Bitcoin Incentive for Fraud; Two More Exchanges Hacked
Posted on 03/05/2014 7:48:57 AM PST by Kaslin
Two more bitcoin exchanges were robbed in the past few days. "Flexcoin" lost all online coins and shut its doors.
Flexcoin admitted it did not have resources to cover 896 stolen bitcoins, worth £365,000 (about $608,200). Bitcoins in Flexcoin's "cold storage" (offline), for which depositors have to pay a fee, were not affected.
"Poloniex", the other hacked bitcoin site, admitted that it is missing 12.3% of its assets because of a flaw in its transaction system. Its owner apologized and will keep its exchange running.
The Guardian reports Bitcoin Bank Flexcoin Closes After Hack Attack.
Flexcoin has been forced to close after hackers stole 896 bitcoins, worth £365,000, in an attack on Sunday. The company shut its website and posted a statement on Tuesday morning detailing the loss.
"On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet," the statement read. "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately."
Not all of the company's assets were stolen. In line with best practices for running a bitcoin financial service, Flexcoin held some bitcoins in cold storage, keeping them on devices not connected to the internet. Those bitcoins are safe, but only users who explicitly requested their bitcoins be held in cold storage (and paid a 0.5% fee) benefit.
"Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity," the statement continues. "Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. Flexcoin will attempt to work with law enforcement to trace the source of the hack."
Just six days ago, the company was boasting that it was unscathed by the closure of MtGox, once the world's largest bitcoin exchange:
The same day the company came clean about its losses, a second bitcoin firm, Poloniex, also admitted that 12.3% of its reserves had been stolen by hackers. Poloniex is a bitcoin exchange, and the company has committed to operating at a fractional reserve until it can replenish the losses itself.
"Poloniex" Robbed of 12.3% of Assets, Owner Apologizes
The problem at Poloniex stems from a flaw in Poloniex's system that processed bitcoin transactions simultaneously rather than sequentially, ultimately allowing negative balances.
On the Bitcoin Forum, Poloniex owner Busoni explained how it happened and apologized to the bitcoin holders.
What Did Poloniex Do Wrong?
The major problem here is that the auditing and security features were not explicitly looking for negative balances. Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.
What Did Poloniex Do Right?
The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.
What Happens Now?
I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.
The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this.
If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.
Right now, all markets and withdrawals are still frozen, and they will remain that way until the negative balance watcher is written and in place and balance deductions are calculated. Please do not bother placing withdrawals right now, as they will not be processed and will probably all be cancelled before functionality resumes. ETA on availability of withdrawals is approximately 12 hours. I am afraid it is 3 AM where I am right now, and I think it is wise for me to get some rest before proceeding.
I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.
I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.
Given that a log makes a record of every transaction, and given this hack recently occurred, it should be possible to track the missing bitcoins.
Bitcoins.Com explains "All newly mined Bitcoins, along with every transaction, are publicly recorded and verified through the network. This record is known as the Blockchain and is one of the features that helps keep the system secure from fraud and abuse. Bitcoins cannot be duplicated or forged."
Tracking the stolen bitcoins is easy enough; recovering the stolen money is another matter. The thieves likely traded the bitcoins for cash and now a third party is holding the coins.
Sense some lawsuits regarding ownership of the stolen bitcoins?
Incentive for Fraud
Note the huge incentive for insider fraud at these sites. The owner or owners of these bitcoin exchanges can easily arrange for bitcoins to be stolen.
I do not propose that happened in either case above, I just mention the possibility.
Inside Japan's Bitcoin Heist
Some do accuse Mt.Gox of fraud but the Daily Beast dismisses that idea. Please consider Inside Japan's Bitcoin Heist.
The Daily Beast was able to speak with a former employee of Mt. Gox, on the condition of anonymity, due to a nondisclosure agreement with the company. According to the former employee's testimony and other expert analysis, it seems very likely that the collapse of Mt. Gox was not a criminal fraud but the result of poor management, faulty accounting, and system bugs that went unfixed many months after being recognized by the CEO himself. The final nail in the coffin was the unauthorized release of an internal document that was supposed to serve as the groundwork for saving the company. It is unclear who leaked the document--which was an unfinished draft of a plan of action.
Essentially, said the former employee, Mt. Gox was a dysfunctional organization. Nobody was doing accounting reconciliation and there was an exploitable fault in the transaction system that allowed people to get paid twice--or in other words, withdraw more or less the same amount of Bitcoins two times.
And it does seem true that Bitcoins are very hard to forge or duplicate. Unfortunately, if you know what you're doing, they may be easy to steal. Or if you're not careful, they may be very easy to lose.
Karpeles informed the former employee that an estimated 820,000 Bitcoins were unaccounted for--at the time, the equivalent of close to $500 million. The former employee was told the Bitcoins had possibly been siphoned off over several months by users exploiting flaws in the system. In particular, there seemed to be a system glitch that made it possible to get a payment reissued even after it had been already received. He says that because the firm hadn't hired an accounting firm to keep the books or an auditor, the theft was undetected.
Teikoku Data Bank, Japan's largest and most respected credit-rating agency, in July of last year reviewed the company and gave it a D4, the worst possible rating a company can receive on their scale. One of the reasons for the low rating was the lack of qualified accounting staff at the company.
Are you holding bitcoins? If so, what kind of auditing is in place at the exchange you hold them? Are they in cold storage? Should they be?
Accounting procedures at Mt.Gox were so bad it did not matter whether or not you had the transactions in cold storage.
Bitcoin Price and Fraud Go Hand in Hand
One final question: Is the runup in price directly related to fraud and theft?
Yes, two ways.
1. Increasing value of bitcoins made them an ideal target
2. Fraudsters who stole bitcoins had an incentive to artificially drive price higher knowing they could take out more than they put in, at more than one bitcoin exchange, and in more than one way.
How high would the price of bitcoin have gotten in the absence of those incentives?
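The simultaneous-versus-sequential withdrawal flaw and the negative-balance watcher described in the Poloniex statement above, as an added example that is not Poloniex's code and not part of the original post. It assumes the balance check and the debit were separate steps; the `Ledger` class, the account name and the amounts are hypothetical.

```python
import threading

class Ledger:
    """Toy in-memory ledger; accounts and amounts are constructed sample data."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def withdraw_racy(self, user, amount, gate):
        # Flawed: check and debit are separate steps, so two requests can both pass.
        approved = self.balances[user] >= amount
        gate.wait()  # test aid: hold every request here until all have checked
        if approved:
            with self._lock:
                self.balances[user] -= amount
        return approved

    def withdraw_queued(self, user, amount):
        # Fixed: check and debit are one critical section, so requests queue up.
        with self._lock:
            if self.balances[user] < amount:
                return False
            self.balances[user] -= amount
            return True

    def negative_balances(self):
        # Audit pass: the explicit negative-balance check.
        return {u: b for u, b in self.balances.items() if b < 0}

def run_simultaneously(request, count):
    results = []
    threads = [threading.Thread(target=lambda: results.append(request()))
               for _ in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)

def demo_racy():
    ledger = Ledger({"alice": 10})
    gate = threading.Barrier(2)
    approved = run_simultaneously(lambda: ledger.withdraw_racy("alice", 10, gate), 2)
    return approved, ledger.balances["alice"], ledger.negative_balances()

def demo_queued():
    ledger = Ledger({"alice": 10})
    approved = run_simultaneously(lambda: ledger.withdraw_queued("alice", 10), 2)
    return approved, ledger.balances["alice"], ledger.negative_balances()
```

In the racy run both requests are approved against the same 10 units and the audit reports the account at -10; in the queued run the second request is refused and the audit comes back empty.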
How much do you suppose those Bitcoin signs will be bringing on eBay in a couple of months?
Is this take-down being orchestrated by our government?
What I don’t understand is that the whole lure of Bitcoin was its decentralization of the control of the assets.
Then people put their Bitcoins in a centralized location (Hot Wallet on the site) when they could have kept all of their Bitcoins on a local machine, with backups, and would not be affected by anything that happened at a transaction site other than the possible loss of Bitcoins that were involved in an active transaction.
If they gave up the security of decentralization simply for the added convenience, then I can’t really drum up a whole lot of sympathy.
Been following the Bitcoin stuff out of curiosity. Not surprised by any of this. Even banks still battle with fraudulent withdrawals.
No. Probably being done by the Chinese government, who realized Bitcoin was being used by Chinese nationals to expatriate capital against their laws.
Thirty trillion Bitcoins.
Some of the biggest BTC exchanges are in China, and the Chinese are still active traders.
According to Chinese officials, bitcoin has no legal status or monetary equivalent and financial institutions shouldn't treat it as legal tender, however it can be traded as a commodity on the internet.
and
Following the collapse of Bitcoin exchange Mt. Gox, Japanese regulators are laying down the law -- and considering treating the digital currency in the same manner as gold.
Treating BTC as a commodity is the exact correct approach. If you have gold in a bank's security deposit box, don't hold your breath waiting for a refund if it's stolen.
This is why I keep mine in a jar buried in the backyard.
I have them and will NOT give them back!!!
No problem; as AlGore has just revealed that they are safe - hidden away in a lockbox.
It’s the illusion of security. People are afraid their computer will be hacked, or they’ll grab a virus, or their computer will crash, but some central repository says they’re secure... I wouldn’t want to keep thousands of dollars of virtual money on my PC, especially not my old PC that was going through death throes. Of course I wouldn’t keep it in some random website either. If I got a bitcoin my #1 goal would be to turn it into cash in my normal bank by the end of the day.
No, it’s people that don’t actually understand security learning hard lessons that the normal banking industry had to learn a long time ago. They didn’t realize that when there’s hundreds of thousands or even millions of dollars in your web exposed 1s and 0s you’re a target. Just look at the hauls these thieves are getting, that’s a lot of motivation.
At least with Iraqi Dinars you can paper your wall with them...
Not to worry. This is just more bad-apple-shakism occurring. As soon as all of the BitCoins have been stolen, the rest will be a safe investment.
That’s why you keep a copy of your Bitcoins on some type of external storage. Something as simple as a USB thumb drive is fine. You can spread copies to several devices for redundancy.
If someone steals a copy, they can’t do anything with them as they do not have the private keys (which hopefully you made sure you have somewhere safe in a separate location from the Bitcoins) for them.
I don’t have any Bitcoins either, I just find the tech fascinating.
External storage will protect against crash, but not theft because eventually you have to have a copy plugged into your computer and if you have wallet stealing malware it’s gone.
And keys only matter if that’s how you store them, for usage bitcoins are their own key. Which is part of why they’re so stealable. For all intents and purposes they’re the real version of movie bad guys’ favorite target German Bearer Bonds, only you can sell them in minutes.
If I were to sell my shares of gold, wouldn't I get dollars, not actual gold? Would I be allowed to get gold if I cashed out?
As far as the bank security box, I hadn't thought about that. I would assume that one could take it out, but if it's stolen, what proof would you have that it was in there to begin with?
This bitcoin thing never won me over. If it's not something you can physically possess, it's a matter of faith that you actually own it. Or in this case, that it actually exists.