The story of bitcoin’s biggest hacks and thefts is the story of bitcoin itself. From its early days and its first hack, to the biggest theft of all time, bitcoin’s utopian promises often turned into a dystopian reality where scammers, thieves, unaccountable and often amateur exchanges, some, even fully anonymous, proliferated in a wild west of euphoria and hope for a new future combined with devastating, and at times, tragic loss.
It is estimated 10% to 20%, if not more, of all bitcoin in existence is held by criminals who exploited distrust in governments and their laws to give themselves freedom from any accountability whatsoever. Code is law so theft is right in some quarters, so much so that some argue the thief, in fact, is to be hailed as the smartest of them all. Moral rules should not apply, according to some, instead the free market and self-interest will magically provide the best exchanges. When things go wrong, it is always the victim’s fault.
For your pleasure, entertainment, and hopefully some information, I present below the wall of shame, starting with a less obvious and perhaps incorrect choice for the repugnant honor of the biggest bitcoin hack and theft of all time.
Bitcoin’s Defining Event – MT Gox’s Hack in 2011
As the world was looking for an answer to the banks going under, bitcoin rose on the promise of no more boom and bust, no fractional reserve money printing, cheap if not free and fast if not instant global transactions. Price skyrocketed from pennies to around $12 with general opinion, while overall balanced, mainly positive and moving towards considering bitcoin as the next big thing. Then…
Jed McCaleb, founder of Ripple (publicly announced he was to sell around one billion of them crashing the price to less than pennies) who then found Stellar (a Ripple like currency), created MT Gox to trade Magic the Gathering Cards sometime in 2010, but adapted the exchange for bitcoin trading and sold it to Mark Karpeles in March 2011.
The details of the sale are not fully known, except that McCaleb was entitled to audit MT Gox to ensure he receives part of the profits for six months or so after the sale. That auditing account was allegedly hacked in June 2011 with the hacker selling around 500,000 bitcoins, sending the price to pennies.
This is probably the most defining event in bitcoin’s history for the digital currency was, for the first time, shown to be insecure and easily stolen. Coders and the general public dismissed the new currency as unworkable. Wired called it dead. Almost everyone left with bitcoin price going down and down, but some remained – ancaps (and we assume some techies) – who saw an opportunity to turn bitcoin into a vehicle for mainstream acceptance of ancap ideology (while the techies, now very much a minority, of course just liked the tech bit).
It is at this point, just six months after Nakamoto left (the bitcoin creator), where bitcoin stopped being primarily a technology and became more of an ideology. The focus shifted from cheaper, faster, to a metaphorical Trojan horse that somehow was to bring down governments and banks in a utopia where we all will live happily ever after.
What followed next is probably nature’s way of teaching those who proclaim universal laws, while undertaking as good as no analysis, how they are, just, wrong.
The Biggest Theft in the World – MT Gox 2014
When people found out bitcoin was somehow still around and not forgotten to a dusty archive page for there was still the technology aspect which offered cheap, fast, permissionless, trustless, programmable money, they flocked once more in early 2013, not least because a guy went around reddit giving away hundreds of thousands worth of bitcoin, amazing everyone. Euphoria, once more, was in the air, with price up and up every day. China came, Overstock, Dell, Microsoft, even Times Inc. Then…
As bitcoin reached gold parity with an all-time high of around $1,200, MT Gox, the biggest bitcoin exchange, announced bankruptcy. Almost one million bitcoin, worth at the time more than $700 million, were stolen, creating a new meme, the Bitcoin CEO – a gruesome reminder of the people who were driven to suicide by this tragic event.
MT Gox claimed at the time hackers had exploited a bug in bitcoin’s protocol called transaction malleability which allows coders to change transaction ids, making it possible to, in effect, double spend. Mark Karpeles, the CEO of MT Gox, was not fully lying. An academic study found hackers had indeed stolen from MT Gox by exploiting transaction malleability, but only 2,000 bitcoins, an insignificant amount compared to the overall theft.
What happened to the rest we don’t know. 200,000 was found through blockchain analysis, forcing MT Gox to release the assets to the bankruptcy trustee, leaving 650,000 unaccounted. Speculation abounds. There were reports Karpeles, who was arrested and imprisoned last year, recently released, presumably awaiting trial, was spendthrift. The main theory, however, focused on 2011.
A report of MT Gox’s internal transactions, which were leaked, shows bitcoins started missing, if not all of them disappeared, around June-November 2011:
New reports state at least 80,000 bitcoins were never there to begin with, suggesting, quite ironically, that it was a fractional reserve from the start.
With a probable trial of Karpeles around the corner, we’re likely to hear more, periodically, about the biggest theft in the world, but many have now moved on, except the creditors who, after almost three years, are still waiting for the distribution of 200,000 bitcoins, worth around $120 million, which should, at this point, happen soon… ish.
Bitfinex – The Faceless Exchange
People woke up last month to hear Bitfinex had a “security breach” which led to the theft of around $70 million. Bitcoin’s price instantly fell by around $200, to then almost instantly recover, somehow, with the theft now as good as not reflected in the price at all.
After more than a month and a half we still have no idea what happened at Bitfinex. They instructed a company no one heard of, Ledger Labs, to investigate, but although you’d think the company would shout from the rooftop that they are so awesome others entrust them with investigating one of the biggest theft in the world, their blog and twitter is very much silent which makes us wonder whether the company is a one-man show contracting out to very, very, busy big names.
As far as we know, there has been no third party confirmation of a hack or theft, so like the previous two, it remains an alleged “security breach”. Zane Tackett, former customer services representative at OKcoin, currently wearing a nicer title as Director of Community & Product Development at Bitfinex, stated they reported the theft to FBI, the world famous criminal investigations authority, which is mainly concerned with domestic matters while Bitfinex is based in…
Well, we don’t really know. Their Hong Kong registered address belongs to a company that specializes in providing a local presence. There is no office as such and it’s not really clear who the directors are either or whether these people even exist.
However, the incident has also been reported to “European authorities,” according to Tackett, which is far more specific than the number of their general loss of 36.067% of total assets. Many bitfinex customers, however, are happy they instantly received 63.933% back of their own money, rather than having to go through a three or four yearlong bankruptcy process. For the remaining 36.067%, BFX IOU tokens from a bankrupt company were issued and an amazingly accurate 1.1812% was recently redeemed.
Bitstamp
Bitstamp gained goodwill by being the only alternative to MT Gox, increasing its market-share while Gox went under. Unlike the previous two, they list their personnel, but although they state they are “The First Nationally Licensed Bitcoin Exchange,” their page doesn’t provide much information, such as license numbers.
However, you can now insta-buy at Bitstamp with a debit or credit card, so we don’t have much reason to disbelieve their claim, but they lost some trust when they were hacked out of around $5 million in 2015.
The theft seems to have been a sophisticated attack, with phishing emails targeting bitstamp’s personnel. However, as the theft was limited to just hot wallets, they were able to fully cover it, leading to no direct customer losses.
Poloniex
Poloniex has risen as one of the biggest altcoin exchange with trading volumes of 100,000 btc or more in just one coin on one day. However, no one really knows who they are – they have no about us page – and of course they are not regulated, so it’s probably a disaster waiting to happen.
Furthermore, their team hasn’t really shown much competence. On March the 4th 2014, someone stole 12.3% of their btc (two decimal points are impossible in this space I’m afraid), which at the time was a pretty small amount as almost no one had heard of them. The way they stole them is by, apparently, just clicking withdraw more than once. An easy oversight because, as everyone knows, you can’t really prevent double spending in a centralized database (you can), that’s why we have bitcoin (it’s not).
He just covered the loss, presumably so that we can trust his exploited exchange, and that’s exactly what happened with the faceless exchange now controlling hundreds of millions.
BTC-E
The anonymous Russian exchange makes you wonder whether it is more trustworthy than even regulated exchanges or whether they will run with your money in the next few seconds.
No one really knows much about them, but their team doesn’t seem very competent as they had all their data stolen this month and in 2012 they had about 5k btc stolen:
“On July 31, 2012, the BTC-E Liberty Reserve API secret key was broken. This key was shorter than it needed to be at only 16 characters long. The attacker initiated many Liberty Reserve deposits and injected large amounts of USD into the system, which were quickly sold for BTC.”
It wasn’t much at the time, so we assume they covered the losses, but people keep reporting losses from the data breach which we doubt they’ll cover.
BitcoinTalk
It doesn’t really feel like bitcoin without some occasional news about bitcointalk being hacked. Amazingly, people still go there with around 4,000 online if their stats are to be trusted.
The most recent hack in May 2015. How did it happen? Who knows, they hardly communicate anything and it’s doubtful anyone even looks after the website which has not changed in years.
Its current owner, Michael Marquardt (aka Theymos), who was just gifted the forum by Nakamoto, raised millions in dollars’ worth of bitcoin for a less hackable site a few years ago, but web development takes time, a lot of time, years in fact (it doesn’t).
One Billion Bitcoin Out of Thin Air
Many like to say bitcoin, the protocol, was never hacked, but it was and very early on. Some clever unknown guy found on August the 6th 2010 an exploit which allowed him to “print” one billion coins or however much he liked – 184 billion.
Jeff Garzik sounded the alarm while Nakamoto solved the problem by hard forking. It is the only known instance of protocol exploitation as far as we know – thankfully at a time of no hardfork phobia – if you exclude transaction malleability. Hopefully it stays that way.
Evolution
We can’t have a bitcoin biggest hacks list without some inclusion of drug markets. There have been many, with most taking the form of exist scams since operators are anonymous, therefore they don’t need bother with any made up hacking story.
The biggest, I think, is SheepMarket and Evolution. The latter is a bit more interesting because someone came out stating that evolution’s admins, a fairly big marketplace where you could buy drugs with bitcoin, were exit scamming. Apparently, 120,000 bitcoins were stolen, around $70million.
Mt Gox 2013
This is another not really a hack, but deserves mention because it shows a different sort of hack, a hack of human nature – specifically, a hacking of emotions.
As bitcoin was rising to $260, MT Gox, at the time practically the only bitcoin exchange, froze and went offline. Euphoria quickly gave way to panic and fear with r/bitcoin having almost everyone online. The selloff was brutal, but $50 held and bitcoin (or willy the bot) went on to $1,200 a few months later.
MT Gox was DDOSed, claiming at the time it was a victim of its own success with apparently millions of accounts registering. In response, people left, with other exchanges gaining market share, but MT Gox still had almost a million bitcoin when it went under.
How, is anyone’s guess, with the obvious explanation being that people are lazy, so they just park their bitcoin somewhere and don’t want to bother any further, raising some interesting questions about the extreme end of the free market and just how easily trust and power can be given and abused.
Lessons Learned
It is amazing that five years after bitcoin’s biggest weakness – security – was revealed, which bitcoin barely survived, little if anything seems to have been done to address this very important – if not the most important – matter as shown by the occurrence of one of the biggest theft just last month.
Although segwit is now addressing transaction malleability, the loss it caused was far too small with the main issue seemingly being at a human, rather than protocol, level. However, there are way too many more things that can be done at the protocol level, such as Bitcoin Vaults, but for some reason, they are not even being considered for implementation.
At the social level, what is obvious and does not need mentioning (although some, amazingly, dispute it) is that individuals who handle our money should be public figures with their full background on display for otherwise they cannot be held accountable. Lacking such accountability, hundreds of millions, understandably, is far too tempting as we have often seen.
An equally important point is that bitcoin security is very hard. Exchanges, in particular, require highly experienced developers who are fully familiar with the bitcoin protocol, the many aspects of exchange coding and how to secure hard digital assets for, to truly secure bitcoin, exchanges need layers and layers amounting to metaphorical armed guards defending iron gates with vaults deep underground behind a thousand doors.
My biggest criticism is however reserved for CFTC because, although there is little that can be done about some incompetents putting up a website, CFTC can, should and must provide an alternative and allow, in my view as a matter of urgency, professional exchanges such as GDAX and Gemini and others, to provide margin and future trading.
Of course the culprits – the thieves, hackers, scammers and amateurs – have the repugnant honor of primary blame, but CFTC holds an almost equal level of blame for they are denying the people the right to flock and trade at professional exchanges which comply with the law and have their USD balances FDIC insured with some even having insurance for hacks or theft with incompetent websites, therefore, ignored and one hopes, eventually, becoming a thing of the past.
Although we are talking about abstract numbers and entities with bitcoin, even after almost eight years, still being something very new, every theft has a human tragedy at the other end. Fathers losing all their savings, mothers left with no retirement, entrepreneurs sent to bankruptcy, young industrious men sent back to nothing. We can of course criticize them and repeat that this space remains incredibly high risk, you might and perhaps will lose everything, but mistakes are made, people naturally dream of a better, richer, future, while traders and some entrepreneurs have no choice at all.
It is crucial, therefore, that my inevitable question of who is next to be hacked of millions finds no answer, at least for a decade, but alas, looking around at exchanges – Poloniex, Bitfinex, OKcoin, Houbi and others – and the lack of choice of professional exchanges, that is, unfortunately, unlikely.