Robbing a bank is such a hassle in the real world, with all the complicated logistics of weapons, vaults, dye packs, and getaway cars. It’s a lot more straightforward to rob digital currency exchanges and payment processors. To paraphrase bank robber Willie Sutton, that’s where the bitcoins are.
The huge interest in bitcoin and the concurrent surge in the value of the currency—bitcoin has risen 6,000% versus the US dollar in the last year and 300% just this month—has also created a growing incentive for larcenous hackers:
- European bitcoin payment processor BIPS lost the equivalent of about $1 million last week after a distributed denial of service (DDoS) attack overwhelmed its servers and enabled attackers to gain access to customers’ online bitcoin “wallets.”
- Poland’s Bidextreme.pl was also hacked last week, and its users’ accounts emptied, though it did not disclose the amount taken.
- A week earlier, the Czech exchange Bitcash.cz was hit, with 4,000 users losing bitcoins worth about $100,000.
- Australia’s TradeFortress said it was hacked in November, leading to the loss of $1 million worth of users’ bitcoins.
- China’s GBL exchange abruptly went offline in October, with $4.1 million in users’ bitcoins going missing.
How do you actually steal a bitcoin, anyway?
Owning bitcoins, as Wired’s extensive survival guide explains, means that you have a private cryptography key that’s associated with a public internet address. You need both to access the money. By exploiting cybersecurity flaws on computer servers, PCs, and mobile phones, thieves who discover both the private key and the public address can transfer the bitcoins to their own accounts to spend as they please or convert into another currency.
Bitcoin transactions cannot be reversed without the consent of both sender and receiver, so the transfers are irrevocable. The system is designed to shield the identity of its users, but individual bitcoins are traceable.
“While the ownership of money is implicitly anonymous, its ﬂow is globally visible,” a recent research paper concluded. Forbes contributor Jon Matonis wrote last year about the theft of 46,703 bitcoins, worth $228,845 at the time of the robbery, from a New Jersey-based hosting company called Linode, which could be traced after the theft through servers in dozens of other countries.
As a one-stop despository of multiple accounts, exchanges make a tempting target, which is why the Bitcoin Foundation warns new users:
When sending money to an exchange or seller you are trusting that the operator will not abscond with your funds and that the operator maintains secure systems that protect against theft—internal or external. It is recommended that you obtain the real-world identity of the operator and ensure that sufficient recourse is available.
BIPS, the European payment processor that was hacked last week, has stopped offering online wallet services and has urged customers to avoid online wallets altogether.
Safe-guarding your own bitcoins can also be fraught, since thieves have exploited security vulnerabilities to steal bitcoins from users’ own computers. Security-conscious users recommend storing bitcoins not in “hot wallets” that are necessary for processing transactions, but rather in “cold storage,” such as a USB drive that is not connected to the internet, or even “deep cold storage,” such as a usb drive that’s stored in a (real world) safety deposit box. Private keys can even be written on pieces of paper—or engraved onto a ring.
Bitcoin is still a relatively young currency, and the criminally minded are still figuring out new ways to exploit its virtues. A malicious piece of “ransomware” called CryptoLocker has been infecting users’ computers, encrypting their files, and demanding a ransom paid bitcoins in order to unlock the precious personal data. The fee was initially two bitcoins, but as the currency’s value has risen the operators of CryptoLocker have reportedly lowered their price to half a bitcoin, or about $390.
Even more byzantine criminal schemes are likely to emerge if bitcoin continues to become more mainstream. A user on Reddit’s bitcoin forum suggested a few months back that armed robbers could conceivably find “the offices of Mtgox, Coinlab, Bitcoin24, Bitstamp, and all the other exchanges then storm them with guns,” forcing employees to hand over the private encryption codes, merging bitcoin bank robbery with the old-school real world version. It may not be long before bitcoin robbers—and the people trying to stop them—have to deal with even more complexity and complications than Willie Sutton could have ever dreamed of.