How my Bitcoin was stolen…and the hacker returned most back

Elyse Petersen
Jul 26, 2014

In September 2013 my company Tealet started to accept bitcoin as payment via the service Coinbase. We have been extremely happy with the result and the amazing support we have received from the Bitcoin community.

Since launching, our monthly average percentage of revenue in bitcoin has been 20% (in the first 5 months of launching we saw 40% revenue in bitcoin). Although we started out by converting all transactions to USD immediately, we started to hold onto a minimal amount to be used to pay our employees and certain invoices.

Bitcoin and cryptocurrency are so important to our business because we do many international transactions. Convenient services that are available now can cost us up to 12% in fees. We recently welcomed our first B2B client, who is purchasing their tea wholesale utilizing bitcoin they received in their tea shop. By closing the loop Tealet can reduce payment costs from 15% to 1% from consumer to producer.

Last night I received a transactional email from Coinbase stating that a significant amount of bitcoin (all of the bitcoin in our account) was sent to an unknown address. I knew I did not authorize this payment; we had been hacked. My heart sank. All the love I have shown for Bitcoin and the encouragement I have given to other merchants to accept it, and this is the karma I get?

Even though our Coinbase account was hacked we still have 1 Bitcoin left (our dog’s name is Bitcoin)

I called our rockstar developer Cody Moniz to see if he knew what was going on. Within 5 seconds he went through our Coinbase account and servers to see that the payment was authorized through Coinbase’s API, but who could have access to the keys?

Our junior developer was frantically searching Coinbase for support and answers on how we could stop the payment (which we learned is impossible due to the nature of bitcoin). He realized that perhaps he could have done something wrong that jeopardized our security. He traced back his steps and realized that, without knowing what he was doing, he pasted a file which contained all of tealet.com’s passwords onto the internet! He’s sorry, to say the least, and is walking away from this experience a much smarter developer. A hacker accessed this information and found the ease of sending bitcoin payments to their address via Coinbase’s API.

We quickly resolved the security issue by changing all our passwords and API keys. Cody mentioned that we could send a message to the person that took our bitcoin and ask them to send it back. I thought it was a crazy idea, but why not. Utilizing his own address, Cody sent a transaction to the address our bitcoin was sent to, which read:

Hey man, this is the original developer of tealet.com. We’re a small tea startup, and we’re trying to bring Bitcoin to the masses. Our new developer did something incredibly stupid and posted our password file to pastebin. We would appreciate it if you could send the bitcoins back to this address. Mahalo!

Within seconds a majority of the bitcoin that was taken was sent back to Cody (all but 1 bitcoin was returned). WTF! It worked, well, kind of.

If you would like to help us recover this bitcoin and support our efforts, you can purchase farm-direct tea from our website with bitcoin. We will restore our bitcoin account and utilize it to run our company. Receive 30% off our subscriptions or order our special Bitcoin Teabox which contains a Bitcoin keychain (we also give 3% off for all bitcoin transactions).

Bitcoin is still a new idea taking off in the world and there are security problems (our PayPal API keys were compromised, but the hacker was not able to access our PayPal account). Coinbase has released a new API which could have stopped this from happening and has a more secure storage called Coinbase Vault. It is not bitcoin’s fault; there is still much more learning and innovating necessary to resolve these issues.

Although there are still issues I love the bitcoin community. This situation could have turned out much worse, but our trust in humanity was restored when the majority of the bitcoin was returned.

Merchants, Protect Yourself!

We want this to be a lesson for others that have taken the step towards the future by accepting bitcoin. If you are using Coinbase you should make sure you are using the most up-to-date API and keep only a minimum amount in your Coinbase account. You can use their Vault service or other more secure storage for the majority of your bitcoin.
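The leak described above began with a password file pasted to a public site. The check below is an added example, not Tealet's or Coinbase's code: it scans a file for credential-like lines before the file is shared. The key-name list, thresholds and sample config are assumptions constructed for illustration.

```python
import math
import re

# Key names that usually hold credentials (assumed list; extend for your stack).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Matches `key = value` or `key: value`, with optional `export` and quotes.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?["']?([\w.-]+)["']?\s*[:=]\s*["']?([^"'\s#,]+)""")
PLACEHOLDERS = {"changeme", "example", "xxx", "none", "null", "todo"}

def shannon_entropy(value):
    """Bits per character; random keys score high, ordinary words score low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def find_secrets(text, min_entropy=3.5, min_len=20):
    """Return (line number, key, reason, redacted value) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Skip placeholders and references such as $VAR, <set-in-env>, {{ vault }}.
        if value.lower() in PLACEHOLDERS or value.startswith(("$", "<", "{")):
            continue
        named = bool(SENSITIVE_KEY.search(key))
        random_looking = len(value) >= min_len and shannon_entropy(value) >= min_entropy
        if named or random_looking:
            reason = "sensitive key name" if named else "high-entropy value"
            # Never echo the full value: scanner output also ends up in logs.
            findings.append((lineno, key, reason, value[:2] + "***"))
    return findings

def safe_to_share(text):
    """True only when no credential-like line was found."""
    return not find_secrets(text)

# Constructed sample config; none of these values are real credentials.
SAMPLE = """\
# site config (constructed sample)
site_name = tealet-demo
db_password = "hunter2-constructed"
PAYMENT_API_KEY=k3Jq9ZxT7wLmB2vN8pRs4dYh
session_salt: 9fQ2xLr7VbT0aZpK6mWc3HyD
payment_password = <set-in-env>
"""

if __name__ == "__main__":
    for lineno, key, reason, redacted in find_secrets(SAMPLE):
        print(f"line {lineno}: {key} ({reason}) value={redacted}")
```

A finding means the value should be treated as exposed if the file has already left the machine: rotate it, as the team did here, rather than only deleting the paste.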

As more innovation comes to the Bitcoin ecosystem these issues will be less and less. For now we are taking a big risk, but don’t be afraid. It is our responsibility to bring Bitcoin to the masses!

Elyse Petersen

Social Entrepreneur, Food scientist, Returned Peace Corps Volunteer, & Collaborator. Founder of @tealettea