Wayne Huang
113 min read, Apr 24, 2015


RSA 2015 Panel: Bitcoin’s Future Threats: Expert’s Roundtable based on 150 Case Studies

Slides: http://www.slideshare.net/wayne_armorize/rsa-2015-bitcoins-future-threats-experts-roundtable-based-on-150-case-studies

RSA talk: https://www.rsaconference.com/events/us15/agenda/sessions/1710/bitcoins-future-threats-experts-roundtable-based-on


Wayne Huang, Vice President Engineering, Proofpoint, Inc. @waynehuang

Charlie Lee, Creator, Litecoin. @SatoshiLite

Danny Yang, Founder & Chief Technical Officer, MaiCoin, Inc. @huuep

Fyodor Yarochkin, Senior Threat Researcher, VArmour, Inc. @fygrave

Kristov Atlas, Bitcoin Security Researcher, Independent Security Researcher @kristovatlas

This document contains raw data used to conduct this research.

Incident categories:

  1. Remote exploitation: 32
  2. Mining resources theft: 17
  3. Fraud or scam: 13
  4. Wallet theft: 11
  5. Crime or terrorism: 11
  6. Insider threat: 9
  7. DDoS: 8
  8. Phishing: 6
  9. Coin loss: 4
  10. Software bug or human error: 3
  11. Hoax news to manipulate market: 3
  12. Social engineering: 1
  13. 51% attack: 1

1. Remote exploitation of server-side vulnerabilities

Case studies:

1.1. BTER Exchange breach (Aug 15, 2014)

1.2. Poloniex breach (March 5, 2014)

1.3. Coinbase android app vulnerability (July 1, 2014)

1.4. DogeVault.com breach (May 13, 2014)

1.5. LocalBitcoins breach (May 5, 2014)

1.6. Coinbase vulnerability (April 1, 2014)

1.7. CoinEX.pw breach (March 19, 2014)

1.8. Bitcurex breach (March 14, 2014)

1.9. Cannabis Road breach (Aug 25, 2014)

1.10. Silk Road 2.0 breach (Feb 13, 2014)

1.11. CoinTerra breach (Feb 3, 2014)

1.12. Seals with Clubs breach (Dec 20, 2013)

1.13. BitcoinTalk Dec 2013 breach (Dec 3, 2013)

1.14. Bidextreme.pl breach (Nov 20, 2013)

1.15. Bitcash.cz breach (Nov 11, 2013)

1.16. BitcoinTalk Oct 2013 breach by The Hole Seekers (Oct 3, 2013)

1.17. cryptorush.in breach (March 11, 2014)

1.18. Flexcoin breach (March 2, 2014)

1.19. BIPS breach (Nov 17, 2013)

1.20. Bitfloor breach (Sep 4, 2012)

1.21. Bitcoinica Linode breach (March 1, 2012)

1.22. Bitcoinica RackSpace breach (May 12, 2012)

1.23. Vircurex breach (May 10, 2013)

1.24. OzCoin breach (April 19, 2013)

1.25. MyBitcoin users weak password breach (June 20, 2011)

1.26. BTCGuild breach (March 10, 2013)

1.27. Mt. Gox Jun 2011 breach (June 19, 2011)

1.28. Mooncoin breach (Sep 11, 2011)

1.29. Betcoin breach (April 11, 2012)

1.30. Bitcointalk breach (April 26, 2013)

1.31. Coinbase information disclosure incident (March 31, 2014)

1.32. Bitstamp $5 Million Hot Wallet Hack (Jan 5, 2015)

[1.1] BTER Exchange breach

Hackers Steal $1.65 Million in NXT from BTER Exchange (Aug 15, 2014)

UPDATE (15th August 17:20 BST): According to reports from the NXT community and BTER, a rollback is no longer being actively considered. BTER announced on Twitter that it would seek to retrieve the stolen funds through other means.

The company said:

Update (15th August 22:15 BST): Updated with feedback from NXTOrganization.


BTER is reporting that 50m NXT, or roughly $1.65m at press time, has been stolen from its exchange following an attack on one of its hosting servers.

A developer representing the China-based digital currency exchange platform confirmed the news on the community information website NXT Forum, suggesting that the BTER team was considering urging the NXT community to roll back the NXT block chain to recover the lost funds.

In a post to the community, developer ‘freeworm’ revealed the gravity of the situation for both the exchange and the NXT community, saying:

“It’s totally our fault and we are trying our best to cover all the loss. However, 50m nxt is huge for us, we cannot afford it at the moment.”

http://www.coindesk.com/bter-nxt-bitcoin-exchange-hack/ (Aug 15, 2014)

http://www.coindesk.com/bter-bitcoin-stolen-cold-wallet-hack/ (Feb 15, 2015)

[1.2] Poloniex Loses 12.3% of its Bitcoins in Latest Bitcoin Exchange Hack (March 5, 2014)

Digital currency exchange Poloniex, which trades bitcoin and other popular digital currencies such as litecoin, namecoin and dogecoin, has lost 12.3% of its total bitcoin supply in an attack.

The exchange took to Bitcoin Forum on 4th March to report it had been compromised by a previously unknown vulnerability in its coding.

Writing under the username Busoni, Poloniex owner Tristan D’Agosta moved to calm concerned users by explaining what led to the hack, as well as what the next steps from the company would be.

D’Agosta explained:

“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”

http://www.coindesk.com/poloniex-loses-12-3-bitcoins-latest-bitcoin-exchange-hack/ (March 5, 2014)

Poloniex Claims All Customers Repaid Following March Bitcoin Hack

US digital currency exchange Poloniex has released a new update on the customer repayment plan it implemented following the loss of 12.3% of its total bitcoins in a March attack.

In a new press release, Poloniex claims 100% of the customers who experienced a financial loss have been reimbursed after a hacker or hackers reportedly exploited a vulnerability in the exchange’s coding in order to steal the funds.

Speaking to CoinDesk, Poloniex owner Tristan D’Agosta indicated his belief that customers have been adequately and successfully compensated for the site issues, stating:

“97 BTC were taken and 97 BTC were paid back. Although the value of bitcoin fluctuated, it is not very different now from what it was in the beginning of March.”

http://www.coindesk.com/poloniex-claims-customers-repaid-following-march-bitcoin-hack/ (July 2, 2014)
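The withdrawal race D’Agosta describes, modelled as an added example (this is not Poloniex’s code; the ledger schema, the user name and the satoshi amounts are assumptions for the demo). The vulnerable path checks the balance in one statement and debits in another, so a burst of requests that all arrive before any debit lands passes every check; the hardened path folds the check into one conditional UPDATE, which the database executes atomically on the row. The Flexcoin loss in [1.18] is attributed to the same kind of race.

```python
import sqlite3

SATOSHI = 100_000_000  # balances kept as integer satoshis, never floats


def make_db(user: str, balance_sat: int) -> sqlite3.Connection:
    """In-memory ledger: one balance row per user plus the queue the
    withdrawal daemon drains. Constructed sample data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("CREATE TABLE withdrawals (id INTEGER PRIMARY KEY, user TEXT, amount INTEGER)")
    conn.execute("INSERT INTO balances VALUES (?, ?)", (user, balance_sat))
    conn.commit()
    return conn


def balance_of(conn: sqlite3.Connection, user: str) -> int:
    return conn.execute("SELECT balance FROM balances WHERE user = ?", (user,)).fetchone()[0]


def queued(conn: sqlite3.Connection, user: str) -> int:
    """Rows the withdrawal daemon would pick up and pay out."""
    return conn.execute("SELECT COUNT(*) FROM withdrawals WHERE user = ?", (user,)).fetchone()[0]


# --- vulnerable: check in one statement, debit in another ---------------------
def vulnerable_check(conn, user, amount):
    return balance_of(conn, user) >= amount


def vulnerable_apply(conn, user, amount):
    # Nothing here re-checks the balance, so it happily goes negative.
    conn.execute("UPDATE balances SET balance = balance - ? WHERE user = ?", (amount, user))
    conn.execute("INSERT INTO withdrawals (user, amount) VALUES (?, ?)", (user, amount))
    conn.commit()


def vulnerable_burst(conn, user, amount, n):
    """Model n requests arriving 'in practically the same instant': every
    request passes the balance check before any of them has debited."""
    passed = [vulnerable_check(conn, user, amount) for _ in range(n)]
    for ok in passed:
        if ok:
            vulnerable_apply(conn, user, amount)
    return balance_of(conn, user), queued(conn, user)


# --- hardened: check and debit are one conditional statement ------------------
def safe_withdraw(conn, user, amount) -> bool:
    if amount <= 0:
        return False
    with conn:  # transaction: commits on success, rolls back on error
        cur = conn.execute(
            "UPDATE balances SET balance = balance - ? "
            "WHERE user = ? AND balance >= ?",
            (amount, user, amount),
        )
        if cur.rowcount != 1:
            return False  # insufficient funds or unknown user: nothing queued
        conn.execute("INSERT INTO withdrawals (user, amount) VALUES (?, ?)", (user, amount))
    return True


def safe_burst(conn, user, amount, n):
    """Same burst against the hardened path. Whatever order the statements
    interleave in, each UPDATE sees the balance left by the previous one,
    so only as many withdrawals as the balance covers are accepted."""
    accepted = sum(safe_withdraw(conn, user, amount) for _ in range(n))
    return balance_of(conn, user), queued(conn, user), accepted
```

A `CHECK (balance >= 0)` constraint on the balances table is a cheap second layer: it turns any remaining check-then-act bug into a failed transaction instead of a negative balance.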

[1.3] Coinbase Android Apps Have Security Flaw, Expert Warns (July 1, 2014)

A Canadian programmer has published what he claims is a vulnerability in Coinbase’s Android apps, one that could allow an attacker to gain full access to a user’s account.

Software Engineer Bryan Stern went so far as to caution users not to use the Coinbase Bitcoin Wallet and Merchant apps for Android until the problem is fixed, and advised them to check their accounts for suspicious activity.

However, the company has since responded to Stern in a reddit thread stating that the vulnerabilities were not as serious as Stern claims.

Stern, who works on Android development at Hootsuite, said he’d brought the issue to Coinbase’s attention via their ‘white hat’ bug bounty program in early March, but there had been a disagreement over the seriousness of the issue.

Upon finding his issue present in the latest version of the app, he decided to release the information publicly on 27th June in the hope that prompt action would be taken.

He wrote:

“I don’t mean any harm posting this, but I am frustrated that some security fixes that might require maybe 20 [development] hours to implement and is allegedly on the roadmap 3 months ago has not yet been addressed.”

http://www.coindesk.com/coinbase-apps-android-security-flaws-expert-warns/ (July 1, 2014)

[1.4] $50k in Dogecoin Rumoured to Have Been Lost in Recent Hack (May 13, 2014)

Online dogecoin storage provider DogeVault.com has been compromised by hackers, according to an official announcement from the service.

The site shut down as a result of the attack, which also saw the destruction of all of the service’s data. As a result, DogeVault is encouraging users not to transfer any funds to its wallet addresses while the attack is under investigation, and explained:

“We are currently in the process of identifying the extent of the attack and potential impact on users’ funds. This involves salvaging existing wallet data from an off-site backup.”

DogeVault has indicated that it will issue an additional statement on its findings within 24 to 48 hours of the initial post.

The overall loss of funds sustained by the site is as-yet unknown, though The Cryptocurrency Times has estimated that as many as 111m DOGE (nearly $51,000 at press time) could have been lost in the theft.

http://www.coindesk.com/50000-in-dogecoin-estimated-stolen-in-security-breach/ (May 13, 2014)

[1.5] LocalBitcoins Shrugs Off Security Breach (May 5, 2014)

Digital currency exchange LocalBitcoins suffered a security breach over the weekend, but was quick to respond by taking the site offline and reassuring clients that their bitcoins and user data are safe.

The exchange described the attack as “very dangerous” and said it targeted the site infrastructure.

The breach occurred on Sunday and allowed the intruder to briefly gain access to the server console.

Hosting weakness

The attack appears to have been carried out with some good old-fashioned social engineering. LocalBitcoins explained:

“LocalBitcoins hosting received a request to restart the LocalBitcoins.com website server and give access to the server console (root) on Sat May 3 13:32:27. LocalBitcoins team did not initiate this request. For now, it looks like the request was made using spoofed email addresses and other weakness in the hosting provider support system.”

The LocalBitcoins team was quickly alerted and the attacker had root access for about 40 minutes. Data was not compromised, however, as it is encrypted and manual actions are required for access.

“It is very unlikely that the attacker gained access to any data; LocalBitcoins is still performing full investigation on the matter,” the company said.

All bitcoins stored in the LocalBitcoins hot wallet and cold wallet are safe and are hosted on a separate server.

The team apologised for the outage and said it would take about 24 hours to resolve.

http://www.coindesk.com/localbitcoins-shrugs-security-breach/ (May 5, 2014)

[1.6] Coinbase Denies Reports of Data Breach, Addresses Security Concerns (April 1, 2014)

San Francisco-based bitcoin wallet provider Coinbase formally responded to community concerns relating to a design function of its ‘Request Money’ service on 1st April, amid reports that suggested this service could be misused by phishers and fraudsters.

The response was issued after a Pastebin entry surfaced suggesting that roughly 2,000 Coinbase customer names and emails were compromised as part of a “data breach” of the site, rumours that caused widespread speculation on reddit and social media.

Speaking to CoinDesk, the company clarified that, although certain user personal information was posted online, the event was not a data breach, but rather an exploitation of a feature common to popular tech services. Malicious users, it noted, can use an email address to determine if someone has an account on other payment services such as PayPal, Square Cash and Venmo — a process called email enumeration.

Wrote the company in its official response:

“Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion.”

http://www.coindesk.com/coinbase-denies-reports-data-breach-addresses-security-concerns/ (April 1, 2014)

[1.7] CoinEX.pw: We Were Hacked, But Will Cover All Losses (March 19, 2014)

CoinEX.pw has confirmed it recently suffered a hack resulting in the theft of all the bitcoins in its possession.

The digital currency exchange has assured customers that it is going to cover the losses out of its own pocket, although it didn’t confirm the total number of bitcoins lost.

In a post on the Bitcoin Talk forum, a CoinEX.pw representative under the username ‘erundook’ said:

“Long story short: yes, our wallet server got hacked and all funds were withdrawn.”

He also asked users to keep calm and asserted the company’s operators are not “doing a runner”.

Erundook (real name Vitaly A. Sorokin) mentioned that the company has suffered similar problems in the past and, in those instances, it covered the losses.

Of the recent hack, the company spokesperson said: “The only way I can see to restore this is to sell more shares at cryptostocks to cover the losses *and to hire a professional security audit team to prevent this from happening again*. Long story short, we’re covering this from our own pockets again.”

On 16th March, CoinEX.pw indicated on Twitter that it was facing problems.

http://www.coindesk.com/coinex-pw-hacked-will-cover-losses/ (March 19, 2014)

[1.8] Polish Bitcoin Exchange Bitcurex Targeted by Hacking Attack (March 14, 2014)

UPDATE (17th March, 23:32 GMT): Bitcurex has issued an official update stating: “We inform that Bitcurex PLN will be resumed tomorrow, on March 18 at 12:00. Bitcurex EUR will be resumed on Thursday on March 20, also at 12:00.”

UPDATE (14th March, 17:37 GMT): Bitcurex official statement added.


Poland’s leading bitcoin exchange Bitcurex temporarily shut down its site today following a hack which targeted funds in its users’ bitcoin wallets.

The exchange’s staff published a message on Facebook which stated that due “to an error and ongoing maintenance works” the platform had decided to “temporarily shut down [its] service”.

Company representatives told CoinDesk that the decision to temporarily close the website will allow the platform’s IT team to “perform a necessary verification”.

More details on the incident will be disclosed shortly once the maintenance works are completed, the representatives said, adding that there are reasons for optimism on their final outcome.

Filip Godecki, a representative of Bitcurex, told CoinDesk: “Based on what our IT team has been able to determine, it seems that the worst-case scenario can be ruled out.”

The site reportedly halted all transactions at 09:37 am local time.

A statement from the company said:

“We successfully blocked a hacking attack on Bitcurex, preventing mass theft of BTC funds of our users. Thanks to automatic safety procedures, hackers managed to defraud only a portion of the funds stored in operational Hot Wallet Bitcurex. The majority of funds from Hot Wallet, as well the entirety of funds from Cold Wallet and FIAT monetary funds remained intact.

Our team located and removed the source of the problem. We are working on resuming normal service, at the same time an external audit is being conducted: we will soon provide the exact date of resuming all Bitcurex functionalities. More information will be provided in further statements.

We are sorry for the inconvenience, and most of all we thank the whole BTC community for the support we received: we were put to a test that will make us stronger.”

http://www.coindesk.com/polish-bitcoin-exchange-bitcurex-targeted-hacking-attack/ (March 14, 2014)

Polish Bitcoin Exchange Bitcurex Relaunches Following Hacking Attack

After last week’s hacking attack forced the site to temporarily shut down, Polish bitcoin exchange Bitcurex resumed service on 18th March.

The platform said the perpetrators did not manage to break its security measures and gain full access to its operational hot wallet.

“Today, we launch trade in Polish zlotys, and on Thursday at 12:00 local time in euros to ensure our support team has sufficient capacity of handling bids in this important period,” Filip Godecki, a representative of Bitcurex, told CoinDesk.

As earlier reported, the exchange decided to temporarily close its site on 14th of March at 09:37 am local time as a result of a hack that targeted funds in user wallets.

Company representatives told CoinDesk that shutting down the site would allow its IT team to “perform a necessary verification”.

Bolstered security measures

Bitcurex said in a statement on its website that its safety procedures prevented the hackers from further actions after the initial theft.

Explained a representative:

“The service was shut down to carry out repair works and implement the necessary improvements to our system. Our internal procedures prevented any further losses which were limited to between 10 and 20% of our operational Hot Wallet Bitcurex.”

http://www.coindesk.com/polish-bitcoin-exchange-bitcurex-relaunch-hacking-attack/ (March 18, 2014)

[1.9] Black Market Cannabis Road Hacked, $100k in Bitcoin Lost (Aug 15, 2014)

Cannabis Road is now offline after suffering from an attack that saw hackers abscond with 200 BTC or roughly $100,355 at press time.

Users who attempt to access the online marketplace dedicated to cannabis products are now presented with a message from lead developer ‘Crypto’ detailing the attack and the potential paths forward for the development team.

Crypto writes that he discovered the theft at roughly 10:15 AM UTC, after logging into Cannabis Road’s bitcoin wallet and noticing the balance was near zero.

He recalls:

“At first I thought it was a mistake, until I double checked, and triple checked, only to find out, we had in fact been robbed not 15 minutes earlier!”

http://www.coindesk.com/black-market-cannabis-road-hacked-loses-100000-bitcoin/ (Aug 15, 2014)

[1.10] After Massive Hack, It’s Pay Back Time for Silk Road 2.0 (Feb 13, 2014)

Online black market Silk Road 2.0 has announced via reddit that it will forego paying its staff until it reimburses users for the more than 4,000 BTC that was compromised last week.

The massive loss is said to be the work of enterprising hackers, who exploited bitcoin’s ongoing transaction malleability issues to steal funds from the site, though other, more colorful theories abound.

Silk Road 2.0 moderator Defcon issued a seven-point repayment plan to the community yesterday. Effective 15th February, the proposal reaffirmed his outlet’s commitment to its merchants and clientele, and was open to user feedback.

Said Defcon:

“We are committed to getting everyone repaid even if it takes a year.”

In addition, Defcon moved to downplay persisting rumors that the theft was an inside job, writing:

“We are deep into the investigation of data surrounding the attacks, and there is absolutely zero evidence of any staff member being involved.”

He went on to suggest that Silk Road 2.0 is still looking out for the alleged thieves, and that he will provide updates as the search progresses.

http://www.coindesk.com/pay-back-silk-road-2-0/ (Feb 17, 2014)

Silk Road 2 Loses Over $2.6 Million in Bitcoins in Alleged Hack

Dark market web site Silk Road 2 has told customers that all of their bitcoins are gone after a massive hack, in which at least 4,476 bitcoins (worth over $2.6m at current prices) are believed stolen. Organizers at the site are blaming the compromise on the transaction malleability attack in the news this week.

“Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty,” said a post from Defcon, one of the site’s moderators, on a forum, located on the Tor network.

The post added that thieves attacked after the organizers of the site took too long to respond to widespread industry concern about the transaction malleability attack. “Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself,” it said.

Generally, good security principles would have a bitcoin-based web site putting the bulk of bitcoins under management in cold storage (i.e. stored offline), so that they could not be stolen by online attackers. However, the post said that they were all stored online, because of back-end developments on the site.

“We were planning on re-launching the new auto-finalize and Dispute Center this past weekend,” Defcon said in the post. The implementation of the two features would have bumped up the volume of orders being finalized, causing the site to make all of the bitcoins instantly available.

The post came with profuse apologies. “I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand,” Defcon said, before posting the fraudulent transactions, and asking for community help in bringing down the alleged thief.

The post suggested that the escrow wallets (which hold funds until goods have been delivered) were compromised. One thing that wasn’t clear is whether users’ personal wallets (holding funds that have been uploaded but not spent, or received from customers but not withdrawn) had been stolen.

Some postings on the forums suggested that they had also been compromised. “Appears so at least in my case. While only .1286 BTC (deposited last night) I can see a transaction on blockchain that has sent payment to an address and I have made no such transaction,” said one user, calling himself ‘UncleFester’.

“Blockchain showing my SR wallet emptied. So — escrow and wallets are all gone :-(,” said another, ‘meathead_420’.

Others suggested that all remaining coins may have been taken off the Silk Road 2 server while the situation was resolved.

http://www.coindesk.com/silk-road-2-loses-bitcoins-hack/ (Feb 13, 2014)
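An added model of how malleability emptied the site (this is not Silk Road 2’s code, and the transaction format, the `malleate` step and the coin names are constructed simplifications). Pre-SegWit, the txid covered the signature script, so a relayer could re-encode a signature and confirm a transaction under a different id. A withdrawal daemon that only recognises its own txid concludes the payment failed and re-sends from a fresh coin each time; one that checks whether the coins it spent are spent on chain recognises the first payment and stops.

```python
import hashlib
import json


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(tx: dict) -> str:
    # Simplified model: the id covers the whole serialised tx, scriptSig
    # included. That is the pre-SegWit property the attack relied on: changing
    # the signature encoding changes the id without changing what the tx does.
    return sha256d(json.dumps(tx, sort_keys=True).encode()).hex()


def make_withdrawal(outpoint: str, dest: str, amount_sat: int) -> dict:
    # Constructed toy transaction: one input (an exchange coin), one output.
    return {
        "inputs": [{"outpoint": outpoint, "scriptSig": "sig(" + outpoint + ")"}],
        "outputs": [{"address": dest, "amount": amount_sat}],
    }


def malleate(tx: dict) -> dict:
    # Models a third party re-encoding the scriptSig before confirmation
    # (represented by a tag): inputs, outputs and validity are unchanged,
    # but the serialisation, and therefore the txid, is different.
    copy = json.loads(json.dumps(tx))
    copy["inputs"][0]["scriptSig"] = "reencoded:" + copy["inputs"][0]["scriptSig"]
    return copy


def naive_is_settled(sent_tx: dict, chain: list) -> bool:
    # Looks only for the exact txid we broadcast. After malleation it never
    # appears, so the daemon believes the withdrawal was lost.
    return txid(sent_tx) in {txid(t) for t in chain}


def robust_is_settled(sent_tx: dict, chain: list) -> bool:
    # Asks the question that matters: were the coins we spent actually spent
    # on chain, by any txid? Malleation cannot change the inputs.
    spent = {i["outpoint"] for t in chain for i in t["inputs"]}
    return all(i["outpoint"] in spent for i in sent_tx["inputs"])


def simulate(utxos: list, amount_sat: int, is_settled, max_rounds: int) -> int:
    """A customer withdraws; every broadcast is malleated before it confirms;
    the customer reports 'not received' each round. Returns how many coins the
    exchange paid out before its daemon recognised the withdrawal as settled."""
    utxos = list(utxos)
    chain = []
    paid = 0
    for _ in range(max_rounds):
        if not utxos:
            break                      # exchange drained
        sent = make_withdrawal(utxos.pop(), "customer", amount_sat)
        chain.append(malleate(sent))   # the malleated variant is what confirms
        paid += 1
        if is_settled(sent, chain):
            break                      # payment recognised; no resend
    return paid
```

The fix the exchanges adopted at the time was exactly `robust_is_settled`: reconcile by spent outpoints (and by the destination output), not by the txid you remember broadcasting.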

[1.11] CoinTerra Battles With Performance Issues and Security Breach (Feb 3, 2014)

Confirmed security breach

As if board issues weren’t enough, the company also suffered a security breach over the weekend. CoinTerra said the attack was detected on Sunday and it is still investigating.

For the time being, the scope of the attack remains unclear. However, CoinTerra was quick to reassure customers that they won’t be affected:

“A small number of customers who paid for their order with bitcoin between January 31st and February 2nd may have been affected and we are in the process of reaching out to those customers directly. Note that this will not affect the current shipping schedule of our units to customers this week.”

CoinTerra also urges all customers who received any “suspicious emails” regarding their orders over the last few days to get in touch. It seems the emails were promising customers some rather shady deals.

http://www.coindesk.com/cointerra-performance-issues-security-breach/ (Feb 3, 2014)

[1.12] ‘Seals With Clubs’ Bitcoin Poker Site Hacked, 42,000 Passwords Stolen (Dec 20, 2013)

Bitcoin poker site Seals with Clubs has confirmed that its database was compromised, although it failed to mention that it lost 42,020 hashed passwords in the process. The hashes were posted to a forum some 24 hours earlier and needless to say they attracted plenty of people bent on cracking them.

For some reason Seals with Clubs used SHA1 hash functions, which are for all intents and purposes obsolete. Even the latest SHA3 hash is not suitable for passwords and it appears that the site was relying on cryptographic salting to make them more secure, making sure that different hashes would be used even if two users chose the exact same password.

In any case, it did not take long for people to start figuring out some passwords, such as “bitcoin1000000”, “sealswithclubs”, “88seals88” and “pokerseals”. The revealed passwords quickly led security experts to join the dots and conclude that the passwords came from Seals with Clubs users.

On Wednesday, a user posted the database of hashes to a password recovery forum operated by commercial password cracking service InsidePro. The user offered $20 in bitcoins for every set of a thousand unique hashes. It took just nine minutes for the first reply and the first set of 1,000 hashes. Within a day, about two thirds of the list was cracked, reports Ars Technica.

By Thursday, Seals with Clubs was in damage control mode, officially admitting the breach and announcing that it has issued a mandatory password reset. A post on its site read:

The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in.

Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.

http://www.coindesk.com/seals-clubs-bitcoin-poker-site-hacked-42000-passwords-stolen/ (Dec 20, 2013)

[1.13] BitcoinTalk Hacked Again, Members Urged to Change Passwords (Dec 3, 2013)

Bitcoin is stateless, frictionless and more valuable than ever. But these things also mean that BTC is a security risk, from an IT perspective.

Case in point is the popular virtual currency forum Bitcoin Talk. The site was recently hacked, and the administrators have posted a note regarding the possibility of compromised passwords over a recent period of time:

“If you used your password to login between 06:00 Dec 1 UTC and 20:00 Dec 2 UTC, then your password may have been captured in a man-in-the-middle attack, and you should change your password here and wherever else you used it. If you were only logged in via the “remember me” feature, then you’re OK.”

http://www.coindesk.com/bitcoin-talk-hacked-password-vulnerabilities/ (Dec 3, 2013)

[1.14] Polish Bitcoin Exchange Bidextreme.pl Hacked, Bitcoin and Litecoin Wallets Emptied (Nov 20, 2013)

Poland’s digital currency exchange Bidextreme.pl has been hacked and its customers’ bitcoin and litecoin wallets have been emptied.

In a statement published on its website, the platform said it decided to temporarily suspend all activities until the matter is resolved. The incident was reported to the law enforcement authorities, the company said.

The amount of digital currency stolen was not disclosed by the platform, which was founded in 2013.

Local observers say the attack could hamper the development of Poland’s bitcoin market, even though bitcoin trading is becoming increasingly popular in Poland and the number of companies accepting payment for services and goods in bitcoins is steadily rising.

The incident, which took place on 18th November, follows a similar attack that happened a week earlier in the Czech Republic.

Czech bitcoin exchange Bitcash.cz was hacked and up to 4,000 customers’ wallets were emptied, after which, the company’s site was shut down.

A statement from Bidextreme.pl said:

“Should the [digital currency] be retrieved, it will be returned to the users according to the balance from 17th November 2013. The users’ funds which were deposited on the platform’s bank accounts are safe.”

http://www.coindesk.com/hacker-attack-polands-bitcoin-exchange/ (Nov 20, 2013)

[1.15] Czech bitcoin exchange Bitcash.cz hacked and up to 4,000 user wallets emptied (Nov 11, 2013)

Czech Republic-based bitcoin exchange Bitcash.cz has been hacked and up to 4,000 customers’ wallets have been emptied.

The company’s site is currently down, showing only a message informing of the hack, which took place on 11th November.


According to Czech news site E15.cz, some 4,000 bitcoin wallets had been opened with Bitcash.cz, with a total value of over 2 million Czech koruna (roughly equivalent to $100,000).

A post on the company’s Facebook page reads (roughly translated):

“Unfortunately, as we have already announced on our website Bitcash.cz, our server was attacked and compromised — including the wallets.

We are trying to resolve the situation, but we want to warn our users about fraudulent emails and scams [claiming to be from Bitcash].

We never ask anyone for access to his or her accounts or wallets nor ask for money.

We will inform you of any developments as soon as possible.”


http://www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/ (Nov 12, 2013)

A Czech Bitcoin exchange, bitcash.cz, reported a hack in mid-November 2013. The hack was relatively minor; however, Bitcoin prices were very high at the time relative to the preceding and succeeding months.

https://bitcointalk.org/index.php?topic=576337#post_bitcashcz_hack (Nov 11, 2013)

[1.16] BitcoinTalk forum hacked by ‘The Hole Seekers’ (Oct 3, 2013)

Article updated on October 7 at 11:00

Popular digital currency forum BitcoinTalk has been hacked by a group calling themselves “The Hole Seekers”.

The site is now down, but for a period, it displayed animations of bombs exploding and photos of classical music conductors, all set to the 1812 Overture, which is also the soundtrack to the explosion scene in V for Vendetta.

Toward the end of the animation, a banner was displayed, stating:

“Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye”

http://www.coindesk.com/bitcointalk-forum-hacked-hole-seekers/ (Oct 3, 2013)

[1.17] CryptoRush Theft (March 11, 2014)

Cryptocurrency exchange cryptorush.in suffered a security breach leading to the loss of almost 1000 BTC and a significant amount of other cryptocurrencies such as Litecoin.

The exchange attempted to continue operations and withhold its insolvency from its users. Some days later, it created its own proprietary cryptocurrency, purporting to pay dividends to owners.

The exchange later suffered another bug leading to the loss of cryptocurrency balances in Blackcoin. A support employee later leaked details of the theft and the attempts to cover it up.

https://bitcointalk.org/index.php?topic=576337#post_cryptorush_theft (March 11, 2014)

http://pastebin.com/eLkPxLWi (March 26, 2014)

[1.18] Flexcoin Theft (March 2, 2014)

Canadian-based Bitcoin “bank” Flexcoin reported a security breach causing the loss of most hot wallet funds, thanks to a race condition.[86] Creditors were not reimbursed. Flexcoin SHUT DOWN.

Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough.

Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.

https://bitcointalk.org/index.php?topic=576337#post_flexcoin_theft (March 2, 2014)

http://flexcoin.com/ (March 3, 2014)

[1.19] BIPS Hack (Nov 17, 2013)

The then up-and-coming payment processor BIPS suffered a major breach in mid-November 2013, a month that saw numerous other companies shut down due to hacks. BIPS refused to refund creditors, justifying the loss as inevitable for a web wallet. BIPS made an attempt to continue business despite the hack.

https://bitcointalk.org/index.php?topic=576337#post_bips_hack (Nov 17, 2013)

https://bitcointalk.org/index.php?topic=252308.msg3675013#msg3675013 (Nov 22, 2013)

[1.20] Bitfloor Theft (Sep 4, 2012)

Although the keys to the hot wallet of Bitfloor were secured, an unencrypted backup was mistakenly stored on some of the servers. After a hacker gained entry, most of not only the hot wallet but also the cold wallet was stolen. To this date, none of the coins have been returned by the hacker to Bitfloor. Although Bitfloor briefly shut down after the incident, it has since restarted and has committed to repaying its creditors.[44] Unfortunately, Bitfloor’s banks shut down the exchange’s operation before all coins could be recouped.

As much as I regret the post I am about to write I feel that it is only fair and holding to the spirit of BitFloor that I disclose everything that is going on and make the information available. Please read the entirety of the post. As always, if you have any questions please post them here versus contacting support so that other users may benefit from the answer (unless it is private).

Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations. Even though only a small majority of the coins are ever in use at any time, I felt it inappropriate to continue operating not having the capability to cover all account balances for BTC at the time.

Due to the serious nature of what has happened I am currently evaluating options for BitFloor. One of the last things I want to happen is for BitFloor to shutdown and cause more panic in the bitcoin community. The platform itself is very valuable and provides an important and friendly service to many users.

BitFloor is very much focused on the end user and creating a reliable and trusted platform for everyone. Through exchange user support, I can continue to operate BitFloor. I believe that posting the exchange source and being even more transparent about operations would be a step in this direction if we were to continue operating. BitFloor is currently the #4 USD exchange and #1 in the US.

As a last resort, I will be forced to fully shut BitFloor down and initiate account repayment using current available funds. I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack.

I realize that saying that I appreciate everyone’s understanding is a moot point, however I do wish to re-iterate that my goal is to find the best and most reasonable way forward for BitFloor customers and the exchange and not create more panic that the community has already seen time and time again.

I would like to keep this thread focused on evaluating ideas of BitFloor operation and will create a separate thread for discussion (see below) about the actual transactions and tracing the coin theft. I will not speak at detail about the actual breach at this time as my current focus is on the future and not the past.

In the interest of information for tracking stolen coins:



https://bitcointalk.org/index.php?topic=576337#post_bitfloor_theft (Sep 4, 2012)

https://bitcointalk.org/index.php?topic=105818.0 (Sep 4, 2012)

[1.21] Linode Hacks (March 1, 2012)

In early March 2012, the New Jersey-based web and cloud hosting company Linode was suspected of robbing many popular Bitcoin services. A vulnerability in the customer support system was used to obtain administrator access to the servers. Once the Linode servers were compromised, eight accounts dealing with bitcoins were targeted.[27] The hardest hit was the bitcoin trading platform, Bitcoinica. This resulted in the unauthorized transfer of BTC from the “hot wallets”, a term used to describe operational withdrawal wallets, of the services affected. A severe bitcoin-denominated theft, the Linode theft also affected Tradehill, but no coins were stolen from them; instead, Tradehill had a short downtime because of the incident. In the aftermath of this theft, all the services migrated to other platforms. To this day, Bitcoin users fear Linode and usually refrain from using its services.

https://bitcointalk.org/index.php?topic=576337#post_linode_hacks (March 1, 2012)

[1.22] May 2012 Bitcoinica Hack (May 12, 2012)

Zhou Tong, former founder of Bitcoinica, discovered an entry into Bitcoinica’s Rackspace server through an excessively privileged compromised email address. This caused the theft of the entire “hot wallet”, funds stored on-site, as well as the loss of the main database. No backups were kept. Bitcoinica shut down because of this incident. The claims process is still ongoing; however, Bitcoinica is now entering receivership.

On December 21, 2012, it was discovered that BitMarket.eu, a company run by Maciej Trębacz, lost a large portion of customer funds which were stored on Bitcoinica.[32] These customers were reportedly unaware that their funds were stored on Bitcoinica. Return of a portion of these funds is still possible, pending the outcome of liquidation.

https://bitcointalk.org/index.php?topic=576337#post_may_2012_bitcoinica_hack (May 12, 2012)

Hello all. I’m terribly sorry for not responding to this earlier. A mix of personal issues with searching for a solution prevented me from it.

Unfortunately, I have very bad news. I cannot currently process your withdrawals. The situation is very complicated and it’s all my fault, that’s why I feel terrible about it. I tried to make this up, to keep the site afloat and somehow recover the funds, but it’s not possible anymore. Right now there are 1786 BTC pending withdrawal, which I can’t honor…

Earlier this year, I had this “genius” idea which led me to making a fatal mistake. I thought I could provide a hedge fund service for Bitmarket users. There were other sites providing this service so I guessed that it could be successful. I had experience in trading before; all I needed was a platform. And there was one — Bitcoinica. I was so convinced with this idea (and sooo wrong in hindsight) that for a while I kept the majority of “offline” Bitmarket funds there. What I didn’t expect was that one day it could just disappear — taking all the money with it. What’s worse, the funds were shorted when it happened (converted to USD and sold) — and after Bitcoinica disappeared BTC price rose by about 250% until now. So while there is still a chance to recover the funds (there is an appointed liquidator assigned to this case and I’ve already sent in claims) it will not be enough to cover all people’s funds. For the record — there are 20161 18787.72139217 BTC missing (edit: I subtracted my funds that also were deposited on Bitmarket), and Bitcoinica claims total for around 50K USD (the exact amount is uncertain because the liquidators haven’t yet stated at what rate they will liquidate positions).

Sadly, on my own I’m out of options. I don’t have my own money to pay for this loss (Bitmarket never made any real profit and I make a living by part-time web/mobile programming). The options for making this up for everyone as I see them are:

- find an investor (or investors) that is willing to cover at least part of this debt. I would transfer all rights to the website software, servers and database to him and also work as a technician, possibly also implementing features he wanted. If you, reading this, have the funds necessary to make this work, PLEASE contact me on this.

- freeze all current funds and “start over” trading with explicit fees, implementing much-needed features like a rating system and others. All profits from the fees would go directly to a fund for repaying the debt. I’m afraid that this option alone is not enough though — many people won’t (and have full right to do so) trust the site again…

- something else?

Again, I would like to deeply apologize to everyone involved with this. I’m really sorry. I made a fatal mistake and I have to deal with it now. If you are thinking about suing me over this — you have full right to do so, but I don’t think it’s a good idea — I don’t have any money so winning a case will get nothing for you and possibly ruin my life. It also would prevent me from doing anything to alleviate this situation, and I really want to make this up for everyone and I’m willing to do anything in my power to do this. I had many sleepless nights thinking about how I can make this right. I just need some help with this.

Last, but not least…

If you have any bitcoin you can donate to help users that have locked funds, please send them here: 1Km5GFMat1DXcbvMTeH9ZvLGKvFCLBA9dM

All received Bitcoins will go directly to process withdrawals. I will update how much is left in this thread.

https://bitcointalk.org/index.php?topic=5441.msg1413156#msg1413156 (May 12, 2012)

[1.23] Vircurex Theft (May 10, 2013)

The hot wallet and “warm” wallet of Bitcoin to alternative cryptocurrency exchange service Vircurex was emptied in May 2013, resulting in a significant loss of three currencies: Bitcoin, Terracoin, and Litecoin.[57] Initially, Vircurex operated normally despite the loss, though it no longer paid dividends to shareholders. In March 2014, due to strain caused by large withdrawals (in addition to a default by AurumXChange, a fiat processor Vircurex used), Vircurex froze large quantities of many currencies; however, it promises to pay these back eventually.[59]

https://bitcointalk.org/index.php?topic=576337#post_vircurex_theft (May 10, 2013)

https://vircurex.com/welcome/ann_reserved.html (Aug 20, 2014)

[1.24] OzCoin Hacked, Stolen Funds Seized and Returned by StrongCoin (April 19, 2013)

OzCoin, one of the larger Bitcoin mining pools, has reported that an unknown attacker managed to hack into their server, defacing their website and database and stealing 923 BTC ($135,000) from their Bitcoin wallet. However, in less than a day over half of the money was seized as it was passing through the web wallet StrongCoin, and promptly returned to Ozcoin. 354.06 BTC are still missing, and will likely never be found, but this nevertheless leaves OzCoin with a much softer blow than what anyone expected.

Although most people agree with StrongCoin’s actions, this is nevertheless a very worrying sign for the security and privacy of StrongCoin, and other web wallets by extension. StrongCoin is what is often called a hybrid web wallet, accessible as a website on the internet but doing all of the transaction signing and address management in Javascript on the client side. Essentially, the client is downloading a fresh version of the wallet software from StrongCoin each time, and from that point, in theory, the software becomes just as secure as any other client-side program. The user’s wallet data, including the private keys needed to sign transactions, is backed up on StrongCoin’s servers, but it is encrypted and decrypted client-side using the user’s password so, once again in theory, there should be no way for StrongCoin themselves to get hold of the user’s private keys. StrongCoin heavily advertises this feature; on the website’s front page, they write: “Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.” Except they just did.

http://bitcoinmagazine.com/4273/ozcoin-hacked-stolen-funds-seized-and-returned-by-strongcoin/ (April 24, 2013)

(Ozcoin Theft)

A hacker managed to infiltrate Ozcoin’s payout script, such that all money was paid out to the hacker’s address. Luckily, a day later Strongcoin seized most of the stolen funds and promptly returned them to Ozcoin.

https://bitcointalk.org/index.php?topic=576337#post_ozcoin_theft (April 19, 2013)

[1.25] Mass MyBitcoin Thefts (June 20, 2011)

Users with weak passwords on MyBitcoin who used the same password on Mt. Gox were in for a surprise after the June 2011 Mt. Gox Incident allowed weakly-salted hashes of all Mt. Gox user passwords to be leaked. These passwords were then hacked on MyBitcoin and a significant amount of money lost.

MyBitcoin estimates indicate 1% of MyBitcoin users were affected.[11] Users that were not affected would be later stolen from anyways, due to the subsequent MyBitcoin Theft.

https://bitcointalk.org/index.php?topic=576337#post_mass_mybitcoin_thefts (June 20, 2011)

From the desk of Tom Williams, operator of MyBitcoin.com

For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin forum and other places about the recent Mtgox password leak, and theft from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was leaked. As soon as we heard about the leak we were closely monitoring the system for abnormal activity, and we didn’t see any.

https://bitcointalk.org/index.php?topic=22221.msg279396#msg279396 (July 25, 2011)
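The chain described above (weakly salted hashes leaked from Mt. Gox, cracked, then replayed against MyBitcoin accounts) is what a service on the receiving end has to detect and cut off. As an added illustration, not code from MyBitcoin or from the post quoted above, the following Python stores passwords per-user salted with PBKDF2 and shows the post-breach check a service can run against a published list of cracked passwords, locking any account whose password reappears there; the user names, passwords and leaked list are constructed samples.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List

# Iteration count kept deliberately low so the example runs quickly; production
# deployments should use a far higher work factor (or bcrypt/scrypt/argon2).
PBKDF2_ITERATIONS = 20_000


@dataclass
class UserRecord:
    username: str
    salt: bytes          # 16 random bytes, unique per user
    pw_hash: bytes       # PBKDF2-HMAC-SHA256(password, salt); b"" means "locked"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt))


def verify_password(user: UserRecord, password: str) -> bool:
    # Constant-time comparison; an empty stored hash (locked account) never verifies.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def users_at_risk(users: List[UserRecord], leaked_passwords: List[str]) -> List[str]:
    """Usernames whose current password appears in a cleartext list recovered from
    another site's breach (the Mt. Gox dump was crackable because its salting was weak).

    Because our own hashes are salted per user there is no shortcut: every candidate
    must be re-hashed under every user's salt. That per-user cost is exactly what a
    weakly salted store gives away to whoever holds the leaked file."""
    at_risk = []
    for user in users:
        if any(verify_password(user, pw) for pw in leaked_passwords):
            at_risk.append(user.username)
    return at_risk


def lock_accounts(users: List[UserRecord], usernames: List[str]) -> int:
    """Invalidate the password of each listed account so the reused credential stops
    working here until the user completes an out-of-band reset. Returns the count locked."""
    locked = 0
    for user in users:
        if user.username in usernames and user.pw_hash != b"":
            user.pw_hash = b""
            locked += 1
    return locked


# Constructed sample data: two local accounts and a made-up cracked-password list
# published after a breach elsewhere.
SAMPLE_USERS = [
    create_user("alice", "hunter2"),                      # reused a weak password
    create_user("bob", "correct horse battery staple"),   # unique passphrase
]
SAMPLE_LEAKED_PASSWORDS = ["password1", "hunter2", "letmein"]


if __name__ == "__main__":
    risky = users_at_risk(SAMPLE_USERS, SAMPLE_LEAKED_PASSWORDS)
    print("accounts to force-reset:", risky)      # ['alice']
    print("locked:", lock_accounts(SAMPLE_USERS, risky))
```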

[1.26] BTCGuild Incident (March 10, 2013)

When BTCGuild was upgrading the Bitcoind client to 0.8, the mining pool used its original upgrade plan. However, 0.8 is unique in that it reindexes the blockchain. This prompted a temporary state in which the pool was paying out for difficulty-1 shares, as that was the extent of the blockchain parsed. Sixteen separate thieves subsequently emptied the hot wallet. 47 BTC have been returned to the pool. The pool would on the following day lose even more money thanks to a bug causing its recent upgrade to 0.8 to differ from nodes running 0.7 or lower.

https://bitcointalk.org/index.php?topic=576337#post_btcguild_incident (March 10, 2013)
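BTCGuild paid block rewards for difficulty-1 shares because its freshly upgraded node, still reindexing from genesis, reported the network difficulty as 1. As an added example (not BTCGuild's code), the Python below shows the guard a pool's accounting can put in front of that number: refuse the node's difficulty while it is syncing, and reject a value that the retarget rules could not have produced since the last trusted one. Field names follow Bitcoin Core's getblockchaininfo; the heights and difficulties are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BLOCK_SUBSIDY_BTC = 25.0      # subsidy in effect in March 2013
RETARGET_INTERVAL = 2016      # blocks between difficulty adjustments
MAX_RETARGET_FACTOR = 4.0     # each adjustment is clamped to [1/4, 4] of the previous value


@dataclass
class NodeInfo:
    """The getblockchaininfo fields that matter here (names as in current Bitcoin Core;
    a 2013 node exposed less, which is part of why the bug slipped through)."""
    difficulty: float
    blocks: int                 # fully validated blocks
    headers: int                # best known header chain
    initialblockdownload: bool  # True while syncing or reindexing from genesis


@dataclass
class PoolState:
    last_trusted_difficulty: float
    last_trusted_height: int


def node_rejection_reason(node: NodeInfo, pool: PoolState) -> Optional[str]:
    """Why the node's view of network difficulty must not be used, or None if it is sane."""
    if node.initialblockdownload or node.blocks < node.headers:
        # A reindexing 0.8 node replays the chain from block 0, where difficulty is 1.
        return "syncing"
    if node.blocks < pool.last_trusted_height:
        return "height went backwards"
    # Difficulty moves at most 4x per retarget, so bound the plausible change by the
    # number of retargets since the last trusted value (+1 for a boundary that may
    # fall inside the interval).
    retargets = (node.blocks - pool.last_trusted_height) // RETARGET_INTERVAL + 1
    bound = MAX_RETARGET_FACTOR ** retargets
    lo = pool.last_trusted_difficulty / bound
    hi = pool.last_trusted_difficulty * bound
    if not lo <= node.difficulty <= hi:
        return "implausible difficulty"
    return None


def credit_share(share_difficulty: float, node: NodeInfo,
                 pool: PoolState) -> Tuple[float, float, Optional[str]]:
    """Account for one submitted share: (share credit, block reward credit, hold reason).

    A share only counts as a found block when it meets a network difficulty the pool
    trusts. While the node is untrusted the share is held (credited 0 here; a real pool
    would queue it for later accounting) rather than being paid out as a block."""
    reason = node_rejection_reason(node, pool)
    if reason is not None:
        return 0.0, 0.0, reason
    pool.last_trusted_difficulty = node.difficulty
    pool.last_trusted_height = node.blocks
    block_reward = BLOCK_SUBSIDY_BTC if share_difficulty >= node.difficulty else 0.0
    return share_difficulty, block_reward, None


if __name__ == "__main__":
    # Constructed sample: heights and difficulty are illustrative, not the pool's real numbers.
    pool = PoolState(last_trusted_difficulty=4_367_876.0, last_trusted_height=225_000)
    reindexing = NodeInfo(difficulty=1.0, blocks=1_200, headers=225_010, initialblockdownload=True)
    synced = NodeInfo(difficulty=4_367_876.0, blocks=225_010, headers=225_010, initialblockdownload=False)
    print(credit_share(1.0, reindexing, pool))   # (0.0, 0.0, 'syncing'): a diff-1 share is not a block
    print(credit_share(1.0, synced, pool))       # (1.0, 0.0, None)
```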

[1.27] June 2011 Mt. Gox Incident (June 19, 2011)

Mt. Gox, then the leading BTC/USD exchange service, suffered a severe breach as a consequence of an ownership change. The sale conditions involved a share of revenue to be remitted to the seller. To audit this revenue, the seller was permitted an account with administrator access.[8]

The seller’s administrator account was hacked by an unknown process. The privileges were then abused to generate humongous quantities of BTC. None of the BTC, however, was backed by Mt. Gox. The attackers sold the BTC generated, driving Mt. Gox BTC prices down to cents. They then purchased the cheap BTC with their own accounts and withdrew the money. Some additional money was stolen by non-attacking traders capitalizing on the dropping price and withdrawing in time, including toasty, a member of BitcoinTalk.

Mt. Gox resolved the hack by reverting trades to a previous version. Many customers claim they have lost money from this reversion, but Mt. Gox claims it has reimbursed all customers fully for this theft. After the incident, Mt. Gox shut down for several days.[10]

The event’s scale was widely disputed; some report a theft of almost 500000 BTC due to related account hacking. However, these reports are sparse and disreputable. Closer inspection puts the losses at closer to 2500 BTC.

Aside from the direct damages of the theft, the hack involved a database leak. Some weaker passwords were used to conduct the relatively more severe Mass MyBitcoin Thefts.

https://bitcointalk.org/index.php?topic=576337#post_june_2011_mt_gox_incident (June 19, 2011)

https://bitcointalk.org/index.php?topic=20207.0 (June 20, 2011)
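The Mt. Gox hack above did not create real bitcoins; it created unbacked ledger balances through an administrator account, which were then sold on the order book and withdrawn. As an added illustration (not Mt. Gox's or any exchange's code), this Python reconciles a custodial ledger against hot and cold reserves and flags credits that no on-chain deposit backs, the check that would have exposed the generated balances; the ledger entries, account names and txids are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class LedgerEntry:
    account: str
    amount: Decimal             # BTC; positive credits the customer, negative debits
    kind: str                   # "deposit" | "withdrawal" | "trade" | "admin_adjust"
    txid: Optional[str] = None  # confirmed on-chain transaction for deposits/withdrawals


def balances(entries: List[LedgerEntry]) -> Dict[str, Decimal]:
    out: Dict[str, Decimal] = {}
    for e in entries:
        out[e.account] = out.get(e.account, Decimal(0)) + e.amount
    return out


def unbacked_credits(entries: List[LedgerEntry]) -> List[LedgerEntry]:
    """Credits that raise a customer's BTC balance without a confirmed deposit behind
    them. Trades are excluded because they settle internally (see trades_net_zero)."""
    return [e for e in entries if e.amount > 0 and e.kind != "trade" and e.txid is None]


def trades_net_zero(entries: List[LedgerEntry]) -> bool:
    """Every trade moves BTC from one customer to another, so the BTC legs must sum to 0;
    a non-zero sum means the matching engine itself minted or destroyed balance."""
    return sum((e.amount for e in entries if e.kind == "trade"), Decimal(0)) == 0


def solvency_report(entries: List[LedgerEntry], hot_wallet_btc: str, cold_wallet_btc: str) -> dict:
    """Compare what customers are owed with what the exchange actually holds on-chain."""
    reserves = Decimal(hot_wallet_btc) + Decimal(cold_wallet_btc)
    liabilities = sum(balances(entries).values(), Decimal(0))
    return {
        "reserves": reserves,
        "liabilities": liabilities,
        "shortfall": max(liabilities - reserves, Decimal(0)),
        "unbacked_credits": [(e.account, e.amount) for e in unbacked_credits(entries)],
        "trades_net_zero": trades_net_zero(entries),
    }


# Constructed sample ledger (txids are placeholders, not real transactions).
SAMPLE_LEDGER = [
    LedgerEntry("alice", Decimal("10"), "deposit", txid="<constructed-txid-1>"),
    LedgerEntry("bob", Decimal("5"), "deposit", txid="<constructed-txid-2>"),
    # the abused admin account credits 100000 BTC that were never deposited
    LedgerEntry("attacker", Decimal("100000"), "admin_adjust"),
    # attacker dumps half of it on the order book; carol buys it for cents
    LedgerEntry("attacker", Decimal("-50000"), "trade"),
    LedgerEntry("carol", Decimal("50000"), "trade"),
    # carol withdraws a little before trading is halted
    LedgerEntry("carol", Decimal("-2"), "withdrawal", txid="<constructed-txid-3>"),
]

if __name__ == "__main__":
    # 15 BTC were deposited and 2 withdrawn, so 13 BTC actually sit in the exchange's wallets.
    report = solvency_report(SAMPLE_LEDGER, hot_wallet_btc="13", cold_wallet_btc="0")
    for key, value in report.items():
        print(f"{key}: {value}")
```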

[1.28] Mooncoin Theft (Sep 11, 2011)

During the waning months of 2011, numerous alternative cryptocurrencies boomed, in part fuelled by Bitcoin’s poor performance following the 2011 bubble. Exchanges such as Moonco.in were set up to capitalize on this alternative cryptocurrency boom. Suddenly, Mr. Moon disappeared. It is not known where the funds went.

At the time, SolidCoin was considered to be the most successful alternative cryptocurrency bar Bitcoin itself, though its success was short-lived. Moonco.in’s hack had a devastating impact on that currency, with over 800000 SC removed from circulation, only to have been put back through SolidCoin 2.0. The effects on Bitcoin were also substantial, with an estimated 4000 BTC lost, and the effect on Namecoin (another alternative cryptocurrency that was among the largest at that time) was not negligible.

https://bitcointalk.org/index.php?topic=576337#post_mooncoin_theft (Sep 11, 2011)

http://pastie.org/2544332 (Sep 16, 2011)

http://www.reddit.com/r/Bitcoin/comments/khv6v/mooncoin_was_hacked_the_database_has_been_leaked/ (Sep 16, 2011)

[1.29] Betcoin Theft (April 11, 2012)

Similar to the Mooncoin Theft a year ago, and just as devastating, a gambling website’s customers lost a large amount of money. This time, the owner took just as large a hit: all the deposits, plus non-live storage, were stolen. 2900 BTC remains to be refunded to creditors today.[28]

https://bitcointalk.org/index.php?topic=576337#post_betcoin_theft (April 11, 2012)

https://bitcointalk.org/index.php?topic=82100.0 (May 17, 2012)

2012 50BTC Theft

The 50BTC mining pool suffered a hack of the billing software in late 2012. They were unable to identify the vulnerability. After the incident, 50BTC completely rewrote the billing software.[46]

https://bitcointalk.org/index.php?topic=576337#post_t2012_50_btc_theft (Oct 13, 2012)

[1.30] Bitcoin Auction Site Puts Itself Up for Sale After Theft of 15 Bitcoins (April 26, 2013)

Another day, another bitcoin-related story of a hacking intrusion and BTC theft.

According to people that have provided documentation to CoinDesk, as well as information posted on the Bitcointalk forum, the auction site Bitmit had 15 BTC stolen, after the server was accessed by an employee of their hosting company without authorization.

This theft, along with the effort and responsibility of securing an auction site that has escrow functionality, were the two largest factors in Bitmit announcing that it is being sold.

And although 15 BTC does not sound like a large number, at current CoinDesk Bitcoin Price Index (BPI) values, that’s almost $10,000.

Bitmit, known as the ‘eBay of bitcoin’, has had a string of setbacks since its inception. After the theft the site has remained online, albeit with the header “Bitmit is going to be sold. Please complete your orders and withdraw your funds asap!”

“We are planning to let another company take over Bitmit. Meanwhile we deactivated the site to let you withdraw your funds & complete your orders. The chances are good that Bitmit will be continued.”

http://www.coindesk.com/bitmit-bitcoin-auction-sale-after-theft/ (Nov 21, 2013)

https://bitcointalk.org/index.php?topic=339195.0 (Nov 19, 2013)

Hackers hit Bitcoin Central exchange

European bitcoin exchange Bitcoin Central has suspended its service temporarily, after it was hacked last week.

Bitcoin Central’s website said a few hundred bitcoins had been stolen from a hot wallet after an intruder managed to reset the password for its hosting provider’s web interface, locking the exchange out of its own site. The attacker then requested a reboot of the exchange’s machine, in rescue mode.

“Using this, the attacker copied our hot wallet and sent away what was present,” Bitcoin Central’s website said.

The exchange has promised to cover its users’ losses.

http://www.coindesk.com/hackers-hit-bitcoin-central-exchange/ (April 26, 2013)

[1.31] Full Disclosure: Coinbase design allows for mass, targeted phishing of its users. (March 31, 2014)

http://blog.shubh.am/full-disclosure-coinbase-security/ (March 31, 2014)

[1.32] Bitstamp Claims $5 Million Lost in Hot Wallet Hack

Bitstamp has released a new statement regarding the security of its website, admitting that it has lost “less than 19,000 BTC”, about $5.1m at press time.

The revelation follows the disclosure that Bitstamp’s wallet system was compromised, prompting it to halt deposits and later shut down its platform entirely.

According to the statement, an undisclosed number of wallets were compromised and upon learning of the breach, the Bitstamp team issued warnings about deposits and moved to suspend operations. Bitstamp CEO Nejc Kodrič said that all other funds held by the bitcoin exchange are secure in cold storage, stating:

“This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are are held in secure offline cold storage systems. We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full.”

http://www.coindesk.com/bitstamp-claims-roughly-19000-btc-lost-hot-wallet-hack/ (Jan 5, 2015)

Analysis: Bitstamp Hacker Almost Stole Additional $1.75 Million

Bitstamp narrowly avoided losing an additional $1.75m in bitcoin during its recent hack, according to a blockchain analysis by an independent researcher.

In the final hours of a $5.1m heist that took place at the exchange five days ago, the $1.75m in bitcoin was quickly moved to an address thought to be used for cold storage by Bitstamp, analyst Danno Ferrin has found.

CoinDesk can confirm that the address in question was controlled by Bitstamp as recently as 2nd December. The firm’s chief executive, Nejc Kodric, said at the time that the address was being used during an audit. While the CEO said the data was to be made public in the week of 8th December, the exchange hasn’t published any audit results since 24th May.

Ferrin, who publishes his blockchain analysis at his blog CryptoCrumb, said the rescued funds likely came from the hundreds of addresses the exchange used to accept customer deposits. Those addresses appear to form the ‘operational wallet’ Bitstamp said was compromised on 4th January, leading to a heist of the $5.1m.

http://www.coindesk.com/analysis-bitstamp-hacker-stolen-additional-1-75-million/ (Jan 9, 2015)

http://www.coindesk.com/bitcoin-exchange-bitstamp-resumes-services/ (Jan 9, 2015)


2. Mining resources theft

(Bitcoin mining malware, illegal use of machines, theft of mining traffic)

Case studies:

2.1. Lecpetex miner botnet (Facebook) (July 9, 2014)

2.2. Synology Dogecoins miner worm (SecureWorks, SANS) (March 31, 2014)

2.3. Iowa State University mining campaign (April 23, 2014)

2.4. Darlloz miner (Symantec) (March 24, 2014)

2.5. WatchDogs trojaned miner (GameCrastinate) (May 26, 2014)

2.6. BadLepricon miner (Lookout) (April 24, 2014)

2.7. Songs and Prized Android app miner (Trend Micro) (March 27, 2014)

2.8. jhProtominer (Emsisoft) ransomware and miner (Feb 10, 2014)

2.9. CryptoLocker (AVG, UK National Cyber Crime Unit) ransomware and miner (Oct 19, 2013)

2.10. ‘Sefnit’ bitcoin mining botnet (Microsoft) (Jan 22, 2014)

2.11. Yahoo malvertising incident, spread bitcoin miner malware (Light Cyber) (Jan 8, 2014)

2.12. German BKA arrest (Oct 2, 2013)

2.13. 19 IPS compromise to steal mining traffic (Aug 8, 2014)

2.14. London student misuses university computers (March 3, 2014)

2.15. Litecoin miners steal Amazon accounts (Dec 20, 2013)

2.16. “Potentially Unwanted Programs” (PUPs) mining coins (Dec 4, 2013)

2.17. E-Sports Entertainment embeds miners into games (Nov 20, 2013)


2.A. McAfee: ‘Futile’ Mining Botnets Are Going Mainstream

2.B. Symantec: Why ZeroAccess botnet stopped bitcoin mining

[2.1] Facebook Breaks Up Cryptocurrency Mining Botnet ‘Lecpetex’ (July 9, 2014)

Facebook has successfully dismantled a major bitcoin botnet operated by a small team of cyber criminals based in Greece.

The Lecpetex botnet managed to infect 250,000 computers. At its peak it compromised as many as 50,000 Facebook accounts.

Lecpetex propagated through the social media platform using spam messages with malicious code inserted into zipped attachments.

Each zip archive contained an embedded Java file that would download and install a litecoin miner. It would also steal cookies and gain access to the victim’s friend list, using it to send out even more spam.

However, mining was not its only function. The botnet was also used to distribute more dangerous malware designed to steal banking details, passwords and bitcoins.

My big fat Greek botnet

Facebook detected the Lecpetex botnet months ago and it is believed that it first started spreading in December.

The social media giant says it tracked more than 20 distinct waves of spam sent out by the botnet between December 2013 and June 2014.

http://www.coindesk.com/facebook-breaks-cryptocurrency-mining-botnet-lecpetex/ (July 9, 2014)

[2.2] 500 Million Dogecoins Mined by Unknown Hacker in Malware Attack (March 31, 2014)

An unknown hacker has reaped an estimated 500 million dogecoins — worth nearly $200,000 at today’s prices — by hacking into a series of data storage hubs for computer networks, according to SecureWorks, an information services subsidiary of personal computing giant Dell.

The SecureWorks report revealed that the hacker targeted network attached storage (NAS) boxes made by Taiwan-based Synology Inc. and used its computing power to mine dogecoin through a private pool. The action caused problems for Synology’s customers, some of whom reported poor performance on Facebook in February.

SecureWorks called the months-long intrusion unprecedented, saying:

“To date, this incident is the single most profitable, illegitimate mining operation.”

http://www.coindesk.com/500-million-dogecoin-mined-hacker-malware-attack/ (June 17, 2014)

How Unsuspecting Homeowners Helped Hackers Mine 500 Million Dogecoins

New details have emerged regarding the illicit mining of roughly half a billion dogecoins in the winter and early spring of 2014, which mainly targeted unsuspecting homeowners and may have affected thousands of customers of Taiwan-based manufacturer Synology.

Earlier this week it came to light that an as-yet unidentified hacker or hackers gained administrator access to network attached storage (NAS) servers sold by Synology. This resulted in the creation of roughly 500 million dogecoins over a several month-long period, with activity peaking in February.

The malware attempt first came to the company’s attention in September, prompting a quick response and the development of a software fix within four days of initial discovery. A follow-up fix was announced in February. However, some customers failed to update their NAS servers. As a result, those involved with the hack were able to exploit security vulnerabilities and create a botnet that mined bitcoin and dogecoin.

Many of the customers involved were homeowners who largely remained unaware of the problem until it had already been addressed by Synology. Thadd Weil, public relations specialist for Synology America Corp., told CoinDesk that the event was the first time that a digital currency-focused cyber attack successfully impacted their customers.

However, he said that attempts to do so have happened before and are likely to take place again, stating:

“We’ve become a target, because we’re one of the names in network attached storage. As such, nefarious people have been aiming their guns at us since the end of last year, most particularly. We’ve been releasing operating system updates frequently [as a result].”

http://www.coindesk.com/how-homeowners-helped-hackers-500-million-dogecoins/ (June 19, 2014)

More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!)

Update: Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries: D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looks like a simpler http agent, maybe to download additional tools easily (similar to curl/wget which isn’t installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ).

Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) .

The malware resides in /dev/cmd.so. A number of additional suspect files were located in the /dev directory which we still need to recover / analyze from the test system. The compromise of the DVR likely happened via an exposed telnet port and a default root password (12345).

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.

- The malware scans for Synology devices exposed on port 5000. The http request sent by the malware:

https://isc.sans.edu/diary/More+Device+Malware%3A+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+%28and+now+with+Bitcoin+Miner%21%29/17879 (March 31, 2014)

Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever

Here’s something we haven’t seen before: security camera recorders hacked and used to mine bitcoin.

The issue was first reported by Johannes Ullrich, an instructor at the SANS Technology Institute — a computer security training organization. Last Friday, he discovered malicious software infecting the Hikvision DVRs used to record video from security cameras. The malware jumps from device to device, trying to infect any other machines it can find on the network. But it also tries to earn a little scratch for its creators by mining bitcoins, a processor-intensive activity that would probably slow down any infected DVR.

Though this is a novel method, it’s hardly the first time hackers have tried to bust their way into other people’s hardware in order to make some bitcoin, the popular digital currency. The bitcoin system is run by independent machines spread across the globe, and if you contribute processing power to the system, you receive some bitcoin in return. This is called mining, and hackers often seek to mine using any machines they can gain control of — including security camera DVRs.

http://www.wired.com/2014/04/hikvision/ (April 1, 2014)

[2.3] Iowa State University Hit by Bitcoin Mining Malware (April 23, 2014)

The Iowa State University has suffered a massive security breach which compromised the security of student data and attempted to mine bitcoin.

The University says the compromised servers contained social security numbers of 29,780 students enrolled between 1995 and 2012.

However, there is no indication that any of the files were accessed. No financial information was stored in the student records and further investigation led the university to conclude that personal information was not the target.

“The servers were hacked by an unknown person or persons seeking to generate enough computing power to create a type of digital money known as bitcoins,” the university said in a statement.

http://www.coindesk.com/iowa-state-university-hit-bitcoin-mining-malware/ (April 23, 2014)

[2.4] Linux Malware Evolves to Mine Cryptocurrencies (March 24, 2014)

While cryptocurrency mining malware has generally been targeted at PCs running the Windows OS, owners of Linux-based machines are now experiencing a taste of malware misery too.

Computer security company Symantec has identified a new version of an old worm that has been going after Linux-based routers and set-top boxes for some time.

The Darlloz worm, as it is called, has evolved to attack Linux desktops and to press them into service as unwilling cryptocurrency miners, IDG News Service reports.

Darlloz is a rather unusual piece of malware, as it was originally developed to wreak havoc on embedded device architectures — computer systems within mechanical devices, such as printers.

In its latest incarnation, however, the coin-mining worm seeks out Intel-based computers running Linux, installs the ‘cpuminer’ program and sets the PC to mining for either dogecoins or mincoins.

Attractive altcoins

Since bitcoin can no longer be effectively mined by personal computers, the developers of the Darlloz worm sensibly opted for scrypt mining instead. Scrypt is the ‘proof of work’ algorithm used by many altcoins, such as litecoin and dogecoin, whereas bitcoin uses SHA-256.

Symantec researcher Kaoru Hayashi said scrypt-based altcoins can still be successfully mined on standard PCs, hence malicious developers now find them a more attractive proposition than bitcoin.

Fortunately, the worm appears to be propagating slowly and it is not doing much damage. Hayashi cited one attacker who used Darlloz to mine 42,438 dogecoins and 282 mincoins, with a combined value of less than $200.

However, Hayashi cautioned that the situation could get worse:

“These amounts are relatively low for the average cybercrime activity, so we expect the attacker to continue to evolve their threat for increased monetization.”

http://www.coindesk.com/linux-malware-evolves-mine-cryptocurrencies/ (March 24, 2014)
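The scrypt-versus-SHA-256 distinction in the article above is the reason Darlloz mined dogecoin and mincoin rather than bitcoin. As an added example (not Symantec's or any coin's reference code), the Python below computes both proof-of-work hashes for an 80-byte block header, expands the header's compact target, and reports which algorithm, if either, the header satisfies, using the public Bitcoin genesis header as input; `expected_hashes` shows why even a difficulty-1 SHA-256d block already costs about 4.3 billion hash attempts, far beyond what a CPU earns in practice.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's proof-of-work hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def scrypt_pow(header: bytes) -> bytes:
    """Litecoin/Dogecoin proof-of-work: scrypt(N=1024, r=1, p=1) over the header, with the
    header itself as salt. N=1024 touches about 128 KiB of memory per hash, which is what
    kept it CPU-friendly (and GPU/ASIC-hostile) at the time of the article."""
    return hashlib.scrypt(header, salt=header, n=1024, r=1, p=1, dklen=32)


def target_from_bits(bits: int) -> int:
    """Expand the compact 'bits' field of a header into the full 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_bits(header: bytes) -> int:
    # bytes 72..75 of the 80-byte header hold 'bits', little-endian
    return int.from_bytes(header[72:76], "little")


def meets_target(pow_hash: bytes, bits: int) -> bool:
    # The 32-byte hash is read as a little-endian integer and must not exceed the target.
    return int.from_bytes(pow_hash, "little") <= target_from_bits(bits)


def expected_hashes(bits: int) -> float:
    """Average number of hash attempts needed to land at or below the target."""
    return 2 ** 256 / (target_from_bits(bits) + 1)


def classify_pow(header: bytes) -> str:
    """Which proof-of-work does this header satisfy at its own target: sha256d, scrypt or none?"""
    bits = header_bits(header)
    if meets_target(sha256d(header), bits):
        return "sha256d"
    if meets_target(scrypt_pow(header), bits):
        return "scrypt"
    return "none"


# Bitcoin genesis block header (public data): version 1, zero previous hash, merkle root,
# time 1231006505, bits 0x1d00ffff, nonce 2083236893, all fields little-endian.
BITCOIN_GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)

if __name__ == "__main__":
    print("sha256d :", sha256d(BITCOIN_GENESIS_HEADER)[::-1].hex())
    print("scrypt  :", scrypt_pow(BITCOIN_GENESIS_HEADER)[::-1].hex())
    print("satisfies:", classify_pow(BITCOIN_GENESIS_HEADER))          # sha256d
    print("hashes per difficulty-1 block: %.3g" % expected_hashes(0x1d00ffff))
```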

[2.5] ‘Watch Dogs’ Game Torrent May Be Infected with Crypto Mining Malware (May 26, 2014)

Hackers may have started employing a clever tactic in an effort to enlist powerful PCs into cryptocurrency mining botnets.

According to GameCrastinate, a game torrent is installing bitcoin mining malware on the computers of thousands of unsuspecting users. The torrent in question is Watch Dogs, an upcoming AAA title from Ubisoft, which is scheduled to officially launch tomorrow, 27th May.

However, the reports have been questioned by some gamers who claim that they downloaded the same torrent — with no bitcoin mining malware in tow. Of course, this does not mean that the torrent is safe, as some users may have evaded infection through other means.

If it is true, the new approach is a clever one, as it makes life easier for botnet operators on more than one level.

http://www.coindesk.com/watch-dogs-game-torrent-may-infected-crypto-mining-malware/ (May 26, 2014)

[2.6] Google Pulls Five Mobile Wallpaper Apps Due to Bitcoin Mining Malware (April 24, 2014)

Lookout, a mobile security startup based in San Francisco, has identified a new type of bitcoin mining malware that targets mobile devices. Dubbed ‘BadLepricon’, the malware represents a more sophisticated type of mining malware attack than previously seen.

The malware was designed to be delivered via a wallpaper app. Lookout identified five separate apps that contained BadLepricon, and Google removed the apps soon after being contacted by the mobile security firm.

The company announced the discovery in a 24th April blog post, citing the specifics of the malware.

CoinDesk spoke with Michael Bentley, head of Lookout’s research and response team, who said that the malware presents a new level of sophistication not normally seen in this type of cyberattack, adding that the malware writer knew what he or she was doing.

Said Bentley:

“When [malware authors] are looking into protecting the phone, making sure certain conditions exist, and making sure you’re participating in a pool, it tells us that they are a more experienced developer.”

http://www.coindesk.com/google-pulls-six-mobile-wallpaper-apps-bitcoin-mining-malware/ (April 24, 2014)

[2.7] Mining Malware Infects Mobile Market via Google Play Apps (March 27, 2014)

Cryptocurrency mining malware for PC platforms has been around for a while, but now it has gone mobile, specifically via the Android OS.

A team of security researchers from Trend Micro has managed to identify two apps that can use your Android device to mine litecoin and dogecoin.

The apps in question are called Songs and Prized, and both are available from the Google Play Store. Songs has between one and five million downloads so far, while Prized has 10,000 to 50,000 downloads.

This is not the first case of mining malware targeting new and unusual platforms. Linux recently got what was likely its first taste of mining malware with the Darlloz worm.

The Android ecosystem is quite a bit bigger, but targeting it is rather pointless from a mining point of view because the hardware simply isn’t up to the job.

Malware to the moon

The researchers identified the malware as ANDROIDOS_KAGECOIN.HBT, which has previously been found in repackaged copies of several popular apps, including Football Manager Handheld and TuneIn Radio.

The apps were injected with CPU mining code from a legitimate Android mining app, based on cpuminer. This time around the malware was found on Google Play apps, rather than repackaged apps from third-party app stores.

Google’s hands-off approach to app vetting (or lack thereof) will probably be blamed for the mess, but in all fairness this would not be the first time a big tech firm was used to spread cryptocurrency malware.

On New Year’s Eve, Yahoo’s European servers were piggybacked to spread mining malware to a large number of PCs, but the attack appears to have been limited and relatively unsuccessful.

Once installed, this strain launched CPUminer and connected to a dynamic domain, where it was redirected to an anonymous dogecoin mining pool.

Trend Micro said:

“By February 17, his network of mobile miners has earned him thousands of dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool.”

http://www.coindesk.com/mining-malware-infects-mobile-market-via-google-play-apps/ (March 27, 2014)
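The cases above share one observable: once installed, the miner connects to a pool, and cpuminer and most pools speak Stratum, a newline-delimited JSON-RPC protocol whose method names (mining.subscribe, mining.authorize, mining.notify) are easy to spot on the wire. The following Python is an added example, not code from the CoinDesk articles or the panel, that flags hosts completing that handshake in captured traffic; the capture format and the addresses are constructed.

```python
"""Flag hosts that complete a Stratum mining handshake in captured traffic.

Stratum, spoken by cpuminer and by most pools, is newline-delimited JSON-RPC:
the miner sends mining.subscribe and mining.authorize, and the pool answers
with mining.set_difficulty and mining.notify. A workstation that exchanges
these messages is running a miner, whatever the binary is called.
"""
import json
from collections import defaultdict

# Method names defined by the Stratum protocol.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
SERVER_METHODS = {"mining.notify", "mining.set_difficulty"}

# Constructed sample capture, one TCP payload per line:
# "<timestamp> <src[:port]> <dst[:port]> <payload>" (documentation address ranges)
SAMPLE_LOG = """\
2014-03-27T10:00:01 10.0.0.5 203.0.113.10:3333 {"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}
2014-03-27T10:00:01 203.0.113.10:3333 10.0.0.5 {"id": 1, "result": [[["mining.notify", "ae6812eb"]], "08000002", 4], "error": null}
2014-03-27T10:00:02 10.0.0.5 203.0.113.10:3333 {"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}
2014-03-27T10:00:02 203.0.113.10:3333 10.0.0.5 {"id": null, "method": "mining.set_difficulty", "params": [2]}
2014-03-27T10:00:03 10.0.0.7 198.51.100.4:443 {"jsonrpc": "2.0", "method": "getUser", "params": {"id": 7}, "id": 9}
2014-03-27T10:00:04 10.0.0.9 198.51.100.8:80 GET /index.html HTTP/1.1
"""


def parse_line(line):
    """Split one capture line into (src_host, dst_host, payload), dropping ports."""
    _ts, src, dst, payload = line.split(" ", 3)
    return src.split(":")[0], dst.split(":")[0], payload


def stratum_method(payload):
    """Return the method name if the payload is a Stratum JSON-RPC message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in CLIENT_METHODS or method in SERVER_METHODS:
        return method
    return None


def find_mining_hosts(log_text):
    """Return {host: {"methods": set(), "pools": set()}} for hosts talking Stratum.

    Client methods are attributed to the sender and server methods to the
    receiver, so the pool itself never shows up as a "mining host".
    """
    seen = defaultdict(lambda: {"methods": set(), "pools": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, payload = parse_line(line)
        method = stratum_method(payload)
        if method is None:
            continue
        if method in CLIENT_METHODS:
            seen[src]["methods"].add(method)
            seen[src]["pools"].add(dst)
        else:
            seen[dst]["methods"].add(method)
            seen[dst]["pools"].add(src)
    return dict(seen)


def mining_alerts(log_text):
    """Return sorted (host, pool) pairs where the host completed subscribe + authorize."""
    alerts = []
    for host, info in find_mining_hosts(log_text).items():
        if {"mining.subscribe", "mining.authorize"} <= info["methods"]:
            for pool in sorted(info["pools"]):
                alerts.append((host, pool))
    return sorted(alerts)


if __name__ == "__main__":
    for host, pool in mining_alerts(SAMPLE_LOG):
        print(f"{host} is mining via pool {pool}")
```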

[2.8] Malware Uses Victims’ Machines to Mine Bitcoin Until Ransom is Paid (Feb 10, 2014)

A new Trojan has been discovered by Emsisoft, producer of PC security software. This is no garden-variety Trojan, however; it is a curious hybrid of bitcoin-mining malware and ransomware.

Whereas most ransomware directly attacks your PC or encrypts files stored on its drives, ‘Trojan-Ransom.Win32.Linkup’ blocks internet access by modifying your DNS and turns your computer into a bitcoin-mining bot at the same time.

Luckily, it shouldn’t be hard to spot when your system has been infected. ‘Linkup’ blocks all internet access bar a bogus Council of Europe website, which will demand personal information and a ‘payment method’ (read ‘ransom’) to unblock your access. Needless to say the Council of Europe has absolutely nothing to do with your internet access and you should not pay anything or enter personal details to regain your service.

In addition to messing around with the DNS, Linkup can also link up to a remote server and pressgang your PC into service as a bitcoin-mining bot. This is carried out via a downloader called ‘pts2.exe’, which extracts a second file, named ‘j.exe’, onto your computer. This is, in fact, a popular piece of mining software called ‘jhProtominer’.

The damage that is likely to be inflicted by the Trojan is limited. jhProtominer only works on 64-bit operating systems, but, even so, that still leaves plenty of computers around the globe to infect.

http://www.coindesk.com/malware-mines-bitcoins-until-ransom-paid/ (Feb 10, 2014)

[2.9] CryptoLocker malware demands bitcoin ransom (Oct 19, 2013)

A piece of malware is currently terrorising computer users by encrypting their data and charging a ransom — in fiat currency or bitcoins — to decrypt the information.

Called CryptoLocker, the ransom malware is contained within phishing emails, so it infects a user’s computer when they open an attachment in one of these messages.

Yuval Ben-Itzhak, CTO at security software company AVG, said: “Ransom malware has been around in different variations since the early 1990’s.”

He went on to explain that a victim of the malware would typically receive an email that pretends to be from a well-known brand such as Fedex, UPS and DHS and claims to be related to a customer support issue.

“The email would have a zip file attachment which contains the executable code for the malware disguised as a PDF file. If the user clicks on this PDF icon, it infects the computer as soon as it opens,” Ben-Itzhak added.

Once a computer is infected, a message is displayed on the screen, stating: “To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”

Users are given a choice of payment method, but CryptoLocker describes bitcoin as the “most cheap option” and asks for 2 BTC.

http://www.coindesk.com/cryptolocker-malware-demands-bitcoin-ransom/ (Oct 19, 2013)

Tens of Millions in the UK May Be Targeted by CryptoLocker Bitcoin Ransomware

The UK’s crime agency released an alert today after a flood of spam swept the country promoting bitcoin ransomware scourge CryptoLocker.

The National Cyber Crime Unit predicted that emails would hit tens of millions of UK customers, and that they were targeting small to medium-sized businesses in particular. “This spamming event is assessed as a significant risk,” it said.

Discovered last month, CryptoLocker is distributed by email. It includes a ZIP file attachment that infects a victim’s computer, encrypting their files, and then demands a ransom of 2 bitcoins. That will see people paying almost £500 to get their files back. It’s likely, however, that victims at this point will choose to pay in fiat currency, which is also an option. Reports indicate that this costs $300.

CryptoLocker has become more sophisticated over the last few weeks. The perpetrators have created a Tor-shielded web site that enables victims to redownload the private keys necessary to unlock their files, rather than sending bitcoin or MoneyPak payments. It also offers a ‘second chance’ option to download their files. The software originally warned that files would be unrecoverable after 72 hours. Now, the site simply increases the ransom to 10 BTC, and the option to pay with fiat via MoneyPak is removed.

http://www.coindesk.com/tens-millions-uk-may-targeted-cryptolocker-bitcoin-ransomware-gang/ (Nov 15, 2013)
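The CryptoLocker lure described in both reports, an executable inside a ZIP attachment disguised as a PDF, can be caught at the mail gateway without running anything. The Python below is an added example, not from the articles, that checks each ZIP member's extension chain and its real magic bytes against what the name claims; the sample attachment is constructed in memory.

```python
"""Inspect a zip attachment for executables disguised as documents.

The lure is a zip whose member is an executable shown with a PDF icon.
Two cheap checks catch it without executing anything: the member's extension
chain (invoice.pdf.exe) and the file's real magic bytes (MZ for a Windows
executable, %PDF for a real PDF) compared against what the name claims.
"""
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAGIC = {b"MZ": "windows-executable", b"%PDF": "pdf"}


def sniff(head):
    """Identify the content type from its first bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def extensions(name):
    """Return the lower-cased extension chain of a member name, e.g. ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip(zip_bytes):
    """Return (member_name, reason) findings for suspicious members of an in-memory zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as member:
                kind = sniff(member.read(8))  # only the header is read, never executed
            if last in EXECUTABLE_EXT:
                findings.append((info.filename, f"executable extension {last}"))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
                findings.append((info.filename, f"document extension {exts[-2]} masks {last}"))
            if kind == "windows-executable" and last not in EXECUTABLE_EXT:
                claimed = last or "no extension"
                findings.append((info.filename, f"content is a Windows executable, name claims {claimed}"))
    return findings


def build_sample_zip():
    """Build a constructed attachment: one lure, one renamed executable, one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # DOS header only; not a runnable program
        zf.writestr("Invoice_2013.pdf.exe", fake_exe)
        zf.writestr("notes.pdf", fake_exe)
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```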

[2.10] Microsoft Destroys Bitcoin Mining Botnet Sefnit (Jan 22, 2014)

Microsoft has gone on the offensive against the ‘Sefnit’ botnet and it has remotely removed Sefnit from many computers. But, contrary to our original report, it left the Tor clients behind.

Sefnit is a curious form of Tor-based malware that managed to infect millions of computers and turn them into zombies for click fraud and bitcoin mining.

It was first detected last summer, after the Tor Project noticed a 600% increase in Tor use. The spike coincided with the highly publicised revelations about NSA’s snooping programmes, namely Prism.

However, privacy concerns and paranoia had nothing to do with the surge. In September it became evident that the cause of the massive increase in Tor users had nothing to do with the NSA and whistleblower Edward Snowden: the culprit was Sefnit.

http://www.coindesk.com/microsoft-destroys-bitcoin-mining-botnet-sefnit/ (Jan 22, 2014)

[2.11] Yahoo Infects 2 Million European PCs with Bitcoin Malware (Jan 8, 2014)

For four days last week Yahoo’s European servers were the equivalent of a cyber Typhoid Mary, spreading disease to anyone who came near. Yahoo was the victim of a major security breach, which caused its servers to send out millions of malware-laden ads to an estimated two million European users.

Suspicions were first raised by Dutch security outfit Fox IT, which estimated that Yahoo’s servers were responsible for 27,000 malware infections every hour the malware was live on Yahoo’s website.

Yahoo confirmed the embarrassing attack in a statement:

“From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines — specifically, they spread malware.”

The statement went on to point out that mobile users and Mac users were not affected, as the malware apparently targeted Windows systems, The Guardian reports.

http://www.coindesk.com/yahoo-infects-2-million-european-pcs-bitcoin-malware/ (Jan 8, 2014)

[A] McAfee Report: ‘Futile’ Mining Botnets Are Going Mainstream

Security firm McAfee has issued its latest quarterly threat report, focusing on a wide range of emerging technology security risks, including mobile malware disseminated by Flappy Bird clones and dangerous rootkits.

The June 2014 edition of the McAfee Labs Threats Report is the first time McAfee has taken an in-depth look at cryptocurrency mining botnets.

McAfee reports seeing numerous botnets with various levels of mining functionality, but goes on to say that, even if the cost of power and hardware is taken out of the equation, mining major cryptocurrencies on infected PCs simply isn’t a worthwhile pursuit and is already effectively obsolete:

“The difficulty level of common mining algorithms and the nonspecialized hardware that the malware infects make this a futile effort.”

http://www.coindesk.com/mcafee-report-futile-mining-botnets-going-mainstream/ (June 24, 2014)

[2.12] German Police Detain ‘Bitcoin Mining Hackers’ (Oct 2, 2013)

German police have detained two people suspected of hacking into computer networks and using them to mine over €700,000 worth of bitcoins. Three suspects face organised computer fraud and commercial fraud charges, according to the public prosecutor’s office in Kempten.

Two of the suspects were arrested Monday night in a raid by GSG-9, the German federal counter-terrorism unit. The raids were carried out in Bavaria and Lower Saxony, according to the Federal Criminal Police Office of Germany (BKA).

There was no arrest warrant against the third suspect, and it is somewhat unclear why federal authorities decided to employ a counter-terrorism unit to take down a handful of counterfeiters.

The group managed to create a bitcoin mining ‘botnet’ by modifying existing malware and letting it loose on the internet. The custom malware compromised several computer systems and gave them access to a powerful botnet. The malware also allowed the attackers to collect personal data from affected networks and computers.

BKA President Jorg Ziercke said the internet provides organised criminal groups with a new modus operandi that poses a great financial risk.

“In this case the perpetrators managed to generate virtual currency bitcoin through compromised computer systems. Digital currencies, like bitcoin, will be tracked by law enforcement agencies in the future. The relative anonymity of these currencies facilitates money laundering and minimizes risk of detection.”

http://www.coindesk.com/german-police-detain-bitcoin-hackers/ (Dec 5, 2013)

[B] Why ZeroAccess botnet stopped bitcoin mining

There have been several reports this week detailing how security firm Symantec took down a large portion of a bitcoin mining botnet called ZeroAccess. What few, if any, mention is that the bitcoin mining part of the botnet hasn’t been functional for almost six months, because the developers deliberately killed it. The question is, why?

ZeroAccess is a piece of malware that joins an infected computer to a large network of similarly compromised machines. They can then be controlled by a central administrator, commonly called a botherder, who then gets the machines to do his bidding.

Most botnets follow predictable criminal practices, using victims’ computers to send spam, or simply harvesting sensitive information on the infected machines, so that cybercriminals can use them to steal money. Others are used for click fraud, in which machines are made to click on profitable online links.

ZeroAccess was different, because it included a bitcoin mining module. The software used infected computers’ CPUs to mine for bitcoins, returning the profits to the botherders.

ZeroAccess isn’t a new botnet — Symantec first saw it in the summer of 2011, according to Vikram Thakur, a researcher with Symantec Security Response. The next major revision emerged a year later, with minor revisions found in between.

But something significant happened in April this year, he said, going on to explain:

“ZeroAccess deprecated the bitcoin mining module back in April 2013. The botnet harnessed the hashing power of all those bots until April 2013 and then pushed out an update which effectively removed the mining module. No mining has happened on the ZeroAccess network since then.”

http://www.coindesk.com/zeroaccess-botnet-stopped-bitcoin-mining/ (Oct 2, 2013)

[2.13] Hackers Reroute ISP Traffic to Steal $83k in Bitcoins (Aug 8, 2014)

Hackers have managed to reroute raw internet traffic from numerous internet service providers (ISPs) in an attempt to steal bitcoins.

Dell SecureWorks says it has identified a total of 19 ISPs affected. Data used by Amazon, DigitalOcean and OVH was compromised in the attack.

Each incident lasted just 30 seconds, but the hacker managed to carry out the attack 22 times over the course of four months. The ultimate goal was to seize control of bitcoin miners, organised in mining pools.

Stealing up to $9,000 a day

The attacks appear to have been successful. Dell SecureWorks reports that up to $9,000 in bitcoin and altcoins such as dogecoin was stolen per day.

During the attack, miners believed they were still mining for their pool, while the flow of cryptocurrency generated by their mining operations was redirected elsewhere. Researchers believe the culprits employed BGP hijacking to redirect the traffic, using spoofed commands to redirect traffic from ISPs.

The hackers used a staff user account belonging to a Canadian ISP, but the researchers do not know whether the hack was orchestrated by an ISP employee or someone from outside the company. A detailed description of the attack is available on the SecureWorks blog.

Researcher Pat Litke said this sort of attack can easily grab a “large collection of clients” in next to no time.

“It takes less than a minute, and you end up with a lot of mining traffic under your control,” he told Wired.

http://www.coindesk.com/hackers-reroute-isp-traffic-steal-bitcoins/ (Aug 8, 2014)
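An operator can detect the kind of redirection described above from the routing side: every BGP UPDATE for a prefix they care about should come from the origin AS they expect, and any more-specific slice of it is suspect because longest-prefix match diverts traffic regardless of who appears to originate it. The Python below is an added example, not from the SecureWorks write-up or the article; the prefix, ASNs and UPDATE records are constructed placeholders from documentation ranges.

```python
"""Alert on route announcements that would redirect traffic for a monitored prefix.

A hijack of the kind described above works by announcing a victim's prefix,
or a more-specific slice of it, from another origin so that ISPs forward the
pool's traffic to the attacker. An operator who knows which origin AS should
announce each prefix can check every observed UPDATE against that expectation.
"""
import ipaddress

# Constructed expectation: the mining pool's prefix and its legitimate origin AS
# (RFC 5737 documentation addresses, RFC 5398 documentation ASNs).
MONITORED = {"203.0.113.0/24": 64500}

# Constructed BGP UPDATE records as (prefix, AS_PATH); the origin AS is the last hop.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64496, 64500]),    # legitimate announcement
    ("203.0.113.0/25", [64496, 64510]),    # more-specific slice from another origin
    ("203.0.113.0/24", [64511, 64510]),    # same prefix, wrong origin
    ("203.0.113.0/26", [64496, 64500]),    # more-specific from the legitimate origin
    ("198.51.100.0/24", [64496, 64501]),   # unrelated prefix, ignored
]


def check_update(prefix, as_path, monitored=MONITORED):
    """Return an alert string for a suspicious announcement, or None if it is expected."""
    net = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]
    for mon_prefix, mon_asn in monitored.items():
        mon = ipaddress.ip_network(mon_prefix)
        if net == mon:
            if origin != mon_asn:
                return f"origin mismatch: {prefix} announced by AS{origin}, expected AS{mon_asn}"
            return None
        if net.version == mon.version and net.subnet_of(mon):
            # A more-specific wins longest-prefix match, so it diverts traffic even
            # when the origin looks legitimate; flag it and let the operator confirm.
            who = "legitimate origin" if origin == mon_asn else f"AS{origin}"
            return f"more-specific {prefix} inside {mon_prefix} announced by {who}"
    return None


def audit_updates(updates, monitored=MONITORED):
    """Run check_update over a batch and return only the alerts, in input order."""
    alerts = []
    for prefix, as_path in updates:
        alert = check_update(prefix, as_path, monitored)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in audit_updates(SAMPLE_UPDATES):
        print(alert)
```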

[2.14] London Student Mines Dogecoin With University’s Computers — They Don’t Know, Yet (March 3, 2014)

Each evening, ‘Felix’ sneaks into the computer suite at his university and starts up the machines. One by one, he runs a script on each computer and his ‘workers’ begin solving complex algorithms.

You wouldn’t know just by looking, but he’s making his own money — using his university’s computers to mine dogecoin.

Felix’s story mirrors that of a Harvard researcher who used his university’s supercomputer for dogecoin mining, earning himself a permanent ban from the computer and, presumably, a heck of a lot of coins in the process.

Like others who came onto the cryptocurrency scene late, Felix (not his real name), says he was gutted about “completely missing the bitcoin craze”. Mining dogecoin is his chance at getting on the gravy train while the price is low and riding it all the way to the moon — he hopes.

Dodging the IT department

After giving his laptop a shot at mining dogecoin before Christmas, he returned to his university, Imperial College London, after the holidays with a plan: he would use rows upon rows of university computers as his personal mining pool. So far he’s managed to sneak under the radar, he says:

“I’ve not had a single issue yet, so I’ve kept scaling up! It seems they don’t have anything set up to bring attention to the fact I’m maxing out the CPUs, which is nice.”

http://www.coindesk.com/london-student-mines-dogecoin-university-computers-dont-know/ (March 3, 2014)

[2.15] Online Thief Steals Amazon Account to Mine Litecoins in the Cloud (Dec 20, 2013)

Why bother installing CPU-mining malware on thousands of machines, when you can just break into someone’s Amazon cloud computing account and create a well-managed datacentre instead?

This week, a software developer discovered someone had done just that, and made off with a pile of litecoins on his dime.

Melbourne-based programmer Luke Chadwick got a nasty shock after receiving an email from Amazon. The firm told him that his Amazon Key (a security credential used to log on to Amazon Web services) had been found on one of his Github repositories.

http://www.coindesk.com/online-thief-steals-amazon-account-mine-litecoins-cloud/ (Dec 20, 2013)
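The Chadwick incident began with an AWS access key committed to a public GitHub repository, a mistake a pre-commit scan catches cheaply: access key IDs have a fixed shape and secret keys are 40-character tokens that sit beside a recognisable label. The Python below is an added example, not from the article; the sample files are constructed and use AWS's documented example key values rather than real credentials.

```python
"""Scan repository files for AWS credentials before they reach a public remote.

Access key IDs have a fixed shape (AKIA followed by 16 upper-case alphanumerics)
and secret keys are 40 base64-style characters that usually sit next to a label
such as aws_secret_access_key; both can be caught in a pre-commit hook.
"""
import re

# AWS access key IDs: the AKIA prefix followed by 16 characters.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret keys: a 40-character token following a secret-key label and = or :.
SECRET_KEY_RE = re.compile(
    r"(?:aws_?secret_?access_?key|secret)\W{0,5}?[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


def redact(value):
    """Keep the first four characters so a finding can be matched to a key, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return (path, line_no, kind, redacted_value) for every credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", redact(match.group(1))))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping (e.g. the files staged in a commit) and return all findings."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed staged files; the key values are AWS's documented example values
# (AKIAIOSFODNN7EXAMPLE and the matching example secret), not real credentials.
SAMPLE_FILES = {
    "config/aws.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy.py": 'conn = boto.connect_s3("AKIAIOSFODNN7EXAMPLE", os.environ["AWS_SECRET"])\n',
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell; never commit credentials.\n",
}


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} {value}")
```

A hook that exits non-zero when scan_files returns anything blocks the commit before the key can ever reach the remote.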

[2.16] Unsuspecting PC Users Duped into Mining Bitcoin by Malware (Dec 4, 2013)

It seems malicious actors will find a way to infiltrate a user’s system, no matter what. This is evident when one considers the allegations that bitcoin mining on unsuspecting users’ PCs is increasingly prevalent.

A new report released by anti-malware software company Malwarebytes addressed this issue. It found that a number of Windows-based software applications are now mining small amounts of bitcoin on many machines, unbeknownst to their users.

The post refers to “Potentially Unwanted Programs” (also known as ‘PUPs’), which are applications such as browser toolbars and search programs. Many of these display advertising and slow computers to an excruciatingly slow speed.

Many of these PUPs are inadvertently downloaded by users who are trying to install other programs. Often, users don’t realise that the other programs are being put on their PCs during the install process.

Many end user license agreements (EULAs) allow for subsidiary programs to be installed. In fact, Malwarebytes has found that some EULAs include an explicit right for software to perform functions that sound suspiciously like virtual currency mining activities:

“As part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.”

http://www.coindesk.com/unsuspecting-users-mining-bitcoin-malware/ (Dec 4, 2013)

[2.17] Gaming Company to Pay $1 Million for Secretly Using Customer Computers for Bitcoin Mining (Nov 20, 2013)

The New Jersey Attorney General’s office said on Tuesday (19th November) that it had reached a $1m settlement with New York-based gaming company E-Sports Entertainment, which admitted in April this year that it had experimented with injecting bitcoin mining code into its users’ computers.

Named in the settlement order as being responsible for the malicious code were E-Sports’ co-founder Eric Thunberg and software engineer Sean Hunczak, whose programming efforts reportedly allowed E-Sports employees “full administrative access to users’ computers” and allowed access to files, screen captures, mouse movements and monitor activity.

The software, which cost users $6.95 a month to use, watched their activity to see when they were active and what software they were using to take advantage of lulls in their GPU usage and mine for bitcoins.

During a two-week period back in April, the company reportedly mined a total of 29 bitcoins (currently valued at around $15,000), which they subsequently donated to the American Cancer Charity; the sum was on the order of $4,000 at the time.

In addition, the settlement order claims that, in at least some of the instances, “ESEA employers used the software to copy files from ESEA end-users’ computers” with the Attorney General adding:

“The company violated state consumer and computer abuse laws by putting malware on users’ computers, spying on them, and accessing their computers without their knowledge with the mining code.”

http://www.coindesk.com/company-pay-1m-secretly-using-customer-computers-bitcoin-mining (Nov 20, 2013)

3. Fraudulent vendors and scams

Case studies:

3.1. GBL scam (Oct 26, 2013)

3.2. Butterfly shutdown (May 14, 2014)

3.3. BTCST ponzi scheme (July 23, 2013)

3.4. MyBitcoin scam (July, 2011)

3.5. Mt. Gox speculations (Feb 11, 2014)

3.6. Neo & Bee fraud (April 15, 2014)

3.7. BitInstant Shrem Silk Road arrest (Jan 27, 2014)

3.8. Bitcoin Rain scam (March 28, 2013)

3.9. Ubitex scam (April 2011)

3.10. Bitscalper scam (Jan 2012)

3.11. Florida Altcoin ‘Pump and Dump’ Scam (Dec 17, 2014)

3.12. 70 Bitcoin NY scams shutdown (Jan 27, 2015)

3.13. MyCoin ponzi scam (Feb 9, 2015)

[3.1] GBL Scam (Oct 26, 2013)

Beijing-based “GBL” was advertised as a Hong Kong-based exchange and shut down after attracting significant investment. At the time, there was a Bitcoin craze in China, which lasted for much of the latter half of 2013 and was credited as the leading cause of the November 2013 bubble.

https://bitcointalk.org/index.php?topic=576337#post_gbl_scam (Oct 26, 2013)

Imagine if the bank you did business with just disappeared one day. Wake up, and all of your money is completely gone. It isn’t a scenario that happens in banks residing within countries that have a lot of financial regulation. But with bitcoin, it happens. Hong Kong-based exchange GBL is an example of this.

After being in business since May of 2013, the site shut down near the end of October, taking $4.1m in investor money with it. In the Chinese bitcoin market, where BTC China has the number one global bitcoin exchange ranking, regulation is not even on the horizon. The lack of regulation makes these types of things more common, begging the question why there isn’t more security.

“This is happening frequently, and I think this is not good for the bitcoin ecosystem,” says Ankur Nadwani, the developer behind payment project BitMonet. “Cases like these show that there is a market for companies in the bitcoin space that focus on security.”

http://www.coindesk.com/bitcoins-cruel-world-scams-thefts-fbis-influence/ (Nov 13, 2013)

[3.2] US Government Shuts Down Embattled Mining Firm Butterfly Labs (May 14, 2014)

Mining hardware maker Butterfly Labs has been shut down by the US Federal Trade Commission (FTC), which accused the embattled company of fraud and public misrepresentation.

On 18th September, the agency was granted permission by the US District Court for the Western District of Missouri to freeze Butterfly Labs’ assets and close the company pending trial, according to documents released by the FTC.

The move comes months after customers began sending complaints to the federal agency, a process that produced nearly 300 filings accusing the company of delaying shipments and refund payments.

http://www.coindesk.com/us-government-shuts-embattled-mining-firm-butterfly-labs/ (Sep 21, 2014)

Breaking Down the Butterfly Labs FTC Complaints Data

Customers in 24 countries have made 283 complaints to the Federal Trade Commission (FTC) against Kansas-based mining equipment maker Butterfly Labs since 2012, as we reported earlier this week.

Since detailed information about notable companies in the bitcoin economy is thin on the ground, CoinDesk wrangled the data on two dimensions — geography and order value — to see what it could tell us.

http://www.coindesk.com/breaking-down-butterfly-labs-ftc-complaints-data/ (May 17, 2014)

Butterfly Labs Customers Appeal to FTC for $1 Million in Missing Orders

A new report reveals that ButterflyLabs customers have submitted 283 complaints against the company — worth more than $1m in combined refunds and late orders — to the US Federal Trade Commission (FTC) since 2012.

According to documents revealed by Ars Technica, the complaints against the Kansas-based ASIC miner manufacturer are for orders totalling $1,016,243 across a period of about 17 months (see the report data here).

The first complaint was filed in September 2012, with the most recent complaint having been submitted on 15th April of this year.

Notably, one entry made a claim for $30m with no date attached. This entry has been omitted from our tally of orders claimed from ButterflyLabs.

Complaints over delays

The FTC complaints range from outstanding orders to refunds that have not been received.

One customer in Hawaii, who paid $30,247 to ButterflyLabs last March, but is still awaiting their shipment, wrote:

“Please! Somebody help us, I’m not the only one trying to get a refund from these crooks. I beg you, please someone look into this!”

http://www.coindesk.com/butterflylabs-customers-appeal-to-ftc-1-million-missing-orders/ (May 14, 2014)

Butterfly Labs Accused of Buying Blog to Hide Negative Search Results

Bitcoin mining hardware manufacturer Butterfly Labs stands accused of buying out a blog that criticised its products in order to manage its online reputation.

While numerous companies have been accused of using nefarious tactics to remove or alter reviews on websites such as Amazon, if true, BFL’s action would take whitewashing product criticism to a whole new level.

The claims have been made by the founder of the blog in question, reddit user ‘borderpatrol’, who will only reveal his first name as Evan.

His site, Buttcoin.org, which aims to inject a little humour into the bitcoin world, has been in operation since 2011. According to its founder, Buttcoin.org recently received its millionth visitor.

Kansas-based Butterfly Labs manufactures a range of bitcoin-mining hardware. The firm has been plagued by complaints over the quality of some of its products, alongside frequent and long delays in shipments.

CoinDesk recently broke down the global statistics of complaints about the company received by the US Federal Trade Commission.

http://www.coindesk.com/buterfly-labs-accused-buying-blog-hide-negative-search-results/ (July 14, 2014)

[3.3] SEC Charges Texas Man With Running Bitcoin-Denominated Ponzi Scheme (July 23, 2013)

The Securities and Exchange Commission today charged a Texas man and his company with defrauding investors in a Ponzi scheme involving Bitcoin, a virtual currency traded on online exchanges for conventional currencies like the U.S. dollar or used to purchase goods or services online.

The SEC alleges that Trendon T. Shavers, who is the founder and operator of Bitcoin Savings and Trust (BTCST), offered and sold Bitcoin-denominated investments through the Internet using the monikers “Pirate” and “pirateat40.” Shavers raised at least 700,000 Bitcoin in BTCST investments, which amounted to more than $4.5 million based on the average price of Bitcoin in 2011 and 2012 when the investments were offered and sold. Today the value of 700,000 Bitcoin exceeds $60 million.

http://www.zerohedge.com/news/2013-07-23/texan-charged-bitcoin-denominated-ponzi-scheme (July 23, 2013)

http://www.coindesk.com/bitcoin-ponzi-scheme-perpetrator-fined-40-million/ (Sep 19, 2014)

http://www.coindesk.com/bitcoin-ponzi-scheme-operator-pleads-not-guilty-to-fraud/ (March 24, 2015)

http://www.coindesk.com/sec-charges-texan-man-for-defrauding-investors-in-bitcoin-ponzi-scheme/ (July 23, 2013)

http://www.coindesk.com/bitcoin-ponzi-schemer-charged-criminal-securities-fraud/ (Nov 6, 2014)

[3.4] MyBitcoin Theft (July, 2011)

Little information was released about the MyBitcoin theft; however, many argue that Tom Williams ran it as a scam (and that it was not a theft per se). In terms of both dollars and bitcoins, this was by far the largest theft; however, it is possible it was simply a scam. Although MyBitcoin offered to release its code as a gift to the community, it failed to follow through on that promise. In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive.

The theft resulted in the closure of MyBitcoin, which was once a successful Bitcoin company in Bitcoin’s early days.

https://bitcointalk.org/index.php?topic=576337#post_mybitcoin_theft (July, 2011)

[3.5] Leaked Documents Suggest Mt. Gox Paid $200k to Parent Company in May (July 7, 2014)

Controversy surrounds a leaked report that bankrupt exchange Mt. Gox paid almost $200,000 in fees to its parent company, Tibanne K.K., after the exchange had filed for bankruptcy.

According to documents posted on the website goxdox.org, Tibanne, the web services company also owned by Gox CEO Mark Karpeles, and which shared the same office space, invoiced Mt. Gox on 26th May for “services rendered”.

Those services included office rent, server fees and employee expenses. However, according to a Reuters report in March, Mt. Gox had no other full time employees besides Karpeles and everyone else worked on a one-year contract basis.

Trustee approved

The two Japanese-language invoices from May were approved for payment from Mt. Gox’s remaining assets by the court-appointed bankruptcy trustee, Nobuaki Kobayashi, and were issued during the company’s civil rehabilitation timeframe. As trustee, Kobayashi has exclusive power to administer and dispose of Mt. Gox assets.

In other alarming news, the documents, if genuine, reveal Mt. Gox’s remaining funds total only $7.6m — significantly less than the $38m in assets claimed in its bankruptcy application.

Additionally, a physical mailout to creditors notifying them of proceedings also allegedly cost $85,000, even though the information had already been posted on Mt Gox’s website.

These funds were not part of the 200,000 bitcoins recovered from what was described as an “old style wallet” after an initial 850,000 BTC went missing in an apparent hacking attack at some stage before February. The recovered bitcoins are worth roughly $125m on markets today.

http://www.coindesk.com/leak-documents-suggest-mt-gox-paid-200k-parent-company-may/ (July 7, 2014)

Community Outrage Marks Latest Chapter in Mt. Gox Story

Following Mt. Gox’s decision to abruptly suspend all bitcoin withdrawals on 7th February, many industry commentators and observers, CoinDesk included, began to feel the writing was on the wall for bitcoin’s first and once-largest exchange.

But, despite the results of our extensive reader survey and critiques from industry heavyweights like Andreas Antonopoulos, there were those who maintained that given its industry reputation, the company’s critics may have been premature in their statements.

However, Mt. Gox’s future may be even more uncertain after controversial statements issued Monday further damaged the company’s reputation and industry standing.

The comments, which blamed inherent problems with the bitcoin protocol for the withdrawal delays, ignited a veritable firestorm of anger on message boards, much of which was directed at Mt. Gox CEO Mark Karpeles.

Karpeles’ critics alleged he failed to take responsibility for his exchange’s technical failures and management limitations. A swift rebuke from other industry thought leaders soon followed, with many saying that Mt. Gox was being deceptive by blaming previously known issues for its delays.

http://www.coindesk.com/community-outrage-latest-chapter-mt-gox-story/ (Feb 11, 2014)

Mt. Gox Allegedly Loses $350 Million in Bitcoin (744,400 BTC), Rumoured to be Insolvent

UPDATE (25th February, 17:30 GMT): Mt. Gox has released a statement on its website concerning its decision to halt trading.

UPDATE (25th February, 13:47 GMT): Domain investor Andy Booth has confirmed the sale of www.gox.com to Mark Karpeles.

UPDATE (25th February, 09:28 GMT): The source code on Mt. Gox’s website now reads “put announce for mtgox acq here” leading some to speculate on the motives behind the document leak:


A document has surfaced suggesting that troubled Japan-based bitcoin exchange Mt. Gox will close for one month as part of a four-step rebranding plan, and that CEO and former Bitcoin Foundation board member Mark Karpeles will step down from his executive position as part of the process.

The bitcoin price has been tumbling all morning amid the news, hitting a low of $419 so far.

Entitled “Crisis Strategy Draft,” the document suggests the company’s increasingly dire financials are greatly impacting the decision. By Mt. Gox’s own estimates, it has only 2,000 BTC and approximately $22.4m in fiat currencies in its possession.

The document was first reported by Ryan Galt, aka the Two-Bit Idiot, who later confirmed to CoinDesk:

“Several sources familiar with the situation confirmed the legitimacy of the loss claims and the authenticity of the ‘Crisis Strategy’ document.”

http://www.coindesk.com/mt-gox-loses-340-million-bitcoin-rumoured-insolvent/ (Feb 25, 2014)

US Class Action Lawyer: Mt. Gox Wallet Discovery “Highly Suspect”

Bankrupt Japan-based bitcoin exchange Mt. Gox released a new press statement earlier today (21st March) confirming 20th March reports that it had uncovered an ‘old-format’ bitcoin wallet containing some 200,000 bitcoins ($115.8m at press time) presumed lost in the run-up to its insolvency.

The statement indicated that the company discovered the funds on 7th March and promptly informed the necessary authorities of the recovery.

However, Chris Dore, a partner at Edelson law firm, isn’t exactly buying Mt. Gox’s version of the events.

Dore, whose firm represents the US class action against the insolvent exchange, suggested that the announcement is closely tied to matters it is currently investigating.

Dore summed up his opinion on the news, telling CoinDesk:

“Their statement that they found [these bitcoins] in a random wallet and failed to tell anyone for two weeks is highly suspect.”

Instead, Dore indicated he believes that the funds may be connected to his firm’s ongoing investigation of 180,000 bitcoins that were said to have been moving through the blockchain on or around 7th March.

“We believe we were on the right trail. It appeared that these 180,000, 200,000 bitcoins were being tumbled, that they were being broken down and reconstituted, so our goal was to find this out.”

Dore suggested that the announcement may have been a move by Mt. Gox to make it harder for information to be uncovered about the funds.

Added Dore: “If it’s a coincidence, it’s a $120m coincidence. We frankly just don’t buy it.”

http://www.coindesk.com/us-class-action-lawyer-mt-gox-wallet-discovery/ (March 21, 2014)

[3.6] Neo & Bee CEO Breaks Silence on Alleged Bitcoin Fraud

Danny Brewster, CEO of Cyprus-based bitcoin company Neo & Bee, has broken his silence, taking to reddit to address some of the rumours that have been circulating about him of late.

Posting on the forum as ‘cryptocyprus’, the British-born entrepreneur said the suggestion he has committed fraud is his “greatest concern” at the moment.

Earlier this month, Cyprus Mail reported that two customers paid Brewster €15,000 and €20,000 for bitcoins, which they never received.

Further allegations then started flying, claiming Brewster had left Cyprus and defrauded investors. Brewster took to the Bitcoin Talk forum to defend himself and admitted he was out of the country, but stressed that he was away on business.

In his reddit post, he goes on to explain that he sold bitcoins to a number of people prior to Neo & Bee opening to the public, with four of these people requesting that he hold their bitcoins until they provide him a wallet address to send them to.

“Sorry to disappoint those that believe the tales that I simply took them…. The keys are still stored on paper. The total sales to these 4 people amounts to 75.29270138 BTC which were purchased for a combined total of €35,213.57 so I have no idea where the values reported in the media have been derived from,” Brewster’s reddit post continues.

It goes on to say:

“I have not received one single request from the individuals who bought the bitcoins from me to send the coins to an address they provided. With one exception a request was made but that was received from the individual that introduced one of the buyers to me, they requested for me to transfer the coins to his Bitstamp account.

I didn’t send the coins to his address as he was not the person that I had the agreement with. One of these people went directly to the police following rumors that I had fled the country.”

http://www.coindesk.com/neo-bee-ceo-breaks-silence-alleged-bitcoin-fraud/ (April 15, 2014)

[3.7] BitInstant CEO Charlie Shrem Arrested in Silk Road Bitcoin Bust (Jan 27, 2014)

Updated 23:40 GMT with comments from Senator Tom Carper & the Winklevoss brothers.

Charlie Shrem, CEO of bitcoin exchange service BitInstant, has been arrested for his alleged involvement in a scheme to “sell and launder over $1m in bitcoins” through the now defunct online black market Silk Road.

According to a document published by the Manhattan US Attorney, charges have also been filed against Robert M. Faiella, a 52-year-old Florida native better known as “BTCKing”. Both Shrem and Faiella have been charged with conspiring to commit money laundering and operating an unlicensed money transmitting business, among other individual charges.

If convicted, Faiella and Shrem face maximum prison sentences of 25 years and 30 years, respectively. The case is being handled by the Office’s Complex Frauds Unit, and Assistant US Attorney Serrin Turner is in charge of the prosecution.

Official reactions

Manhattan US Attorney Preet Bharara issued a statement, reinforcing his office’s hardline stance toward the use of virtual currencies to commit crimes, not simply the currency itself:

“Truly innovative business models don’t need to resort to old-fashioned law-breaking, and when bitcoins, like any traditional currency, are laundered and used to fuel criminal activity, law enforcement has no choice but to act. We will aggressively pursue those who would coopt new forms of currency for illicit purposes.”

http://www.coindesk.com/bitinstant-ceo-charlie-shrem-arrested-silk-road-bitcoin-bust/ (Jan 27, 2014)

[3.8] Bitcoin Rain (March 28, 2013)

A suspected long-running con likened to the infamous Bitcoin Savings and Trust, Bitcoin Rain finally defaulted on March 28, 2013. Leandro César claimed there was a security breach on his exchange website Mercado Bitcoin.[52] As Bitcoin Rain’s funds were stored there, investors in Bitcoin Rain as well as account holders on Mercado Bitcoin lost money. Some money was reportedly paid back, but the vast majority is still outstanding.

https://bitcointalk.org/index.php?topic=576337#post_bitcoin_rain (Oct 3, 2013)


https://bitcointalk.org/index.php?topic=160150.0 (March 28, 2013)

[3.9] Ubitex Scam (April 2011)

Ubitex was the first company to be listed on the now-defunct GLBSE “stock exchange”, which has been criticized for its illegal operations.[4] The company was run by a minor, but this fact was not initially known.

Around 1000 BTC of the missing investments are said to have been “spent”, many of which were further scammed, or converted into USD without follow-up.

The Ubitex scam would not have been possible today. Bitcoin users at the time were enjoying their newly-acquired wealth thanks to significant appreciation. Most “investors” at the time were extremely naïve.

https://bitcointalk.org/index.php?topic=576337#post_ubitex_scam (April 2011)

[3.10] Bitscalper Scam (Jan 2012)

Bitscalper was founded as an “arbitrage engine”, and users were invited to deposit money. It was promising extremely high and unrealistic returns. As a result, it was suspected of being a scam from the beginning, fears that were compounded due to a shady and anonymous management. After Bitscalper shut down without returning user funds, BitcoinTalk user MiningBuddy attempted to reform Bitscalper using the remnants of the engine. However, no success was found and the coins could not be returned.

https://bitcointalk.org/index.php?topic=576337#post_bitscalper_scam (Jan 2012)

[3.11] Florida Altcoin ‘Pump and Dump’ Scam (Dec 17, 2014)

Florida Group Faces Fraud Charges for Alleged Altcoin ‘Pump and Dump’

A group of Florida residents have been accused of fraudulently selling scrypt mining ASICs as part of an altcoin ‘pump-and-dump’ scheme.

Allegedly perpetrated from March 2013 through August of this year, the scheme centered on a cryptocurrency called cachecoin, whose market is said to have been manipulated by the actions of the defendants.

The five individuals, which include a married couple, as well as a company called Scrypted Life, are also accused of stealing funds raised for an independent mining operation, Fibonacci Scrypt Mining ASICs.

Represented by Florida-based law firm Akerman LLP, the plaintiffs are seeking loss-of-profit damages, as well as reparation for legal costs, and have requested a trial by jury.

Akerman attorney Christopher Hopkins told CoinDesk that those named in the case used a variety of means to collect funds from unsuspecting investors.

http://www.coindesk.com/florida-group-faces-fraud-charges-alleged-altcoin-pump-dump/ (Dec 17, 2014)

[3.12] 70 Bitcoin NY scams shutdown (Jan 27, 2015)

Over 70 Bitcoin Scams Shut Down By New York Law Enforcement

More than 70 websites promising unrealistically high returns on bitcoin investments have been shut down by the New York County District Attorney’s office.

As originally reported by Bloomberg News, 73 sites were taken offline on 16th January by the office, including BitcoinHYIP.org and others owned by a company called YouYou Finance.

The defendants are accused of securities fraud and intent to commit fraud, as well as larceny charges, according to documents provided to CoinDesk. The investigator explained the background of his investigation into high-yield investment schemes based on bitcoin, as well as how the office went undercover and used the services.

http://www.coindesk.com/70-bitcoin-scams-shut-new-york-law-enforcement/ (Jan 27, 2015)

[3.13] MyCoin ponzi scam (Feb 9, 2015)

Hong Kong’s MyCoin Disappears With Up To $387 Million, Reports Claim

Reports are emerging from Hong Kong that local bitcoin exchange MyCoin has shut its doors, taking with it possibly as much as HK$3bn ($386.9m) in investor funds.

If true, the supposed losses are a staggering amount, although this estimate is based on the company’s own earlier claims that it served 3,000 clients who had invested HK$1m ($129,000) each.

For perspective, bitcoin’s entire market cap today stands at around USD$3bn.

The issue came to light on Friday when about 30 people claiming to be victims of the company’s actions petitioned a local member of the Legislative Council, Leung Yiu-chung.

The victims are reportedly due to make a statement to Hong Kong police on Wednesday.

Ponzi scheme suspected

Adding to the mystery are reports the company never operated as a genuine bitcoin business at all. Testimonies from customers describe an operation more like a Ponzi scheme that used the veneer of bitcoin trading as its lure.

http://www.coindesk.com/hong-kong-exchange-mycoin-disappears-387m-reports-claim/ (Feb 9, 2015)

MyCoin Customers Report $8.1 Million in Losses to Hong Kong Police

The Hong Kong Commercial Crime Bureau (CCB) is conducting a preliminary investigation into alleged unlawful activities that may have occurred at defunct bitcoin exchange MyCoin.

The CCB reports that 43 investors between the ages of 21 and 71 years old lost anywhere between HK$50,000 to HK$15m each when the exchange ceased operations. Such estimates would place the total consumer loss at HK$63m, or $8.12m at press time.

Local media reported Monday that the total losses could have been as high as $387m, however, these figures were based on the exchange’s own estimates of its business volume.

http://www.coindesk.com/mycoin-hong-kong-police-8-1-million/ (Feb 11, 2015)

Police Arrest Five in MyCoin Bitcoin Exchange Scheme Case

Five individuals have been arrested by Hong Kong police forces in connection with the collapse of MyCoin, an alleged bitcoin trading platform.

The arrests were made as part of a broader hunt for individuals associated with MyCoin, which is believed to have cost investors millions of dollars in losses for fraudulent activities. The five were arrested for conspiracy to defraud, according to the South China Morning Post.

The individuals taken into custody on 5th March were allegedly involved with soliciting funds for the scheme and holding events to attract potential investors. Hong Kong police searched the home of at least one of those arrested the same evening, the newspaper said.

http://www.coindesk.com/police-arrest-mycoin-bitcoin-exchange/ (March 5, 2015)

http://www.coindesk.com/150-mycoin-bitcoin-scheme-victims/ (March 11, 2015)


4. Wallet theft

Case studies:

4.1. Kelihos campaign (Bitdefender) (Aug 6, 2014)

4.2. Cryptsy Dogecoin (DOGE) Live Ticker malicious Chrome plugin (April 21, 2014)

4.3. LocalBitcoins incident (Feb 27, 2014)

4.4. ‘CoinThief’ Mac Malware (Feb 10, 2014)

4.5. MSIL/PSW.LiteCoin.A Litecoin stealer (ESET) (July 5, 2013)

4.6. Pony 30-currency stealer (TrustWave) (Feb 24, 2014)

4.7. Allinvain incident (June 13, 2011)

4.8. Bitcoinica Mt. Gox account breach (July 13, 2012)

4.9. 2012 BTC trojan (Oct 18, 2012)

4.10. Mt. Gox account syndicate breach (July 4, 2012)

4.11. Leo Treasure 750 BTC Theft (Sep 30, 2014)


4.A. Kaspersky ‘IT Threat Evolution Q2 2014’ report

4.B. Dell SecureWorks 150 strains of Bitcoin wallet stealers

4.C. Kaspersky “Financial Cyberthreats in 2013″

[4.1] Bitcoin Malware Attack Exploits Russia-Ukraine Crisis (Aug 6, 2014)

A hacker group is trying to leverage the ongoing conflict between Russia and Ukraine as it distributes malware that is capable of targeting bitcoin wallets.

A report by Bitdefender Labs, a cybersecurity firm that focuses on the digital currency market, highlights how an alleged hacker group disguised one form of malware as another. According to the report, the perpetrators distributed software that they described as capable of disrupting the digital activities of Western governments fighting against Russia.

In reality, the program secretly installs a malware package called Kelihos. This malicious program, first identified nearly five years ago, is capable of stealing the contents of a user’s bitcoin wallets, among other negative effects.

http://www.coindesk.com/bitcoin-malware-exploits-russia-ukraine-crisis/ (Aug 27, 2014)

[4.A] Report: Bitcoin Targeted in 22% of Financial Malware Attacks

Security firm Kaspersky Lab has found that bitcoin is the target in more than one fifth of all malware attacks aimed at victims’ money.

According to Kaspersky’s latest threat report, entitled ‘IT Threat Evolution Q2 2014’, bitcoin mining malware accounted for 14% of attacks in the second quarter of 2014, while bitcoin wallet stealers accounted for 8%.

Keyloggers, which can be used to compromise both bitcoin and banking services, also made the list, with 4% of all attacks attributed to various forms of keylogging malware.

Traditional banking malware still leads the way with 74%, but considering the size of the bitcoin economy it is clear that bitcoin users and operators face a significant likelihood of being subjected to an attack.

Bitcoin attacks declining

“Fraudsters are also happy to use computing resources to generate crypto currency: bitcoin miners account for 14% of all financial attacks,” the report warns. “Criminals also use keyloggers to collect user credentials for online banking and payment systems in another bid to access bank accounts.”

Although the figures are disturbing, the relative number of bitcoin-related malware attacks has actually gone down since Kaspersky’s last annual report.

In the 2013 report, bitcoin wallet stealers accounted for 20.18% of all financial malware attacks, while mining malware accounted for 8.91%, giving a combined total of 29%.

In the meantime, the number of threats has gone down, but the threat landscape has evolved — as wallet stealers fell out of favour, mining malware took their place as the predominant form of bitcoin-related malware.

http://www.coindesk.com/report-bitcoin-targeted-22-financial-malware-attacks/ (Aug 6, 2014)

[4.2] Chrome Extension Could Be Vulnerable to Cryptocurrency Malware (April 21, 2014)

A browser extension for Google Chrome is reportedly capable of stealing bitcoin and other altcoins from its users.

Called the ‘Cryptsy Dogecoin (DOGE) Live Ticker’ in the Chrome Web Store, the extension is susceptible to updates that begin monitoring visits to cryptocurrency exchanges and wallet sites. A representative from Cryptsy has told CoinDesk that the exchange is not affiliated with the extension in any way.

The warning about the extension was posted on reddit, along with the following advice:

“Be careful of what you install on your devices you use to access your wallets.”

How it steals coins

Software within the extension monitors web activity and looks for users who go to exchange sites such as Coinbase. During a transaction, the extension attempts to replace the receiving address with one of its own.

A reddit user reported this happening in a withdrawal from cryptocurrency exchange MintPal, having had the extension installed.

Extensions or add-ons that are related to cryptocurrencies are a logical tool for would-be thieves, as cryptocurrency-related software is generally used by those who hold onto digital coins.

http://www.coindesk.com/chrome-extension-could-vulnerable-malware/ (April 21, 2014)

[4.3] LocalBitcoins Names Malware As Cause of Wallet Issues (Feb 27, 2014)

LocalBitcoins users took to reddit and official LocalBitcoins forums today (17th April), reporting that some bitcoin wallets managed by the company have been emptied, and that transactions have been delayed.

The Finland-based bitcoin buying and selling service has now issued an official response to these claims via its blog, stating that the problem is likely the result of a malware intrusion.

In the post, LocalBitcoins announced it would limit hot wallet activity on its services while it addresses the issue.

Further, it released its initial assessment of the situation:

“So far, we have found one systematic and recent attack against LocalBitcoins users, and right now it seems that the amount of users attacked have been under 30, and amount of bitcoins reported has been less than that.”

The company also downplayed that there were larger issues with the site, stating:

“Nothing indicates that this [may] have been a security flaw on the website itself, but we are going to continue investigating the case.”

LocalBitcoins said it would investigate the issue further over the weekend,

http://www.coindesk.com/localbitcoins-names-malware-cause-wallet-issues/ (April 17, 2014)

LocalBitcoins Releases Investigation Report on Site Wallet Issues

Following yesterday’s statement from LocalBitcoins regarding issues with its wallet service, the website has released its follow-up investigation report.

The report focused in part on claims that the site’s two-factor authentication failed to prevent a wallet breach. LocalBitcoins also addressed the cause of withdrawal delays that took place as users tried to move their bitcoins away from the site following the posting of user concerns on reddit.

The LocalBitcoins team wrote in the report’s introduction:

“LocalBitcoins team did not found any evidence of compromised site security.”

Report walks through hack claims

LocalBitcoins presented an activity timeline of user don4of4 (who initially posted on reddit), including 17th April when the wallet intrusion took place.

The site’s team identified that unlike previous logins by the user, someone accessed the site via a Tor browser and had access to don4of4′s two-factor authentication key generator.

LocalBitcoins surmised that whoever accessed the user’s account had gained access to his mobile device, which don4of4 told the team was used to store the two-factor codes.

The report read:

“In this case if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to user password, user session ID and two-factor codes. Furthermore, it was reported on the reddit that the credentials of this particular user have been found on known compromised user account lists spreading in the internet.”

http://www.coindesk.com/localbitcoins-releases-investigation-report-site-wallet-issues/ (April 18, 2014)
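A screening check of the kind the LocalBitcoins timeline analysis implies, written here as an added example (not LocalBitcoins’ code): each login is compared against the account’s earlier logins, and a login from a never-before-seen client over Tor, or one that reuses a session ID from a different IP, is sent to step-up verification even when the two-factor code is correct, because a correct code says nothing when the device holding the code generator is itself compromised. The log lines, user names, IPs and session IDs are constructed for the example.

```python
"""Login-anomaly screening for a wallet site (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log: timestamp|user|ip|client|tor|2fa|session
#   tor     = yes/no, whether the source IP is a known Tor exit
#   2fa     = ok/fail, result of the two-factor check
#   session = session identifier presented by the client
SAMPLE_LOG = """\
2014-04-10T09:12:00Z|don4of4|203.0.113.10|Android-Chrome|no|ok|s-1001
2014-04-12T19:40:00Z|don4of4|203.0.113.10|Android-Chrome|no|ok|s-1002
2014-04-15T08:03:00Z|don4of4|198.51.100.7|Android-Chrome|no|ok|s-1003
2014-04-17T02:21:00Z|don4of4|192.0.2.44|Tor-Browser|yes|ok|s-1003
2014-04-17T02:23:00Z|alice|203.0.113.200|Desktop-Firefox|no|ok|s-2001
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    ip: str
    client: str
    tor: bool
    twofa_ok: bool
    session: str


@dataclass
class Baseline:
    """What the account's accepted logins have looked like so far."""
    ips: Set[str]
    clients: Set[str]
    tor_seen: bool
    sessions: Dict[str, str]  # session id -> IP that first presented it


def parse_log(text: str) -> List[LoginEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, client, tor, twofa, session = line.split("|")
        events.append(LoginEvent(ts, user, ip, client, tor == "yes",
                                 twofa == "ok", session))
    return events


def assess(event: LoginEvent, base: Baseline) -> dict:
    """Score one login against the account baseline and decide what to do."""
    score, reasons = 0, []
    if event.ip not in base.ips:
        score += 1
        reasons.append("new source IP")
    if event.client not in base.clients:
        score += 1
        reasons.append("new client")
    if event.tor and not base.tor_seen:
        score += 2
        reasons.append("first login over Tor")
    first_ip = base.sessions.get(event.session)
    if first_ip is not None and first_ip != event.ip:
        score += 3
        reasons.append("session id reused from a different IP")
    if not event.twofa_ok:
        decision = "deny"
    elif score >= 3:
        # 2FA passed, but the device generating the codes may be the thing
        # that was compromised, so require out-of-band confirmation.
        decision = "step_up"
    else:
        decision = "allow"
    return {"user": event.user, "ts": event.ts, "decision": decision,
            "score": score, "reasons": reasons}


def screen(events: List[LoginEvent]) -> List[dict]:
    """Assess events in order; only allowed logins extend the baseline."""
    baselines = defaultdict(lambda: Baseline(set(), set(), False, {}))
    results = []
    for ev in events:
        base = baselines[ev.user]
        verdict = assess(ev, base)
        results.append(verdict)
        if verdict["decision"] == "allow":
            base.ips.add(ev.ip)
            base.clients.add(ev.client)
            base.tor_seen = base.tor_seen or ev.tor
            base.sessions.setdefault(ev.session, ev.ip)
    return results


if __name__ == "__main__":
    for v in screen(parse_log(SAMPLE_LOG)):
        print(f'{v["ts"]} {v["user"]:8} {v["decision"]:8} score={v["score"]} '
              f'{", ".join(v["reasons"])}')
```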

[4.B] Nearly 150 Strains of Malware Are After Your Bitcoins

Computer security firm Dell SecureWorks has managed to identify 146 types of bitcoin malware in the wild.

The company’s researchers found the distinct breeds of malware had been specifically designed to steal bitcoins — a number of them presenting quite a danger to owners with coins stored either online or on their computers.

The firm concluded that the number of Windows-compatible cryptocurrency stealing malware (CCSM) strains has gone up in line with bitcoin’s increase in value.

The total of 146 strains is up from 45 a year ago, and 13 two years ago, the researchers say. The biggest spike came after bitcoin briefly broke the $1,000 mark late last year.

Cyber criminals tend to pursue high-growth markets. There has been a lot of focus on smartphones lately, and bitcoin is an obvious target on more than one level.

While most smartphone malware will steal personal info and cause various problems, bitcoin-targeted strains offer the added benefit to the criminals of stealing money with relative ease, and it appears that many can’t resist the allure of bitcoiners’ digital wallets.

http://www.coindesk.com/nearly-150-strains-malware-bitcoins/ (Feb 27, 2014)

[4.C] Study: Bitcoin Wallet Attacks Rose Sharply in 2013

There were nearly 6 million detections of malware capable of stealing data from bitcoin wallets in 2013, according to a new report released by cybersecurity firm Kaspersky Labs.

Entitled “Financial Cyberthreats in 2013”, Kaspersky’s report looked more broadly at a range of cyberattacks — from phishing to mobile malware, but put a special emphasis on examining how digital currency wallet users are being targeted by criminals online.

Perhaps most notably, Kaspersky found that 1 million wallet owners fell victim to a malware attack in 2013, up from less than 600,000 in 2012. Attacks on digital currency wallets constituted roughly 20% of all attacks that involved financial malware last year.

Read the report:

“Among all finance-related malware, tools associated with bitcoin demonstrated the most dynamic development.”

http://www.coindesk.com/study-nearly-6-million-bitcoin-wallets-attacked-2013/ (April 10, 2014)

[4.4] ‘CoinThief’ Mac Malware Steals Bitcoins From Your Wallet (Feb 10, 2014)

UPDATE (12th February, 11:35 GMT): SecureMac reports the bitcoin-stealing malware has spread to popular download sites like Download.com and MacUpdate, under several different names. If you think your machine could be infected, take a screenshot of the instructions here and disconnect from the internet immediately.

A Mac OS X trojan horse masquerading as a private bitcoin wallet app is responsible for “multiple” bitcoin thefts, according to Mac security researchers.

SecureMac, a Mac security consultancy that develops the MacScan anti-malware application and blogs about its research, released a report today warning of ‘CoinThief.A’.

Hidden within the open-source OS X bitcoin wallet app StealthBit, CoinThief.A monitors users’ web traffic to steal login credentials for software wallets and popular bitcoin sites, including BTC-e, Mt. Gox, and Blockchain.info.

The StealthBit app had been available on GitHub both as source code and a precompiled download, but the page has now been removed.

Update: Versions of the malware have been found with numerous different names on other popular software download sites, such as Download.com and MacUpdate.com. BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. It seems both app names were copied from legitimate apps in the Mac App Store, but the malicious payload was not found in the official Mac App Store copies of these apps.

http://www.coindesk.com/cointhief-mac-malware-steals-bitcoins/ (Feb 10, 2014)

[4.5] Litecoin targeted by trojan malware (July 5, 2013)

ESET, a security firm, has published a report showing that there is a piece of malware aimed at stealing Litecoin wallet files. ESET says that the Trojan, named MSIL/PSW.LiteCoin.A, is not widespread just now, and extremely unsophisticated. The report suggests that this malware or others like it could become more prevalent if Litecoin enjoys a wider adoption and popularity.

Bitcoin has already been the target of malware attacks. For example, Win32/Delf.QCZ will, among other things, install bitcoin mining software on the target computer, and have it join a network of zombified mining PCs. There have also been cases where a bitcoin wallet was stolen.

This is the first time that malware has been targeted at Litecoin users. ESET describes the Trojan as extremely unsophisticated, and that its only function is to send the user’s wallet.dat file to an FTP server, which the attacker controls. ESET showed the decompiled C# program — a mere 38 lines of code.

ESET say that the provider of the FTP server used by the attacker has been informed. The provider has now blocked requests to the server, and redirects browsers to a page that reads:

User **** from BTC-E exchange uses this ftp address to steal wallets from cryptocoiners! BEWARE!!!!

http://www.coindesk.com/litecoin-targeted-by-trojan-malware/ (July 5, 2013)

[4.6] Pony Botnet Virus Steals $220k from 30 Types of Digital Wallets (Feb 24, 2014)

In what is being called one of the most ambitious cyberattacks affecting virtual currency to date, Chicago-based IT security services provider Trustwave has revealed that a cybercrime ring known as Pony botnet is using a Trojan virus to steal from 30 types of digital currency wallets.

Trustwave researchers found that credentials for approximately 700,000 digital wallet, email and desktop accounts have been compromised, and that up to $220,000 had been stolen from 85 digital currency wallets as of the time of writing.

Ziv Mador, director of security research at Trustwave, told CoinDesk that consumer and merchant wallets were both affected, and that bitcoins, litecoins, primecoins and feathercoins had been stolen in the attack.

But, what makes the Pony botnet unique, Mador said, is the breadth of its assault:

“The new thing about this complaint is that it was widely spread. The Pony malware affected hundreds of thousands of machines and scanned for digital wallets from 30 virtual currencies on those computers.”

Trustwave indicates that while the attack has been persisting for months, it stopped suddenly on 24th February. However, in talks with other media outlets, Trustwave suggested it believes the cybercriminal network is still operating.

http://www.coindesk.com/pony-botnet-virus-steals-220000-30-digital-wallets/ (Feb 24, 2014)

[4.7] Allinvain Theft (June 13, 2011)

Hi everyone. I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone to the following address:


Transaction date: 6/13/2011 12:52 (EST)

I feel like killing myself now (edit: a little too dramatic, I’ve since calmed down a bit). If only the wallet file was encrypted on the HD. I do feel like this is my fault for not moving that money to a separate non-Windows computer. I backed up my wallet.dat file religiously and encrypted it but that does not do me much good when someone or some trojan or something had direct access to my computer somehow.

The theft occurred right after someone broke into my slush’s pool account. In a moment of sheer stupidity I did not think that maybe my whole system was compromised. I merely thought that someone brute forced my slush’s pool password. I then proceeded to change the password on the pool from a secure computer.

The transaction sent belongs rightfully to this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG

Block explorer is down so I cannot even see where the funds went. Edit: It’s working now and I’m keeping an eye on it.

I tried restoring an earlier backup of my wallet but naturally that does not work because the transaction has already been validated.

If anyone has any ideas what I can do, tips, tools, ways of tracking the stolen funds or anything of use please do share with me here on this thread or PM me.

Edit: Screenshots available here:


Edit: I’d like to thank those that came up with constructive comments and suggestions.

Let this be an example to take the security of your wallet.dat files very seriously. I never thought bitcoin would attract criminals so quickly but yet here it is.

Update: You can keep track of my stolen coins via these 3 links:




Update: The latest bitcoin tracking info can be found here — http://allinvain.4shared.com

I’ve also shared the C program that I used to track them. Hope you find it useful somehow.

https://bitcointalk.org/index.php?topic=16457.msg214423#msg214423 (June 13, 2011)

[4.8] July 2012 Bitcoinica Theft (July 13, 2012)

On July 13, 2012, a thief compromised the Bitcoinica Mt. Gox account. The thief made off with around 30% of Bitcoinica’s bitcoin assets, which are likely to cost claimants of Bitcoinica debt. Additionally, 40,000 USD was also reported to be stolen. The thief is still unknown at this point, but the theft has supposedly been entirely returned. This theft further complicated the May 2012 Bitcoinica Hack.

https://bitcointalk.org/index.php?topic=576337#post_july_2012_bitcoinica_theft (July 13, 2012)

[4.9] 2012 Trojan (Oct 18, 2012)

A trojan horse stole thousands of BTC between September and November of 2012. BitcoinTalk user “mralbi” was a major victim, losing almost 2600 BTC.[47] The same hacker also stole 200 BTC from Mt. Gox accounts, supposedly with the same trojan which doubled as a keylogger.

https://bitcointalk.org/index.php?topic=576337#post_trojan_2012 (Oct 18, 2012)

Dear all,

Stupid as I am, I allowed some hacker to somehow install a trojan horse on my PC where I stored some of my bitcoins (around 2600). With the keylogger he got all my passwords and, of course, stole my local wallet file (encryption did not help).

The hacker sent the bitcoins to the address: 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

https://bitcointalk.org/index.php?topic=125641 (Nov 17, 2012)

[4.10] Bitcoin Syndicate Theft (July 4, 2012)

A hacker infiltrated the Mt. Gox account used by Bitcoin Syndicate, sold off the USD owned, and withdrew all balances.

https://bitcointalk.org/index.php?topic=576337#post_bitcoin_syndicate_theft (July 4, 2012)

[4.11] Early Bitcoin Adopter Calls for Multi-Sig Solutions After 750 BTC Theft (Sep 30, 2014)

Treasure, a former computer science student and bitcoin entrepreneur from Perth, Australia, told CoinDesk he was traveling in Bali and didn’t think connecting to public Wi-Fi could be a security issue as his bitcoins were stored locally.

Upon reading about the ‘Bash Bug’, he checked one of his bitcoin addresses on the block chain and noticed an unfamiliar transaction.

Once he synchronized the Bitcoin-Qt client on his MacBook, the ‘sent’ records confirmed the worst. A series of transactions leading to unfamiliar addresses had occurred from his wallet.

It was no small hack — the amount stolen represented the majority of Treasure’s bitcoin holdings, leaving him with only small amounts stored elsewhere.

http://www.coindesk.com/early-bitcoin-adopter-calls-multi-sig-solutions-750-btc-theft/ (Sep 30, 2014)


5. Crime and terrorism

Case studies:

5.1. Spain Bitcoin gambling crackdown (Sep 11, 2014)

5.2. Ross Ulbricht drug charges (Sep 5, 2014)

5.3. ‘wOrm’ stolen CNET database stunt (July 16, 2014)

5.4. ISIS Bitcoin funding proposal (July 7, 2014)

5.5. Japan Bitcoin crime crackdown (May 9, 2014)

5.6. IRS-NCFTA research (May 8, 2014)

5.7. US DoD CTTSO Bitcoin terrorism investigation (May 5, 2014)

5.8. Silk Road 2.0 thrives after crisis (April 27, 2014)

5.9. Tony Silk Road scam (April 20, 2012)

5.10. TorRAT Bitcoin money laundering (Oct 30, 2013)

5.11. Silk Road 2.0 crackdown (Nov 6, 2014)

[5.1] Spain Cracks Down on Bitcoin Gambling Loopholes (Sep 11, 2014)

The Spanish government agency that oversees matters of finance and taxation has issued a new ruling stating that bitcoin should be treated as an electronic payment system, a decision that could have a far-ranging impact on Spain’s bitcoin economy.

El Ministerio de Hacienda y Administraciones Públicas issued the ruling in response to questions from Coinffeine, a Spain-based, open-source bitcoin exchange platform. Abanlex, the company’s law firm, had previously reached out to both El Ministerio de Hacienda and the country’s Congress seeking clarity on two issues in April.

With its response, El Ministerio de Hacienda found that bitcoin-based online gambling companies in Spain must now apply for licenses. Further, the ruling, coupled with new statements from Congress, suggests that bitcoin transactions involving a business may be subject to existing laws that impose a cap on cash transactions of €2,500 or more.

http://www.coindesk.com/spain-cracks-bitcoin-gambling-loopholes/ (Sep 11, 2014)

[5.2] Ross Ulbricht Pleads Not Guilty to New Drug Charges (Sep 5, 2014)

Ross Ulbricht, the accused ringleader of the now-defunct online black marketplace Silk Road, has pleaded not guilty to a series of new charges levied against him by federal prosecutors.

Filed on 21st August, the charges include narcotics trafficking, conspiracy to traffic fraudulent identification documents and distribution of narcotics by means of the Internet. Those charges followed previous allegations that Ulbricht had engaged in drug trafficking, computer hacking, money laundering and engaging in a criminal enterprise.

The 30-year-old Texas native appeared in a Manhattan federal court today to answer to the charges issued in the latest indictment, Bloomberg reports.

http://www.coindesk.com/ross-ulbricht-pleads-guilty-new-drug-charges/ (Sep 5, 2014)

[5.3] Hackers Offer Stolen CNET Database for Bitcoin in Publicity Stunt (July 16, 2014)

A group of Russian hackers that managed to steal CNET’s user database has made that information available for bitcoin, in what seems like a publicity stunt.

The group, which calls itself ‘wOrm’, says the database contains the accounts of more than a million users, including their usernames, emails, passwords and other information.

The asking price for the source code and the database was 1 BTC, roughly $615 at the time of writing. However, CNET was later told that the group has no plans to decrypt the passwords or to complete the sale of the database.

The offer, which was apparently made to gain attention for the group’s “altruistic” work, was quickly rescinded. WOrm has previously carried out similar attacks on websites belonging to the BBC, Adobe Systems and Bank of America.

CNET admits breach

CNET confirmed the attack and admitted that several servers were accessed and compromised. The security flaw that allowed the breach has since been patched, but the hackers managed to steal a significant amount of data before the attack was detected and addressed.

The hackers say they exploited a hole in CNET’s implementation of the Symfony PHP framework. Although the group initially offered to sell the database, it insists its main motivation is security awareness.

“We are driven to make the Internet a better and safer [place] rather than a desire to protect copyright. I want to note that the experts responsible for bezopastnost [security] in cnet very good work but not without flaws,” a wOrm member told CNET via twitter.

http://www.coindesk.com/hackers-offer-stolen-cnet-database-bitcoin-publicity-stunt/ (July 16, 2014)

[5.4] ISIS-Linked Blog: Bitcoin Can Fund Terrorist Movements Worldwide (July 7, 2014)

The Islamic State of Iraq and Syria (ISIS) has proposed using bitcoin to fund global jihadist efforts.

A blog post entitled ‘Bitcoin and the Charity of Violent Physical Struggle’ outlines a use case for bitcoin as a vehicle for terrorist financing, noting that its pseudonymous transaction capability fits well within the needs of jihadist organizers. Its author claims to be connected with the Islamic State, the so-called jihadi nation established by the ISIS leadership.

The concept that bitcoin could be used to help fund terrorists has been a long-standing concern among law enforcement and government agencies worldwide. Indeed, many restrictions placed on the use of digital currencies stem from these concerns.

According to the blog post, originally reported on by Sky News, bitcoin makes it difficult for anti-terrorist financing authorities to stop transactions from taking place. Services such as DarkWallet were specifically cited as methods for making bitcoin payments between terrorists even more untraceable. The blog author noted that bitcoin presents tax evasion benefits as well.

The blog states:

“This system has the potential to revive the lost sunnah of donating to the mujahideen, it is simple, easy, and we ask Allah to hasten its usage for us.”

http://www.coindesk.com/isis-bitcoin-donations-fund-jihadist-movements/ (July 7, 2014)

[5.5] Japan to Crack Down on Bitcoin Crime, Court Industry Investment (May 9, 2014)

The government of Japan has announced that it intends to increase oversight of illegal transactions that are carried out using digital currencies like bitcoin.

The news comes amid increasing fears in the country that criminal organizations are using bitcoin for money laundering and drug dealing, according to a new report from Kyodo News International.

Japan’s Ministry of Economy, Trade and Industry is now expected to set in motion a plan for how it will monitor illicit trade involving digital currency, working with other government agencies such as the Financial Services Agency and National Police Agency in the process.

Notably, domestic law enforcement officials completed their first bitcoin-related drug arrest last week when a 38-year-old citizen was arrested for allegedly importing illegal stimulants.

Defining bitcoin

Kyodo News reports that Prime Minister Shinzo Abe’s administration also plans to issue a formal classification for digital currencies.

Under the proposal, bitcoin and other similar technologies would be labeled as a new type of “value-added electronic record” — similar to credit card and electronic money records, not as a currency.

Government officials further suggested that they will not be seeking to apply capital gains taxes to bitcoin transactions, as the US has done, though it may apply taxes to purchases.

http://www.coindesk.com/japan-crack-down-bitcoin-crime-court-industry-investment/ (May 13, 2014)

Japan Makes First Bitcoin-Related Drug Arrest

Japanese authorities have arrested a suspected drug importer who allegedly used bitcoin to pay his Mexican suppliers.

According to Channel News Asia, the case is the first of its kind in the country — an arrest for a crime involving both drugs and digital currency.

The suspect has been named as 38-year-old Ayumu Teramoto and his arrest was carried out by police forces in Tokyo and Fukuoka.

Teramoto is suspected of buying and importing illegal stimulants — terms usually used in the Japanese media to describe cocaine and methamphetamines.

Bitcoin payment

The suspect allegedly used ¥3.5m ($34,500) worth of bitcoin to pay for a drug deal involving 50g of the unnamed drug, according to CNA.

The drugs were then shipped to an airport near Tokyo, reportedly concealed inside a tablet computer. It is unclear what raised suspicions, but it is clear that police managed to identify and successfully intercept the shipment.

Police claim Teramoto used an online service to procure the drugs, but they did not reveal any details, other than the fact that the transaction was carried out in bitcoin.

http://www.coindesk.com/japan-makes-first-bitcoin-related-drug-arrest/ (May 9, 2014)

[5.6] US Government Taps Nonprofit to Research Digital Currency Crime (May 8, 2014)

The US Internal Revenue Service (IRS) has announced it will award the National Cyber-Forensic Training Alliance (NCFTA), a cybersecurity nonprofit organization, with a contract to research crimes involving digital currencies.

The one-year sole source order, published yesterday on behalf of the US Treasury Department, the Office of Illicit Finance (OIF) and the Office of Intelligence and Analysis (OIA), establishes that the NCFTA would study virtual currency and virtual currency exchanges to provide the federal government with real-time cyber threat intelligence.

In a redacted justification document, the US government states its need for broader capabilities in tracking crimes involving digital currencies.

The document reads:

“[The NCFTA] will support OIF’s efforts to identify significant cybercriminals engaged in financial crimes, as well as initiatives that highlight virtual currencies and virtual currency exchangers that service criminal clientele.”

The order justification goes on to cite NCFTA’s existing infrastructure and access to private information. It is not clear how much the one-year contract award is worth.

CoinDesk reached out to the IRS for comment but did not receive a response.

http://www.coindesk.com/us-government-taps-nonprofit-research-digital-currency-crime/ (May 8, 2014)

[5.7] Department of Defense to Investigate Bitcoin’s Terrorism Potential (May 5, 2014)

An office within the US Department of Defense is conducting a study into bitcoin and other technologies as a potential terrorist threat, according to news reports.

The move is part of the Combatting Terrorism Technical Support Office (CTTSO) programme aimed to assist the military in understanding if and how various new technologies might be used to threaten US national security.

The news first appeared on investment consultant Bruce Fenton’s blog on Friday, with a link to CTTSO’s request for vendors to apply as information sources.

Before bitcoin fans get too alarmed, however, the CTTSO’s list of technology keywords is over 250 lines long and includes Android, Motorola, social media and virtual reality.

http://www.coindesk.com/department-defense-office-investigate-bitcoins-terrorism-potential/ (May 5, 2014)

[5.8] How Deep Web Scams Helped Silk Road 2.0 Turn Crisis into Opportunity (April 27, 2014)

The online trade in illicit drugs is bigger than ever, according to a new report published this week.

This is despite the closure of the original Silk Road marketplace by the FBI in October last year, and a crisis in the Internet’s underworld following arrests, scams and hacking attacks.

Last Sunday, CoinDesk reported on how, when US authorities closed Silk Road and arrested its alleged mastermind Ross Ulbricht, it didn’t spell the end for online drugs markets. Silk Road reopened, new marketplaces quickly materialised, and existing ones grew to accommodate displaced buyers and sellers.

Now, despite the theft of thousands of bitcoins in February, Silk Road 2.0 is seeing an influx of customers jaded by scams and hacks on other sites, and trade is even better than in the heyday of the original site.

http://www.coindesk.com/dark-web-scams-helped-silk-road-2-0-turn-crisis-opportunity/ (May 1, 2014)

Scams, Hacks and Poor Management: Life After Silk Road

When US authorities busted up the Silk Road and arrested alleged kingpin Ross Ulbricht last fall, it didn’t mean the end of online drugs-for-bitcoin markets. Alternative trading posts popped up immediately, and existing ones expanded to accommodate displaced buyers and sellers.

However, the sites have been rocked by thefts, more arrests and other troubles, leading some customers and even investigators to wax nostalgic about the “original” Dread Pirate Roberts, as Silk Road’s founder called himself.

One customer, who goes by the nickname ‘hugs’, wrote in a message to CoinDesk:

“[Chaos] is the word that I would choose to describe the landscape as it has morphed and changed after SilkRoad’s seizure. Many sites have come and gone […] many of them developing quite a following before being shut down or hacked. Buyers and vendors alike have been on a constant search for a stable market, one that will be around for longer than a couple of months.”

http://www.coindesk.com/scams-hacks-poor-management-life-silk-road/ (April 27, 2014)

[5.9] Tony Silk Road Scam (April 20, 2012)

Users of Silk Road, an underground drug market using Bitcoin as the default currency, bought significant quantities of illicit drugs from trusted vendor “Tony76”. Although Silk Road has an escrow system, trusted vendors are allowed to bypass the system and request that the buyers pay first. On April 20, which is a popular day for drug sales in American culture, Tony76 offered drugs at a significant discount. However, none of the products made it to the customers, revealing the sale as an elaborate sham.

https://bitcointalk.org/index.php?topic=576337#post_tony_silk_road_scam (April 20, 2012)

[5.10] Malware gang steals $1.4 Million and sets up bitcoin exchange to launder it (Oct 30, 2013)

Last week, four men were arrested in the Netherlands for spreading a type of malware that allowed them to obtain Dutch bank account information. They used a bitcoin exchange to launder some of the $1.4 million that was stolen from approximately 150 bank accounts.

The malware, known as TorRAT, targeted only Dutch speakers. TorRAT used the anonymizing network Tor to use its command and control (C&C) servers. The men also paid for a Turkish crypting service to circumvent antivirus software and utilized the hosted tormail.org in order to communicate.

http://www.coindesk.com/malware-gang-steals-1-4m-bitcoin-exchange-launder/ (Oct 30, 2013)

[5.11] Silk Road 2.0 Seized, Alleged Operator Unmasked in FBI Crackdown (Nov 6, 2014)

The Federal Bureau of Investigation (FBI) together with the US Attorney for the Southern District of New York have announced that they have arrested ‘Defcon’, the operator of illicit black market website Silk Road 2.0.

At press time, the Silk Road 2.0 marketplace was no longer operational, with the website displaying a disclaimer that it had been taken down by Europol, Eurojust, the FBI, US Department of Justice and US Immigration and Customs Enforcement.

Authorities arrested 26-year-old San Francisco native Blake Benthall yesterday in his home city. He will appear in federal court today to face charges for activities he allegedly perpetrated while running the website.

In statements, Manhattan US Attorney Preet Bharara called Silk Road 2.0 a “nearly identical criminal enterprise” to its predecessor, Silk Road, which was seized and shut down in October 2013 following the arrest of its alleged operator Ross Ulbricht. Silk Road 2.0 has sought to provide an open, bitcoin-enabled online marketplace in the wake of Silk Road’s shutdown.

http://www.coindesk.com/silk-road-2-0-seized-alleged-admins-unmasked-fbi-crackdown/ (Nov 6, 2014)

Alleged Silk Road 2.0 Accomplice Arrested on Conspiracy Charges

Federal investigators have confirmed that another arrest has taken place in connection with black market website Silk Road 2.0.

Acting US attorney Annette Hayes announced that Brian Richard Farrell, 26, was arrested on Tuesday on suspicion of being a “key administrator” of Silk Road 2.0 under the pseudonym “Doctor Clu”.

Farrell’s arrest comes two months after Blake Benthall, the alleged leader of Silk Road 2.0, was arrested by federal authorities on counts of conspiring to commit drug trafficking, computer hacking, dealing in fraudulent documents and a count of money laundering conspiracy.

Farrell, who drew the attention of Homeland Security Investigations agents last July, has been charged with conspiracy to distribute heroin, methamphetamine and cocaine.

When the search warrant was served at Farrell’s residence in Seattle, agents seized $35,000 in cash as well as varied drug paraphernalia.

According to the criminal complaint, Farrell was allegedly involved “in activities such as approving new staff and vendors for the website, and organising a denial of service attack on a competitor”.

http://www.coindesk.com/alleged-silk-road-2-0-accomplice-arrested-conspiracy-charges/ (Jan 21, 2015)


6. Insider threat

Case studies:

6.1. Sheep Marketplace incident (Dec 2, 2013)

6.2. Silk Road 2.0 Feb ’14 incident (Feb 13, 2014)

6.3. PicoStocks incident (Nov 22, 2013)

6.4. Inputs.io TradeFortress incident (Oct 26, 2013)

6.5. ZigGap incident (Feb, 2013)

6.6. Bit LC incident (Feb 13, 2013)

6.7. Kronos.io incident (Aug 17, 2012)

6.8. Bitcoin7 incident (Oct 5, 2011)

6.9. SilkRoad Federal Agent Shaun Bridges & Carl Mark Force IV incident (March 30, 2015)

[6.1] Sheep Marketplace Incident (Dec 2, 2013)

Czech-based underground marketplace Sheep supposedly suffered a major breach causing the loss of 5400 BTC, which was passed down to its users. This official story is disputed, with many claiming the actual loss was far more severe. However, estimates of over 90000 BTC being stolen by the operator of Sheep were found to have accidentally tracked BTC-E internal wallet movements, thus discrediting this alternative explanation.[82]

https://bitcointalk.org/index.php?topic=576337#post_sheep_marketplace_incident (Dec 2, 2013)

[6.2] Silk Road 2 Incident (Feb 13, 2014)

Defcon, an administrator at underground marketplace Silk Road 2 (not to be confused with Silk Road), noticed that funds held for the escrow service were stolen in February 2014. “Transaction malleability”, an issue with the Bitcoin protocol at the time that also affected some other services, was blamed for the theft.[83] Others note that transaction malleability is unlikely to result in coins being stolen and believe the Silk Road 2 incident to be an inside job.

Several months after the incident, it was reported that Silk Road 2 was paying users back with funds earned from commissions.[85]

https://bitcointalk.org/index.php?topic=576337#post_silk_road_2_incident (Feb 13, 2014)
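The case study above names transaction malleability as the official explanation and notes that malleability by itself does not take coins from anyone. What it did break was services that tracked their own withdrawals by txid: a relayed copy of the same spend with re-encoded signature bytes confirmed under a different hash, the service saw "its" txid never confirm, and a badly written reconciliation step could re-send the payment. The following is an added example, not code from Silk Road 2 or any exchange: a toy (not wire-compatible) transaction serialisation that shows why the txid moves, beside a withdrawal ledger that reconciles on what the transaction spends and pays rather than on its hash. The transaction bytes are constructed sample data, and the padding used to simulate malleation stands in for the pre-BIP62 encoding tricks rather than reproducing them.

```python
"""Why txid-based withdrawal tracking failed under transaction malleability,
and a txid-independent way to reconcile confirmations. Toy model only."""
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize(tx: dict) -> bytes:
    """Simplified pre-SegWit layout. The scriptSig bytes are part of what gets hashed,
    so any party able to re-encode a signature without invalidating it changes the txid.
    (Single-byte lengths instead of varints: fine for this toy, not for real use.)"""
    buf = struct.pack("<I", tx["version"]) + bytes([len(tx["inputs"])])
    for prev_txid, vout, script_sig in tx["inputs"]:
        buf += prev_txid + struct.pack("<I", vout) + bytes([len(script_sig)]) + script_sig
    buf += bytes([len(tx["outputs"])])
    for value_sat, script_pubkey in tx["outputs"]:
        buf += struct.pack("<q", value_sat) + bytes([len(script_pubkey)]) + script_pubkey
    return buf + struct.pack("<I", tx["locktime"])


def txid(tx: dict) -> str:
    """Double-SHA256 of the serialised bytes, displayed byte-reversed as explorers do."""
    return sha256d(serialize(tx))[::-1].hex()


def malleate(tx: dict) -> dict:
    """Stand-in for a relay-side malleation: pad each scriptSig with one extra byte.
    Under the pre-BIP62 rules several re-encodings (alternate DER forms, the negated
    S value) kept a signature valid; here the padding only models 'same spend, new bytes'."""
    return {**tx, "inputs": [(p, v, b"\x61" + s) for p, v, s in tx["inputs"]]}


def spend_fingerprint(tx: dict) -> tuple:
    """Identity malleation cannot touch: which outpoints are consumed, what is paid where."""
    ins = tuple(sorted((p.hex(), v) for p, v, _ in tx["inputs"]))
    outs = tuple((val, spk.hex()) for val, spk in tx["outputs"])
    return ins, outs


def naive_is_confirmed(broadcast_tx: dict, confirmed_tx: dict) -> bool:
    """The pattern that failed: compare hashes. A malleated copy of our own spend
    looks like a stranger's transaction, and the withdrawal looks un-sent."""
    return txid(broadcast_tx) == txid(confirmed_tx)


class WithdrawalLedger:
    """Tracks pending withdrawals by spend fingerprint rather than by txid."""

    def __init__(self):
        self.pending = {}   # fingerprint -> withdrawal id
        self.settled = {}   # withdrawal id -> txid that actually confirmed

    def submit(self, withdrawal_id: str, tx: dict) -> None:
        self.pending[spend_fingerprint(tx)] = withdrawal_id

    def on_confirmed(self, confirmed_tx: dict):
        """Return the withdrawal this confirmed tx settles, or None if it is not ours.
        A second confirmation for the same spend cannot settle anything twice."""
        wid = self.pending.pop(spend_fingerprint(confirmed_tx), None)
        if wid is not None:
            self.settled[wid] = txid(confirmed_tx)
        return wid


# Constructed sample transaction (not real chain data): one input, one 1.5 BTC output.
SAMPLE_TX = {
    "version": 1,
    "inputs": [(bytes.fromhex("aa" * 32), 0, bytes.fromhex("47304402deadbeef"))],
    "outputs": [(150_000_000, bytes.fromhex("76a914" + "bb" * 20 + "88ac"))],
    "locktime": 0,
}

if __name__ == "__main__":
    seen_on_chain = malleate(SAMPLE_TX)
    print("broadcast txid :", txid(SAMPLE_TX))
    print("confirmed txid :", txid(seen_on_chain))
    print("naive match    :", naive_is_confirmed(SAMPLE_TX, seen_on_chain))
    ledger = WithdrawalLedger()
    ledger.submit("wd-1", SAMPLE_TX)
    print("fingerprint match settles:", ledger.on_confirmed(seen_on_chain))
```

The ledger also answers the question the case study raises: if a service reconciles on spent outpoints, a malleated confirmation settles the original withdrawal and nothing is paid twice, so a loss attributed to malleability implies either txid-keyed bookkeeping plus automatic re-sends, or a cause other than malleability.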

[6.3] PicoStocks Hack (Nov 22, 2013)

PicoStocks, a stock exchange using a novel means of circumventing legal regulation, reported that someone who previously had access to PicoStocks keys used them to defund both hot and cold wallets. Creditors were reportedly unaffected as, despite the magnitude of the loss, PicoStocks covered it completely.

https://bitcointalk.org/index.php?topic=576337#post_picostocks_hack (Nov 29, 2013)

https://bitcointalk.org/index.php?topic=252308.msg3675013#msg3675013 (Nov 22, 2013)

https://bitcointalk.org/index.php?topic=133147.msg3769061#msg3769061 (Nov 29, 2013)

[6.4] Inputs.io TradeFortress Hack (Oct 26, 2013)

Inputs.io, a web wallet service run by BitcoinTalk user TradeFortress, was supposedly “hacked” in October 2013 and was unable to repay user balances in full. There are many accusations of the hack being an inside job. TradeFortress had a contentious reputation and had supposedly scammed two separate people before this incident.[75][76] When the theft was announced in November 2013, TradeFortress began offering partial refunds; however, 4100 BTC was not paid back as that was the shortfall from the supposed “hack”. They shut down.

https://bitcointalk.org/index.php?topic=576337#post_inputs_io_hack (Oct 26, 2013)

Hackers steal $1.2 Million of bitcoins from Inputs.io, a supposedly secure wallet service

UPDATE (8th November, 13:06 GMT):

In a phone interview with Australia’s AM radio show Tradefortress responded to challenges that the theft was ‘an inside job’, though he insisted that he wouldn’t be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit.

When asked about his age, Tradefortress told the publication: “I’m over 18 but not much over.”

Tradefortress’s public identity still remains unknown; however, his reputation on Bitcointalk seems to be questionable, with at least two members claiming to have been scammed by him for failing to deliver on coding projects he had already been paid for. He has said that he wishes to retain his anonymity as he now fears for his safety in light of this recent heist.

Tradefortress also runs coinchat.com as well as coinlenders.com.

http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/ (Nov 7, 2013)

[6.5] ZigGap (Feb, 2013)

User aethero, who was originally a reputable Bitcoiner, founded ZigGap after two previously successful ventures, including BitPantry. Purporting to offer easy ways to purchase BTC, ZigGap saw little business. The founder seems to have also suffered mental illness in the latter stages of business operation.[54]

https://bitcointalk.org/index.php?topic=576337#post_ziggap (Feb, 2013)

The reason ZIGGAP is not currently up is because my competition has been selectively scamming me. You see, the following organizations are all run by the same group of organized crime and money launderers:

http://www.reddit.com/r/Bitcoin/comments/1crk44/did_anybody_else_just_see_this_posted_and_quickly/ (April 20, 2013)

[6.6] Bit LC Theft (Feb 13, 2013)

This alleged theft was unique in that coins held in the hot wallet were safe, but coins held in a cold wallet were compromised. The thief is not expected to have access to the coins regardless, so there was little financial gain from this theft. Erick, allegedly the only one with physical access to Bit LC Inc.’s cold wallet, has failed to communicate and withdraw coins. Bit LC Inc. therefore was required to declare bankruptcy. There is no proof that Erick intentionally stole the coins; indeed, some evidence asserts that he or she may simply have disappeared in some manner.

https://bitcointalk.org/index.php?topic=576337#post_bitlc_theft (Feb 13, 2013)


This “press release” will start off by explaining the situation that has been going on for the last month or so; if you’re only interested in what’s going to happen now, please scroll down to today’s date below.

January 2013

This was when we first got a warning from our internal monitoring system that there weren’t enough funds in our primary hot-wallet (which is used for payments out from the service and for deposits — a full system layout is available at the bottom of the page).

In January we had quite a few larger (1–200 BTC+) outgoing transactions which caused a few warnings.

This has happened many times before; it was just a warning. The system auto-adjusts the amount of funds available in all our wallets, based upon (among others) the number of incoming and outgoing transactions, the total amount of Bitcoins in those transactions and the amount of solved blocks.

It pretty much tries to guess next week’s outgoing transactions so as never to have more than a fixed amount of Bitcoins in the hot-wallet, in case of a security breach (which has never happened).

About a week or two after the first notification by the system, a more serious report was sent by the system. This time, both the hot-wallet and secure storage-wallet were close to depleted! Unfortunately, I had a fever at the time

http://web.archive.org/web/20130302231015/https://www.bitlc.net/ (Feb 13, 2013)
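The Bit LC release above describes a monitor that sizes the hot wallet from expected outflow and warned, late, when both wallets were nearly empty. The following is an added example, not Bit LC's system: it implements that sizing rule and pairs it with the check that catches an unauthorised drain early, comparing what the service's own ledger believes each wallet holds against what the chain shows. The cap, safety factor, tolerance, outflow history and wallet snapshots are all assumed or constructed values.

```python
"""Hot-wallet float sizing and depletion checks, modelled on the monitoring the
Bit LC release describes. Added example with assumed policy values; not Bit LC's code."""
from statistics import mean

HARD_CAP_BTC = 500.0      # assumed policy: never hold more than this in the hot wallet
SAFETY_FACTOR = 1.25      # assumed head-room above the forecast for withdrawal bursts
TOLERANCE_BTC = 0.01      # assumed ledger vs. on-chain mismatch allowed for fees/rounding


def forecast_weekly_outflow(daily_outflows, lookback_days=14):
    """Next week's expected withdrawals: recent daily average times 7, with head-room."""
    recent = daily_outflows[-lookback_days:]
    return mean(recent) * 7 * SAFETY_FACTOR


def target_hot_balance(daily_outflows, hard_cap=HARD_CAP_BTC):
    """Float to keep in the hot wallet: enough for a week, but never above the hard cap,
    so that a compromise of the online keys is bounded by policy rather than by luck."""
    return min(forecast_weekly_outflow(daily_outflows), hard_cap)


def check_wallets(ledger, onchain, daily_outflows, hard_cap=HARD_CAP_BTC):
    """Compare the service's ledger balances with on-chain balances, then check the
    hot float against policy.

    ledger / onchain: {"hot": btc, "cold": btc}. Returns a list of (severity, message).
    """
    alerts = []
    # 1. Ledger/chain mismatch on either wallet: coins left without a matching
    #    ledger entry. This is the signal that would have fired at the first
    #    unauthorised spend rather than when the wallets were nearly empty.
    for name in ("hot", "cold"):
        diff = ledger[name] - onchain[name]
        if abs(diff) > TOLERANCE_BTC:
            alerts.append(("critical",
                           f"{name} wallet: ledger {ledger[name]:.4f} BTC vs chain "
                           f"{onchain[name]:.4f} BTC (difference {diff:+.4f})"))
    # 2. Float policy: too little means failed payouts, too much means more exposed.
    target = target_hot_balance(daily_outflows, hard_cap)
    if onchain["hot"] < target:
        alerts.append(("warning",
                       f"hot wallet {onchain['hot']:.4f} BTC below weekly target "
                       f"{target:.4f} BTC; top up from cold storage"))
    elif onchain["hot"] > hard_cap:
        alerts.append(("warning",
                       f"hot wallet {onchain['hot']:.4f} BTC exceeds hard cap "
                       f"{hard_cap:.4f} BTC; sweep excess to cold storage"))
    return alerts


# Constructed sample: two weeks of daily outflows (BTC) and two wallet snapshots.
SAMPLE_OUTFLOWS = [18, 22, 20, 19, 21, 20, 20, 18, 22, 20, 19, 21, 20, 20]
HEALTHY = {"ledger": {"hot": 200.0, "cold": 3000.0},
           "onchain": {"hot": 200.0, "cold": 3000.0}}
DRAINED = {"ledger": {"hot": 200.0, "cold": 3000.0},   # ledger unaware of the drain
           "onchain": {"hot": 12.0, "cold": 40.0}}

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("drained", DRAINED)):
        print(label, check_wallets(snap["ledger"], snap["onchain"], SAMPLE_OUTFLOWS))
```

The forecast alone, as described in the release, only notices that the hot wallet is low, which also happens on a busy week; the ledger-versus-chain comparison is what distinguishes heavy legitimate withdrawals from coins leaving without a ledger entry, and it is the check worth paging someone for.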

[6.7] Kronos Hack (Aug 17, 2012)

Kronos.io, a Bitcoinica-esque startup, was hacked in an event shrouded in mystery even today. Led by Jonathon Ryan Owens, who was simultaneously running other new startups on GLBSE (an upstart Bitcoin “stock exchange”), Kronos.io hired several well-known Bitcoin personalities to do work with HTML and coding. One of these was Alberto Armandi, who was related to Bitscalper, a scam earlier that year.[36]

Alberto Armandi reportedly hacked into the website he himself helped code. The vulnerability was in the withdrawal script that Alberto coded, reportedly intentionally as a backdoor.[36] Although incredible, Armandi has also released a story denying he hacked the website. Instead, he blamed the theft on Jonathon Ryan Owens intentionally pocketing the majority of the funds with only 1000 BTC being stolen by an unknown hacker.[37]

https://bitcointalk.org/index.php?topic=576337#post_kronos_hack (Aug, 2012)

https://bitcointalk.org/index.php?topic=93445.msg1716297#msg1716297 (April 1, 2013)

My name is Alberto Armandi, I was born in Italy, 19/09/1983. I’m an internet entrepreneur who got caught in the Bitcoin phenomenon about one and a half years ago.

Before Bitcoin, I had tried to launch several startups on my own, Wozad being one, a system for targeting digital ads based on your browsing history. It was doing well until Google Inc decided to include the same type of targeting into their pervasive Adsense. The next effort was a hardware startup, Enso Limited, with which I launched the highly controversial Zenpad, an early 5-inch tablet powered by the Android operating system.

Enso managed to fail too, because of lack of funding, but my failed endeavours did not leave a trail of destruction behind as I had and still have the determination to face any kind of trouble.

https://bitcointalk.org/index.php?topic=101109.msg1105479#msg1105479 (Aug 17, 2012)

[6.8] Bitcoin7 Incident (Oct 5, 2011)

An upstart exchange at the time, Bitcoin7, rapidly grew to the third-largest USD exchange (behind then-leaders Mt. Gox and Tradehill) but then suffered a major debilitating hack, or so the official story goes. It is widely suspected that there was no hack and Bitcoin7's operators simply ran away with the funds.

Bitcoin7 shut down because of this hack. The magnitude served as a reminder to the Bitcoin community to stop trusting new exchanges without identification. The platform was, however, later sold for $10000 in 2013, and has since relaunched at Bitcoiner7.com while still being branded as Bitcoin7.

https://bitcointalk.org/index.php?topic=576337#post_bitcoin7_incident (Oct 5, 2011)

https://flippa.com/2999232-bitcoin-exchange-ready-to-launch-immediately-multi-currency-14-languages (June, 2012)

https://bitcointalk.org/index.php?topic=17043.msg559342#msg559342 (Oct 6, 2011)

[6.9] SilkRoad Federal Agent Shaun Bridges & Carl Mark Force IV incident (March 30, 2015)

Two federal agents who took part in the US government’s efforts to take down illicit online black market Silk Road have been charged with fraud for allegedly misusing funds denominated in bitcoin while on assignment.

Perhaps most notably, the Department of Justice (DOJ) alleges special agent with the US Secret Service (USSS) Shaun Bridges “diverted” more than $800,000 in digital currency to his personal accounts without authorization during the investigation.

Likewise, Drug Enforcement Administration (DEA) agent Carl Mark Force IV is purported to have “solicited and received” digital currency as part of the investigation into Silk Road, using “fake online personas” to “steal from the government and targets of the investigation”.

Both Bridges and Force are being charged with money laundering and wire fraud. Force has also been separately charged with the theft of government property.

http://www.coindesk.com/federal-agents-face-arrest-for-alleged-silk-road-bitcoin-theft/ (March 30, 2015)


7. DDoS

Case studies:

7.1. Silk Road 2.0 “Defcon” Sep ’14 DDoS (Sep 15, 2014)

7.2. BTC-E Apr ’14 DDoS (April 14, 2014)

7.3. Huobi Mar ’14 DDoS (March 26, 2014)

7.4. MPOS cross-industry Feb ’14 DDoS (March 2, 2014)

7.5. No-shock-awe Apr ’13 DDoS (April 24, 2013)

7.6. SatoshiDice Sep ’13 DDoS (Sep 6, 2013)

7.7. Bitcoin core Jun ’13 DDoS (June 25, 2013)

7.8. Bitcoin Mining Pools Mar ’15 DDoS (March 12, 2015)

[7.1] Silk Road 2.0 Hit by ‘Sophisticated’ DDoS Attack (Sep 15, 2014)

Online black market Silk Road 2.0 experienced a distributed denial-of-service (DDoS) attack last week, which forced the site’s administrators to temporarily suspend services.

News of the attack broke on bitcoin forums hours after it started, with the Silk Road team soon confirming the news via its own forums.

For reasons that are less clear, black market Agora has faced outage problems of its own in the last few days.

Silk Road remains defiant

Silk Road 2.0 moderator ‘Defcon’ issued a statement saying that the site was facing a “very sophisticated” DDoS attack using the most advanced methods the site has experienced to date.

The moderator said:

“The dev team is working around the clock to get marketplace service restored, as well as watch the security of our systems closely. Much of the downtime you have seen is intentional on our part: if this is an attempt to locate our servers through packet analysis, we do not want to make it easy for our adversary and would rather be offline while we adapt our defences.”

http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/ (Sep 15, 2014)

[7.2] BTC-e Back Online Following DDoS Attack (April 14, 2014)

BTC-e was down briefly on Sunday, following a powerful distributed denial of service (DDoS) attack against its servers.

DDoS attacks against bitcoin exchanges have gained notoriety since the ‘massive and concerted’ attack which targeted multiple organisations earlier this year.

However, in the current climate of uncertainty even a harmless attack can be misinterpreted, with speculation spreading like wildfire on social media. Luckily BTC-e was quick to confirm the attack and dismiss fears — it was just another DDoS attack, now all too common in the world of bitcoin.

DDoS attack on our server

— BTC-E (@btcecom) April 13, 2014

http://www.coindesk.com/btc-e-online-following-ddos-attack/ (April 14, 2014)

[7.3] Rumours, Panic and a DDoS Attack: Huobi’s Wild Week (March 26, 2014)

While everyone was preoccupied with bitcoin price drops after last Friday’s ‘fake Chinese bitcoin ban‘ news incident, something even more dramatic was happening at China’s largest exchange, Huobi, and its new litecoin trading system.

A ‘flash crash’ on the exchange saw the price plunge to just 1 RMB (Chinese yuan) a short time after a hoax news report of a complete government ban on digital currencies was posted on microblogging site Sina Weibo and reported by Sina’s financial news service.

The number of trades executed at that price is unknown, as is the total amount of money lost — either by the company or by traders who lost due to margin calls. However, soon after the incident, Huobi agreed to make its customers whole again at 70 RMB ($11.29) per LTC for anyone who sold below that level.

Furthermore, the company said, negative balances would be reset to zero — even those still in the red after the 70 RMB redress.

Huobi CEO Leon Li said litecoin volumes had recovered by about 80% since, and users seemed to be satisfied with Huobi’s resolution, but predicted that the full 100% recovery would take more time.

This incident was very similar to the bitcoin flash crash at BTC-e on 10th February, supposedly induced by panic in the aftermath of Mt. Gox’s suspension of all withdrawals. The price of 1 BTC dropped to $100 for just under two minutes, but that was long enough to do damage.

DDoS attack

That wasn’t the end of Huobi’s wild week, however. On Sunday 23rd March, the exchange suffered a crippling distributed denial of service (DDoS) attack that took its site offline for the whole day.

http://www.coindesk.com/rumours-panic-ddos-attack-huobis-wild-week/ (March 26, 2014)

[7.4] Coin Miners Dogged By Mining Pool Security Flaws (Feb 11, 2014)

Distributed denial-of-service attacks have posed an increasingly severe problem for cryptocurrency exchanges and mining pools in recent weeks.

Last month, several major pools in the mining community suffered debilitating DDoS attacks that resulted in significant delays, lost mining time and frustration for miners.

In extreme cases, as explained by TeamDoge administrator Forrest Fuqua, some pools received ransom messages from hackers demanding payoffs in exchange for pulling back their attacks.

Fuqua said that security flaws in the Mining Portal Open Source (MPOS) pool software commonly used throughout the community have made it all too easy for cyber attackers to disrupt mining activities and extract ransoms from pools.

He cited the example of Dogepool.pw, which suffered a serious attack on its database. He added:

“Dogepool.pw actually got their database hacked at one point, due to the fact of insecurities in the main pool software that everybody owns. Even the biggest mining pool for Litecoin uses it as their backend. It’s everywhere in their templates — they’re using the exact same framework. So some of these security exploits affect us all.”

http://www.coindesk.com/coin-miners-dogged-mining-pool-security-flaws/ (March 2, 2014)

[7.5] Bitcoin Exchanges Under ‘Massive and Concerted Attack’

A “massive and concerted attack” has been launched by a bot system on numerous bitcoin exchanges, Andreas Antonopoulos has revealed.

This has led to popular exchange Bitstamp putting a temporary halt on all bitcoin withdrawals, and BTC-e announcing possible delays on transaction crediting.

Antonopoulos, who is the chief security officer of Blockchain.info, said a DDoS attack is taking Bitcoin’s transaction malleability problem and applying it to many transactions in the network, simultaneously.

“So as transactions are being created, malformed/parallel transactions are also being created so as to create a fog of confusion over the entire network, which then affects almost every single implementation out there,” he added.

Antonopoulos went on to say that Blockchain.info’s implementation is not affected, but some exchanges have been affected — their internal accounting systems are gradually going out of sync with the network.

He emphasised that this isn’t affecting withdrawals, because most exchanges are not processing them automatically.

Mt. Gox is the exchange that has suffered the most over the past few days, due to a number of factors, said Antonopoulos. One problem is that it was using a custom client (not the core Bitcoin software), on top of that there is the DDoS attack, plus it was using an automated system to approve withdrawals.

“This is not happening to other exchanges because they’re not stupid enough to issue withdrawals without checking them out first,” he explained.

Antonopoulos said we will see a few exchanges suspend withdrawals temporarily while they re-work their accounting systems to ensure they are not confused by the attack.

http://www.coindesk.com/massive-concerted-attack-launched-bitcoin-exchanges/ (Feb 11, 2014)
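To make the accounting failure Antonopoulos describes concrete, here is an added Python model (not code from the article or from any exchange): a simplified transaction whose txid covers the signature bytes, a stand-in "malleation" that alters only those bytes, and two withdrawal ledgers, one keyed on txid and one keyed on the coins being spent. All structures, names and sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # hex id of the output being spent (the outpoint)
    prev_index: int
    script_sig: bytes   # signature/encoding bytes: NOT covered by the signature


@dataclass(frozen=True)
class TxOut:
    value: int          # satoshis
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]

    def serialize(self) -> bytes:
        # Simplified wire format (single-byte lengths); the point is only that
        # script_sig bytes are part of what gets hashed into the txid.
        buf = b""
        for i in self.inputs:
            buf += bytes.fromhex(i.prev_txid)[::-1] + i.prev_index.to_bytes(4, "little")
            buf += len(i.script_sig).to_bytes(1, "little") + i.script_sig
        for o in self.outputs:
            buf += o.value.to_bytes(8, "little")
            buf += len(o.script_pubkey).to_bytes(1, "little") + o.script_pubkey
        return buf

    def txid(self) -> str:
        return sha256d(self.serialize())[::-1].hex()

    def outpoints(self) -> FrozenSet[Tuple[str, int]]:
        """The coins this transaction spends; unchanged by malleation."""
        return frozenset((i.prev_txid, i.prev_index) for i in self.inputs)


def malleate(tx: Tx) -> Tx:
    """Stand-in for a relaying party re-encoding the signature (in 2014 this was,
    for example, a non-canonical DER encoding or an extra no-op push).  The signed
    content is untouched, so the transaction still validates and spends the same
    coins, but its txid changes."""
    mutated = tuple(TxIn(i.prev_txid, i.prev_index, b"\x00" + i.script_sig)
                    for i in tx.inputs)
    return Tx(mutated, tx.outputs)


def build_withdrawal() -> Tx:
    """Constructed sample: one input, one 0.5 BTC output to a customer."""
    funding = sha256d(b"constructed funding tx").hex()   # fake prior txid
    return Tx(
        inputs=(TxIn(funding, 0, b"constructed-signature-bytes"),),
        outputs=(TxOut(50_000_000, b"constructed-customer-script"),),
    )


class TxidLedger:
    """Fragile pattern: pending withdrawals keyed on txid."""
    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}

    def issue(self, tx: Tx, withdrawal_id: str) -> None:
        self.pending[tx.txid()] = withdrawal_id

    def on_confirmed(self, tx: Tx) -> Optional[str]:
        # A mutated txid is "unknown"; the original stays pending forever,
        # which is what tempted automated systems into re-sending.
        return self.pending.pop(tx.txid(), None)


class OutpointLedger:
    """Robust pattern: pending withdrawals keyed on the coins they spend."""
    def __init__(self) -> None:
        self.pending: Dict[FrozenSet[Tuple[str, int]], str] = {}

    def issue(self, tx: Tx, withdrawal_id: str) -> None:
        self.pending[tx.outpoints()] = withdrawal_id

    def on_confirmed(self, tx: Tx) -> Optional[str]:
        # Whatever the txid, if our inputs were spent, our payment went through.
        return self.pending.pop(tx.outpoints(), None)


def simulate(ledger) -> Tuple[Optional[str], int]:
    """Issue a withdrawal, have the network confirm a malleated copy, and
    report (matched withdrawal id, withdrawals still marked pending)."""
    tx = build_withdrawal()
    ledger.issue(tx, "W-1")
    confirmed = malleate(tx)
    return ledger.on_confirmed(confirmed), len(ledger.pending)


if __name__ == "__main__":
    print("txid-keyed:    ", simulate(TxidLedger()))      # (None, 1)
    print("outpoint-keyed:", simulate(OutpointLedger()))  # ('W-1', 0)
```

The txid-keyed ledger leaves the withdrawal pending after the network has already paid it out, which is the state an automated re-issue system must never act on; checking whether the withdrawal's inputs have been spent on chain is the reconciliation that survives malleation.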

‘Shock and awe’ DDoS campaign does neither (April 24, 2013)

A much-hyped distributed denial of service (DDoS) attack on several bitcoin exchanges failed to materialize this week.

A post (since deleted) on the text-sharing site Pastebin.com over the weekend had promised a massive attack on the bitcoin infrastructure for Monday, April 22. The stated goal was to bring the price of bitcoin down to $30 (US).

The promised attack, set to start at 15:30 UTC, was to involve the distribution of bogus press releases suggesting that the bitcoin exchange Mt. Gox was under investigation for securities fraud. Shortly afterward, the story was to be spammed on Reddit and updated with fake accounts.

“Several sellers lined up for a co-ordinated dump of 250,000+ BTC which will crash the price to under 100 to correlate in time with publication of bogus AP reports,” the attack blueprint stated. The dump was to be followed by a massive DDoS attack on nine major exchanges, including Mt. Gox.

The attacker(s) then promised to buy bitcoins from the Bitstamp exchange, which would be spared a DDoS attack, but would have been used earlier to dump bitcoins.

“You all know your stations, distribute this paste to the rest of the group as it won’t last long on the hidden wiki,” the text concluded. “Don’t let this get out to the public, we need the price to remain high at 120 leading up to the event for maximum effect.”

There were few reports of any extraordinary DDoS activity on Monday, and the price didn’t fall anywhere close to $30. In fact, Mt. Gox pricing finished slightly up on the day, at $127.50.

“It was a troll to begin with,” Mikko Hyppönen, chief research officer at the security software company F-Secure, told CoinDesk. “I don’t think there was any attack at all.”

Prior to the promised attack, Hyppönen had tweeted:

“Troll: ‘Operation Shock And Awe … Goal: Bring bitcoin price < $30 US dollars … ‘

http://www.coindesk.com/shock-and-awe-ddos-campaign-does-neither/ (April 24, 2013)

[7.6] SatoshiDice hit by DDoS attack, but bets continue (Sep 6, 2013)

Bitcoin gambling site SatoshiDice has recovered after being felled for several days by a DDoS attack.

The site went down several days ago, and was inaccessible from the Internet. Erik Voorhees, who created the site and sold it for $11.5 million in July, no longer runs the site, but naturally still has insights into how it operates. DDoS attacks happen a lot to bitcoin gambling sites, he said.

“They largely wasted their money,” he said of the attackers, pointing out that the website isn’t needed for the placing of bets. It simply provides information about bet statistics, and bitcoin addresses to send to.

http://www.coindesk.com/satoshidice-hit-by-ddos-attack-but-bets-continue/ (Sep 6, 2013)

[7.7] Bitcoin network recovering from DDoS attack (June 25, 2013)

Last week, the Bitcoin network suffered from a denial-of-service attack that forced the core development team to patch the core reference design.

Details are sketchy. CoinDesk first received word of the problem from core developer Jeff Garzik. “Currently dealing with an ongoing, network-wide event,” he told us in a hurried email.

Last Friday, Gavin Andresen announced a forthcoming 0.8.3 release of the reference implementation. “This will fix a denial of service attack that affects some network nodes,” he said, adding that details would be released after the fix.

Garzik differentiates between miners and nodes in the Bitcoin network. Non-mining nodes are not revenue generating, but instead relay transactions on a voluntary basis, for the good of the network. These nodes can be a point of attack for those wanting to harm the bitcoin network.

http://www.coindesk.com/bitcoin-network-recovering-from-ddos-attack/ (June 25, 2013)

[7.8] Bitcoin Mining Pools Targeted in Wave of DDOS Attacks (March 12, 2015)

AntPool, BW.com, NiceHash, CKPool and GHash.io are among a number of bitcoin mining pools and operations that have been hit by distributed denial-of-service (DDOS) attacks in recent days.

The incidents appear to have begun in the first week of March. For example, on 11th March, AntPool owner Bitmain sent an email to customers disclosing the DDOS attacks and advising external pool users to set up failsafe pools in the event of an outage.

According to many of the companies affected by the incidents, those behind the attacks demanded payment in bitcoin in return for stopping the attacks.

BW.com alerted customers via its official blog to possible service disruptions owing to DDOS attacks, but did not say whether or not a ransom notice had been sent. Other pools took to Bitcoin Talk to warn users about the DDOS attacks.

GHash.io operator CEX.io suggested that affected pools are seeing escalating DDOS threats, and said that the source of recent attacks on its pool came with increasing ransom demands.

http://www.coindesk.com/bitcoin-mining-pools-ddos-attacks/ (March 12, 2015)


8. Phishing

Case studies:

8.1. Blockchain wallet mass phishing incident (Aug 22, 2014)

8.2. Silk Road auction enquirers spear phishing incident (July 4, 2014)

8.3. Bitstamp phishing incident (Feb 20, 2014)

8.4. Coinbase phishing incident (Feb 7, 2014)

8.5. Bitcoin-24 phishing incident (May 2, 2013)

8.6. Blockchain.info phishing incident (April 29, 2013)

[8.1] Bitcoin’s Popularity Boosts Phishing Scam Success (Aug 22, 2014)

Bitcoin has fired the public imagination so intensely that even non-bitcoin users are falling for phishing scams that dangle the prospect of cryptocurrency riches in front of them, according to new research from digital security firm Proofpoint.

Proofpoint found that thousands of phishing messages disguised to look like emails from a Blockchain wallet were sent to addresses with no direct link to bitcoin. This is a departure from typical bitcoin phishing attacks that target known and active cryptocurrency users, according to the security firm.

The new attacks yielded a “staggeringly high” response rate of 2.7% from victims, suggesting that members of the general public were sufficiently attracted by a bitcoin lure to click on the malicious links.

http://www.coindesk.com/bitcoins-popularity-boosts-phishing-scam-success/ (Aug 22, 2014)

[8.2] Phishing Scam Targets US Marshals Service Bitcoin Auction List (July 4, 2014)

Individuals on the recipients list of the leaked US Marshals Service email to Silk Road auction enquirers are being targeted in a phishing attack, and at least one individual has fallen for the scam.

The Wall Street Journal confirmed that several individuals on the list received phishing emails from the same source. However, not all the individuals on the leaked email recipients list were targeted.

The unfortunate victim of the attack was Sam Lee of bitcoin arbitrage fund Bitcoins Reserve, which lost 100 BTC as a result.

The funds were sent by the firm’s chief technology officer, Jim Chen, after he received what seemed like an email request to do so from Lee. In fact, the funds ended up being sent outside the company to the attacker’s wallet. The transaction can be seen here, according to Lee.

http://www.coindesk.com/phishing-scam-targets-us-marshals-service-bitcoin-auction-list/ (July 4, 2014)

[8.3] Bitstamp Restores Withdrawals Following Security Scare (Feb 20, 2014)

Bitstamp is in the process of restoring full services to all accounts following an issue that prompted the bitcoin exchange to disable withdrawals to some users.

The move was a security precaution and the affected accounts have been notified of the problem.

Nejc Kodrič, Bitstamp’s CEO, told CoinDesk that some accounts have already regained withdrawal functionality.

Phishing fears

The decision to halt the withdrawals was made after Bitstamp detected an increased number of phishing attempts over the last few days.

Bitstamp says some clients had reported receiving suspicious emails. The correspondences were examined and were found to contain malware, so Bitstamp then took the ‘better-safe-than-sorry’ approach and temporarily disabled the accounts.

At the time of writing, no Bitstamp user has reported any missing funds. It is possible that the attack was completely unsuccessful, although it is still too early to say with certainty.

Bitstamp believes the attack was targeted at bitcoin users only, and its sole intent was to steal bitcoins.

Warning message

In an email sent to affected clients, the Bitstamp team stressed that the tech team’s response to the phishing attack was a necessary precaution given the risks of the situation, and gave advice on how to deal with any malware.

“As a precaution we have also applied this security measure to your account,” the exchange wrote. “If you have received any emails with suspicious content and have opened links or attachments, we highly recommend that you immediately contact a computer expert.”

Even if you think your computer is clean, it is probably best to play it safe, Bitstamp says:

“If you consider that your system was not affected we kindly ask you to contact security@bitstamp.net to re-enable the withdrawal function on your account.”

The company added that the decision to disable withdrawals is an inconvenience, but it should be viewed as part of the exchange’s important security measures, which were put in place to safeguard users’ accounts — and their funds.

http://www.coindesk.com/bitstamp-restores-withdrawals-following-security-scare/ (Feb 20, 2014)

[8.4] Coinbase Moves to Calm Security Concerns Amid Theft Reports (Feb 7, 2014)

Andreessen Horowitz-backed bitcoin wallet provider Coinbase confirmed via a company blog post on 7th February that “a small handful” of its customers have fallen victim to phishing attacks.

The reports of bitcoin wallet security vulnerabilities, however small, have nonetheless reverberated widely in an industry that is being increasingly cast in a shroud of uncertainty by the mainstream media.

A separate account of the incidents by online news source The Verge paints a very different picture of the situation, suggesting that the thefts, while in some cases the fault of Coinbase‘s users, were sizable and perhaps more frequent than has been reported.

The Verge confirmed what it called “a string of Bitcoin thefts that have hit the service in recent weeks”.

In its piece, it profiled the story of a Coinbase user named Jeff, who lost 10.6 BTC in bitcoins due to theft this December. What’s most unique about Jeff’s story, however, is that one month later, his refunded money was stolen from the service yet again.

The media outlet revealed that it has confirmed two separate thefts occurred to users on the service in addition to Jeff’s multiple thefts, for amounts of $16,000 and $5,000, respectively.

The sum total of the thefts, as noted by the piece, is roughly $40,000.

http://www.coindesk.com/coinbase-security-concerns-amid-theft-reports/ (Feb 7, 2014)

[8.5] The end for Bitcoin-24 exchange? (May 2, 2013)

in Europe, has been offline for the last two weeks after its Polish and German bank accounts were closed.

Simon Hausdorf, the owner of the exchange, is currently awaiting legal action from the German prosecutor’s office, which has said he is suspected of fraud in connection with bitcoin sales via Bitcoin-24.

The exchange’s customers began complaining earlier in the month, after the site began refusing withdrawals.

“Our Service is momentarily not available,” the website stated.

On April 12, one customer posted a threat of legal action against Hausdorf.

Eventually, posting under his username TAIS46 on the popular Reddit site, Hausdorf blamed the problem on German and Polish banks. He complained they were alarmed by fraudulent transactions sent to his exchange after criminals hacked his customers’ accounts via phishing attacks.

http://www.coindesk.com/the-end-for-bitcoin-24-exchange/ (May 2, 2013)

http://www.reddit.com/r/Bitcoin/comments/1c7utl/bitcoin24com_the_polish_authority_closed_your_our/ (2013)

[8.6] Blockchain.info gets tough on phishing (April 29, 2013)

Wallet and block exploring service Blockchain.info has upgraded its security, apparently in response to a phishing campaign.

The company has beefed up the security on its Android wallet app, adding a PIN to the application to stop people from unauthorized access.

According to reports from users, the company has also begun notifying people who attempt logins from untrusted computers. It asks them to confirm their login attempts, and informs them of the time, the IP address and the browser type being used to request access.

“If this login attempt was not made by you this email can be safely ignored however be aware someone may know your wallet alias,” the email reportedly says.

http://www.coindesk.com/blockchaininfo-gets-tough-on-phishing/ (April 29, 2013)


9. Coin loss

Case studies:

9.1. Bitomat.pl Loss

9.2. James Howells £4m loss

9.3. Stefan Thomas Loss

9.4. Stone Man Loss

[9.1] Bitomat.pl Loss

Bitomat.pl, during a server restart, had its remote Amazon service that housed the wallet wiped. No backups were kept. Mt. Gox later bailed bitomat.pl out, and neither customers nor original owners suffered any loss from the incident.


[9.2] Missing: hard drive containing Bitcoins worth £4m in Newport landfill site

A digital ‘wallet’ containing 7,500 bitcoins that James Howells generated on his laptop is buried under four feet of rubbish. Somewhere under four feet of mud and rubbish in the Docksway landfill site near Newport, Wales, in a space about the size of a football pitch, is a computer hard drive worth more than £4m.


James Howells Loss

A hard drive containing keys to bitcoins generated in 2009 was accidentally thrown away in 2013 after a period of meteoric price rallies. The owner, James Howells, reportedly attempted to retrieve the money by going to the landfill where the hard drive was buried, but gave up after learning of the difficulty of retrieving trash.[61]


[9.3] Stefan Thomas Loss

Stefan Thomas, an early adopter (and eventually developer) of Bitcoin, uses this loss to teach other Bitcoiners the importance of backups — many of them. He had three copies of his wallet, and yet lost all of them.


But even some sophisticated early adopters had trouble keeping their bitcoins safe. Stefan Thomas had three copies of his wallet yet inadvertently managed to erase two of them and lose his password for the third. In a stroke, he lost about 7,000 bitcoins, at the time worth about $140,000. “I spent a week trying to recover it,” he says. “It was pretty painful.” Most people who have cash to protect put it in a bank, an institution about which the more zealous bitcoiners were deeply leery. Instead, for this new currency, a primitive and unregulated financial-services industry began to develop. Fly-by-night online “wallet services” promised to safeguard clients’ digital assets.


[9.4] Stone Man Loss

Due to not keeping proper wallet backups, 8999 BTC sent as change were effectively destroyed when the private key controlling them was lost.



10. Software bug or human mistake

Case studies:

10.1. Huobi sends $400k to wrong user accounts

10.2. Blockchain.info database glitch

10.3. Just-Dice ‘dooglus’ incident

[10.1] Huobi Sends $400k to Wrong User Accounts (Sep 25, 2014)

One of China’s top exchanges, Huobi, revealed that it temporarily lost 920 BTC and 8,100 LTC — worth about $411,000 — yesterday, but added that it had recovered the majority of the assets.

Huobi posted on its official Weibo account that a customer service representative had erroneously deposited the coins to 27 user accounts.

http://www.coindesk.com/huobi-sends-400k-wrong-user-accounts/ (Sep 25, 2014)

[10.2] Database Glitch Causes Blockchain.info Outage (March 18, 2014)

The bitcoin wallet and block explorer service Blockchain.info has been down since late last night (17th March) and it seems the issue is bigger than originally anticipated.

A problem first came to light when a reddit user started a thread about a failed ‘shared coin’ transaction. Blockchain.info responded to his post and quickly moved to disable shared coin functionality.

The move was followed with a tweet letting users know that shared coin transactions had been suspended pending the outcome of an investigation:

“We have temporarily suspended shared coin transactions while investigating some transactions that are ‘stuck’. The particular transaction in question is https://blockchain.info/tx-index/115315411/10. Rebroadcasting this transaction in bitcoind results in Error code -22.”

Shared coin transactions were re-enabled four hours later, but further issues came to light and blockchain.info was taken down soon after.

http://www.coindesk.com/blockchain-info-outage-caused-database-glitch/ (March 18, 2014)

[10.3] Bitcoin gambler cheats SatoshiDice competitor Just-Dice out of 1,300 BTC (July 15, 2013)

The owner of bitcoin betting site Just-Dice, a rival to SatoshiDice, had a severe moment of panic a few days ago when a user taking advantage of a human error caused him to lose 1,300 bitcoins (around $116,090 at the time of writing).

Known only as ‘dooglus’, the owner revealed on the Bitcoin Talk forum that he had made something of a colossal mistake. What happened was this: a player won a load of bitcoins on the site and asked to withdraw them, dooglus paid out, but forgot to remove the balance from the user’s Just-Dice account. The user then gambled — and lost — the bitcoins that were left in his account and dooglus covered the loss out of his own pocket.

When he realised his mistake, dooglus contacted the user, who claimed he had left his laptop in a café and that someone else logged onto his Just-Dice account and gambled the money.

http://www.coindesk.com/bitcoin-gambler-cheats-satoshidice-competitor-just-dice-out-of-1300-btc/ (July 19, 2013)

(Just Dice Incident)

A player on Just-Dice.com with an especially large balance asked to withdraw 1300 BTC. Because the hot wallet did not contain that much money, Just-Dice.com operator “dooglus” manually processed the transaction from the cold wallet. However, “dooglus” forgot to remove the balance from Just-Dice.com’s database. The Just-Dice.com user then proceeded to bet the fake balance on the gambling website and subsequently lost it all. Because of the way Just-Dice.com is structured, the website lost money even though the malicious user did not earn any money from the theft.

To recoup losses, the operator rolled back the gambling losses and corrected the wrong balance. This resulted in losses for all “investors” of Just-Dice.com; however, the operator explains that nobody actually lost money because the bet should never have happened. In conclusion, it seems that odd decisions on the malicious user’s part and probability ensured no actual loss from the incident, even though 1300 BTC was stolen. The amount was simply lost back to Just-Dice.com thanks to luck in the website’s favour.

https://bitcointalk.org/index.php?topic=576337#post_justdice_incident (July 15, 2013)


11. Hoax news to manipulate market

Case studies:

11.1. Russian Prosecutor’s Office: BTC-e Investigation Report was a Hoax (Feb 3, 2014)

11.2. BTC Price Declines Following False Report of Bitcoin Ban in China(March 21, 2014)

[11.1] Russian Prosecutor’s Office: BTC-e Investigation Report was a Hoax (Feb 3, 2014)

BTC-e, one of the largest bitcoin exchanges on the market, was rocked following an announcement published on the website of the Prosecutor’s Office of the Volgograd region on Monday. The statement claimed BTC-e was “under investigation” by the office and it quickly generated plenty of fear, uncertainty and doubt (FUD).

However, it now seems fear mongering was the sole goal of the statement, which was apparently fake. The prosecutor’s office has issued another statement, saying its website had been hacked and the initial announcement was posted by hackers.

Very good timing

This is not the first time Russian government institutions have been piggybacked to disseminate FUD. Last month a number of sites and forums published a set of amendments put before Russian lawmakers, wrongly implying that Russia could move to ban digital currencies altogether. Last week the Bank of Russia issued a statement saying that the issuance of alternative currencies in the Russian Federation is prohibited.

http://www.coindesk.com/russian-prosecutors-office-btc-e-investigation-hoax/ (Feb 4, 2014)

BTC-e Downplays Concerns of Criminal Investigation, Now Revealed as Hoax

UPDATE (4th February, 08:43 GMT):

New information has come to light that shows the criminal investigation may have in fact been a hoax.

— — — — — — — — — — -

The eighth largest bitcoin exchange by volume, BTC-e is now “under investigation” by the Prosecutor’s Office of the Volgograd region in Russia.

http://www.coindesk.com/btc-e-concerns-russian-criminal-investigation/ (Feb 3, 2014)

[11.2] BTC Price Declines Following False Report of Bitcoin Ban in China (March 21, 2014)

Updated 15:00 GMT: Updated with commentary from co-founder of BitAngelsClub Eric Gu.

A false report published on a financial news feed run by Chinese microblogging site Sina Weibo was responsible for the sharp decline in bitcoin prices across China’s biggest exchanges today (21st March).

At 10:22 am GMT, Sina’s financial live feed issued a now-retracted news report indicating that China’s central bank, the People’s Bank of China (PBOC), would move to halt all bitcoin transactions in the country effective 15th April.

If true, the news would have interrupted a period of improved relations between the burgeoning bitcoin ecosystem and the nation’s lawmakers, but coincided with the PBOC’s temporary ban on QR codes issued last week.

Read the initial news statement from Sina:

“It is rumored that on March 18th the PBOC had issued a notice calling for all bitcoin transactions to be halted by April 15th. As of today the PBOC has not confirmed nor denied the statement.”

http://www.coindesk.com/bitcoin-price-declines-following-false-report-chinas-bitcoin-ban/ (March 21, 2014)


12. 51% attack

Case studies:

12.1. Feathercoin hit by 51% attack (June 10, 2013)

[12.1] Feathercoin hit by massive attack (June 10, 2013)

Feathercoin, the new Scrypt-based coin based on Litecoin, suffered a widespread attack over the weekend, leaving its founder scrabbling for fixes.

The method for the assault was a 51-percent attack, which occurs when someone gains enough hash rate to create his or her own blockchain. This gives the attacker the ability to bring the authority of the original blockchain into question, and creates “orphan” blocks in that blockchain.

It was the latest in a series of attacks against the coin, said Peter Bushnell, the UK-based founder of the altcurrency — but this one was different.

http://www.coindesk.com/feathercoin-hit-by-massive-attack/ (June 10, 2013)
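As an added worked calculation (not from the article or the Feathercoin project): Nakamoto's catch-up probability, which shows why "enough hash rate" is a cliff rather than a slope. Below half the hash rate each confirmation cuts the reorg risk; at or above it the private chain overtakes the public one with certainty, however many confirmations a payment has. The helper names and the depth table are my own.

```python
import math
from typing import Dict, Optional, Tuple


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner controlling fraction q of the hash rate
    eventually builds a longer chain than the honest network after a payment
    has z confirmations (Nakamoto's gambler's-ruin calculation).

    Constructed example, not code from the article. Assumes both sides mine
    continuously and that hash rate is the only resource that matters."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0          # majority hash rate: the private chain wins for sure
    if z == 0:
        return 1.0          # nothing to catch up with
    lam = z * q / p         # expected attacker progress while honest miners add z
    total = 0.0
    for k in range(z + 1):
        # Poisson term computed in log space so large z does not overflow
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        total += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, z_limit: int = 1000) -> Optional[int]:
    """Smallest confirmation count that pushes the reorg risk below max_risk,
    or None when no count does: the 51% case, where waiting longer never helps
    (also None if the answer exceeds z_limit)."""
    if q >= 0.5:
        return None
    for z in range(z_limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def risk_table(q: float, depths: Tuple[int, ...] = (0, 1, 2, 4, 6, 10)) -> Dict[int, float]:
    """Reorg probability at several confirmation depths for hash share q."""
    return {z: attacker_success_probability(q, z) for z in depths}


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.51):
        table = {z: f"{pr:.6f}" for z, pr in risk_table(q).items()}
        print(f"q={q:.2f}", table, "confirmations for <0.1% risk:",
              confirmations_needed(q, 0.001))
```

For q=0.10 the function reproduces the whitepaper's table (about 0.0009 at six confirmations is reached at z=5), while for q=0.51 every depth returns 1.0, which is the situation the founder quoted above was facing.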


13. Government bans

Case studies:

13.1. Bitcoin Foundation Bangladesh Suspends Operations (Sep 19, 2014)

[13.1] Bitcoin Foundation Bangladesh Suspends Operations (Sep 19, 2014)

The Bitcoin Foundation has issued a new statement suggesting that it is currently investigating whether bitcoin and digital currency transactions are now illegal in Bangladesh.

However, citing general uncertainty surrounding this week’s statements from the Bangladesh Bank, the Bitcoin Foundation Bangladesh, the organisation’s first Asia-based affiliate, will suspend operations.

http://www.coindesk.com/bitcoin-foundation-bangladesh-ban-bitcoin/ (Sep 19, 2014)


14. Social engineering

Case studies:

14.1. Canadian Bitcoin Exchange Loses $100k in Unorthodox Attack (March 16, 2014)

[14.1] Canadian Bitcoin Exchange Loses $100k in Unorthodox Attack (March 16, 2014)

Ontario-based bitcoin buying and selling service Canadian Bitcoins has revealed that it was the victim of an unusual attack last October that resulted in the loss of 149.94 BTC ($100,000).

The Ottawa Citizen reports that an unidentified scammer contacted a technical support agent at its now former web hosting service, Granite Networks, claiming to be owner James Grant. Using only the owner’s name, the thief was allegedly able to have the site reboot into recovery mode, allowing him to bypass all protections on the server.

The media outlet indicates that it has obtained a text copy of the chat transcript between the web hosting company and the male suspect, and that the results are particularly damning for Granite Networks.

The newspaper concluded:

“At no point during the nearly two-hour-long conversation was the caller asked to verify his identity.”

The news follows several high-profile attacks that were more sophisticated in nature, including most notably the loss of millions in customer funds by now-bankrupt Japan-based exchange Mt. Gox and the theft of 12.3% of Poloniex’s bitcoins earlier this March.

http://www.coindesk.com/canadian-bitcoin-exchange-lose-100000-in-attack/ (March 20, 2014)

Ottawa bitcoin exchange defrauded of $100,000 in cyber currency

“It’s ridiculous,” said the real James Grant when asked about the incident. “There was absolutely zero verification of who it actually was.”

According to a text copy of the chat session obtained by the Citizen, at no point during the nearly two-hour-long conversation was the caller asked to verify his identity. After being asked, the technical support worker gained access to Grant’s locked server pen, plugged in a laptop and then manually gave the fraudster access to Canadian Bitcoins servers, where he cleaned out a wallet containing 149.94 bitcoins, valued at around $100,000.

http://www.ottawacitizen.com/business/Ottawa+bitcoin+exchange+defrauded+cyber+currency/9628321/story.html (March 16, 2014)



Wayne Huang

CEO & Co-Founder, XREX. Security expert, entrepreneur, ex Proofpoint (NASDAQ: PFPT), Co-Founder & CEO, Armorize. https://wayne.xrex.io