NiceHash Hacked, $62 Million of Bitcoin May Be Stolen

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.

The users are amazing

[imidan]

What's truly bizarre to me, after looking at the Reddit thread, is all the people who are impatient that the app is shut down for 24 hours because they want to keep using it. This company just lost more than $60 million of its users' money, and the users are upset that there is a delay in them sending the company more of their money.

What? You lost our $60 million?! Well, gosh, we'll give you more, but be more careful this time...

Re:Apparently that's insignificant now

[SlaveToTheGrind]

I think it's beyond question that the irrationality has reached a fever pitch.

Re: I had $10 mined there

On NiceHash, you mine hashes that are in turn sold to others for the purpose of minting new coins (and/or more sophisticated/creative purposes). NiceHash automatically selects an in-demand and valuable hash type for your system to calculate so that you can send the results back to NiceHash for sale, and you get rewarded on a regular schedule for your recent calculations. NiceHash won't assign your GPU/CPU to calculate hashes for Bitcoin, because that wouldn't pay. It will assign you hash types associated with hot altcoins, similar to what you'll see at the top of the chart a on whattomine.

Re:Let me be the first but not the last to say...

[CreamyG31337]

When mining for them, you can let it collect earned BTC payments in a virtual wallet until you 'withdraw' it, paying a fixed transaction fee that is the lowest once you have 0.15 of BTC -- about $2000.
Alternatively, you can let them pay a real external wallet directly, but you have to pay extra fees, will be paid less often, and some of the stats on their web page don't work as well. They talk about sending 1000 BTC or so every Friday which is probably to external wallets only.
They also accept bitcoin payments to purchase hashing power. Hopefully, they have just lost a wallet for handling some types of transactions and they have a lot more BTC offline somewhere to cover their internal wallets they pretty much force you to use.

Bitcoin is not for amateurs

[Orgasmatron]

Back when bitcoin went over a dollar for the first time, I noticed that people were unusually willing to steal it. For your own personal safety, you should absolutely not draw attention to your possession of bitcoin. If you do, you will be targeted. Not just drivebys and portscans, but actual they-are-after-me targeted.

If you are unable to create distance between your identity and your identity as a bitcoin holder, like if you are doing a public project involving bitcoin, you absolutely positively must not let your security be amateur shit.

The first thing you must do is establish ironclad multilayer operational security. If you don't know what that is, or don't know what it means in a bitcoin project, stop - you are not tall enough for this ride. That is actually intended to be a bit less offensive than it sounds at first. It just means that you are too young (inexperienced) to have good odds.

There is no reason to have 10 bitcoins in an online wallet, much less 4600. Those keys should be printed on paper in a N-of-M scheme and distributed to the people who will be authorizing transactions.

Yes, people should be processing transactions of that size, not computers. Ideally, the never-online signing computer software would print out the candidate transaction in a format that puts the recipient addresses and amounts in the exact same location as the request sheet so that you can visually diff the two (hold them up to a strong light to make sure they are the same) before unlocking the key and passing it on to the next signing agent.

Never-online? Yup, there should be no electronic communication between the computer that occasionally has the signing keys decrypted in memory and the rest of the world. There are Free (and free) options for generating barcodes and QR codes and hardware scanners that can read them as keyboard input or virtual character device input. Generate the payment online, print it as a QR code. Scan it on the signing computer. Verify the transaction (human job!) Scan the key, type the passphrase to decrypt it. The signing computer can then print the signed or partially signed transaction as another QR code that you can take back to the online computer for sending (or sending to the next signer).

If your security plan is not at least this good, you should under no circumstances be handing bitcoin that doesn't wholly belong to you and that you aren't willing to lose.

On the other hand, it seems like millions of dollars of bitcoins get stolen from fools every few months and no one seems to care, so maybe I'm wrong and the level of "security" seen in the field is exactly right.