Picostocks “Cold Wallet” Hack: Difference between revisions
(→Total Amount Lost: calculations completed.) |
(Another 30 minutes complete. Added technical analysis and prevention sections. Expanded and revised most text in the article.) |
||
| (15 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[File:Picostocks.jpg|thumb|PicoStocks Homepage]] | |||
PicoStocks was a centralized exchange based in Marshall Islands, which operated one of the earliest forms of blockchain project fundraising, where entrepreneurs could launch offerings for investors. On November 29th, 2013, the service suffered a breach of 5,896.23098163 bitcoin from two separate wallets. Ultimately, the exchange covered all user losses and relaunched successfully. It appears that the platform continued to operate until 2019. | |||
== About PicoStocks == | == About PicoStocks == | ||
PicoStocks | PicoStocks was a centralized exchange based in Marshall Islands<ref name=":6">[https://web.archive.org/web/20121228114940/http://picostocks.com/ PicoStocks Website On December 28th, 2012 - Internet Archive] (Feb 8, 2023)</ref>, which was launched on either December 21st, 2012<ref name=":7">[https://en.bitcoin.it/wiki/Picostocks PicoStocks - Bitcoin Wiki] (Feb 8, 2023)</ref> or December 24th, 2012<ref name="coinmarketcap" />. The service was primarily focused around allowing companies to raise funds using the blockchain with an "Initial PicoStocks Offering (IPO)"<ref name=":6" />. They reportedly allowed investors to invest anonymously<ref name=":6" /><ref name=":7" /> and used novel means for circumventing legal regulation<ref name="bitcointalklist" />. The service was run by the BitcoinTalk user "tytus"<ref name="bitcointalklist" /><ref name="bitcointalkannouncement">[https://bitcointalk.org/index.php?topic=133147.msg3771721#msg3771721 Quote of Original Announcement on BitcoinTalk] (Feb 8, 2023)</ref>. <blockquote>Picostocks facilitates valuation and fundraising for high tech startup projects and companies and offers valuable services and benefits for both bitcoin investors and entrepreneurs. | ||
Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network. | |||
Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.</blockquote>The platform listed their name and address as "Picostocks Incorporated, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960"<ref name=":6" />. They also featured an "IPO office" which was "operated by BioInfoBank, Sw. Marcin 80/82 lok. 355, 61-809 Poznan, Poland"<ref name=":6" />. Customers could contact them by email, phone, and fax<ref name=":6" />, as well as through some social media channels like the BitcoinTalk forum<ref name="bitcointalkannouncement" />. Traded stocks remained the legal property of PicoStocks and PicoStocks collected various fees throughout the investment process<ref name=":7" />. | |||
== The Reality == | == The Reality == | ||
Specific details of who ran the PicoStocks service were not provided to the public<ref name=":6" />. | |||
While Picostocks took care to separate their funds into separate cold and hot wallets, which were kept on separate computers<ref name=":0">[https://www.reddit.com/r/Bitcoin/comments/1rrnua/picostocks_hacked_even_cold_wallet_emptied/ Picostocks hacked, even cold wallet emptied - Reddit] (Feb 8, 2023)</ref>, they also kept backup copies of the private keys<ref name=":0" /> and kept operating with those same wallets. | |||
== What Happened == | == What Happened == | ||
PicoStocks has speculated that the private keys of the wallet may have been copied in the past and subsequently decrypted<ref name=":0" />. The culprit then used this access to the keys to steal funds from both wallets<ref name="bitcointalklist" />. | PicoStocks has speculated that the private keys of the wallet may have been copied in the past and subsequently decrypted<ref name=":0" />. The culprit then used this access to the keys to steal funds from both wallets<ref name="bitcointalklist" />. | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - PicoStocks “Cold Wallet” Hack | |+Key Event Timeline - PicoStocks “Cold Wallet” Hack | ||
| Line 43: | Line 21: | ||
!Event | !Event | ||
!Description | !Description | ||
|- | |||
|April 19th, 2012 3:11:53 PM | |||
|tytus Registration | |||
|The BitcoinTalk user tytus first registers on the BitcoinTalk forum<ref name=":8">[https://bitcointalk.org/index.php?action=profile;u=56286 tytus User Registration - BitcoinTalk] (Feb 8, 2023)</ref>. | |||
|- | |- | ||
|December 24th, 2012 | |December 24th, 2012 | ||
| Line 55: | Line 37: | ||
|Hot Wallet Breached | |Hot Wallet Breached | ||
|A second blockchain transaction in the following block empties what is believed to be the hot wallet<ref name=":3">[https://www.blockchain.com/explorer/transactions/btc/d99281bae8acafc6c96cefb54d37f81e5f78898fd8ccb12493f89236bec476e6 Hot Wallet Breach Transaction - Blockchain.info] (Feb 8, 2023)</ref><ref name="bitcointalklist" />. | |A second blockchain transaction in the following block empties what is believed to be the hot wallet<ref name=":3">[https://www.blockchain.com/explorer/transactions/btc/d99281bae8acafc6c96cefb54d37f81e5f78898fd8ccb12493f89236bec476e6 Hot Wallet Breach Transaction - Blockchain.info] (Feb 8, 2023)</ref><ref name="bitcointalklist" />. | ||
|- | |- | ||
|November 29th, 2013 6:18:45 PM | |November 29th, 2013 6:18:45 PM | ||
|BitcoinTalk Post | |BitcoinTalk Post | ||
|BitcoinTalk user | |BitcoinTalk user tytus, suspected to be the founder of PicoStocks, posts an announcement on the BitcoinTalk forum<ref name="bitcointalkannouncement" /><ref>[https://web.archive.org/web/20140410055951/https://bitcointalk.org/index.php?topic=133147.80 tytus Theft Announcement on BitcoinTalk - Internet Archive] (Feb 8, 2023)</ref>. | ||
|- | |||
|November 30th, 2013 3:36:14 AM | |||
|Reddit Post | |||
|Reddit user "love_eggs_and_bacon" posts a copy of the original notice that was posted on BitcoinTalk to announce the situation<ref name=":0" />. | |||
|- | |- | ||
|February 15th, 2014 5:06:57 AM | |February 15th, 2014 5:06:57 AM | ||
| Line 71: | Line 53: | ||
|Cold Wallet Funds Move | |Cold Wallet Funds Move | ||
|The funds originally breached from the cold storage wallet started to move on the blockchain<ref name=":5">[https://www.blockchain.com/explorer/transactions/btc/5124554e7d87e8ea305a0bbc81b81a537fba1b5610ab52c8c7b1d9301ec29b6e Subsequent Movement of Cold Wallet Funds - Blockchain.info] (Feb 8, 2023)</ref>. | |The funds originally breached from the cold storage wallet started to move on the blockchain<ref name=":5">[https://www.blockchain.com/explorer/transactions/btc/5124554e7d87e8ea305a0bbc81b81a537fba1b5610ab52c8c7b1d9301ec29b6e Subsequent Movement of Cold Wallet Funds - Blockchain.info] (Feb 8, 2023)</ref>. | ||
|- | |||
|October 3rd, 2017 9:48:28 AM | |||
|tytus Last Active | |||
|The BitcoinTalk account for tytus is last active on the BitcoinTalk forums<ref name=":8" />. | |||
|- | |||
|February 15th, 2019 | |||
|Final Medium Post | |||
|The PicoStocks account on Medium posted the final post about how the platform prevented wash trading by publishing user IDs<ref>[https://medium.com/@picostocks/how-publishing-user-ids-with-trades-makes-a-crypto-exchange-better-for-everyone-fcc0a02059a0 How Publishing User IDs with Trades Makes a Crypto Exchange Better for Everyone - Medium] (Feb 8, 2023)</ref>. | |||
|- | |||
|March 29th, 2019 12:57 AM | |||
|Final Twitter Post | |||
|The final post of PicoStocks on Twitter<ref name=":10">[https://twitter.com/PicoStocks/status/1111522755432890368 PicoStocks Final Tweet - Twitter] (Feb 8, 2023)</ref>. | |||
|- | |||
|December 13, 2019, 12:00:36 PM | |||
|Withdrawal Problems | |||
|PicoStocks users start to report withdrawal problems and a lack of support on the BitcoinTalk forum<ref name=":9" />. | |||
|} | |} | ||
== Technical Details == | |||
Is it reported that two separate wallets were breached<ref name="bitcointalkannouncement" /><ref name=":0" />. One wallet was reportedly described as "hot" while the other wallet was reportedly described as "cold"<ref name="bitcointalkannouncement" /><ref name=":0" />. Wallets were described as being "located on different computers", which suggests that both the "hot" and "cold" wallet keys were stored and accessed from a computer<ref name="bitcointalkannouncement" /><ref name=":0" />. Many users have suggested that both wallets existed on networked computers<ref name=":1" /><ref name=":11" />. While wallet keys were believed to be encrypted, this can often be brute-forced if there is a weak password used for the encryption. | |||
'''Hot Wallet Address:''' [https://www.blockchain.com/explorer/addresses/btc/19t7RxwXdfiwQMyQ3JVB16e9HgV7omijSs 19t7RxwXdfiwQMyQ3JVB16e9HgV7omijSs] | |||
'''Cold Wallet Addresses:''' Multiple, as moved in bitcoin transaction [https://www.blockchain.com/explorer/transactions/btc/28c9d7b0b31c9262958b88c42b1703098d44574e0830173c0b5cfe2a79490881 28c9d7b0b31c9262958b88c42b1703098d44574e0830173c0b5cfe2a79490881] | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The loss amount was | The loss amount was reported as 5,896.23098163<ref name="bitcointalklist" /> BTC (many sources rounded this to 5,895 BTC<ref name="kylegibson" /><ref name="bitcoinexchangeguide" />), with an estimated value of either $6,000,000 USD<ref name="kylegibson" /><ref name="bitcoinexchangeguide" /><ref>[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq6gzl/ Reddit User Godfreee's estimate - Reddit] (Feb 8, 2023)</ref> or $3,009,397 USD<ref name="bitcointalklist" />. | ||
Funds were removed from both the hot wallet and cold wallet of PicoStocks<ref name=":0" /><ref name="bitcoinexchangeguide" /><ref name="bitcointalklist" />. According to blockchain data, the hot wallet had 685.57933572 BTC<ref>[http://blockchain.info/address/1NzM1bdTKuK9z3pQUCc1raXPezYUenSNWj Picostocks Hot Wallet - Blockchain.info] (Feb 8, 2023)</ref><ref name=":3" /> and the cold wallet had 5210.65104591 BTC<ref>[https://blockchain.info/address/12RAM7r4EraZ5ESU5QJwe8sS3gj3YYEgpF Picostocks Cold Wallet - Blockchain.info] (Feb 8, 2023)</ref><ref name=":2" />. This maintains a total of 5896.23038163 BTC. Using the bitcoin market price for November 29th, 2013 of $1,037.76 USD from BuyBitcoinWorldWide<ref>[https://buybitcoinworldwide.com/price/ | Funds were removed from both the hot wallet and cold wallet of PicoStocks<ref name=":0" /><ref name="bitcoinexchangeguide" /><ref name="bitcointalklist" />. According to blockchain data, the hot wallet had 685.57933572 BTC<ref>[http://blockchain.info/address/1NzM1bdTKuK9z3pQUCc1raXPezYUenSNWj Picostocks Hot Wallet - Blockchain.info] (Feb 8, 2023)</ref><ref name=":3" /> and the cold wallet had 5210.65104591 BTC<ref>[https://blockchain.info/address/12RAM7r4EraZ5ESU5QJwe8sS3gj3YYEgpF Picostocks Cold Wallet - Blockchain.info] (Feb 8, 2023)</ref><ref name=":2" />. This maintains a total of 5896.23038163 BTC. Using the bitcoin market price for November 29th, 2013 of $1,037.76 USD from BuyBitcoinWorldWide<ref>[https://buybitcoinworldwide.com/price/ BuyBitcoinsWorldwide Historic Bitcoin Price Chart] (Feb 8, 2023)</ref>, this gives a total value of $5,407,405.23 USD. | ||
== Immediate Reactions == | == Immediate Reactions == | ||
PicoStocks posted an announcement about what happened | It does not appear that there were any changes to the PicoStocks website to announce the hack situation at the time<ref>[https://web.archive.org/web/20131028034411/https://picostocks.com/ PicoStocks Homepage On October 28th, 2013 - Internet Archive] (Feb 8, 2023)</ref><ref>[https://web.archive.org/web/20140209045011/https://picostocks.com/ PicoStocks Website On February 9th, 2014 - Internet Archive] (Feb 8, 2023)</ref>. PicoStocks posted an announcement about what happened on the BitcoinTalk forum<ref name="bitcointalkannouncement" />, which was subsequently reposted to Reddit<ref name=":0" />. The initial announcement mentioned both the hot and cold wallets were emptied, and a suspicion that the wallets may have been copied by people who previously had access to the system<ref name="bitcointalkannouncement" /><ref name=":0" />.<blockquote>PicoStocks is down for a while and will remain like this for sure over the weekend. Funds from our hot wallet and cold wallet account have been stolen. | ||
There is no sign of an intrusion into the systems. Both wallets were located on different computers. We suspect that these have been copied by people who had access to the system in the past and decrypted. | There is no sign of an intrusion into the systems. Both wallets were located on different computers. We suspect that these have been copied by people who had access to the system in the past and decrypted. | ||
This is of course a serious loss for the company, but we expect no losses for the users. the funds collected on user account will be returned. We will have to create a new hot wallet and we will change all PicoStocks addresses for all users, but the rest will remain as it was. We will open the system when we have positively reviewed the security and collected the funds for the users :-( Maybe in 1 week from now :-(</blockquote>Multiple users heavily criticized PicoStocks for operating their cold wallet on a networked computer<ref>[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq6aan/ servowire Comment - Reddit] (Feb 8, 2023)</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq81rr/ thekiwi99 Comment - Reddit] (Feb 8, 2023)</ref>, but there is no indication that this was the way the wallet had operated. | This is of course a serious loss for the company, but we expect no losses for the users. the funds collected on user account will be returned. We will have to create a new hot wallet and we will change all PicoStocks addresses for all users, but the rest will remain as it was. We will open the system when we have positively reviewed the security and collected the funds for the users :-( Maybe in 1 week from now :-(</blockquote>Multiple users heavily criticized PicoStocks for operating their cold wallet on a networked computer<ref name=":1">[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq6aan/ servowire Comment - Reddit] (Feb 8, 2023)</ref><ref name=":11">[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq81rr/ thekiwi99 Comment - Reddit] (Feb 8, 2023)</ref>, but there is no indication that this was the way the wallet had operated. Many users on Reddit concluded that the PicoStocks platform was either incompetent or attempting a scam<ref>[https://www.reddit.com/r/Bitcoin/comments/1rrnua/comment/cdq680f/ riplin Comment - Reddit] (Feb 8, 2023)</ref><ref>[https://old.reddit.com/r/Bitcoin/comments/1rrnua/picostocks_hacked_even_cold_wallet_emptied/cdq680f/ riplin - "This reeks of a scam. And if not, if you are so incompetent that you actually got your cold wallet drained then you deserve to be sued by your customers for all you've got." - Reddit] (Dec 7, 2023)</ref><ref>[https://old.reddit.com/r/Bitcoin/comments/1rrnua/picostocks_hacked_even_cold_wallet_emptied/cdq84hu/ colsatre - "Scam or stupid, pick one to describe the company. They either took the funds themselves, or didn't actually have a cold wallet set up." - Reddit] (Dec 7, 2023)</ref>. Some BitcoinTalk users were similarly critical<ref name="bitcointalkannouncement" />.<blockquote>This reeks of a scam. And if not, if you are so incompetent that you actually got your cold wallet drained then you deserve to be sued by your customers for all you've got.</blockquote><blockquote>Scam or stupid, pick one to describe the company. They either took the funds themselves, or didn't actually have a cold wallet set up.</blockquote><blockquote>You're exactly the scumbag thief I said you were, back in Spring.</blockquote> | ||
== Ultimate Outcome == | == Ultimate Outcome == | ||
PicoStocks promised a timeline of 1 week to relaunch their platform<ref name=":0" /> | PicoStocks promised a timeline of 1 week to relaunch their platform<ref name=":0" />. The platform promised to completely cover all losses, which was reportedly followed through with<ref name="bitcointalklist" />. | ||
The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally starting to move those funds starting February 15th, 2014<ref name=":4" /><ref name=":5" />. | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
PicoStocks promised users that they would return all "the funds collected on user account"<ref name=":0" /> and this was reportedly followed through with<ref name="bitcointalklist" />. | PicoStocks promised users that they would return all "the funds collected on user account"<ref name=":0" /> and this was reportedly followed through with<ref name="bitcointalklist" />. | ||
== Ongoing Developments == | |||
PicoStocks continued to operate for close to a decade and remained active on social media until March 2019<ref name=":10" />, although users started to report withdrawal problems and a lack of support near the end of 2019<ref name=":9">[https://bitcointalk.org/index.php?topic=133147.msg53335839#msg53335839 Users Reporting Withdrawal Problems In 2019 - BitcoinTalk] (Feb 8, 2023)</ref><ref>[https://bitcointalk.org/index.php?topic=5138600.0 PicoStocks Withdrawals Failing in May 2019] (Feb 14, 2023)</ref>. Posts by the founder tytus on BitcoinTalk regarding the platform appear to have been deleted<ref>[https://web.archive.org/web/20160130114415/https://bitcointalk.org/index.php?action=profile;u=56286 tytus Post Count 275 Prior To Delete - BitcoinTalk] (Feb 8, 2023)</ref><ref name=":8" />.<blockquote>[I'm] trying to withdraw some ETH from picostocks.com, but since last week [I'm] unable to withdraw my balance[. I] check[ed] their [T]witter[ and] [F]ac[e]book[. I see] many people complaining [about] the[ir] withdrawal req[u]est[s] but no one is responsible and there is no proper way to contact som[e]one for support[.] So just be car[e]ful before using this exchange, because [I'm] still not sure [if] this site is [a] scam or not.</blockquote>The PicoStocks homepage was still online as of September 28th, 2021<ref>[https://web.archive.org/web/20210928043722/https://picostocks.com/about PicoStocks Website On September 28th, 2021 - Internet Archive] (Feb 8, 2023)</ref>, and the website appeared functional to log in as of January 3rd, 2022<ref>[https://web.archive.org/web/20220103200915/https://picostocks.com/login PicoStocks Website On January 3rd, 2022 - Internet Archive] (Feb 8, 2023)</ref>. However, no subsequent captures of the site have been made and it appears to be offline as of February 8th, 2023. | |||
==Individual Prevention Policies== | |||
{{Prevention:Individuals:Avoid Third Party Custodians}} | |||
{{Prevention:Individuals:Question Unrealistic Profit}} | |||
{{Prevention:Individuals:End}} | |||
== Prevention Policies == | ==Platform Prevention Policies == | ||
This situation could have been most effectively prevented by the use of a multi-signature wallet, rather than a single private key. In such a setup, the cold storage wallet would have required approvals from multiple team members to initiate a withdrawal. This, combined with a reasonable level of training for key holders, would have effectively prevented an attacker from obtaining enough private keys to perform a transfer. | This situation could have been most effectively prevented by the use of a multi-signature wallet, rather than a single private key. In such a setup, the cold storage wallet would have required approvals from multiple team members to initiate a withdrawal. This, combined with a reasonable level of training for key holders, would have effectively prevented an attacker from obtaining enough private keys to perform a transfer. | ||
{{Prevention:Platforms:Implement Multi-Signature}} | |||
{{Prevention:Platforms:Regular Audit Procedures}} | |||
{{Prevention:Platforms:Establish Industry Insurance Fund}} | |||
{{Prevention:Platforms:End}} | |||
==Regulatory Prevention Policies== | |||
{{Prevention:Regulators:Platform Security Assessments}} | |||
{{Prevention:Regulators:Establish Industry Insurance Fund}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
<references> | <references> | ||
Latest revision as of 11:11, 8 December 2023
PicoStocks was a centralized exchange based in Marshall Islands, which operated one of the earliest forms of blockchain project fundraising, where entrepreneurs could launch offerings for investors. On November 29th, 2013, the service suffered a breach of 5,896.23098163 bitcoin from two separate wallets. Ultimately, the exchange covered all user losses and relaunched successfully. It appears that the platform continued to operate until 2019.
About PicoStocks
PicoStocks was a centralized exchange based in Marshall Islands[1], which was launched on either December 21st, 2012[2] or December 24th, 2012[3]. The service was primarily focused around allowing companies to raise funds using the blockchain with an "Initial PicoStocks Offering (IPO)"[1]. They reportedly allowed investors to invest anonymously[1][2] and used novel means for circumventing legal regulation[4]. The service was run by the BitcoinTalk user "tytus"[4][5].
Picostocks facilitates valuation and fundraising for high tech startup projects and companies and offers valuable services and benefits for both bitcoin investors and entrepreneurs.
Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network.
Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.
The platform listed their name and address as "Picostocks Incorporated, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960"[1]. They also featured an "IPO office" which was "operated by BioInfoBank, Sw. Marcin 80/82 lok. 355, 61-809 Poznan, Poland"[1]. Customers could contact them by email, phone, and fax[1], as well as through some social media channels like the BitcoinTalk forum[5]. Traded stocks remained the legal property of PicoStocks and PicoStocks collected various fees throughout the investment process[2].
The Reality
Specific details of who ran the PicoStocks service were not provided to the public[1].
While Picostocks took care to separate their funds into separate cold and hot wallets, which were kept on separate computers[6], they also kept backup copies of the private keys[6] and kept operating with those same wallets.
What Happened
PicoStocks has speculated that the private keys of the wallet may have been copied in the past and subsequently decrypted[6]. The culprit then used this access to the keys to steal funds from both wallets[4].
| Date | Event | Description |
|---|---|---|
| April 19th, 2012 3:11:53 PM | tytus Registration | The BitcoinTalk user tytus first registers on the BitcoinTalk forum[7]. |
| December 24th, 2012 | PicoStocks Launches | The centralized exchange service PicoStocks launches, based in the Marshall Islands[3]. |
| November 29th, 2013 10:00:41 AM | Cold Wallet Breached | The breach is reported to have occurred on November 29th, 2013[8][4][9]. The first blockchain transaction shows a timestamp of 10:00:41 AM[10][4]. |
| November 29th, 2013 10:11:59 AM | Hot Wallet Breached | A second blockchain transaction in the following block empties what is believed to be the hot wallet[11][4]. |
| November 29th, 2013 6:18:45 PM | BitcoinTalk Post | BitcoinTalk user tytus, suspected to be the founder of PicoStocks, posts an announcement on the BitcoinTalk forum[5][12]. |
| November 30th, 2013 3:36:14 AM | Reddit Post | Reddit user "love_eggs_and_bacon" posts a copy of the original notice that was posted on BitcoinTalk to announce the situation[6]. |
| February 15th, 2014 5:06:57 AM | Hot Wallet Funds Move | The funds originally breached from the hot storage wallet started to move on the blockchain[13]. |
| February 17th, 2014 6:03:47 AM | Cold Wallet Funds Move | The funds originally breached from the cold storage wallet started to move on the blockchain[14]. |
| October 3rd, 2017 9:48:28 AM | tytus Last Active | The BitcoinTalk account for tytus is last active on the BitcoinTalk forums[7]. |
| February 15th, 2019 | Final Medium Post | The PicoStocks account on Medium posted the final post about how the platform prevented wash trading by publishing user IDs[15]. |
| March 29th, 2019 12:57 AM | Final Twitter Post | The final post of PicoStocks on Twitter[16]. |
| December 13, 2019, 12:00:36 PM | Withdrawal Problems | PicoStocks users start to report withdrawal problems and a lack of support on the BitcoinTalk forum[17]. |
Technical Details
Is it reported that two separate wallets were breached[5][6]. One wallet was reportedly described as "hot" while the other wallet was reportedly described as "cold"[5][6]. Wallets were described as being "located on different computers", which suggests that both the "hot" and "cold" wallet keys were stored and accessed from a computer[5][6]. Many users have suggested that both wallets existed on networked computers[18][19]. While wallet keys were believed to be encrypted, this can often be brute-forced if there is a weak password used for the encryption.
Hot Wallet Address: 19t7RxwXdfiwQMyQ3JVB16e9HgV7omijSs
Cold Wallet Addresses: Multiple, as moved in bitcoin transaction 28c9d7b0b31c9262958b88c42b1703098d44574e0830173c0b5cfe2a79490881
Total Amount Lost
The loss amount was reported as 5,896.23098163[4] BTC (many sources rounded this to 5,895 BTC[8][9]), with an estimated value of either $6,000,000 USD[8][9][20] or $3,009,397 USD[4].
Funds were removed from both the hot wallet and cold wallet of PicoStocks[6][9][4]. According to blockchain data, the hot wallet had 685.57933572 BTC[21][11] and the cold wallet had 5210.65104591 BTC[22][10]. This maintains a total of 5896.23038163 BTC. Using the bitcoin market price for November 29th, 2013 of $1,037.76 USD from BuyBitcoinWorldWide[23], this gives a total value of $5,407,405.23 USD.
Immediate Reactions
It does not appear that there were any changes to the PicoStocks website to announce the hack situation at the time[24][25]. PicoStocks posted an announcement about what happened on the BitcoinTalk forum[5], which was subsequently reposted to Reddit[6]. The initial announcement mentioned both the hot and cold wallets were emptied, and a suspicion that the wallets may have been copied by people who previously had access to the system[5][6].
PicoStocks is down for a while and will remain like this for sure over the weekend. Funds from our hot wallet and cold wallet account have been stolen.
There is no sign of an intrusion into the systems. Both wallets were located on different computers. We suspect that these have been copied by people who had access to the system in the past and decrypted.
This is of course a serious loss for the company, but we expect no losses for the users. the funds collected on user account will be returned. We will have to create a new hot wallet and we will change all PicoStocks addresses for all users, but the rest will remain as it was. We will open the system when we have positively reviewed the security and collected the funds for the users :-( Maybe in 1 week from now :-(
Multiple users heavily criticized PicoStocks for operating their cold wallet on a networked computer[18][19], but there is no indication that this was the way the wallet had operated. Many users on Reddit concluded that the PicoStocks platform was either incompetent or attempting a scam[26][27][28]. Some BitcoinTalk users were similarly critical[5].
This reeks of a scam. And if not, if you are so incompetent that you actually got your cold wallet drained then you deserve to be sued by your customers for all you've got.
Scam or stupid, pick one to describe the company. They either took the funds themselves, or didn't actually have a cold wallet set up.
You're exactly the scumbag thief I said you were, back in Spring.
Ultimate Outcome
PicoStocks promised a timeline of 1 week to relaunch their platform[6]. The platform promised to completely cover all losses, which was reportedly followed through with[4].
The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally starting to move those funds starting February 15th, 2014[13][14].
Total Amount Recovered
PicoStocks promised users that they would return all "the funds collected on user account"[6] and this was reportedly followed through with[4].
Ongoing Developments
PicoStocks continued to operate for close to a decade and remained active on social media until March 2019[16], although users started to report withdrawal problems and a lack of support near the end of 2019[17][29]. Posts by the founder tytus on BitcoinTalk regarding the platform appear to have been deleted[30][7].
[I'm] trying to withdraw some ETH from picostocks.com, but since last week [I'm] unable to withdraw my balance[. I] check[ed] their [T]witter[ and] [F]ac[e]book[. I see] many people complaining [about] the[ir] withdrawal req[u]est[s] but no one is responsible and there is no proper way to contact som[e]one for support[.] So just be car[e]ful before using this exchange, because [I'm] still not sure [if] this site is [a] scam or not.
The PicoStocks homepage was still online as of September 28th, 2021[31], and the website appeared functional to log in as of January 3rd, 2022[32]. However, no subsequent captures of the site have been made and it appears to be offline as of February 8th, 2023.
Individual Prevention Policies
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event your money is kept and nothing is delivered in return?
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
This situation could have been most effectively prevented by the use of a multi-signature wallet, rather than a single private key. In such a setup, the cold storage wallet would have required approvals from multiple team members to initiate a withdrawal. This, combined with a reasonable level of training for key holders, would have effectively prevented an attacker from obtaining enough private keys to perform a transfer.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 1.2 1.3 1.4 1.5 1.6 PicoStocks Website On December 28th, 2012 - Internet Archive (Feb 8, 2023)
- ↑ 2.0 2.1 2.2 PicoStocks - Bitcoin Wiki (Feb 8, 2023)
- ↑ 3.0 3.1 Picostocks Trading Volume - CoinMarketCap (Feb 8, 2023)
- ↑ 4.00 4.01 4.02 4.03 4.04 4.05 4.06 4.07 4.08 4.09 4.10 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 14)
- ↑ 5.0 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 Quote of Original Announcement on BitcoinTalk (Feb 8, 2023)
- ↑ 6.00 6.01 6.02 6.03 6.04 6.05 6.06 6.07 6.08 6.09 6.10 6.11 Picostocks hacked, even cold wallet emptied - Reddit (Feb 8, 2023)
- ↑ 7.0 7.1 7.2 tytus User Registration - BitcoinTalk (Feb 8, 2023)
- ↑ 8.0 8.1 8.2 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)
- ↑ 9.0 9.1 9.2 9.3 Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)
- ↑ 10.0 10.1 Cold Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- ↑ 11.0 11.1 Hot Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- ↑ tytus Theft Announcement on BitcoinTalk - Internet Archive (Feb 8, 2023)
- ↑ 13.0 13.1 Hot Wallet Funds Start To Move - Blockchain.info (Feb 8, 2023)
- ↑ 14.0 14.1 Subsequent Movement of Cold Wallet Funds - Blockchain.info (Feb 8, 2023)
- ↑ How Publishing User IDs with Trades Makes a Crypto Exchange Better for Everyone - Medium (Feb 8, 2023)
- ↑ 16.0 16.1 PicoStocks Final Tweet - Twitter (Feb 8, 2023)
- ↑ 17.0 17.1 Users Reporting Withdrawal Problems In 2019 - BitcoinTalk (Feb 8, 2023)
- ↑ 18.0 18.1 servowire Comment - Reddit (Feb 8, 2023)
- ↑ 19.0 19.1 thekiwi99 Comment - Reddit (Feb 8, 2023)
- ↑ Reddit User Godfreee's estimate - Reddit (Feb 8, 2023)
- ↑ Picostocks Hot Wallet - Blockchain.info (Feb 8, 2023)
- ↑ Picostocks Cold Wallet - Blockchain.info (Feb 8, 2023)
- ↑ BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Feb 8, 2023)
- ↑ PicoStocks Homepage On October 28th, 2013 - Internet Archive (Feb 8, 2023)
- ↑ PicoStocks Website On February 9th, 2014 - Internet Archive (Feb 8, 2023)
- ↑ riplin Comment - Reddit (Feb 8, 2023)
- ↑ riplin - "This reeks of a scam. And if not, if you are so incompetent that you actually got your cold wallet drained then you deserve to be sued by your customers for all you've got." - Reddit (Dec 7, 2023)
- ↑ colsatre - "Scam or stupid, pick one to describe the company. They either took the funds themselves, or didn't actually have a cold wallet set up." - Reddit (Dec 7, 2023)
- ↑ PicoStocks Withdrawals Failing in May 2019 (Feb 14, 2023)
- ↑ tytus Post Count 275 Prior To Delete - BitcoinTalk (Feb 8, 2023)
- ↑ PicoStocks Website On September 28th, 2021 - Internet Archive (Feb 8, 2023)
- ↑ PicoStocks Website On January 3rd, 2022 - Internet Archive (Feb 8, 2023)