Bitcoin Heists Cause More Trouble

Published : 22/11/2024   Category : security




Attackers continue to pummel bitcoin banks, exchanges, and crypto-currency users themselves via malware that steals virtual wallets.



Self-styled bitcoin bank Flexcoin this week announced that it's been forced to shut down after online thieves stole 896 bitcoins, worth nearly $600,000.
"As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately," the Alberta, Canada-based company said in a statement. "Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent. We've failed our customers, our business, and ultimatley (sic) the Bitcoin community."
The bitcoin bank generated profits by charging users 0.01 BTC (bitcoins), or 0.005% of the total transfer amount -- whichever was greater -- whenever they transferred bitcoins outside of Flexcoin. Users earned interest on their deposits in the form of discounts on their own out-of-bank transfers.
This is but the latest in a string of recent incidents that have rocked the crypto-currency system.
Flexcoin: Hackers exploit withdrawal system flaw
The Flexcoin hacker exploited the fact that bitcoins could be freely transferred from one Flexcoin account to another. By sending thousands of simultaneous requests, the attacker was able to move coins from one user account to another until the sending account was overdrawn, before balances were updated, according to the company's statement.
Anyone who had funds stored in Flexcoin's Internet-connected hot wallet won't get them back. While the three-year-old Flexcoin advertised itself as the bitcoin bank, as the company noted in its terms of service, "technically we're not a licensed bank," and that "Flexcoin Inc is not responsible for insuring any bitcoins stored in the Flexcoin system."
On the upside, however, the attacker didn't steal bitcoins stored in Flexcoin's offline, cold-storage service. Flexcoin said it would be contacting anyone with bitcoins in cold storage and transferring the virtual currency to them directly, after first verifying their identity.
Mt. Gox shutdown: Source code leaked
Flexcoin's failure follows the demise of Mt. Gox, which was once the world's third-largest bitcoin exchange. Friday, the Japan-based company filed for bankruptcy, saying that hackers stole about $500 million in bitcoins stored by the site.
Evidence that the 850,000 missing bitcoins were obtained via a hack attack arrived Sunday, when 1,719 lines of PHP code were posted to Pastebin. The code included the SSH keys required to connect to Mt. Gox's transaction-processing server, which would have allowed an attacker to redirect transactions or drain users' bitcoin wallets, Ars Technica reported.
Last week, Flexcoin boasted about not being affected by the Mt. Gox shutdown. "We hold zero coins in other companies, exchanges, etc.," Flexcoin tweeted. "While the Mt. Gox closure is unfortunate, we at Flexcoin have not lost anything."
Poloniex hacked: Owner launches bitcoin reimbursement program
Flexcoin and Mt. Gox weren't the only crypto-currency exchange -- a.k.a. darkcoin trading -- sites to have been successfully exploited in recent weeks. Notably, crypto-currency exchange Poloniex Tuesday revealed that an online attacker successfully stole 12.3% of the exchange's bitcoins -- worth about $50,000, based on the attacker's Bitcoin address and the currency's market value that day -- after exploiting a flaw in the site's withdrawal system. The attack was stopped, however, after the exchange's security controls noticed unusual withdrawal activity.
The flaw allowed the attacker to withdraw more money than his or her account balance should have allowed because the system failed to process withdrawals in a sequential fashion. "The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time," Poloniex owner Busoni said on Bitcoin Forum. "This will result in a negative balance, but valid insertions into the [Poloniex] database, which then get picked up by the withdrawal daemon."
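The flaw described in both the Flexcoin and Poloniex statements is a check-then-act race on the account balance. The sketch below is an added example, not code from either exchange: the table names, the account 'alice', and the amounts are constructed, and the two-phase loop is a deterministic stand-in for requests arriving at the same instant. It contrasts that pattern with a debit that checks and updates the balance in a single conditional statement.

```python
import sqlite3

def new_ledger(balance):
    """In-memory ledger holding one constructed account ('alice')."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
    db.execute("CREATE TABLE withdrawals (account TEXT, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    db.commit()
    return db

def balance_of(db, account):
    row = db.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()
    return row[0]

def queued_total(db):
    """Sum of payouts waiting for the withdrawal daemon."""
    return db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals").fetchone()[0]

def racy_withdrawals(db, account, amount, n):
    """Check-then-act: all n requests read the balance before any of them writes.
    The two explicit phases reproduce that interleaving deterministically."""
    # Phase 1: every request sees the same, still-unchanged balance.
    approved = [amount for _ in range(n) if balance_of(db, account) >= amount]
    # Phase 2: every approved request debits the account and queues a payout.
    for amt in approved:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amt, account))
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amt))
    db.commit()
    return len(approved)

def atomic_withdrawals(db, account, amount, n):
    """Check and debit in one conditional UPDATE; queue a payout only if it matched."""
    approved = 0
    for _ in range(n):
        with db:  # one transaction per request: debit and payout commit together
            cur = db.execute(
                "UPDATE accounts SET balance = balance - ? "
                "WHERE id = ? AND balance >= ?", (amount, account, amount))
            if cur.rowcount == 1:  # the balance covered this request
                db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amount))
                approved += 1
    return approved

if __name__ == "__main__":
    for fn in (racy_withdrawals, atomic_withdrawals):
        db = new_ledger(100)
        print(fn.__name__, fn(db, "alice", 60, 5), balance_of(db, "alice"), queued_total(db))
```

With a balance of 100 and five requests for 60, the racy path approves all five and leaves a negative balance with valid payout rows queued, while the conditional update approves exactly one.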
"I take full responsibility for this and am committed to repaying the debt of BTC," Busoni said. But to prevent a run on the exchange's bitcoins, he deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.
That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle Guy Fawkes -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a distributed financial system built on top of the Bitcoin blockchain and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.
The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.
But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.
Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.
"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.
In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP, secure shell, and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as wallet.dat files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default -- Mador said the owners of the 85 stolen wallets failed to encrypt them.
Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.
Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're ideal for criminals, Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.
"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."