One poor security choice results in $250,000 Bitcoin heist

Bitfloor operator admits to leaving unencrypted wallet keys laying around, leading to theft of 24,000 Bitcoins

Bitcoin exchange Bitfloor reportedly suffered a virtual heist of 24,000 BTCs, worth a cool quarter-million U.S. dollars. The incident not only raises questions about the long-term viability of the digital currency but also highlights how seemingly minor lapses in IT security judgment can have devastating implications.

For the uninitiated, Bitcoins are a form of virtual currency that's been around since 2009. They have zero government backing; rather, they're backed by the continued actions of the computing power within the Bitcoin network. Investors can acquire them as payment or purchase them through exchanges such as Bitfloor, which is the largest of its kind in the United States and the fourth largest on the planet.

In a thread on the Bitcoin Forum, Bitfloor founder Roman Shtylman posted that an attacker had compromised a few of the exchange's servers and gained access to an unencrypted backup of the wallet keys. Using the keys, he wrote, they were able to make off with "the vast majority of the coins Bitfloor was holding on hand."

Bitfloor has since shut down all exchange operations for an indefinite period. All ACH withdrawals placed before the compromise were processed, according to Shtylman; new withdrawals and other transactions are on hold until he figures out the next step. Shtylman indicated that he is exploring his options. "As a last resort, I will be forced to fully shut Bitfloor down and initiate account repayment using current available funds. I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack."

No surprise, Shtylman's declaration generated plenty of feedback from Bitcoin investors and Bitfloor customers, ranging from critical to supportive to highly suspicious.

Several users took Shtylman to task for poor security practices, primarily leaving so many Bitcoins laying around in an unencrypted cold wallet on a machine that could be breached by a skilled hacker. "Why was the majority of this not in a cold wallet?" asked Bitcoin Forum user SkRRJyTC.

Shtylman's reply to these questions: "Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk. I realize the details of the failure and attack are interesting but I am currently focused on user accounts and exchange status going forward. ... I cannot undo it (believe me, I would if I could)."

The challenge for Bitcoin exchanges such as Bitfloor: The Bitcoin platform is an irresistible target to malicious hackers. The anonymous nature of the peer-to-peer exchange makes them effectively impossible to track when they're transferred. Thus, a criminal can swipe them and liquidate them online far more quickly and easily than with regular currency.

Additionally, these exchanges aren't saddled with the same compliance and security requirements as federal financial institutions, which means the folks running them don't risk the ire of the Federal Reserve if they, say, fail to employ robust security, maintain paper trails, and so forth. That could contribute to the rash of reported Bitcoin robberies over the past year. According to Cnet, "the platform has been the target of frequent thefts, hacks, and scams, with more than 290,000 BTC lost in 10 heists since June 2011, according to tallies on the BitcoinTalk forum."

Meanwhile, users of Bitcoin exchange Bitcoinica filed a lawsuit against the company, alleging it was negligent in protecting users' funds, according to Ars Technica. Bitcoinica has repotedly suffered two hacks earlier this year. The plaintiffs are seeking the sum of around $460,000.

Some critics have gone so far as to question whether someone at Bitfloor was, in fact, behind the theft. "It's simply not believable that anyone involved enough with Bitcoin to make such a site, who has undoubtedly heard about all the other large-scale hacks, would simply leave an unencrypted wallet file worth a quarter mil lying around waiting to be hacked. Right now, the owner should be desperately trying to convince us he didn't steal the money himself," wrote user barbarousrelic.

Fueling that theory was the fact that Bitfloor has reportedly not contacted any law enforcement agencies about the theft. User Rassah's counterpoint: "Regarding reporting this to police, other than covering his butt and adding to their list of crimes, I just don't think police have the resources to track this theft down. If it's through an anonymous proxy, from Russia, and in a currency that's easily 'mixed,' there's really nothing they can do. Not even sure the FBI would have the resources to track this down."

It's tough to predict what effect this incident will have on the future of the Bitcoin exchange, particularly in light of the other rash of thefts carried off in the past year alone. One obvious solution is for exchanges such as Bitfloor and Bitcoinica to take security more seriously if it wants to retain customers. After all, the FDIC isn't guaranteeing those electronic funds, and Bitcoin investors need peace of mind if they are going to continue backing the currency.

This article, "One poor security choice results in $250,000 Bitcoin heist," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.


Copyright © 2012 IDG Communications, Inc.