road bitcoins in the "tumbler" laundering machine is lessened. This means that either Silk Road passes that loss of value on to the sellers, possibly pissing them off, or they throw those bitcoins away (or send them back) and tell the person paying with them to pay again from a clean address because that money was reported as stolen.
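The taint tracing sketched in the comments above (a theft's outputs are fully tainted, mixing with clean inputs yields partially tainted outputs, and for any wallet you can only state lower and upper bounds on the stolen share) carried through on a small constructed ledger. This is an added example, not code from the thread or from any Bitcoin tool; the transactions, addresses and amounts are made up, and fees are ignored.

```python
"""Taint tracing over a constructed Bitcoin-style transaction graph.

Outputs created by a reported theft start 100% tainted. Each later
transaction that spends a mix of tainted and clean inputs passes taint on
to its outputs, computed three ways per output:
  - haircut: proportional share (the "partially tainted" view in the thread)
  - lo / hi: lower and upper bounds on tainted coins, because the spender
             could have routed the tainted inputs to any subset of outputs
Fees are ignored (an assumption), so inputs always equal outputs.
"""
from collections import defaultdict

# Constructed ledger, not real chain data. A transaction is
# (txid, [(prev_txid, prev_index), ...], [(address, amount_btc), ...]);
# an empty input list means newly mined (coinbase) coins, which are clean.
TXS = [
    ("t0", [], [("exchange_hot", 100.0)]),
    ("t1", [], [("alice", 50.0)]),
    ("t2", [("t0", 0)], [("thief", 100.0)]),                       # the theft
    ("t3", [("t2", 0), ("t1", 0)], [("merchant", 120.0), ("thief2", 30.0)]),
    ("t4", [("t3", 0)], [("alice", 60.0), ("merchant2", 60.0)]),
]
STOLEN_TXIDS = {"t2"}  # transactions reported as theft


def propagate(txs, stolen):
    """Return ({(txid, idx): (address, amount, haircut_frac, lo, hi)}, spent_set)."""
    taint, spent = {}, set()
    for txid, inputs, outputs in txs:
        total_in = tainted_in = lo_in = hi_in = 0.0
        for prev in inputs:
            _, amt, frac, lo, hi = taint[prev]     # KeyError => ledger out of order
            spent.add(prev)
            total_in += amt
            tainted_in += amt * frac
            lo_in += lo
            hi_in += hi
        if not inputs:                             # coinbase: clean by definition
            total_in = sum(a for _, a in outputs)
        for idx, (addr, amt) in enumerate(outputs):
            if txid in stolen:                     # reported theft: fully tainted
                taint[(txid, idx)] = (addr, amt, 1.0, amt, amt)
                continue
            frac = tainted_in / total_in if total_in else 0.0
            hi = min(amt, hi_in)                   # all tainted coins could land here
            lo = max(0.0, lo_in - (total_in - amt))  # what the other outputs cannot absorb
            taint[(txid, idx)] = (addr, amt, frac, lo, hi)
    return taint, spent


def holdings(txs, stolen):
    """Aggregate unspent outputs per address: balance, haircut-tainted, lo, hi."""
    taint, spent = propagate(txs, stolen)
    acc = defaultdict(lambda: {"balance": 0.0, "tainted": 0.0, "lo": 0.0, "hi": 0.0})
    for key, (addr, amt, frac, lo, hi) in taint.items():
        if key in spent:
            continue
        h = acc[addr]
        h["balance"] += amt
        h["tainted"] += amt * frac
        h["lo"] += lo
        h["hi"] += hi
    return dict(acc)


def clean_fraction(h):
    """Share of a holding the proportional model treats as clean (0..1)."""
    return 1.0 - h["tainted"] / h["balance"] if h["balance"] else 1.0


if __name__ == "__main__":
    for addr, h in sorted(holdings(TXS, STOLEN_TXIDS).items()):
        print(f"{addr:10s} balance={h['balance']:6.1f} tainted~{h['tainted']:5.1f} "
              f"bounds=[{h['lo']:.1f}, {h['hi']:.1f}] clean={clean_fraction(h):.0%}")
```

On this ledger alice's 60 BTC come out two-thirds tainted under the haircut rule, yet the bounds say anywhere between 10 and 60 of them could be stolen coins, which is exactly why the comments above argue that taint alone is a weak basis for confiscation.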

> How long will it be before the net volume of bitcoins stolen exceeds that of those spent?

How different is that from trillions of dollars traded in credit default swaps dwarfing the "real economy?"

I hate the economic nonsense as much as you do, but let's not go abusing the word "theft" like the RIAA does.

You can ask that without abusing the word "theft." How about shenanigans?

There's no shenanigans surrounding the use of CDOs and other financial instruments. Like most of them, they have a valid and legal purpose; the fact that they were abused by banks recently (who misrepresented their value) doesn't remove that use and legality.

You're putting words in my mouth. I'm not saying something is illegal, but questioning its real value.

Oh god.. I got your comment mixed up with someone else's.. you never even mentioned theft. My sincerest apologies!

This has nothing to do with bitcoins, just some shitty financial website.

The transaction in question: http://blockchain.info/tx-index/5416502/7a22917744aa9ed740fa...

It's like having CCTV access to a robbery but being able to do nothing about it.

Can you track where the bitcoins eventually end up and then get the thieves that way? If someone takes that money and buys some pizza then wouldn't it be trackable?

I suppose that it is probably going to just be cashed out for other bitcoins or cash and laundered some other way which would make this kind of pointless.

It actually looks like the coins in question haven't moved anywhere yet.


* They have started moving now.. couple of 2600BTC transactions and a lot of others. I got bored at following the chain when it scrolled off the right side of the page.

He's from Singapore and they were not holding 100k in a hot wallet. More like 18K which is still too much. JP Morgan lost $2B US due to some idiot traders. http://goo.gl/fqN3S Shit happens.

I don't know much about bitcoins, can someone who does explain why one would want to keep the coins in a wallet on a server somewhere instead of e.g. your home computer, or a USB stick or something? Aren't they supposed to be roughly equivalent to cash? Storing it on Bitcoinica seems like taking a briefcase full of cash and storing it in a public locker.

This is exactly right. It is not a flaw in bitcoin rather irresponsibility with large amounts of digital cash.

This is why bitcoins will never gain mainstream use. It seems that every few months a high profile bitcoin site gets hacked.

This is a problem with the websites, not with bitcoin directly. This is what happens when teenagers try and write the equivalent of an online bank system... Think diaspora, but with money transactions.

Of course, this affects how the general public perceives bitcoin.

Yes. The technology behind bitcoin is brilliant. However in order for bitcoin to gain mainstream usage people should feel safe using it. It's hard for a regular non-techy to feel safe using bitcoins when some of its biggest sites are getting hacked.

Agreed. I know a lot of people who start to flirt with the notion of using Bitcoin, only to have their dreams smashed when they learn how frequently these companies and their accounts are hacked.

It may be anonymous, but it's far from being secure.

To my knowledge, the bitcoin system itself has never been compromised. Unfortunately, there are a lot of services built /around/ the bitcoin system that have been set up by teenagers... If you were to deposit $100K of platinum in a reserve set up by teenagers, I wouldn't have much sympathy when you lose it. Doesn't mean platinum is useless, however.

> It may be anonymous, but its far from being secure.

Would you mind clarifying what you're meaning by 'it' and 'secure'? To me, the (in-)security of a particular bitcoin site is orthogonal to the security of Bitcoin as a protocol/currency, though the security of bitcoin sites does have a huge impact on mainstream use.

Sorry, should have been more clear. By "it" I meant the sites where bitcoins are being traded. And yes, seeing these sites getting hacked frequently makes mainstream acceptance a lot harder. Which in turn makes changing the paradigm take a lot longer.

It's just a matter of having proper security. I'm sure that hacking into any real bank would be quite lucrative to hackers, but their security is more difficult to penetrate. Yes, if a 'regular' bank was hacked and money was stolen, those stolen from would be reimbursed, whereas with bitcoins there is no chance of reimbursement, but the gain to the hackers would still be there. Bitcoin sites run by individuals are low-hanging fruit, but I wouldn't say they will 'never' gain mainstream use. They simply need to invest more into their own security before I would trust them with my own money.

True, but you can never guarantee 100% security. Banks have the added bonus of accountability -- transactions can generally be traced to real people or organizations, so if a large scale breach occurs, there is at least the possibility of either restitution of stolen funds or the deterrent of criminal prosecution. With bitcoin, you have neither.

> Yes, if a 'regular' bank was hacked and money was stolen, those stolen from would be reimbursed, whereas with bitcoins there is no chance of reimbursement

This is not entirely true. When someone is holding a great deal of someone else's money, they can do exactly like banks do and insure their bitcoins, or they can just take the hit and pay for it out of their own pocket, like slush did when his mining pool's bitcoin wallet was compromised: http://bitcoinmedia.com/compromised-linode-coins-stolen-from... The end user isn't necessarily screwed, and should probably request whoever is holding their money to protect it not only via security but also via some guarantees against the worst case scenarios.

That's why cash will never gain mainstream use. Someone could just walk in a bank with a gun and cart out all of it...

Oh, wait...

Money in bank vaults is insured and recently 200k is also insured by FDIC so even if the entire financial system crumbles, 200k is guaranteed by the government.

When a robber steals money from a bank vault, it's not like one day you see: oh shit, look at that, someone must have stolen my money from the bank. If someone even robs your safety deposit box, I'm pretty sure that it's insured.

Also when markets collapsed people did and still do bank runs and convert their paper money to gold. So it's not like the dollar hasn't experienced a lack of confidence before.

Currency is all about confidence.

The only way it's so easily insured, is because they can print a boatload more at everyone's expense. At least when bitcoins are stolen the only party harmed is the original owner, not the society at large...

Note: security is hard. The typical highly competent programmer isn't quite competent at computer security.

Which directly implies that financial systems that require massive investments of new software infrastructure to make them useful to the public are especially risky.

I should think that depends on if the massive investment is for paying hordes of typical competent programmers, or for paying fewer guys more like you.

My sense of the whole industry right now is that the demand for competent software security far, far outstrips the supply; Bank of America could want to build a gigantic new transaction processing infrastructure in a few years, but logistically would probably not be able to retain the talent required to secure it.

The major security advantage our legacy infrastructure has is that it's old, and its failings are well-understood and (from a risk management / loss mitigation perspective) mostly mitigated.

Bitcoin (or any other online currency or transaction infrastructure) has none of that.

Here's the official statement: http://bitcoinica.blogspot.com/

There are some very solid reasons for all the banking regulation, and we're seeing them played out here. People are treating these places like banks, storing hundreds of thousands of dollars with them, but they have none of the regulations, security requirements or insurance and so they are great easy prey for hackers and people keep getting robbed blind.

I hate to say it but what did people expect treating Joe Website like a bank, and this is also what the deregulation camp can expect to happen if they keep pushing for bank and market deregulation.

Most regulations aren't about security but that what kinds of business a bank can engage in. This is more akin to giving your money to the protection of your hapless, dimwitted cousin who promises not to let his pitbull eat it.

And yet where are the stories of the banks losing your savings account? Usually it's credit card fraud, not the bank's fault but some other site that was storing it and got hacked, and then insurance steps in and pays it and you still aren't out any money.

There are some pretty strict regulations about bank and credit card cyber security and I presume they pay some pretty hefty insurance premiums for our benefit.

> "The database was most likely compromised."

> "Bitcoinica uses the most stringent best practices for password security.*"

> "For the technically inclined, we salt and encrypt passwords with bcrypt."

The irony of having a centralized banking institution compromised, and having currency, designed to be decentralized and controlled by the individuals and not organizations, stolen from them--is too much.

It's like the GitHub users who cry when GitHub is down saying "How are we going to do work?!", not realizing that Git was designed to be completely decentralized and not dependent on one single repository.

Is bitcoinica still solvent? They've now lost $100K + $215K in BTC in published hacks.

This was inevitable. I remember when bitcoinica was first announced here a while back and commenters warned this would happen.

I'd be curious as to how the breach occurred and how it could have been prevented.

Were they warned in a general sense? Or were they specifically targeted?

A financial company run by one inexperienced person is pretty much a big "hack me" sign.

The site is down.

Here is a better source of info.


If one does a cursory glance of the history of money, one will see many different currencies having a debasement period similar to this. While others will take the bait and parrot someone else's opinion that bitcoin is not a safe place to put money, I'll be investing even more in the currency. Always buy to the sound of cannons/scandal.

You guys don't get it. If such a high profile hack happens, it means it's worth a lot!

No, it just means there was a monetary gain to be made.

Hacked, or the guy who created the site just stole customers money? There's really no way to tell.

Who would do such a thing? Who would want to give a bad name to bitcoins? Who would not want them to gain popularity? Who would want to keep the people in the dark about things like bitcoin? Okay... I will stop.
