Picostocks “Cold Wallet” Hack: Difference between revisions
(Image added to wiki.) |
(History based on the status of the PicoStocks website from Internet Archive.) |
||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/picostockscoldwallethack.php}} | {{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/picostockscoldwallethack.php}} | ||
[[File:Picostocks.jpg|thumb|PicoStocks platform.]] | [[File:Picostocks.jpg|thumb|PicoStocks platform.]] | ||
PicoStocks was a centralized exchange based in Marshall Islands, which operated one of the earliest forms of offshore fundraising, where entrepreneurs could launch offerings for investors. On November 29th, 2013, the service suffered a breach of 5,896.23098163 bitcoin which were taken from two separate wallets. Ultimately, the exchange covered all affected user losses and was able to relaunch successfully. | |||
== About PicoStocks == | == About PicoStocks == | ||
PicoStocks | PicoStocks was a centralized exchange based in Marshall Islands<ref name=":6">[https://web.archive.org/web/20121228114940/http://picostocks.com/ PicoStocks Website On December 28th, 2012 - Internet Archive] (Feb 8, 2023)</ref>, which was launched on December 24th, 2012<ref name="coinmarketcap" />. The service was primarily focused around allowing companies to raise funds using the blockchain with an "Initial PicoStocks Offering (IPO)"<ref name=":6" />. They reportedly used novel means for circumventing legal regulation<ref name="bitcointalklist" /> and the service was run by the BitcoinTalk user "tytus"<ref name=":1">[https://bitcointalk.org/index.php?topic=133147.msg3771721#msg3771721 Quote of Original Announcement on BitcoinTalk] (Feb 8, 2023)</ref><ref name="bitcointalklist" />. <blockquote>Picostocks facilitates valuation and fundraising for high tech startup projects and companies and offers valuable services and benefits for both bitcoin investors and entrepreneurs. | ||
Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network. | Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network. | ||
Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.</blockquote>Include: | Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.</blockquote>The platform listed their name and address as "Picostocks Incorporated, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960"<ref name=":6" />. They also featured an "IPO office" which was "operated by BioInfoBank, Sw. Marcin 80/82 lok. 355, 61-809 Poznan, Poland"<ref name=":6" />. Customers could contact them by email, phone, and fax<ref name=":6" />, as well as through some social media channels like Reddit or Bitcoin Talk. | ||
Include: | |||
* Known history of when and how the service was started. | * Known history of when and how the service was started. | ||
| Line 92: | Line 92: | ||
PicoStocks promised a timeline of 1 week to relaunch their platform<ref name=":0" /> and reportedly completely covered all losses<ref name="bitcointalklist" />. | PicoStocks promised a timeline of 1 week to relaunch their platform<ref name=":0" /> and reportedly completely covered all losses<ref name="bitcointalklist" />. | ||
The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally starting to move those funds<ref name=":4" /><ref name=":5" />. | The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally starting to move those funds starting February 15th, 2014<ref name=":4" /><ref name=":5" />. | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
| Line 106: | Line 102: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
PicoStocks continued to operate for close to a decade. | |||
The PicoStocks homepage was still online as of September 28th, 2021<ref>[https://web.archive.org/web/20210928043722/https://picostocks.com/about PicoStocks Website On September 28th, 2021 - Internet Archive] (Feb 8, 2023)</ref>, and the website appeared functional to log in as of January 3rd, 2022<ref>[https://web.archive.org/web/20220103200915/https://picostocks.com/login PicoStocks Website On January 3rd, 2022 - Internet Archive] (Feb 8, 2023)</ref>. However, no subsequent captures of the site have been made and it appears to be offline as of February 8th, 2023. | |||
== Prevention Policies == | == Prevention Policies == | ||
Revision as of 15:07, 8 February 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
PicoStocks was a centralized exchange based in Marshall Islands, which operated one of the earliest forms of offshore fundraising, where entrepreneurs could launch offerings for investors. On November 29th, 2013, the service suffered a breach of 5,896.23098163 bitcoin which were taken from two separate wallets. Ultimately, the exchange covered all affected user losses and was able to relaunch successfully.
About PicoStocks
PicoStocks was a centralized exchange based in Marshall Islands[1], which was launched on December 24th, 2012[2]. The service was primarily focused around allowing companies to raise funds using the blockchain with an "Initial PicoStocks Offering (IPO)"[1]. They reportedly used novel means for circumventing legal regulation[3] and the service was run by the BitcoinTalk user "tytus"[4][3].
Picostocks facilitates valuation and fundraising for high tech startup projects and companies and offers valuable services and benefits for both bitcoin investors and entrepreneurs.
Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network.
Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.
The platform listed their name and address as "Picostocks Incorporated, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960"[1]. They also featured an "IPO office" which was "operated by BioInfoBank, Sw. Marcin 80/82 lok. 355, 61-809 Poznan, Poland"[1]. Customers could contact them by email, phone, and fax[1], as well as through some social media channels like Reddit or Bitcoin Talk.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
While Picostocks took care to separate their funds into separate cold and hot wallets, which were kept on separate computers[5], they also kept encrypted backup copies of the private keys[5] and kept operating with those same wallets.
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
PicoStocks has speculated that the private keys of the wallet may have been copied in the past and subsequently decrypted[5]. The culprit then used this access to the keys to steal funds from both wallets[3].
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| December 24th, 2012 | PicoStocks Launches | The centralized exchange service PicoStocks launches, based in the Marshall Islands[2]. |
| November 29th, 2013 10:00:41 AM | Cold Wallet Breached | The breach is reported to have occurred on November 29th, 2013[6][3][7]. The first blockchain transaction shows a timestamp of 10:00:41 AM[8][3]. |
| November 29th, 2013 10:11:59 AM | Hot Wallet Breached | A second blockchain transaction in the following block empties what is believed to be the hot wallet[9][3]. |
| Reddit Post | PicoStocks posts on the Bitcoin subreddit to announce the situation which happened[5]. | |
| November 29th, 2013 6:18:45 PM | BitcoinTalk Post | BitcoinTalk user "tytus", suspected to be the founder of PicoStocks, posts the same announcement on the BitcoinTalk forum[4]. |
| February 15th, 2014 5:06:57 AM | Hot Wallet Funds Move | The funds originally breached from the hot storage wallet started to move on the blockchain[10]. |
| February 17th, 2014 6:03:47 AM | Cold Wallet Funds Move | The funds originally breached from the cold storage wallet started to move on the blockchain[11]. |
Total Amount Lost
The loss amount was reportedly as 5,896.23098163[3] BTC (some sources rounded this to 5,895 BTC[6]), with an estimated value of either $6,000,000 USD[6][12] or $3,009,397 USD[3].
Funds were removed from both the hot wallet and cold wallet of PicoStocks[5][7][3]. According to blockchain data, the hot wallet had 685.57933572 BTC[13][9] and the cold wallet had 5210.65104591 BTC[14][8]. This maintains a total of 5896.23038163 BTC. Using the bitcoin market price for November 29th, 2013 of $1,037.76 USD from BuyBitcoinWorldWide[15], this gives a total value of $5,407,405.23 USD.
Immediate Reactions
PicoStocks posted an announcement about what happened in the bitcoin subreddit[5].
PicoStocks is down for a while and will remain like this for sure over the weekend. Funds from our hot wallet and cold wallet account have been stolen.
There is no sign of an intrusion into the systems. Both wallets were located on different computers. We suspect that these have been copied by people who had access to the system in the past and decrypted.
This is of course a serious loss for the company, but we expect no losses for the users. the funds collected on user account will be returned. We will have to create a new hot wallet and we will change all PicoStocks addresses for all users, but the rest will remain as it was. We will open the system when we have positively reviewed the security and collected the funds for the users :-( Maybe in 1 week from now :-(
Multiple users heavily criticized PicoStocks for operating their cold wallet on a networked computer[16][17], but there is no indication that this was the way the wallet had operated. The response with the most upvotes on Reddit concluded that the PicoStocks platform either deserved their loss or was attempting a scam[18].
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
PicoStocks promised a timeline of 1 week to relaunch their platform[5] and reportedly completely covered all losses[3].
The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally starting to move those funds starting February 15th, 2014[10][11].
Total Amount Recovered
PicoStocks promised users that they would return all "the funds collected on user account"[5] and this was reportedly followed through with[3].
It is unknown how much was recovered.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
PicoStocks continued to operate for close to a decade.
The PicoStocks homepage was still online as of September 28th, 2021[19], and the website appeared functional to log in as of January 3rd, 2022[20]. However, no subsequent captures of the site have been made and it appears to be offline as of February 8th, 2023.
Prevention Policies
This situation could have been most effectively prevented by the use of a multi-signature wallet, rather than a single private key. In such a setup, the cold storage wallet would have required approvals from multiple team members to initiate a withdrawal. This, combined with a reasonable level of training for key holders, would have effectively prevented an attacker from obtaining enough private keys to perform a transfer.
References
- ↑ 1.0 1.1 1.2 1.3 1.4 PicoStocks Website On December 28th, 2012 - Internet Archive (Feb 8, 2023)
- ↑ 2.0 2.1 Picostocks Trading Volume - CoinMarketCap (Feb 8, 2023)
- ↑ 3.00 3.01 3.02 3.03 3.04 3.05 3.06 3.07 3.08 3.09 3.10 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 14)
- ↑ 4.0 4.1 Quote of Original Announcement on BitcoinTalk (Feb 8, 2023)
- ↑ 5.0 5.1 5.2 5.3 5.4 5.5 5.6 5.7 Picostocks hacked, even cold wallet emptied - Reddit (Feb 8, 2023)
- ↑ 6.0 6.1 6.2 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)
- ↑ 7.0 7.1 Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)
- ↑ 8.0 8.1 Cold Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- ↑ 9.0 9.1 Hot Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- ↑ 10.0 10.1 Hot Wallet Funds Start To Move - Blockchain.info (Feb 8, 2023)
- ↑ 11.0 11.1 Subsequent Movement of Cold Wallet Funds - Blockchain.info (Feb 8, 2023)
- ↑ Reddit User Godfreee's estimate - Reddit (Feb 8, 2023)
- ↑ Picostocks Hot Wallet - Blockchain.info (Feb 8, 2023)
- ↑ Picostocks Cold Wallet - Blockchain.info (Feb 8, 2023)
- ↑ BuyBitcoinWorldWide Price (Feb 8, 2023)
- ↑ servowire Comment - Reddit (Feb 8, 2023)
- ↑ thekiwi99 Comment - Reddit (Feb 8, 2023)
- ↑ riplin Comment - Reddit (Feb 8, 2023)
- ↑ PicoStocks Website On September 28th, 2021 - Internet Archive (Feb 8, 2023)
- ↑ PicoStocks Website On January 3rd, 2022 - Internet Archive (Feb 8, 2023)