Slashdot Mirror


$500,000 Worth of Bitcoins Stolen

olsmeister writes "A Bitcoin user allegedly has had $500,000 worth of Bitcoins stolen from him. A hacker supposedly gained access to the user's home computer and managed to get the user's wallet.dat file, which contained the cryptographic keys that allowed him to drain the user's balance."

34 of 622 comments

  1. Anonymous payments by cgeys · · Score: 3, Insightful

    No worries! Police has to investigate a robbery of $500,000.. oh wait, anonymous payments were good now?

    1. Re:Anonymous payments by Skarecrow77 · · Score: 4, Interesting

      True. Sort of. The victim should know exactly what the recipient address of those ill gotten gains are.

      Technically, if I understand the way that bitcoin confidence works, half the damn bitcoin network should know about the details of the transfer.

      The problem of course is figuring out who the hell the address belongs to. That is the hard part.

      As I understand the technology, each and every one of those bitcoins now contain their transaction history, so -in theory- they could be "flagged as stolen", IF there were a central authority that took care of that thing, but of course there isn't as that's the point of bitcoin, no central authority.

      I'm honestly confused if bitcoin technology is for this though. Technically, this isn't all that different from the victim leaving his front door open, and a robber coming in to steal $500,000 worth of jewelry or the like. If your home gets broken into, you can't blame the jewelry itself for being stolen, that's what thieves -do-, steal stuff. This thief just happened to break into his computer instead of his house. So therefore you may not want to store $500,000 of bitcoin on your own home pc just like you probably don't want to store $500,000 of jewelry in your dresser drawer. Maybe you keep a few pieces at home, and keep the rest in your safety deposit box?

      I know that bitcoin technology provides for cloud-based "banks" of a sort. If they have been implemented yet, I do not know.

    2. Re:Anonymous payments by DanTheManMS · · Score: 4, Insightful

      A better analogy would be leaving the front door closed but unlocked (like having a firewall on your computer), but otherwise pretty much, yeah. You shouldn't have $500k worth of jewelry and $100 bills sitting in a known location in your house, and likewise it's pretty stupid to have $500k worth of BTC in an unencrypted, insecure wallet.dat file.

      It's relatively easy to make a new wallet unknown to anybody, copy the first address made by this fresh wallet, send that address most of your coins, then encrypt your "savings" wallet and delete the unencrypted copy. Heck, put the encrypted "savings" wallet on some USB keys and a few CDs/DVDs and put them in a safety deposit box if you want to. You can continue sending payments to that address as much as you want.

    3. Re:Anonymous payments by SanityInAnarchy · · Score: 3, Insightful

      The victim should know exactly what the recipient address of those ill gotten gains are.

      Assuming there's a single address.

      Technically, if I understand the way that bitcoin confidence works, half the damn bitcoin network should know about the details of the transfer.

      Sure.

      But there's two problems here: First, addresses are trivial to create, and generally you create a new one per transaction. So it could've gone to dozens of accounts.

      Second, you can't prove the person who claims to be robbed didn't transfer the money to another account they own (like the "savings" account I describe below), and even if you could track the account they went to, it's much harder to figure out who actually owns that account. And maybe they've already spent them -- in which case, you have similar problems again; did they actually buy this, or simply transfer the money to another account they own?

      I know that bitcoin technology provides for cloud-based "banks" of a sort. If they have been implemented yet, I do not know.

      I think the main idea of those is for people who don't want to install the software and manage it themselves. I don't think they give you any additional security. If anything, they reduce your security, since an attacker can either steal your username and password (with or without breaking into your machine) or attack the online bank in pretty much any way (including being the online bank).

      By contrast, if you run your own security, you have options. If I had a significant amount of Bitcoins, I'd create a second wallet and keep it encrypted and probably offline, and use it as a "savings" account. I could trivially generate a few hundred accounts, then put the wallet on a flash drive or two, and then not need to plug it in until I need to withdraw, since I can send coins to it without it being on my or any machine.

      Of course, you have to be equally careful to actually make backups, since if your wallet.dat is on a drive which fails, or even if there's just a bad sector in the middle of it, your money is just as gone as if someone stole it. I'd like to think that this sort of thing would be incentive for people to finally start giving a fuck about security. Unfortunately, it looks like it's instead going to be a disincentive for people to adopt Bitcoin.

      --
      Don't thank God, thank a doctor!

    4. Re:Anonymous payments by SanityInAnarchy · · Score: 3, Interesting

      Technically, if I understand the way that bitcoin confidence works, half the damn bitcoin network should know about the details of the transfer.

      Which is also probably why the thief knew where to go. It's a security hole.

      Ok, parent was already wrong, and you are more wrong.

      First, yes, they knew which account it went to, but without sniffing the traffic of the entire Bitcoin network, it's much harder to know which machine it went to. It seems unlikely that the Bitcoin network itself is so vulnerable that someone could send an attack to a Bitcoin address without at least getting an IP address out of it first.

      Maybe if you were a neighboring peer, you could notice a lot of transactions coming from one particular peer, but you still don't know if those transactions originated from that peer, and it also doesn't help you, since transactions originate from the sending peer (for obvious reasons), and are broadcast to pretty much the entire network. So even if you could track where a transaction originated from by sniffing traffic, that doesn't tell you where it went -- it could, in fact, be anywhere in the entire network, or in an account which is physically disconnected, or even in an account which doesn't exist (user mis-pasted the destination address).

      To get anywhere close, you'd have to be able to sniff pretty much all of the originating peer's traffic, including other channels like web and IRC where the transaction was probably negotiated. Even that doesn't help you much, since you now have the problem of tracking a website, forum user, or IRC user back to the actual IP address where the coins are kept.

      Now, all of this stuff is possible, certainly, but none of it really has much to do with Bitcoin being anonymous or not. At least, it provides no new problems over traditional banking, and is actually somewhat safer. If I could somehow sniff your communication with your bank (though admittedly, Bitcoin IRC and forums aren't always encrypted, and are more often TORed), I could drain your account whether you're the sender or receiver, and I wouldn't need to break your machine if I could somehow intercept your credentials (MITM). Banks can use SSL, but you could also refuse to trade Bitcoins over any forum which doesn't.

      So, TL;DR: There's no way that the entire Bitcoin network knowing about a transaction (or about every transaction) is going to lead to knowing which physical machine to attack.

      Not that the user should have known this, but dontcha think if there was $500k involved that a little curiosity on how it works and how to encrypt it better (put the .dat file in TrueCrypt container and make copies)?

      Um. Yes. And yes, the user absolutely should've known that. WTF were they doing putting $500k in Bitcoin if they didn't? It's certainly enough to afford some extra hardware so you can do air-gaps.

      I mean, I don't know what sort of precautions I should take before carrying $500k around in my pocket (or in a briefcase), but I'd bloody well find out before I did so.

      --
      Don't thank God, thank a doctor!

  2. Brilliant... by FritzTheCat1030 · · Score: 5, Insightful

    What type of MORON keeps a balance of $500,000 in BTC?

    1. Re:Brilliant... by Anonymous Coward · · Score: 5, Funny

      What type of MORON keeps a balance of $500,000 in BTC?

      What type of MORON keeps a balance of more than $0 in BTC?

    2. Re:Brilliant... by igreaterthanu · · Score: 4, Informative

      There are nowhere near $500,000 worth of asks on any of the BitCoin exchanges, selling anywhere near that amount would cause BitCoin's value to drop very quickly.

      However I agree that it isn't the best idea to store $500,000 worth of BTC in one BitCoin account.

      --
      I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.

    3. Re:Brilliant... by KDR_11k · · Score: 4, Insightful

      Well, he didn't, it got stolen before he could cash out.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.

    4. Re:Brilliant... by Chapter80 · · Score: 3, Informative

      You started being incorrect in the third paragraph.

      The thief transferred the Bitcoins out of the user's account and into his or her own. At that point, it was too late for "allinvain" to do anything.

      But to answer your other question.. what if two people spend Bitcoins at approximately the same time? Well, the "network" spreads the transactions pretty quickly. So the spending would have to be near instantaneous to be confusing to the network. Even a 2 second head start will likely have one transaction HIGHLY favored over the other. None the less, the network can hold two transactions, temporarily, that are in conflict.

      And then the miner who solves the next puzzle is the tie-breaker. No miner will have two conflicting transactions. Each miner would reject the 2nd conflicting transaction, and, although different miners may consider different transactions as the "first" one, there will likely be one transaction that is highly favored over the other, and that's the one that is likely to be honored.

      It's the same concept as if you have $100 in your checking account, and you mail two $100 checks to two different people. Who wins? Most likely (but not always) the one who receives your check first. Most likely (but not always) the one who cashes it first. And the bank will make an arbitrary decision if they both come in at approximately the same time.

      The difference is, with a check you won't know for days. And even after a week, the bankers/government can come and reverse the transaction later. With Bitcoin, you will know within 10 minutes with some degree of certainty, and within an hour with almost absolute certainty.

  3. Allinvain? by Relyx · · Score: 4, Insightful

    The victim's name was "allinvain"... Rather fitting, don't you think? Or maybe the story was made up.

  4. I'd imagine reporting it to police went like... by Sneeze1066 · · Score: 5, Funny

    Victim - "I've had my wallet stolen, officer"
    Officer - "Okay can you describe the wallet to me?"
    Victim - "It was about 58KB and ended in .DAT"
    Officer - "Errrrr......so was it leather?"

    1. Re:I'd imagine reporting it to police went like... by PenquinCoder · · Score: 5, Funny

      Officer - Listen here meow, we don't have time to be playing these games...

  5. Re:Who cares by nitehawk214 · · Score: 4, Insightful

    Keep hyping that ponzi scheme.

    Now you need to give the editors some credit here. If they were financially invested in pumping Bitcoins up, this article certainly would not help.

    I mean people wouldn't imagine this is good publicity for Bitcoin, would they? Unless someone would go under the logic of, "Wow, people have so much of these things, I should get in on this game." I would like to think the reasoning here is. "Wow, digital property on a computer is so easy to steal."

    Maybe I give people too much credit...

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust

  6. Re:What the hell is a bitcoin? by Skarecrow77 · · Score: 4, Insightful

    Check the FAQ on the website. It's too long to explain here.

    The short and dirty version is "If you asked a bunch of libertarians to design a digital currency, this is what you'd get". Which isn't a wholly bad idea of course, but obviously has some issues that need to be worked out.

  7. Re:Who cares by gilleain · · Score: 5, Funny

    Maybe I give people too much credit...

    So long as that credit is not in Bitcoin, it's probably okay.

  8. Whoops by Attack+DAWWG · · Score: 3, Insightful

    Whoops--I meant to quote a bit more of TFA:

    Like most major worldwide money systems, BitCoin is a form of fiat currency, meaning it only has value because people believe it has purchasing power.

    That's the important part. Bitcoin is not like most major worldwide money systems.

  9. Re:My Thought Was Similar But Different by next_ghost · · Score: 5, Insightful

    Those coins are only worth what someone will pay for them -- maybe some products online you could buy with them.

    Thank you, Captain Obvious. That's pretty much the definition of money.

  10. Re:"the end" by Bogtha · · Score: 3, Insightful

    the numerous slashvertisements for Drupal and now Bitcoin, it's now clear that /. has become just another corporate shill machine

    How on earth is pointing out a major security breach "shilling" for BitCoin?

    Next up: Articles about Sony's security breaches are secretly paid for by Sony!

    --
    Bogtha Bogtha Bogtha

  11. Re:"the end" by ledow · · Score: 3, Insightful

    There was no security breach in terms of Bitcoin.

    Some idiot had his computer open to abuse and lost private data that correlates to money (and the $500,000 figure is nothing but guesswork - he didn't "invest" that amount of money in Bitcoin only to lose it - that's what he *estimates* his stuff was worth if he had tried to sell it and all he "spent" was various amounts of CPU cycles amounting nowhere close to that figure). Basically, he has his "credit card" number stolen. That's not a breach of the system, just a breach of his inadequate security procedures surrounding something he considered to have a value of several years' earnings.

    Basically: Pillock.

    Having said that, I have to agree with the OP. In the last year, I've come closer to never returning to this site again than I ever have in the past. I don't even know why I have it on my "always open" list of sites, probably force-of-habit more than actual interest.

  12. Re:What the hell is a bitcoin? by Thud457 · · Score: 5, Insightful

    The short and dirty version is "If you asked a bunch of libertarians to design a digital currency, this is what you'd get". Which isn't a wholly bad idea of course, but obviously has some issues that need to be worked out.

    Much like most libertarians. /rimshot

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  13. Re:Who cares by Kenja · · Score: 4, Funny

    It has to do with the US dollar being backed by the US GNP and Bitcoin being backed by the equivalent of pink elephants.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

  14. Re:It's a hoax by Dragonslicer · · Score: 5, Insightful

    Nobody could be stupid enough to...

    Any sentence beginning this way is automatically incorrect.

  15. Oh /. by Anonymous Coward · · Score: 5, Informative

    This thread was on Reddit 2 days ago. Here's the link: http://www.reddit.com/r/geek/comments/hzrcc/bitcoin_user_loses_25k_bitcoins_when_his_machine/

    To summarise:
      * it could've never been $500k, that's purely theoretical. In practise it would be worth far less.
      * "allinvain" is a true idiot. He was keeping the coins on his main computer which had a virus on it. He was browsing the web and IRCing with it. He found the trojan the night before, had seen that his payout address was changed to another and then to fix this he "changed it back" and went to sleep. He then "moved [his wallet] to a Ubuntu linux vmware install. On the same machine."
      * It's probably a hoax

  16. Re:My Thought Was Similar But Different by edremy · · Score: 4, Insightful

    It's not obvious to a lot of people- folks think objects have value. Listen to any gold bug discuss the intrinsic value of gold, as if it has some inherent value beyond what people will pay you for it. Or, if you'd prefer, all the people who can't sell their house because they can't get what they paid for it and it's "Worth more"

    Lots of people assume that various objects (including paper or virtual money) have value outside of what you can get in exchange.

    --
    "Seven Deadly Sins? I thought it was a to-do list!"

  17. Re:My Thought Was Similar But Different by DamienRBlack · · Score: 4, Informative

    About $2 million is traded at Mt. Gox every day. And it is always going up. You could get $500,000 in about a week without affecting prices much. No problem.

  18. Massive transfers by alphatel · · Score: 5, Interesting

    This would explain the laundering activity that has been going on the past 24 hours. The equivalent of the entire market of bitcoins has been transferred to hundreds of accounts in 50k+ increments. Only 6.5m BTC in existence, over 8m BTC in transfer activity. If any of that starts selling, it will collapse the market down to nickels and dimes.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.

  19. Re:STOP POSTING BITCOIN STORIES by slim · · Score: 5, Insightful

    Bitcoin is used by drug addicts and drug dealers to buy narcotics.

    So are dollars.

    Now, you could have slipped in the word "exclusively", and you'd have had a point, but a point that was factually incorrect.

    You could have slipped in the word "primarily", and you'd have had an uncorroborated claim to back up.

    Even if it *is* primarily used for criminal purposes, Bitcoin is *fascinating*, and geeky. So it belongs here.

  20. And by interkin3tic · · Score: 4, Insightful

    And nothing of value was lost.

  21. Re:STOP POSTING BITCOIN STORIES by Beelzebud · · Score: 4, Informative

    It's not even for drug dealers! Drug dealers want MONEY for their drugs. This is only for the people at the top of the pyramid. You go somewhere trying to buy drugs with bitcoins and you're going to get stabbed.

  22. Re:What the hell is a bitcoin? by timholman · · Score: 5, Insightful

    The short and dirty version is "If you asked a bunch of libertarians to design a digital currency, this is what you'd get".

    I'd amend that to "If you asked a bunch of libertarians who wanted to put the world's economies back on the gold standard ...". Because really, when you think about it, that's what bitcoin is supposed to be - digital gold.

    Consider the parallels to gold coinage: a finite worldwide supply, "mining" becomes more difficult as time goes by, and the amount of money in circulation can be reduced by coins being hidden or lost, but never artificially increased. Furthermore, the statements you'll hear from the BTC crowd are exactly like the statements from the gold money crowd - bitcoins will herald in a new era of economic prosperity, bitcoins cannot be manipulated by governments creating more of them, etc. In effect, you've got a community of speculators who are trying to make their own "gold", and get rich by doing it, provided they can make the rest of us buy into the idea. (The historical failure of gold-backed currency in modern economies seems to completely escape all of them.)

    However, there is a very big difference between BTC and gold. While it is true that you cannot create more BTC, anyone (or any government) can certainly create a competing digital currency that has as much "value" as bitcoins. Who is to say that a bitcoin has more or less value than any other cryptographically-signed digital coinage? Nothing more than public opinion, and that can be manipulated.

    Ultimately, I expect the BTC standard to fail, and when it does, you'll hear exactly the same claims of government / commercial manipulation / sabotage that you hear from believers in gold currency. In that respect, there will be no difference in BTC and gold at all.

  23. Re:Time for hardware security. by westlake · · Score: 3, Insightful

    I've long longed for a USB hardware device containing a small crypto-processor, a public/private keypair, and a button. Given a standardized interface (as standardized as USB block-devices) it would make a perfect key-solution to keep in my physical keychain to identify myself in all kinds of circumstances.

    What happens when your keychain is lost or stolen?

  24. bullshit by xded · · Score: 4, Insightful

    Timeline of events:
    1. [June 13, 2011, 08:47:05 pm] allinvain post on bitcoin forums
    2. [2011-06-13 21:13:49 GMT] LulzSec upload of Bethesda torrent on TPB, donation account in text is 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP
    3. [Jun 15, 2011 1:59 PM] PCWorld story linked in TFS published
    4. [Jun 15th, 2011] Bethesda Lulz text upload to pastebin, donation account is 1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg

    While I didn't check timezones/hours on some timestamps, I think it's still fairly reasonable to call this bullshit. Please check your sources next time.

  25. Re:My Thought Was Similar But Different by Savantissimo · · Score: 3, Insightful

    You say that like it's a bad thing. I'm not into Bitcoins, but I don't think any government should be a party to every transaction I make. "Money laundering" is just an elastic propaganda term for any kind of financial privacy.

    --
    "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry