How to rob a cyber bank
Blockchain technology is about as tough to crack as we can get, so how can somebody steal $72 million worth of bitcoins?
Blockchain is the hot Fintech topic of 2016. The distributed transaction ledger sits at the heart of the revolutionary crypto-currency Bitcoin, but its applications, far-reaching as they already are, could go well beyond reinventing money.
The Guardian recently summed it all up, rather breathlessly:
“[Blockchain] has the power to revolutionise not just financial technology, stock markets and banking, but also the music industry, digital access in some of the world’s poorest nations, and could even ensure your Italian extra-virgin olive oil really is from Italy.”
Blockchain’s power comes from its decentralised structure and its use of sophisticated public-key cryptography to underpin assertions about what’s happened, in what order and who was involved.
Everyone has a copy of every transaction that’s ever occurred and the public keys used to sign those transactions would take billions of years to crack. In other words the blockchain is secure.
Which raises the question: how did somebody steal $72 million worth of bitcoins?
On 2 August 2016 Bitfinex, the world’s largest bitcoin-US Dollar exchange, announced that it had been robbed, and that it didn’t know how. Two weeks later the exchange was still in the dark about exactly what happened.
What we do know is that 119,756 bitcoins were stolen, an amount worth somewhere between $72m and $65m depending on whether you use the price at the time of the theft or after the crash that followed it.
The exchange allowed people to buy and sell the digital currency and also provided facilities for margin trading. Although successful, it was dogged by technical problems prior to the theft. A fact little known to most of its account holders was that Bitfinex was the new name for another exchange, Bitcoinica. Inauspiciously, Bitcoinica lost about 47,000 bitcoins following a hack of its systems in 2012.
The Bitfinex theft is the largest heist since the collapse of another exchange, MtGox, which filed for bankruptcy in early 2014 following its failure to spot the syphoning off of 850,000 bitcoins, currently worth about £425 million. Oops.
So what’s the MO?
The Achilles heel of the bitcoin system is that in order to be really useful it has to leave its ivory tower and mix with other less illustrious software and that perennial weakest security link – people.
Bitcoins don’t physically exist; they are just numbers recorded against an ID in a massively redundant financial ledger. Those numbers can only be changed by transactions signed by private keys and it’s those private keys that contain the real value in the system. Control the keys and you control the money.
As with anything that relies on public-key cryptography, the transaction is only as secure as the private keys. If somebody steals your digital wallet (a file containing one or more private keys) then they can use your keys to send all of your bitcoins somewhere else. Storing the private keys offline is possible but inconvenient, particularly if you are trading in bitcoin and want other people to manage your accounts for you.
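The point above, that the ledger checks only the signature and so treats whoever holds the key as the owner, shown as an added example (not code from this article or from Bitcoin). It assumes a toy in-memory ledger and swaps Bitcoin's ECDSA for a Lamport one-time signature so that it runs on the Python standard library alone; every name in it is hypothetical.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of random secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def digest_bits(msg: bytes):
    d = int.from_bytes(h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A Lamport key pair must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

class Ledger:  # toy ledger: a balance moves only on a valid signature from the source key
    def __init__(self):
        self.balances, self.pubkeys = {}, {}

    def credit(self, pk, amount: int) -> str:
        addr = h(b"".join(a + b for a, b in pk)).hex()[:16]  # address = hash of public key
        self.pubkeys[addr] = pk
        self.balances[addr] = self.balances.get(addr, 0) + amount
        return addr

    def transfer(self, src: str, dst: str, amount: int, sig) -> bool:
        msg = f"{src}->{dst}:{amount}".encode()
        ok = src in self.pubkeys and verify(self.pubkeys[src], msg, sig)
        if not ok or amount <= 0 or self.balances[src] < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

def demo():
    ledger = Ledger()
    owner_sk, owner_pk = keygen()
    owner, other = ledger.credit(owner_pk, 100), ledger.credit(keygen()[1], 0)
    forged = ledger.transfer(owner, other, 100, [secrets.token_bytes(32)] * 256)  # no key: rejected
    copied_sk = list(owner_sk)  # constructed stand-in for a key copied out of an online wallet
    moved = ledger.transfer(owner, other, 100, sign(copied_sk, f"{owner}->{other}:100".encode()))
    return forged, moved, ledger.balances[owner], ledger.balances[other]
```

`demo()` returns the outcome of both attempts and the final balances: the ledger has no notion of who is signing, only of which key signed.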
Enter the Bitcoin exchange, the convenient way to trade bitcoin and exchange them for other currencies.
An exchange is just another financial services website, a software stack that’s designed to authenticate users and then do things with their money. It’s a cyber bank. And a bitcoin exchange can only trade currencies for you if it has your trust, and your private keys. As with anything online, the systems and data upon which the exchange operates are vulnerable to malicious insiders and every hacker with an internet connection.
That doesn’t mean that your money isn’t safe in an exchange, but it does mean that it’s the skill of the developers who built the exchange and not the brilliance of Satoshi Nakamoto that stands between the thieves and your hard-earned bitcoins.
The short history of bitcoin theft isn’t a catalogue of brilliant hackers squeezing through the blockchain’s gossamer cracks; it’s a history of exchange website hacks and abused or plundered private keys.
In other words, you steal bitcoins by robbing the bank.
We don’t yet know what happened to Bitfinex on 2 August 2016 but it’s clear from the company’s most recent announcement that the website’s code is an important focus of their investigation:
“The exact attack vector is as yet unknown, but Ledger Labs has already identified certain areas in our architecture that can be improved”
You don’t say.