
Bitcoins worth $228,000 stolen from customers of hacked Webhost

Hackers exploited a vulnerability in cloud services provider Linode that …

Signs like this are going to become less and less common in 2018.

Online bandits made off with at least $228,000 worth of the virtual currency known as Bitcoin after exploiting a vulnerability in a widely used Webhost that gave unfettered access to eight victims' digital wallets.

Ars Technica was able to confirm the theft of 46,703 BTC, as individual units of Bitcoin are known, worth about $228,845 in US currency based on current exchange rates. More than 43,000 of the stolen BTC belonged to a Bitcoin trading platform known as Bitcoinica, the company's CEO and lead developer, Zhou Tong, told Ars. Another 3,094 BTC were lifted from the virtual purse of Marek Palatinus, a freelance programmer from the Czech Republic. He said in an interview that a separate Bitcoin user he's been in contact with lost 50 BTC to the same attackers. And Gavin Andresen, the lead Bitcoin programmer, told Ars he lost all 5 BTC he had stored in one online account.

Hours after Palatinus and Andresen brought the Thursday-morning attacks to light, cloud services provider Linode confirmed that a hacker targeted Bitcoin wallets stored on its servers after compromising a customer service portal.

"All activity by the intruder was limited to a total of eight customers, all of which had references to 'bitcoin,'" Linode's advisory stated. "The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified."

Neither Linode Vice President Thomas Asaro nor members of Linode's press team responded to an email seeking comment for this article. The identities of the remaining four victims and the numbers of BTC they lost couldn't be determined at the time of writing.

It's not the first time there have been reports of Bitcoin thefts reaching into the hundreds of thousands of dollars. In June, a veteran Bitcoin user reported a heist of the digital currency worth as much as $500,000, although the theft couldn't be independently verified. In the weeks that followed, several strains of malware were discovered that used the resources of compromised machines to "mine" bitcoins.

Convenience as the enemy to security

Palatinus said the $15,000 worth of BTC that was stolen had been kept in what's known as a "hot wallet," stored unencrypted on Linode's servers so it would be available for automatic payments.

"When somebody requests [a] significant amount of bitcoins for payout, I need [to] load them manually to wallet," he said during an online chat with Ars. "Of course, low amount in wallet means lower comfort for users, because automatic payouts are sometimes unavailable. And higher amount means higher security risk."

He said he stored considerably more BTC in encrypted format in USB drives that weren't connected to the Internet.

Andresen said he's working on an update to the Bitcoin framework that would largely prevent thefts like those reported Thursday by requiring "multisignature transactions." Under the new system, a wallet would hold only one of the two private keys needed to spend coins. The other key would reside on a separate machine at a different location. Software on the second machine would scrutinize proposed transactions to make sure they're legitimate, and wouldn't send an entire payment all at once. The reworked system won't be in place for another few months.
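To make the split-key arrangement concrete, here is an added example; it is not code from the article, from Andresen, or from the Bitcoin project. It models an online hot wallet that holds only key 1 and a separate co-signing machine that holds only key 2 and applies a spending policy (a per-transaction cap, a daily cap, and replay rejection) before adding its signature, so that a spend settles only with both signatures. Several simplifications are assumptions made for illustration: signatures are stood in for by HMAC-SHA256 tags so the code runs on the standard library alone (real multisig uses ECDSA signatures over the transaction), amounts are whole BTC, and the class names, policy limits, keys and addresses are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    to: str        # destination address (constructed sample value in the demo below)
    amount: int    # whole BTC, an assumption that keeps the arithmetic simple
    nonce: int     # unique per proposal; lets the co-signer reject replays

    def digest(self) -> bytes:
        body = json.dumps({"to": self.to, "amount": self.amount, "nonce": self.nonce}, sort_keys=True)
        return hashlib.sha256(body.encode()).digest()


def sign(key: bytes, tx: Tx) -> bytes:
    # Stand-in for an ECDSA signature: an HMAC tag over the transaction digest (assumption).
    return hmac.new(key, tx.digest(), hashlib.sha256).digest()


class HotWallet:
    """Online server: holds only key 1, so it can propose and half-sign a payout but never spend alone."""

    def __init__(self, key1: bytes):
        self._key1 = key1
        self._nonce = 0

    def propose(self, to: str, amount: int) -> tuple:
        self._nonce += 1
        tx = Tx(to, amount, self._nonce)
        return tx, sign(self._key1, tx)

    def propose_split(self, to: str, total: int, chunk: int) -> list:
        """Break a large payout into pieces no bigger than `chunk`, so nothing leaves all at once."""
        pieces = [chunk] * (total // chunk) + ([total % chunk] if total % chunk else [])
        return [self.propose(to, piece) for piece in pieces]


class CoSigner:
    """Separate machine: holds only key 2 and enforces a spending policy before co-signing."""

    def __init__(self, key2: bytes, per_tx_cap: int, daily_cap: int):
        self._key2 = key2
        self.per_tx_cap = per_tx_cap
        self.daily_cap = daily_cap
        self.spent_today = 0
        self._seen = set()

    def review(self, tx: Tx) -> tuple:
        """Return (signature, reason); the signature is None when the policy refuses the spend."""
        if tx.nonce in self._seen:
            return None, "replayed nonce"
        if tx.amount <= 0:
            return None, "non-positive amount"
        if tx.amount > self.per_tx_cap:
            return None, f"amount {tx.amount} exceeds per-tx cap {self.per_tx_cap}"
        if self.spent_today + tx.amount > self.daily_cap:
            return None, f"daily cap {self.daily_cap} would be exceeded"
        self._seen.add(tx.nonce)
        self.spent_today += tx.amount
        return sign(self._key2, tx), "approved"


def settle(tx: Tx, sig1: bytes, sig2: Optional[bytes], key1: bytes, key2: bytes) -> bool:
    """Models the network rule: a spend is valid only when both signatures (2-of-2) verify."""
    if sig2 is None:
        return False
    return hmac.compare_digest(sign(key1, tx), sig1) and hmac.compare_digest(sign(key2, tx), sig2)


def simulate_drain(total: int, chunk: int, per_tx_cap: int, daily_cap: int) -> tuple:
    """Someone holding only the hot wallet's key tries to move `total` BTC out.
    Returns (BTC that actually settled, proposals the co-signer refused)."""
    key1, key2 = b"constructed-key-1", b"constructed-key-2"
    hot, cosigner = HotWallet(key1), CoSigner(key2, per_tx_cap, daily_cap)
    moved, refused = 0, 0
    for tx, sig1 in hot.propose_split("1ConstructedDestinationAddr", total, chunk):
        sig2, _reason = cosigner.review(tx)
        if settle(tx, sig1, sig2, key1, key2):
            moved += tx.amount
        else:
            refused += 1
    return moved, refused


if __name__ == "__main__":
    # With a 100 BTC per-transaction cap and a 500 BTC daily cap, a compromised hot wallet
    # can move at most 500 BTC before the co-signer stops approving.
    print(simulate_drain(total=3094, chunk=100, per_tx_cap=100, daily_cap=500))
```

The point of the split is that the server-side key on its own is worth little: whoever obtains it can propose payouts, but the co-signer's limits bound the loss to the daily cap, and a single oversized transfer is refused outright.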

"As I said in my blog post, [the theft] is very unfortunate because it is, in theory, preventable," Andresen told Ars. "If I could go back in time a couple of years knowing then what I know now.... This kind of thing is the reason the bitcoin.org home page says that bitcoin is still 'experimental.'"

An advisory issued by Bitcoinica admonished customers not to reuse old Bitcoin deposit addresses.

"As of now, our website will only display new deposit addresses which are not affected by this," it stated. "However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing."

The advisory said Bitcoinica lost more than 10,000 BTC in the heist, but Tong later told Ars the actual number was 43,554 coins. Both Palatinus and Tong have said they'll cover the loss for their customers.

Story updated to fix Czech Republic and spelling and to add details.

Listing image by Storm Crypt
