Bitrated — clarifications regarding ongoing DDoS attack and extortion attempt

Bitrated
May 8, 2016


If you have funds locked up in on-going trades, please read the relevant section below!

On May 8th, 12:43:33 UTC, we received the following email:

Subject: READ | IMPORTANT
From: torexit@sigaint.org
To: contact@bitrated.com
Date: Sun, 8 May 2016 12:43:33 -0000
Received: from sigaintevyh2rzvw.onion (localhost [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id 8eb24baf for <contact@bitrated.com>; Sun, 8 May 2016 12:43:33 +0000 (UTC)

FORWARD THIS E-MAIL TO SOMEONE IN YOUR COMPANY THAT CAN MAKE DECISIONS

5 minutes after this e-mail is sent, a DDOS attack will be sent to your server for 15 minutes.

You will send 7 BTC to 17ySemyqWSV5yWg9BwM1arb4FJYPzaZAnx by the 8th of May or the attack will continue.

When you have paid, we will never bother you again.

And, indeed, the extortionists made good on their threat. For the past few hours, Bitrated’s servers have been under a DDoS attack of roughly 3.2 Gb/s, which led DigitalOcean to null-route traffic to our servers on their network infrastructure.

First, we’d like to clarify that Bitrated will never succumb to blackmail demands. We believe that giving in to extortion is unethical, provides financial resources for the extortionist to continue attacking other victims, encourages additional attacks by increasing their success rate, and is simply morally wrong.

As we’re a bootstrapped startup without the financial resources to effectively counter such an attack on short notice, this may mean that Bitrated won’t be available for a while.

We’re deeply sorry for any inconvenience this may cause.

Secondly, and more importantly, we want to clarify that the architecture of the Bitrated payment system ensures that funds held up in on-going trades are never at risk.

The private keys used in the multi-signature script are derived directly from the users’ passwords (using scrypt for key stretching), which ensures that users are always in full control of their funds. Even in the worst-case scenario of Bitrated becoming permanently unavailable, users can always recover their private keys from their passwords, so access to funds is never lost.

We’re currently working on a tool to help users go through the process of recovering their keys and signing a transaction releasing funds from the multi-signature address to an address of their choosing.
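The two points above, that the signing key is a deterministic function of the password and that a user can therefore re-derive it offline with no help from the service, are shown in the following added example. This is illustrative code written for this page, not Bitrated’s implementation or its recovery tool; the scrypt parameters, the choice of the username as a public per-user salt, and the counter-based retry are all assumptions.

```python
"""
Added example (not Bitrated's code): derive a secp256k1 private key from a
user password with scrypt, and check that the same key is recoverable from
the password alone, with no server involved.
"""
import hashlib

# Order of the secp256k1 group; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed scrypt cost parameters (not Bitrated's actual settings).
# Memory use is 128 * n * r bytes, i.e. 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_private_key(password: str, salt: bytes) -> int:
    """Stretch the password with scrypt and map the output to a valid key scalar.

    `salt` is assumed to be a public, per-user value (e.g. the username), so the
    user can recompute the key offline. The 256-bit scrypt output falls outside
    [1, N-1] with probability about 2**-128; that edge case is handled by
    appending a counter to the salt and deriving again rather than silently
    returning an invalid key.
    """
    counter = 0
    while True:
        material = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt + counter.to_bytes(4, "big"),
            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
        )
        candidate = int.from_bytes(material, "big")
        if 1 <= candidate < SECP256K1_N:
            return candidate
        counter += 1  # practically never reached, but must be handled


def private_key_hex(key: int) -> str:
    """Fixed-width 32-byte hex encoding, as a wallet would import it."""
    return key.to_bytes(32, "big").hex()


def recover_matches(password: str, salt: bytes, expected_hex: str) -> bool:
    """Offline recovery check: re-derive from the password and compare.

    This is the step a recovery tool performs before signing: if the
    re-derived key matches the one that was used when the multi-signature
    address was created, the user can sign without any server-side secret.
    """
    return private_key_hex(derive_private_key(password, salt)) == expected_hex


if __name__ == "__main__":
    # Constructed sample input for a local run.
    user, pw = b"alice@example.org", "correct horse battery staple"
    key_hex = private_key_hex(derive_private_key(pw, user))
    print("derived key:", key_hex)
    print("recoverable with the right password:", recover_matches(pw, user, key_hex))
    print("recoverable with a wrong password:  ", recover_matches("wrong", user, key_hex))
```

Because nothing but the password and a public salt goes into the derivation, availability of the service has no bearing on the user’s ability to sign. The flip side, which the scrypt cost parameters are there to address, is that the key is exactly as strong as the password: a low-entropy password is the only thing standing between an attacker who knows the salt and the funds, so the work factor should be set as high as the client can tolerate.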

If you’d like to receive updates about the availability of this tool, please follow us on Twitter, Facebook or Reddit.

If you have funds held up in the system and need to urgently release them, please reach out to us for help at support@bitrated.com. If it’s not urgent and can wait for a little while, we’d like to request that you allow us some time to publicly release the tool.

Finally, we’ll be looking into ways to mitigate such attacks in the future. Our current hosting provider, DigitalOcean, does not provide us with any measures to counter the attack. Their decision to resolve the issue by null routing traffic to our servers has been disappointing. We offered to pay for help dealing with the DDoS attack, which they declined.

The solution that usually comes up for DDoS protection is CloudFlare. However, CloudFlare and similar services require the service operator to surrender their SSL keys (the provider terminates TLS on the operator’s behalf, so it holds the certificate’s private key), which we find unacceptable for a service that deals with users’ funds. In our opinion, surrendering control over Bitrated’s SSL keys would be irresponsible.

We’re looking for alternative solutions, and would appreciate hearing feedback on this matter from members of the community.

Thanks for your patience,
Nadav Ivgi, Founder & CEO, Bitrated.

Bitrated

Bitcoin Trust Platform - multi-signature smart contracts for buyer protection, identity & reputation management and fraud prevention for Bitcoin.