Slashdot Mirror


NiceHash Hacked, $62 Million of Bitcoin May Be Stolen (reddit.com)

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.

5 of 79 comments

  1. Re:Let me be the first but not the last to say... by sexconker · Score: 1, Insightful

    Learn what? Not to trust others with your Bitcoin? That's been the #1 rule since day 1. Treat Bitcoin like cash.
    Putting any appreciable amount in an online wallet or exchange is just asking for it to be taken.

  2. The users are amazing by imidan · Score: 5, Insightful

    What's truly bizarre to me, after looking at the Reddit thread, is all the people who are impatient that the app is shut down for 24 hours because they want to keep using it. This company just lost more than $60 million of its users' money, and the users are upset that there is a delay in them sending the company more of their money.

    What? You lost our $60 million?! Well, gosh, we'll give you more, but be more careful this time...

  3. Re:Apparently that's insignificant now by SlaveToTheGrind · Score: 4, Insightful

    I think it's beyond question that the irrationality has reached a fever pitch.

  4. Re:Let me be the first but not the last to say... by viperidaenz · Score: 3, Insightful

    Treat bitcoin like cash?
    Put it in the bank and you'll still get it all back (with interest!) if the bank gets robbed?

  5. Bitcoin is not for amateurs by Orgasmatron · Score: 5, Insightful

    Back when bitcoin went over a dollar for the first time, I noticed that people were unusually willing to steal it. For your own personal safety, you should absolutely not draw attention to your possession of bitcoin. If you do, you will be targeted. Not just drivebys and portscans, but actual they-are-after-me targeted.

    If you are unable to create distance between your identity and your identity as a bitcoin holder, like if you are doing a public project involving bitcoin, you absolutely positively must not let your security be amateur shit.

    The first thing you must do is establish ironclad multilayer operational security. If you don't know what that is, or don't know what it means in a bitcoin project, stop - you are not tall enough for this ride. That is actually intended to be a bit less offensive than it sounds at first. It just means that you are too young (inexperienced) to have good odds.

    There is no reason to have 10 bitcoins in an online wallet, much less 4600. Those keys should be printed on paper in an N-of-M scheme and distributed to the people who will be authorizing transactions.

    Yes, people should be processing transactions of that size, not computers. Ideally, the never-online signing computer software would print out the candidate transaction in a format that puts the recipient addresses and amounts in the exact same location as the request sheet so that you can visually diff the two (hold them up to a strong light to make sure they are the same) before unlocking the key and passing it on to the next signing agent.

    Never-online? Yup, there should be no electronic communication between the computer that occasionally has the signing keys decrypted in memory and the rest of the world. There are Free (and free) options for generating barcodes and QR codes and hardware scanners that can read them as keyboard input or virtual character device input. Generate the payment online, print it as a QR code. Scan it on the signing computer. Verify the transaction (human job!). Scan the key, type the passphrase to decrypt it. The signing computer can then print the signed or partially signed transaction as another QR code that you can take back to the online computer for sending (or sending to the next signer).

    If your security plan is not at least this good, you should under no circumstances be handling bitcoin that doesn't wholly belong to you and that you aren't willing to lose.

    On the other hand, it seems like millions of dollars of bitcoins get stolen from fools every few months and no one seems to care, so maybe I'm wrong and the level of "security" seen in the field is exactly right.

    --
    See that "Preview" button?
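
The verification step in the comment above (comparing the candidate transaction with the request sheet before unlocking the key) can be backed by a mechanical check on the signing computer. The following is an added example, not part of the original comment or of any wallet software. It assumes the request sheet lists each recipient as a scriptPubKey in hex with an amount in satoshis; the function names and the sample transaction are constructed for illustration.

```python
from collections import Counter

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next position)."""
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(buf[pos], 0)
    if size == 0:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def tx_outputs(raw):
    """Return [(scriptPubKey hex, satoshis)] from a raw serialized transaction."""
    pos = 6 if raw[4] == 0 else 4            # skip version (+ segwit marker, flag)
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        slen, pos = read_varint(raw, pos + 36)   # skip previous txid + index
        pos += slen + 4                      # skip scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        if pos + slen > len(raw):
            raise ValueError("truncated transaction")
        outs.append((raw[pos:pos + slen].hex(), value))
        pos += slen
    return outs

def diff_against_request(raw, approved):
    """List every mismatch between candidate outputs and the approved request."""
    got, want = Counter(tx_outputs(raw)), Counter(approved)
    return ([("unexpected", o) for o in sorted((got - want).elements())] +
            [("missing", o) for o in sorted((want - got).elements())])

def build_sample_tx(outputs):
    """Constructed test data: version 1, one dummy unsigned input, short scripts."""
    tx = bytes([1, 0, 0, 0, 1]) + bytes(36) + b"\x00" + b"\xff" * 4 + bytes([len(outputs)])
    for script_hex, value in outputs:
        script = bytes.fromhex(script_hex)
        tx += value.to_bytes(8, "little") + bytes([len(script)]) + script
    return tx + bytes(4)                     # locktime

# Constructed P2PKH scripts standing in for the addresses on the request sheet.
PAY, CHANGE, OTHER = ("76a914" + b * 20 + "88ac" for b in ("11", "22", "33"))
APPROVED = [(PAY, 150_000_000), (CHANGE, 49_990_000)]

if __name__ == "__main__":
    tampered = build_sample_tx([(OTHER, 150_000_000), (CHANGE, 49_990_000)])
    print(diff_against_request(tampered, APPROVED))
```

An empty list means every output, change included, matches the request; anything else should stop the signing process before the key is scanned.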