Currency plunges to virtually nothing as 100,000 Bitcoins move; exchange pledges to undo the damage
The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency's largest exchange -- Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action.
I. What Are Bitcoins?
Bitcoins are a peer-to-peer cryptocurrency.
Invented in 2009 by a shadowy Japanese figure -- Satoshi Nakamoto -- the coins promise a degree of anonymity against casual tracking attempts (though insecure practices, or more concerted government efforts could still breach your anonymity. Bitcoins are also popular because they do not rely on any one central financial authority and thus represent an anarchistic/nation agnostic financial system of sorts.
To seed the market with Bitcoins, the brains behind the project created the concept of "mining" coins -- devoting computing resources to finding "blocks" of Bitcoins. Today millions of coins have been "mined" and some people accept Bitcoins as a means of payment, showing that the currency has taken its first steps towards legitimacy.
Likewise, Bitcoins are traded on a number of currency exchanges, the largest of which is Mt. Gox. Mt. Gox allows for the trade of Bitcoins to and from U.S. dollars. The exchange accounts for over 90 percent of Bitcoin trading volume on an average day.
II. A Volatile Market
Over the last month the Bitcoin market has exploded, with the currency rising in value from around $1 USD per Bitcoin to around almost $30 USD per Bitcoin at its peak. Bitcoins were expected to slowly deflate over time, but this sudden rise was highly unusual -- and unexpected.
Some chalked it up to misleading media reports which claimed Bitcoin to be a "totally anonymous" currency which could be used to safely "buy drugs" without fear of prosecution (this is expressly not true). Regardless of the source of the interest, the public was becoming interest in Bitcoins and the market was booming.
Then two Fridays ago the market began a downward plunge, with the price per coin falling nearly in half. Much like the rise, there were no hard at fast explanations for the fall, though speculative theories abounded.
The market recovered slightly last week, but the level of volatile was alarming as virtually no currency in history had ever seen these kinds of swings.
In a couple weeks the currency had risen 30-fold in value. And in just two days it had fell in half, returning to about 14-times the May value.
III. Accounts Breached
Over the last couple weeks people began to claim their accounts had been hacked and their Bitcoins stolen.
On Monday at around 5 pm, 25,000 bitcoins were transferred into account "1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg". The coins in question came from 25,000 accounts. Given recent trading values, that would indicate the counts were worth somewhere between $375,000 and $500,000 USD.
Mt. Gox's support team insisted such claims were isolated. "Magical Tux" a Tokyo-based member of the support team wrote on Saturday:
Ok, we've been seeing a "lot" of cases recently.
So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.
Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.
Responding to commenters upset about the 25k Bitcoin heist, he comments:
As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.
As a reminder we assume no responsibility should your funds be stolen by someone using your own password.
...
The coins stolen from Mt.Gox were not stolen using any CSRF exploit... [the thieves] logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.
Mt. Gox's carefree attitude over account theft (e.g. if you lose your password it's your only fault) would only last so long, though. Because a much worse breach was coming.
IV. "Tango Down" -- Mt. Gox Closes
In recent weeks, we suggested that the Bitcoin markets cooperate to close trading in cases where extreme volatility (deflationary or inflationary) was observed. Many Bitcoin proponents did not take kindly to this suggesting, saying that closing currency exchanges for market events would be blasphemy and the antithesis of everything the market stood for.
Writes DailyTech user "whitslack":
The idea of shutting down the Bitcoin exchanges when they heat up is just as repugnant to the central idea of Bitcoin as central banks are. Markets do get emotional at times, but that is something we all understand and accept. Shutting down a market is an artificial move that is in opposition to the concept of a free market. If an exchange took up such a policy, it would only incentivize the creation of new exchanges without such an artificial policy. If I can't trade my Bitcoins on Mt. Gox because it has "shut down," I'll simply go to another exchange that hasn't shut down. Even if all the currently existing exchanges colluded to shut down together, they would simply be granting enormous leverage for a newcomer to take all their volume. The concept of artificial market limits has no place in a free economy and cannot stand in one.
Well, friends, Mt. Gox has shut down. On Sunday at about 4 p.m., site official "Mark Karpeles" wrote users:
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 11:00am (JST, 02:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS
We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.
Several other major Bitcoin exchanges including TradeHill (closed at $13.79 USD per Bitcoin) have stopped showing financial transactions that recently occurred indicating a possible shutdown (though the site Bitcoin Charts reports more recent sales).
V. What is Known
First, it is clear that the Mt. Gox database has been stolen. According to one source the database had 61,020 entries -- roughly in line with Mt. Gox official MagicalTux's previous statement.
Within an hour of the hack, reportedly 100,000 Bitcoins were sold at incredibly cheap rates on Mt. Gox, plunging the market from around $17.50 USD per Bitcoin to just $0.01 per Bitcoin. Meanwhile 400,000 other Bitcoins were reported missing.
Around the same time an unknown party also posted a Pastebin commenting:
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
Will sell the database for the right price.
Send your offers to:
Soon after, though the actual database dump was public posted. It's available (for now), via direct download from here.
According to MagicalTux Mt. Gox's current protection scheme was to use and MD5 hash on passwords in its database, along with a salt [source]. However, he did not specify whether a single salt was applied to all user passwords, multiple periodic salts, or whether user-specific unique salts were employed.
The attacks have reportedly been traced to a Hong Kong IP, according to sources. Of course this could simply be a hijacked server or a proxy server, which the hackers used to obfuscate their true location
Regardless, some sources are reporting that the salting was not initially used and approximately 1,600 passwords appear unsalted. Cracking unsalted MD5 hashes is a pretty elementary task with rainbow table or brute force attacks.
Even salted passwords could be cracked, given the strength of the salting scheme and how much effort malicious parties put in (the expense in computing time likely wouldn't be worth the Bitcoin payoff -- of course, if you were using hijacked machines, it's "free labor" anyways.
On the Mt. Gox forums users openly mocked the admins and expressed frustration at the site's security practices. Writes one user "Man From The Future":
The fact that it uses MD5 is an issue.
It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.
As stated in the press release the exchange says it's undoing the sell transactions currently and is working to restore the market to around $17.50 USD per Bitcoin.
VI. What's Next
Ultimately, the massive breach may not be enough to kill the Bitcoin movement. After all, many people are very dedicated and enthusiastic about the concept of Bitcoins.
That said, the recent volatility, combined with this breach raise serious doubts about Bitcoin managing to become mainstream. The fact that the largest exchange in a $130M USD would practice such lax security practices such as failing to use the state of the art hashing methods to protect its database seems disturbing.
Ultimately a greater underlying problem may be the vulnerability of users' local "wallet" file, wallet.dat. When news of the original Bitcoin hack broke, many assumed that malicious users had infected victims' computers and exposed their wallet.dat files.
Of course, serious Bitcoin aficionados encrypt their wallet.dat file soundly, but as casual interest in Bitcoins explodes, the question remains whether the average, security-ignorant user will practice similar safety precautions.
The idea of virtual currency has been one that has long excited. Cybercurrency was a focus of famous science fiction writer Neal Stephenson's 1995 postcyberpunk novel The Diamond Age: Or, A Young Lady's Illustrated Primer, in which digital cryptocurrency was mentioned as a driving force that eliminated the nation state by destroying their ability to collect taxes from citizens. Mr. Stephenson attacked the topic again in his 1999 book Cryptonomicon, in which protagonist search for gold to use as a basis of a digital cryptocurrency.
Now that one such implementation of this ambitious concept has finally arisen, it's easy to wonder whether Mr. Stephenson could have predicted the future, much as William Gibson predicted the future of the internet, in many ways, with his seminal 1984 cyberpunk work Neuromancer.
However in order for Bitcoins to truly be a legitimate international currency, there's a lot of work that must be done to improve and protect the technology. In short, it's been a very bad week for Bitcoins; one can only hope this is the last bad news we hear.
The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency's largest exchange -- Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action.
I. What Are Bitcoins?
Bitcoins are a peer-to-peer cryptocurrency.
Invented in 2009 by a shadowy Japanese figure -- Satoshi Nakamoto -- the coins promise a degree of anonymity against casual tracking attempts (though insecure practices, or more concerted government efforts could still breach your anonymity. Bitcoins are also popular because they do not rely on any one central financial authority and thus represent an anarchistic/nation agnostic financial system of sorts.
To seed the market with Bitcoins, the brains behind the project created the concept of "mining" coins -- devoting computing resources to finding "blocks" of Bitcoins. Today millions of coins have been "mined" and some people accept Bitcoins as a means of payment, showing that the currency has taken its first steps towards legitimacy.
Likewise, Bitcoins are traded on a number of currency exchanges, the largest of which is Mt. Gox. Mt. Gox allows for the trade of Bitcoins to and from U.S. dollars. The exchange accounts for over 90 percent of Bitcoin trading volume on an average day.
II. A Volatile Market
Over the last month the Bitcoin market has exploded, with the currency rising in value from around $1 USD per Bitcoin to around almost $30 USD per Bitcoin at its peak. Bitcoins were expected to slowly deflate over time, but this sudden rise was highly unusual -- and unexpected.
Some chalked it up to misleading media reports which claimed Bitcoin to be a "totally anonymous" currency which could be used to safely "buy drugs" without fear of prosecution (this is expressly not true). Regardless of the source of the interest, the public was becoming interest in Bitcoins and the market was booming.
Then two Fridays ago the market began a downward plunge, with the price per coin falling nearly in half. Much like the rise, there were no hard at fast explanations for the fall, though speculative theories abounded.
The market recovered slightly last week, but the level of volatile was alarming as virtually no currency in history had ever seen these kinds of swings.
In a couple weeks the currency had risen 30-fold in value. And in just two days it had fell in half, returning to about 14-times the May value.
III. Accounts Breached
Over the last couple weeks people began to claim their accounts had been hacked and their Bitcoins stolen.
On Monday at around 5 pm, 25,000 bitcoins were transferred into account "1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg". The coins in question came from 25,000 accounts. Given recent trading values, that would indicate the counts were worth somewhere between $375,000 and $500,000 USD.
Mt. Gox's support team insisted such claims were isolated. "Magical Tux" a Tokyo-based member of the support team wrote on Saturday:
Ok, we've been seeing a "lot" of cases recently.
So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.
Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.
Responding to commenters upset about the 25k Bitcoin heist, he comments:
As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.
As a reminder we assume no responsibility should your funds be stolen by someone using your own password.
...
The coins stolen from Mt.Gox were not stolen using any CSRF exploit... [the thieves] logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.
Mt. Gox's carefree attitude over account theft (e.g. if you lose your password it's your only fault) would only last so long, though. Because a much worse breach was coming.
IV. "Tango Down" -- Mt. Gox Closes
In recent weeks, we suggested that the Bitcoin markets cooperate to close trading in cases where extreme volatility (deflationary or inflationary) was observed. Many Bitcoin proponents did not take kindly to this suggesting, saying that closing currency exchanges for market events would be blasphemy and the antithesis of everything the market stood for.
Writes DailyTech user "whitslack":
The idea of shutting down the Bitcoin exchanges when they heat up is just as repugnant to the central idea of Bitcoin as central banks are. Markets do get emotional at times, but that is something we all understand and accept. Shutting down a market is an artificial move that is in opposition to the concept of a free market. If an exchange took up such a policy, it would only incentivize the creation of new exchanges without such an artificial policy. If I can't trade my Bitcoins on Mt. Gox because it has "shut down," I'll simply go to another exchange that hasn't shut down. Even if all the currently existing exchanges colluded to shut down together, they would simply be granting enormous leverage for a newcomer to take all their volume. The concept of artificial market limits has no place in a free economy and cannot stand in one.
Well, friends, Mt. Gox has shut down. On Sunday at about 4 p.m., site official "Mark Karpeles" wrote users:
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 11:00am (JST, 02:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS
We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.
Several other major Bitcoin exchanges including TradeHill (closed at $13.79 USD per Bitcoin) have stopped showing financial transactions that recently occurred indicating a possible shutdown (though the site Bitcoin Charts reports more recent sales).
V. What is Known
First, it is clear that the Mt. Gox database has been stolen. According to one source the database had 61,020 entries -- roughly in line with Mt. Gox official MagicalTux's previous statement.
Within an hour of the hack, reportedly 100,000 Bitcoins were sold at incredibly cheap rates on Mt. Gox, plunging the market from around $17.50 USD per Bitcoin to just $0.01 per Bitcoin. Meanwhile 400,000 other Bitcoins were reported missing.
Around the same time an unknown party also posted a Pastebin commenting:
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
Will sell the database for the right price.
Send your offers to:
Soon after, though the actual database dump was public posted. It's available (for now), via direct download from here.
According to MagicalTux Mt. Gox's current protection scheme was to use and MD5 hash on passwords in its database, along with a salt [source]. However, he did not specify whether a single salt was applied to all user passwords, multiple periodic salts, or whether user-specific unique salts were employed.
The attacks have reportedly been traced to a Hong Kong IP, according to sources. Of course this could simply be a hijacked server or a proxy server, which the hackers used to obfuscate their true location
Regardless, some sources are reporting that the salting was not initially used and approximately 1,600 passwords appear unsalted. Cracking unsalted MD5 hashes is a pretty elementary task with rainbow table or brute force attacks.
Even salted passwords could be cracked, given the strength of the salting scheme and how much effort malicious parties put in (the expense in computing time likely wouldn't be worth the Bitcoin payoff -- of course, if you were using hijacked machines, it's "free labor" anyways.
On the Mt. Gox forums users openly mocked the admins and expressed frustration at the site's security practices. Writes one user "Man From The Future":
The fact that it uses MD5 is an issue.
It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.
As stated in the press release the exchange says it's undoing the sell transactions currently and is working to restore the market to around $17.50 USD per Bitcoin.
VI. What's Next
Ultimately, the massive breach may not be enough to kill the Bitcoin movement. After all, many people are very dedicated and enthusiastic about the concept of Bitcoins.
That said, the recent volatility, combined with this breach raise serious doubts about Bitcoin managing to become mainstream. The fact that the largest exchange in a $130M USD would practice such lax security practices such as failing to use the state of the art hashing methods to protect its database seems disturbing.
Ultimately a greater underlying problem may be the vulnerability of users' local "wallet" file, wallet.dat. When news of the original Bitcoin hack broke, many assumed that malicious users had infected victims' computers and exposed their wallet.dat files.
Of course, serious Bitcoin aficionados encrypt their wallet.dat file soundly, but as casual interest in Bitcoins explodes, the question remains whether the average, security-ignorant user will practice similar safety precautions.
The idea of virtual currency has been one that has long excited. Cybercurrency was a focus of famous science fiction writer Neal Stephenson's 1995 postcyberpunk novel The Diamond Age: Or, A Young Lady's Illustrated Primer, in which digital cryptocurrency was mentioned as a driving force that eliminated the nation state by destroying their ability to collect taxes from citizens. Mr. Stephenson attacked the topic again in his 1999 book Cryptonomicon, in which protagonist search for gold to use as a basis of a digital cryptocurrency.
Now that one such implementation of this ambitious concept has finally arisen, it's easy to wonder whether Mr. Stephenson could have predicted the future, much as William Gibson predicted the future of the internet, in many ways, with his seminal 1984 cyberpunk work Neuromancer.
However in order for Bitcoins to truly be a legitimate international currency, there's a lot of work that must be done to improve and protect the technology. In short, it's been a very bad week for Bitcoins; one can only hope this is the last bad news we hear.
