Learning experience —

Hacker steals $250k in Bitcoins from online exchange Bitfloor

Irreversible transactions make Bitcoin security a high-stakes business.

The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question Tuesday when the company's founder reported that someone had compromised his servers and made off with about 24,000 Bitcoins, worth almost a quarter-million dollars. The exchange no longer has enough cash to cover all of its deposits, and it has suspended its operations while it considers its options.

Bitfloor is not the first Bitcoin service brought low by hackers. Last year, the most popular Bitcoin exchange, Mt.Gox, suspended operations for a week after an attacker compromised a user account and sold all of his Bitcoins in a firesale that temporarily pushed the price down to zero. The site survived the attack and remains the leading Bitcoin exchange today. Hackers made off with another $228,000 in Bitcoins from online services earlier this year.

Bitcoin's peer-to-peer design means that transactions are irreversible. Once a transaction appears in the blockchain, the global record of Bitcoin transactions, no one has the authority to reverse it. And the pseudonymous nature of Bitcoin makes it difficult to trace stolen Bitcoins to their new owners.

Some regard irreversible transactions as a key Bitcoin feature, since it means merchants never have to worry about "chargebacks." But this "feature" also dramatically raises the security stakes. Anyone who deals in Bitcoins, from complex exchanges to ordinary users, has to worry about hackers making off with their cash. Indeed, malware that steals your Bitcoins automatically has been spotted in the wild.

In a June interview, Bitcoin developer Gavin Andresen told Ars that his team is working on a new feature called multi-signature transactions that could reduce the vulnerability of Bitcoin wallets to this kind of attack. Under this scheme, a user's signature is divided among multiple devices, all of which would need to approve a transaction before it could be accepted by the Bitcoin network. For personal users, that might mean splitting the key up between a PC and a smartphone. For online Bitcoin services, it would mean splitting control of a Bitcoin wallet among multiple servers. Under that scheme, hackers could only steal Bitcoins if they succeeded in compromising all of the servers holding portions of the private key.
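To make the "portions of the private key" idea concrete, here is an added example (not code from Ars or the Bitcoin project) that models splitting one wallet key across several servers with Shamir secret sharing, a swapped-in technique: Bitcoin's real multi-signature scripts use separate keys rather than shares of one key. It generalises the article's all-servers case to a k-of-n threshold; the modulus constant and the sample key values are assumptions of the example.

```python
# Added example: threshold key splitting with Shamir secret sharing over a
# prime field. Fewer than `threshold` shares reveal nothing about the key,
# which is the property the article attributes to spreading a wallet key
# across several servers.
import secrets

# Modulus for share arithmetic; any prime above 2**256 works. This value
# (the secp256k1 field prime) is assumed here, not taken from the article.
P = 2**256 - 2**32 - 977

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner), mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(secret: int, threshold: int, shares: int):
    """Split `secret` into `shares` points; any `threshold` of them recover it.
    Shares are returned as (x, y) pairs; one pair goes to each server/device."""
    if not (1 <= threshold <= shares) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    # Constant term is the secret; higher coefficients are random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_key(points):
    """Lagrange interpolation at x=0 over the supplied (x, y) points.
    With fewer than `threshold` points the result is a uniformly wrong value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def demo():
    """3-of-3 split, the all-servers-must-cooperate case from the article."""
    key = secrets.randbelow(P)          # constructed sample key
    shares = split_key(key, 3, 3)
    assert recover_key(shares) == key   # all three servers: key recovered
    assert recover_key(shares[:2]) != key  # two compromised servers: useless
    return True

if __name__ == "__main__":
    demo()
```

Changing `split_key(key, 3, 3)` to `split_key(key, 2, 3)` gives the PC-plus-smartphone style setup where any two of three holders can sign but a single stolen share is worthless.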

But at least until these new techniques mature, it's wise not to entrust large amounts of Bitcoins to third-party services, even those with excellent reputations. And always encrypt your Bitcoin wallet as soon as you're done using it.

Disclosure: The author owns some Bitcoins, and has so far avoided having them stolen by hackers.
