Tracking a Bitcoin Thief

An anonymous reader writes A small group of researchers were able to publish an investigative report on the hacking of a popular Bitcoin exchange earlier this year by the name of CryptoRush.in. Close to a million dollars stolen in crypto currency lead the group to discover evidence, track down the attacker and put together a timeline of what exactly happened. A captivating read for a community desensitized by thefts, hackings and lack of reporting. With pictures, and logs to prove it all.

Hmm

Never heard of it.

Queue misguided bitcoin comments in....3....2....

They'll involve ponzi accusations, pedophilia, "non-backing", etc....the usual lame arguments.

Re:Queue misguided bitcoin comments in....3....2..

That would be refreshing then. Slashdot is usually quite pro-Bitcoin.

Re:Yes, but what does Bennett Haselton have to say

By all means, send in your masterpiece then. Let's see if you have enough cock to write a proper article.

Re:Queue misguided bitcoin comments in....3....2..

I don't frequently come here, was assuming it would be more like the comments on news articles :P

Re:Yes, but what does Bennett Haselton have to say

Bennett Haselton? How long is his penis

Re:Yes, but what does Bennett Haselton have to say

about 0.00069 furlongs

Pictures and Logs Prove What Exactly?

[l0ungeb0y]

Both these things can easily be faked, so unless they have something more damning, I'd hardly call this proven as presented on it's own. Now, take it to trial and allow the other side to refute the allegations and provide their own evidence and I will give it merit as "proof".

Re:Pictures and Logs Prove What Exactly?

[PRMan]

The Blockchain can't be faked. Everyone has a copy.

Re:Pictures and Logs Prove What Exactly?

The two biggest mining pools could easily perform a 51% attack.

Re:Pictures and Logs Prove What Exactly?

Still have to prove it was actually stolen, as opposed to a morning-after-regret.

I know people who have ordered things online while blackout drunk. Just sayin'...

Re:Pictures and Logs Prove What Exactly?

And that's why Republicans are anti-Bitcoin. They hate the fact that we can track their crimes.

Re:Pictures and Logs Prove What Exactly?

[Richard_at_work]

The blockchain doesn't tie in anything that irrefutably proves real world identity, just another bitcoin wallet address which could be controlled by anyone at anytime.

Re:Pictures and Logs Prove What Exactly?

[jones_supa]

But those are trusted pools, right? So we have no reason to worry about such attack.

Criminals are dumb

[radarskiy]

Steal a million dollars... in a perfectly traceable currency where every transaction is public.

Re:Criminals are dumb

Then cash out under a fake name, cash the cashier's check, and delete your bitcoin ID. Perfect crime.

Re:Criminals are dumb

[arbiter1]

Um consider there are a lot of countries that don't even see bit coin as a real currency. Claiming million $ loss for digital item is like haveing item stole in warcraft. Proven real harm is hard when its something purely digital.

Re:Criminals are dumb

The RIAA and MPAA don't seem to have any problems.

Re:Criminals are dumb

If this is true, why haven't the mtgox bucks been recovered yet?

Re:Criminals are dumb

Yup, or any amount of gift cards, prepaid credit cards, gold bars or illicit research chemicals.

Re:Criminals are dumb

[AmiMoJo]

They aren't in jail, and it remains to be seen if they launder the money successfully. Also, not all Bitcoin transactions are public. If you put a Bitcoin wallet on a USB flash drive and hand it to someone the transaction is not recorded anywhere. There is no way to know how many people the wallet passed through before the coins resurface in public transactions again.

Re:Criminals are dumb

[Kjella]

So what? Since there's no central authority to block transactions or seize funds they'll simply be passed around until any relation with the crime is meaningless with almost everybody in the transaction chain is blissfully unaware that somewhere they were stolen. Then what? If you find the person behind the wallet and seize the "stolen property", you introduce a massive transaction risk that totally undermines the cryptographic guarantee that the transaction is final and irreversible. Imagine the following scenario, you sell a car for bitcoins. The bitcoins come in, transaction is verified, you hand over the keys. Then you try to spend your bitcoins only to be told that they're stolen, we have the serial numbers and is returning them to their rightful owner. Now you have no bitcoins and no car and good luck recovering it.

Imagine if cash was that way, every time the grocery store tried to despoit money at the bank the bank would say "oh no, this and that bill came from a gas station robbery two years ago so we'll return it to the gas station and deduct it from your deposit. The system would crumble as cash couldn't be trusted to really have the cash value it says, even if it's a genuine bill. Everyone with money of questionable origin would pass it off to others who can't and won't verify their legitimity and let others pick up the tab. By all means, if the cops can uncover a whitewashing operation that's fine but once it's passed back into normal circulation again you can't suddenly take away that value.

Re:Criminals are dumb

[ultranova]

If you put a Bitcoin wallet on a USB flash drive and hand it to someone the transaction is not recorded anywhere.

Which means there's nothing stopping me from going home and moving the coins in the wallet I just gave to another one, leaving it empty.

There is no way to know how many people the wallet passed through before the coins resurface in public transactions again.

If I give away a wallet I received from someone else I risk being held accountable if whoever gave it to me spends the coins in it. So even if I accepted a wallet rather than a transaction to an address I control, I'd still need to transfer the coins to one generated by me before using them.

So no, you can't trade Bitcoins without making the transaction public. Not without total trust to everyone you trade with, and everyone they trade with, and so on. But if you have that, why not just use pen and paper - or, better yet, just abandon bookkeeping completely and share everything, since you trust everyone to not abuse the arrangement?

Re:Criminals are dumb

[idontgno]

Because for good or ill, almost every nation has signed off on the idea that the form of fantasy property called "copyright" is legitimate property. Show me a Berne Convention equivalent that "legitimizes" bitcoins and its ilk, and you'll have a serious point instead of vague nerd-rage trolling.

Re:Criminals are dumb

[Cramer]

He stole "coins", not money. He might as well have stolen rabbit droppings, or lawn clippings. The real-world money ("leafy green spendy money") came from people (read: "fools") who will trade real money for those things.

The only crime here is fraud and computer hacking ("unauthorized access", etc.) But as he's in one part of the world, breaking into systems in various other parts of the world, taking things from people in yet other parts of the world... nobody will bother pursuing him.

Re:Criminals are dumb

Mate, they are looking really really hard for it... at a beach in Hawaii.

Amateur hour

[kharchenko]

Whipping up a few lame PHP scripts, leaving all the logs, using real name, your own static IP and a personal Dropbox account?! Is that what cuts for a hacker these days? With a million dollar payoff? I am starting to think I am not optimizing my earnings potential :)

Re:Amateur hour

[Lord_Jeremy]

Note that basically the only hacking technique he used was running a couple websites with malicious code that stole user's email and passwords. Then trying those credentials at lots of other sites looking for stuff to take. In particular, he discovered that the founder/administrator of CryptoRush used the same password for everything and he was able to download server backups that contained the necessary information (private keys?) to access the exchange wallets. So basically everyone involved was participating in amateur hour.

Re:Amateur hour

[rmstar]

Fools fooling fools in bitcoinland. Shocking!

Images are broken

[rebelwarlock]

I actually tried to read the article, but their images which are supposedly irrefutable proof are all broken. Good job, geniuses.

Re:Images are broken

loads fine for me

Re:Yes, but what does Bennett Haselton have to say

Calm your butthurt Bennett. You've never written a "proper" article ever.

Re:Queue misguided bitcoin comments in....3....2..

[Applehu+Akbar]

I wonder what would happen here is someone used Bitcoin to buy an Apple?

Bennett Haselton on crypo currencies

I read the article, but do we have any record of Bennett's thoughts on crypto currency? I would like to read any insight he has before drawing my conclusions. He's a frequent contributor.

Sekrit anti-government crypto currency

[__aaltlg1547]

turns out to be much more traceable than the old fashioned kind, because you need the traceability to verify the transaction and establish who "has" the bitcoins.

Look out, Mark Karpeles.

Re:Sekrit anti-government crypto currency

Speaking of Mark Karpeles, any news on where those coins went to?
I

Re:Sekrit anti-government crypto currency

The transactions are all done publicly, but unless the wallet was tied to a person through some other means (a transaction for real goods for instance), you can hold that 'money' anonymously forever.

Then again, what is the point of having money you aren't allowed to spend?

"How lame are we? We are looking up 'money laundering' in the dictionary!"

Re:Sekrit anti-government crypto currency

[TeknoHog]

It's great that Bitcoin is the only cryptocurrency out there, and there are absolutely no advanced alternatives with serious anonymity. After all, Bitcoin was released in 2009 and there's no way for the scene to evolve significantly in mere 5 years.

Re:Fuck that thief. Ebola is here.

You scared bro?

What not to do with an exchange

[dermoth666]

Well that sounds like the solution to http://xkcd.com/792/ 's problems...

On a serious note though, I won't shed a tear for CryptoRush.in. Using the same password on a small, no-reputation mining pool as the admin access to a currency exchange!?! That's a huge fail even by the lowest security standards, and these guys should know better.

Then what about getting coins stolen from the hot wallet and not even flagging the loss? What's even the point of an offline wallet when you don't reconcile the hot wallet before adding funds to it?? Another huge neglect on their part.

I actually it's probably a good thing they're now out of business because with that level of laxity, if not now there's no doubt it would have happened later, likely with more users and bigger balances... It's just sad for those who lost their coins in the process.

Wah

Someone stole my buttcoins :(

Re:Wah

[dermoth666]

I have a problem! somebody all my fleshcoins! the whole thing!

Re:Queue misguided bitcoin comments in....3....2..

That's a pretty recent development.

Re:Queue misguided bitcoin comments in....3....2..

I've bought clothes, hosting, food, electronics, stuff with bitcoin, with varying degrees of anonymity and source ips.
what's your point?

Is he really dumb ?

I mean OK he stole and it is now public. Now what ? He is in philippine, and how do you complain you were hacked in ,say, germany, by this guy ? How far does it sticks ? Wake me up when that JBA guys feel some legal consequence. I doubt it.

Re:Fuck that thief. Ebola is here.

[chad_r]

Oh my God! Ebola hysteria is imfecting other Slashdot threads! Why are they telling us it's so hard to spread! The only sensible solution is to prevent people from posting in other discussions after being in the daily Ebola discussion thread! Shame on the Slashdot administrators for not implementing such a trivial solution that would be guaranteed to stop the spread of Ebola hysteria to unrelated discussions!

Re:Yes, but what does Bennett Haselton have to say

It's technically a clitoris.

lead != led

Sorry if I misunderstood and the crypto currency is actually made out of lead....

Re:Queue misguided bitcoin comments in....3....2..

[CaptainDork]

What varying degrees of anonymity did the perps in TFS use?

Fail ...

[CaptainDork]

I don't have a copy.

Re:Fuck that thief. Ebola is here.

[CaptainDork]

I wear those cool blue CSI rubber evidence gloves when I type and handle my mouse. Also, I an careful to wear a mask when I lean in a squint at my small screen.

People who post Ebola shit on /. are putting us all at risk.

It's very hard to discern, just from screen names (and the ACs), who, exactly is from NYC or Dallas and stuff.

Mass analysis

[DrYak]

1 single transaction tracked ? Yes, you mostly get just 1 other bitcoin wallet.

Massively track thousands of such transaction? (that's beyond the capabilities of a small budget research team. But that's well within the capabilities of any decent government) And correlate them with "end-point transaction" (transaction that can be traced to a real-world identity: buying something from an e-shop using bitcoins and ordering it delivered to an address) ?
then, if the tracked person isn't using an insanely high number of "tumbler/mixers" (i.e.: laundering) or moving it in-and-out of tons of exchanges (basically also a form of mixing), you might find some correlation:
aka "a significant number of these BTC have transited to these wallets all mapped to the same real-world address/person"
that is not enough to warrant an arrest, but that is enough to put these real-world persons with the shortest "path" to the tracked transaction on a suspects list for further investigation by classical police work.

(Saddly, often government don't have such concepts of "suspect list". Very often such unsure statistical result won't be used as a "hunch" but will get you put on the "no fly list" and such)

That's why bitcoin protocol is considered "pseudonymous" and not "anonymous".
That's also why we need to have:
- law against data-collection abuses (because someone brilliant in the NSA/CIA/etc. will definitely try to jail people on this base or at least put them on a "pedo watch list" without much tinking)
- better way to do anonymous transactions (optionnal tumblers/mixers for BTC, or alternate protocols that include provision for anonymity)

Re:Mass analysis

[Richard_at_work]

How is a research group with non-privileged access to third party data going to determine such things as shipping addresses? The bitcoin blockchain doesn't extend verification to those shipping addresses etc, so the point stands - it doesn't tie in anything which cannot be faked, all you actually get with the blockchain is "random number X did something with second random number Y".

Great, the bitcoin blockchain can't be faked - but what about these logs that say "bitcoin wallet X purchased some cocaine and sent it to Barack Obama, The White House, Fuck You Street, Merka"?

Will they ?

[DrYak]

So what? Since there's no central authority to block transactions or seize funds they'll simply be passed around until any relation with the crime is meaningless with almost everybody in the transaction chain is blissfully unaware that somewhere they were stolen.

Will they pass them around? Enough to blur any relation ship? In a secure way that never leaks any identity?
(oops, one of the exchange I sent money to managed to record my IP address. No matter how much I keep mixing downstream, part of identity are leaked here)

Remember that they have adversaries like government who (as recently proven for the NSA, for example) have quite a few ressources.
A single policeman might not be able to pull enough data and analysis.
But if goverment suspects that some big danger as possible ("pedo-terrorist pirates!" threat, or more realistically: juicy corporate spying opportunities :-P ) and decides to throw ressources at it, tracking might be achievable.

It's not impossible for the thief to manage to get out un-identified. But it requires being particuliarly smart.

Imagine if cash was that way, every time the grocery store tried to despoit money at the bank the bank would say "oh no, this and that bill came from a gas station robbery two years ago so we'll return it to the gas station and deduct it from your deposit.

Cash *does* function this way (a bit): bills have serial numbers. Of the grocery stores deposits a bill with a known serial number on it, police might show up the next day asking for the CCTV suveraillance tapes, because that serial number happens to be a bill passed through the hands of known drug kingpin/terrorist/pedophily ring leader/etc. do it enough with enough of such incidents, and you might get a vague idea of the identity of the people you're looking for.
Unless the criminals have been absolutely perfect in their laundering and have managed to never leak any info (i.e.: by the time the known bill are flagged, they're in the hand of complete random strangers).

Google for "Ransom bill reappear" type of news reports.

At least you can't call it "theft"

Yeah, but it's all electronic, man!! It's all a bunch of ones-and-zeros!! Just like electronic file-sharing - you can't copyright a number. You can't call it theft!! Dude din't steal shit!!

Re:Queue misguided bitcoin comments in....3....2..

With your current score of 1, the subject of your post shows "....3....2..." [...] 1

Nicely done. But why not aim for higher? Use subjects that say "....7....6..."

Re:Queue misguided bitcoin comments in....3....2..

[Applehu+Akbar]

I'm wondering what would happen here in the Slashdot community if such a transaction came to light.

Russian or Chinese?

Which this time?

And how is bitcoin safe again?

What use is complete anon currency when the shit is easier to steal then any other form of money.

Bacon Thief

At first glance, I thought this said Bacon Thief. And I was very outraged and concerned.
Then I realized it was only Bitcoin.