MyBitcoin Exchange Hack/Fraud: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Undo revision 1846 by Azoundria (talk) and fixed the original edit that was intended.)
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[File:Mybitcoin.jpg|thumb|MyBitcoin]]MyBitcoin was a popular wallet service for new users of bitcoin with exact origins and founding not fully known. More than half of the funds were stolen from the service, reportedly through a shopping cart vulnerability. The service ultimately stopped operating after refunding what was left to affected users.
[[File:Mybitcoin.jpg|thumb|MyBitcoin Logo/Homepage]]MyBitcoin was a popular wallet service for new users of bitcoin. The exact origins and founding of the service is not fully known. More than half of the funds were stolen from the service, reportedly through a shopping cart vulnerability. The service ultimately stopped operating after refunding what was left to affected users.
 
TBD:<ref>https://observer.com/2011/06/bit-omoney-whos-behind-the-bitcoin-bubble-2/ (Accessed Aug 28, 2024)</ref>


== About MyBitcoin ==
== About MyBitcoin ==
MyBitcoin was a wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN has been in business since [the] middle of 2009"<ref name="fbireport" />, while domain name WHOIS reports that the domain first existed on April 25th, 2010<ref name="stackexchange" />. Actual content was first reported on the site by Internet Archive on February 11th, 2011<ref name="mybitcoinarchive" />, although prior versions of the site may have loaded content if the user installed "CACert's security certificate"<ref name="mybitcoincacert" />.
MyBitcoin was an early wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. MyBitcoin was founded prior to February 11th, 2011<ref name="mybitcoinarchive" />.


This website showed the name MyBitcoin LLC<ref name="bitcoinwiki" /><ref name="mybitcoinarchive" /> while domain name WHOIS entries showed the mailing address to be a post office box in Nevis<ref name="bitcoinwiki" /><ref name="mybitcoindown" />, part of the Caribbean island nation of St. Kitts and Nevis<ref name="wikipedianevis" />. It is not known if this truly is an LLC and if so, where the organization was located<ref name="bitcoinwiki" />. Domain name WHOIS and a later announcement on the website showed that the founder was someone named Tom Williams<ref name="mybitcoindown" /><ref name="99bitcoins" />.
The original website showed the name MyBitcoin LLC<ref name="bitcoinwiki" /><ref name="mybitcoinarchive" />. Domain name WHOIS and a later announcement on the website showed that the founder was Tom Williams<ref name="mybitcoindown" /><ref name="99bitcoins" />.


MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin<ref name="mybitcoinarchive" />.<blockquote>MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin<ref name="mybitcoinarchive" />.<blockquote>MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
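Review bot: the new lead is followed by a bare "TBD:" line holding only an Observer URL reference. Either work that source into a sentence or remove the placeholder before this revision stands. In the rewritten summary, "The exact origins and founding of the service is not fully known" needs a plural verb ("are not fully known"). The shortened "About MyBitcoin" paragraph now states only "founded prior to February 11th, 2011", which is the first Internet Archive capture rather than a founding date, so wording such as "was online by" would match the cited source more closely.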
Line 16: Line 18:
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.


MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.</blockquote>Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl<ref name="observer2" />. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.<ref name="brucewagner" /><ref name="observer2" /> <blockquote>We have a lot of bitcoin there..... ( as has already been reported in the press )...    Many -- perhaps most -- non-technical people... and businesses, I know and associate with,....  rely on MyBitcoin.com     
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.</blockquote>Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl<ref name="observer2" />. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.<ref name="brucewagner" /><ref name="observer2" /> <blockquote>
 
 
 
We have a lot of bitcoin there..... ( as has already been reported in the press )...    Many -- perhaps most -- non-technical people... and businesses, I know and associate with,....  rely on MyBitcoin.com     


Most of my friends and family and associates.... all have all their bitcoin there too.</blockquote>
Most of my friends and family and associates.... all have all their bitcoin there too.</blockquote>
==The Reality==
==The Reality==
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin<ref name="bitcointalklistold" /><ref name="bitcointalklist" /> and some have argued he ran the entire service as a fraud.<ref name="99bitcoins" /><ref name=":0">[https://bitcointalk.org/index.php?topic=32900.msg411839#msg411839 Jine's Response - BitcoinTalk Forum] (Jan 31, 2023)</ref><blockquote>05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis?
The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN ha[d] been in business since [the] middle of 2009"<ref name="fbireport" />, while domain name WHOIS reports that the domain first existed on April 25th, 2010<ref name="stackexchange" />. Actual content was first reported on the site by Internet Archive on February 11th, 2011<ref name="mybitcoinarchive" />, although prior versions of the site appear to have loaded content if the user installed "CACert's security certificate"<ref name="mybitcoincacert" />.


05:11:10 < shockdiode> people use that country as a privacy cloak
Domain name WHOIS entries showed the mailing address to be a post office box in Nevis<ref name="bitcoinwiki" /><ref name="mybitcoindown" />, part of the Caribbean island nation of St. Kitts and Nevis<ref name="wikipedianevis" />. It is not known if this truly was truly an LLC (Limited Liability Corporation) and if so, where the organization was located<ref name="bitcoinwiki" />.


05:11:44 < shockdiode> getting incorporated there pretty much gurantees your anonymity</blockquote>The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet<ref name="99bitcoins" />.
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin<ref name="bitcointalklistold" /><ref name="bitcointalklist" /> and some have argued he ran the entire service as a fraud.<ref name="99bitcoins" /><ref name=":0">[https://bitcointalk.org/index.php?topic=32900.msg411839#msg411839 Jine's Response - BitcoinTalk Forum] (Jan 31, 2023)</ref><blockquote>05:10:57 <shockdiode> In Charlestown in St Kitts and Nevis?


It appears that MyBitcoin was using an OpenCart software<ref>[https://bitcointalk.org/index.php?topic=5625.20;wap2 MyBitcoin Using OpenCart Software - BitcoinTalk] (Feb 2, 2023)</ref>. The exact vulnerability was highlighted publicly on BitcoinTalk almost a month prior to the loss<ref name=":2">[https://bitcointalk.org/index.php?topic=22221.msg309173#msg309173 theymos on BitcoinTalk Mentioning The Same Vulnerability] (Feb 2, 2023)</ref>.
05:11:10 <shockdiode> people use that country as a privacy cloak
 
05:11:44 <shockdiode> getting incorporated there pretty much gu[a]rantees your anonymity</blockquote>The service was reportedly storing funds insecurely, with over half of the bitcoin left in an online hot wallet<ref name="99bitcoins" />.
 
It appears that MyBitcoin was using an OpenCart software<ref>[https://bitcointalk.org/index.php?topic=5625.20;wap2 MyBitcoin Using OpenCart Software - BitcoinTalk] (Feb 2, 2023)</ref>. Some users had expressed concerns that the service accepted bitcoin deposits with only a single blockchain confirmation<ref name=":2">[https://bitcointalk.org/index.php?topic=22221.msg309173#msg309173 theymos - "MyBitcoin is ''still'' accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet. There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage." - BitcoinTalk] (Feb 2, 2023)</ref>.


==What Happened ==
==What Happened ==
As reported through an announcement on the MyBitcoin website:<ref name="99bitcoins" /><blockquote>"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Sopping Cart Interface) system had been breached by an unknown attacker."</blockquote>Further details were later published:<ref name="mybitcoinincident" /><blockquote>After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.
As reported through an announcement on the MyBitcoin website:<ref name="99bitcoins" /><blockquote>"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (S[h]opping Cart Interface) system had been breached by an unknown attacker."</blockquote>Further details were later published:<ref name="mybitcoinincident" /><blockquote>After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.


It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
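Review bot: in the relocated WHOIS paragraph under "The Reality", "It is not known if this truly was truly an LLC (Limited Liability Corporation)" repeats "truly", and LLC expands to Limited Liability Company. The reworked reference `:2` now carries the whole of theymos's post as its link text. A short title in the ref, with the quotation kept in the body where it is discussed, would be easier to read and to reuse from the other places that cite `:2`.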
Line 39: Line 49:
!Event
!Event
!Description
!Description
|-
|April 2nd, 2011
|Key Certification
|One of the keys used to sign later announcements "seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him"<ref name=":6">[https://bitcointalk.org/index.php?topic=22221.msg427731#msg427731 julz - "The signature isn't 'trusted' in that it's not verified by a certifying agency - but I think we can know that it's the same person who had control of the mybitcoin response email system. I found the same public key in some python software which interfaced with mybitcoin. Interestingly.. that key does seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him." - BitcoinTalk] (Dec 8, 2023)</ref>.
|-
|April 12th, 2011
|Key Certification
|One of the keys used to sign later announcements "seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him"<ref name=":6" />.
|-
|-
|July 1st, 2011 01:31:47 AM
|July 1st, 2011 01:31:47 AM
|Vulnerability Highlighted
|Vulnerability Highlighted
|The vulnerability is highlighted on the BitcoinTalk forum<ref name=":2" />.
|BitcoinTalk user theymos points out a vulnerability with the MyBitcoin system, where it's accepting payments after just one confirmation on the BitcoinTalk forum<ref name=":2" />.
|-
|-
|July 29th, 2011, 3:41:36 PM MST
|July 29th, 2011, 3:41:36 PM MST
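Review bot: the two new "Key Certification" rows (April 2nd and April 12th, 2011) have identical Event and Description cells, both quoting the same sentence that already names both dates. Merge them into one row, or give each row a description specific to its date. In the rewritten July 1st row, "where it's accepting payments after just one confirmation on the BitcoinTalk forum" reads as if the payments happened on the forum. Moving "on the BitcoinTalk forum" next to "points out" fixes that.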
Line 72: Line 90:
|The last modification was made to the Bitcoin CrimeUnit investigation report<ref name=":1" />.
|The last modification was made to the Bitcoin CrimeUnit investigation report<ref name=":1" />.
|}
|}
== Technical Details ==
Bitcoin were reportedly extracted using the shopping cart interface of the MyBitcoin service. Deposits into the MyBitcoin platform were accepted after a single on-chain confirmation<ref name=":2" />. It appears that exploiter were able to create fake deposits of bitcoin into the service, which were not actually paid on-chain. One potential exploit may have been the reuse of previous deposit transaction IDs when submitting a new request. The fake bitcoin were then withdrawn from the shared fund pool, which was actually withdrawing bitcoin funds deposited by other users<ref name="mybitcoinincident" />.
=== Details Provided By MyBitcoin ===
Much of the technical information came from an initial announcement<ref name="99bitcoins" /> and details provided by MyBitcoin<ref name="mybitcoinincident" />.<blockquote>"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (S[h]opping Cart Interface) system had been breached by an unknown attacker."</blockquote><blockquote>After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.</blockquote>
=== Potential Vulnerability By Theymos ===
On July 1st, another BitcoinTalk user theymos posted that the MyBitcoin website was accepting payments after just a single confirmation<ref name=":2" />. There was a concern that this could allow a double-spend of funds.<blockquote>MyBitcoin is ''still'' accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage.</blockquote>There is no evidence to suggest that this was the exploit used in this case. It is more likely that the adversary found a way to forge the confirmation, fooling the site into believing it had received funds on-chain.


==Total Amount Lost==
==Total Amount Lost==
MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.<ref name="observer" /> Multiple sources incorrectly claim that this was the amount lost<ref name="kylegibson" /><ref name="bitcoinexchangeguide" />, however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin ultimately refunded users from the 49% that remained<ref name="observer" /><ref name="bitcoinwiki" /> in their cold storage through a claims process<ref name="99bitcoins" /><ref name="mybitcoinincident" />.
MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.<ref name="observer" /> Multiple sources incorrectly claim that this was the amount lost<ref name="kylegibson" /><ref name="bitcoinexchangeguide" />, however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin ultimately refunded users from the 49% that remained<ref name="observer" /><ref name="bitcoinwiki" /> in their cold storage through a claims process<ref name="99bitcoins" /><ref name="mybitcoinincident" />.


99Bitcoins lists the total loss as 79,000 BTC though this is likely an estimation<ref name="99bitcoins" />, while Wikipedia simply states "more than 78,000 bitcoins" worth "roughly US$800,000"<ref>[[wikipedia:History_of_bitcoin|History of bitcoin - Wikipedia]] (Jan 31, 2023)</ref>. The losses from the event were more precisely reported as 78,739.58205388 BTC<ref name="bitcointalklistold" /><ref name="bitcointalklist" /> on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD<ref name="bitcointalklist" /> or $1,110,544 USD<ref name="bitcointalklistold" />. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD<ref name="buybitcoinsworldwide" />. Averaging these estimates gives a loss of $1,081,770.32 USD.
99Bitcoins lists the total loss as 79,000 BTC though this is likely an estimation<ref name="99bitcoins" />, while Wikipedia simply states "more than 78,000 bitcoins" worth "roughly US$800,000"<ref>[[wikipedia:History_of_bitcoin|History of bitcoin - Wikipedia]] (Jan 31, 2023)</ref>. The losses from the event were more precisely reported as 78,739.58205388 BTC<ref name="bitcointalklistold" /><ref name="bitcointalklist" /> on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD<ref name="bitcointalklist" /> or $1,110,544 USD<ref name="bitcointalklistold" />. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD<ref name="buybitcoinsworldwide" />. Averaging these estimates gives a loss figure of $1,081,770.32 USD.


==Immediate Reactions==
==Immediate Reactions==
The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered<ref name="99bitcoins" /><ref name=":3">[https://bitcointalk.org/index.php?topic=32900.msg431440#msg431440 MyBitcoin Initial Announcement - BitcoinTalk]</ref>.<blockquote>"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."</blockquote>Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.<ref name="mybitcoindown" /><blockquote>"[T]hey should be back up in 24[.]" - done</blockquote>However, most were less so, and word quickly spread to worry as the site continued to remain offline.<ref name="mybitcoindown" /><blockquote>"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee
The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered<ref name="99bitcoins" /><ref name=":3">[https://bitcointalk.org/index.php?topic=32900.msg431440#msg431440 MyBitcoin Initial Announcement - BitcoinTalk]</ref>.<blockquote>"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."</blockquote>Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.<ref name="mybitcoindown" /><blockquote>"[T]hey should be back up in 24[.]" - done</blockquote>However, most were less so, and discussion quickly spread to worry as the site continued to remain offline.<ref name="mybitcoindown" /><blockquote>"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee
 


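Review bot: two sentences in the new "Technical Details" section are offered without a source: "One potential exploit may have been the reuse of previous deposit transaction IDs when submitting a new request" and the closing "It is more likely that the adversary found a way to forge the confirmation". The quoted MyBitcoin statement says only that the confirmation-waiting software was "far too lenient" and that deposits were forged via the SCI, so cite where these hypotheses come from or mark them clearly as conjecture. "It appears that exploiter were able" needs a number fix ("exploiters were able" or "the exploiter was able"), and the two MyBitcoin blockquotes added here repeat the ones already quoted under "What Happened", so one of the two copies could become a cross-reference.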
"Security and business processes across most Bitcoin start-ups are likely to be immature.
"Security and business processes across most Bitcoin start-ups are likely to be immature.
Line 94: Line 126:
If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"</blockquote>Though many were not as open to the idea:<ref name="mybitcoindown" /><blockquote>That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.</blockquote>On August 2nd, a troll account posted a fake announcement about the events, claiming to be in contact with the FBI<ref name=":4" />.<blockquote>This is Tom Williams, and as you probably know, I'm the current owner of MyBitcoin.com.  As you've noticed at this point, our site has been down for several days now.  It is with great sadness that I announce that the current downtime has been caused by a major security breach in our network.  The attackers seem to have been completely indiscriminate, deleting everything that they could get their hands on, including the wallet.dat files stored on the network.
If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"</blockquote>Though many were not as open to the idea:<ref name="mybitcoindown" /><blockquote>That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.</blockquote>On August 2nd, a troll account posted a fake announcement about the events, claiming to be in contact with the FBI<ref name=":4" />.<blockquote>This is Tom Williams, and as you probably know, I'm the current owner of MyBitcoin.com.  As you've noticed at this point, our site has been down for several days now.  It is with great sadness that I announce that the current downtime has been caused by a major security breach in our network.  The attackers seem to have been completely indiscriminate, deleting everything that they could get their hands on, including the wallet.dat files stored on the network.


At this point I've been essentially paralyzed with shock for the last several days and sick to my stomach with the realization of what happened.  I have completely lost access to the files that were hosted on the website and did not have a local backup of that data.  The FBI have been contacted and they have instructed me to leave the site untouched while they conduct their investigation.  Hopefully they'll be able to recover the lost files and find the culprit.  If they can't, then I don't know what to do. I'm a simple computer science major who had planned to use the site as part of my senior project and I can't even get close to covering the losses on my own.


At this point I've been essentially paralyzed with shock for the last several days and sick to my stomach with the realization of what happened.  I have completely lost access to the files that were hosted on the website and did not have a local backup of that data.  The FBI have been contacted and they have instructed me to leave the site untouched while they conduct their investigation.  Hopefully they'll be able to recover the lost files and find the culprit.  If they can't, then I don't know what to do.  I'm a simple computer science major who had planned to use the site as part of my senior project and I can't even get close to covering the losses on my own.
I plan to get in touch with my lawyer in the coming days and I will post more information when I have a better understanding of my responsibilities regarding the situation. Hopefully at that point I will have an update regarding the FBI investigation as well, though they seemed somewhat less than interested in recovering the bitcoins themselves when I spoke with them.</blockquote>An actual notice about the situation was finally posted at some point between August 4th and August 5th<ref name="99bitcoins" /><ref name=":3" />.<blockquote>As you have probably noticed, MyBitcoin.com had been down for almost a week due to an unfortunate event.
 
 
I plan to get in touch with my lawyer in the coming days and I will post more information when I have a better understanding of my responsibilities regarding the situation.  Hopefully at that point I will have an update regarding the FBI investigation as well, though they seemed somewhat less than interested in recovering the bitcoins themselves when I spoke with them.</blockquote>An actual notice about the situation was finally posted at some point between August 4th and August 5th<ref name="99bitcoins" /><ref name=":3" />.<blockquote>As you have probably noticed, MyBitcoin.com had been down for almost a week due to an unfortunate event.


On Friday of last week we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Shopping Cart Interface) system had been breached by an unknown attacker.
On Friday of last week we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Shopping Cart Interface) system had been breached by an unknown attacker.
Line 111: Line 141:


==Ultimate Outcome==
==Ultimate Outcome==
A claims process was later undertaken through the MyBitcoin website.<ref name="buybitcoinsworldwide" /> <blockquote>The claim process will consist of a online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled.  
A claims process was later undertaken through the MyBitcoin website.<ref name="buybitcoinsworldwide" /> <blockquote>The claim process will consist of a online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled.


Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.</blockquote>MyBitcoin also promised to release their source code of their site<ref name="buybitcoinsworldwide" />, however this was never released<ref name="bitcointalklistold" /><ref name="bitcointalklist" />.  
Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.</blockquote>MyBitcoin promised to release their source code of their site<ref name="buybitcoinsworldwide" />, however this was never released<ref name="bitcointalklistold" /><ref name="bitcointalklist" />.  


Information was investigated within days on the domain name registration and leased server which was set up<ref name=":0" /><ref name=":1" /> and some users started crowdsourcing information on the freenode #bitcoin-police IRC channel<ref name="observer2" /><ref>[https://pastebin.com/MfPt99eR Bitcoin Police Pastebin Article] (Feb 2, 2023)</ref>. Some users pursued a Canadian lead against someone named Dalin Owen in Edmonton, Canada<ref name="observer" /><ref name=":1">[https://web.archive.org/web/20111028015259/http://bitcoin.crimeunit.net/wiki/index.php/MyBitcoin_Summary Bitcoin CrimeUnit Report - MyBitcoin]</ref>. Dalin Owen has denied being involved, and claims he merely sold the domain name for the site. Tom Williams has also expressly denied being Dalin Owen<ref name="observer" />. <blockquote>Dalin says he runs Roothosts and PrivacyShark, the latter of the two is a registered Nevis East Indies LLC setup by a company called Morning Star Holdings. MyBitcoin is also a Nevis LLC setup by the same company. Dalin says on his personal website that he was in contact with the person who registered mybitcoin.net with PrivacyShark and he recommended Morning Star.
Information was investigated within days on the domain name registration and leased server which was set up<ref name=":0" /><ref name=":1" /> and some users started crowdsourcing information on the freenode #bitcoin-police IRC channel<ref name="observer2" /><ref>[https://pastebin.com/MfPt99eR Bitcoin Police Pastebin Article] (Feb 2, 2023)</ref>. Some users pursued a Canadian lead against someone named Dalin Owen in Edmonton, Canada<ref name="observer" /><ref name=":1">[https://web.archive.org/web/20111028015259/http://bitcoin.crimeunit.net/wiki/index.php/MyBitcoin_Summary Bitcoin CrimeUnit Report - MyBitcoin]</ref>. Dalin Owen has denied being involved, and claims he merely sold the domain name for the site. Tom Williams has also expressly denied being Dalin Owen<ref name="observer" />. <blockquote>Dalin says he runs Roothosts and PrivacyShark, the latter of the two is a registered Nevis East Indies LLC setup by a company called Morning Star Holdings. MyBitcoin is also a Nevis LLC setup by the same company. Dalin says on his personal website that he was in contact with the person who registered mybitcoin.net with PrivacyShark and he recommended Morning Star.
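Review bot: the claims-process quotation and the source-code promise in this hunk are both cited to `buybitcoinsworldwide`, which "Total Amount Lost" uses as the source for the July 29th price, while the claims process there is attributed to `99bitcoins` and `mybitcoinincident`. Check that these two statements point at the right reference. The edited sentence "MyBitcoin promised to release their source code of their site, however this was never released" would read better as "promised to release the source code of their site; however, it was never released".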
Line 133: Line 163:
“Many of us think Tom Williams is TheMadhatter who used to sell prepaid credit cards bought in Canada,” another said. Mr. Owen may well be TheMadhatter, he added.
“Many of us think Tom Williams is TheMadhatter who used to sell prepaid credit cards bought in Canada,” another said. Mr. Owen may well be TheMadhatter, he added.


On IRC, Mr. Williams denied that he was TheMadhatter or Dalin Owen. He also denied Betabeat an interview. “I’m not interested in the press. No offense implied,” he said.</blockquote>Another potential candidate considered was Bruce Wagner.<ref name="bitcointalklistold" /><ref name="bitcointalklist" />:<blockquote>In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive.</blockquote>It does not appear that any prosecution by authorities was ever undertaken in this case.   
On IRC, Mr. Williams denied that he was TheMadhatter or Dalin Owen. He also denied Betabeat an interview. “I’m not interested in the press. No offense implied,” he said.</blockquote>Another potential candidate considered was Bruce Wagner.<ref name="bitcointalklistold" /><ref name="bitcointalklist" />:<blockquote>In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive.</blockquote>At one point, it was noted that some keys for the MyBitcoin website were certified by an individual named Tobias LLoyd in April 2011, who may be the owner or know the owner<ref name=":6" />.<blockquote>Not the way I read it
 
That post seems legit.
 
I also did a gpg verify on a mybitcoin deposit email someone posted online and got a similar result
 
The signature isn't 'trusted' in that it's not verified by a certifying agency - but I think we can know that it's the same person who had control of the mybitcoin response email system.
 
I found the same public key in some python software which interfaced with mybitcoin.
 
Interestingly.. that key does seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him.
 
As far as I know.. you shouldn't certify unless you've met and properly verified the person.. so maybe Tobias has some information?</blockquote>It does not appear that any prosecution by authorities was ever undertaken in this case.   
==Total Amount Recovered==
==Total Amount Recovered==
There do not appear to have been any funds recovered from the 51% which were claimed to have been stolen from the platform. MyBitcoin allowed users to receive refunds for the 49% of funds which remained in their cold storage wallet<ref name="observer" /><ref name=":5" />, although this stopped after August 13th, 2011 and it's unclear what portion of users received their funds prior<ref name="fbireport" />.
There do not appear to have been any funds recovered from the 51% which were claimed to have been stolen from the platform. MyBitcoin allowed users to receive refunds for the 49% of funds which remained in their cold storage wallet<ref name="observer" /><ref name=":5" />, although the refund process stopped after August 13th, 2011 and it's unclear what portion of users received their funds prior to this deadline<ref name="fbireport" />.


==Ongoing Developments ==
==Ongoing Developments ==
The MyBitcoin platform wrapped up their operations<ref name="99bitcoins" /> and while the investigation reportedly lost steam<ref name=":5">[https://web.archive.org/web/20140404115130/http://betabeat.com/2011/08/search-for-owners-of-mybitcoin-loses-steam/ Search for Owners of MyBitcoin Loses Steam | Betabeat] (Jan 31, 2023)</ref>, there has been speculation as recently as 2019 about the identity of Tom Williams<ref>[https://bitcointalk.org/index.php?topic=22221.msg51052990#msg51052990 Tom Williams is Paul Calder de Roux speculation - BitcoinTalk] (Feb 2, 2023)</ref>. Even though MyBitcoin promised to release their source code, this was never done<ref name="bitcointalklistold" /><ref name="bitcointalklist" />. It does not appear that there are any recent reports or investigations into where the stolen funds have gone.
The MyBitcoin platform wrapped up their operations<ref name="99bitcoins" /> and while the investigation reportedly lost steam<ref name=":5">[https://web.archive.org/web/20140404115130/http://betabeat.com/2011/08/search-for-owners-of-mybitcoin-loses-steam/ Search for Owners of MyBitcoin Loses Steam | Betabeat] (Jan 31, 2023)</ref>, there has been speculation as recently as 2019 about the identity of Tom Williams<ref>[https://bitcointalk.org/index.php?topic=22221.msg51052990#msg51052990 Tom Williams is Paul Calder de Roux speculation - BitcoinTalk] (Feb 2, 2023)</ref>. Even though MyBitcoin promised to release their source code, this was never done<ref name="bitcointalklistold" /><ref name="bitcointalklist" />. It does not appear that there are any recent reports or investigations into where the stolen funds have gone.
==Individual Prevention Policies==
From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely.
{{Prevention:Individuals:Avoid Third Party Custodians}}
{{Prevention:Individuals:Store Funds Offline}}
{{Prevention:Individuals:End}}


==Prevention Policies==
==Platform Prevention Policies==
This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.
This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.


Having a platform with known entities holding keys would have ensured more accountability and visibility was possible when funds went lost.
Having a platform with known entities holding keys would have ensured more accountability and visibility was possible when funds went lost. An industry insurance fund can help validate and have funds aside to assist victims.


From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely.
{{Prevention:Platforms:Regular Audit Procedures}}
 
{{Prevention:Platforms:Implement Multi-Signature}}
 
{{Prevention:Platforms:Establish Industry Insurance Fund}}
 
{{Prevention:Platforms:End}}
==Regulatory Prevention Policies==
This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.
 
Having a platform with known entities holding keys would have ensured more accountability and visibility was possible when funds went lost. An industry insurance fund can help validate and have funds aside to assist victims.
 
{{Prevention:Regulators:Platform Security Assessments}}
 
{{Prevention:Regulators:Establish Industry Insurance Fund}}


{{Prevention:Regulators:Establish Industry Insurance Fund}}
==References==
==References==
<references>
<references>
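Review bot: the two paragraphs added under ==Regulatory Prevention Policies== are word-for-word copies of the ones under ==Platform Prevention Policies== ("This is a case where knowing who's holding the funds ..." and "Having a platform with known entities holding keys ..."), so the regulatory section says nothing specific to regulators. Suggest replacing them with a sentence or two on what a regulator would have required in this case, leading into the Platform Security Assessments and Establish Industry Insurance Fund templates. The added Tobias LLoyd blockquote also opens with "Not the way I read it" and "That post seems legit.", which answer posts that are not quoted; starting the quote at "I also did a gpg verify ..." would read more clearly.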
Line 161: Line 226:
<ref name="mybitcoincacert">[https://web.archive.org/web/20100718090911/http://www.mybitcoin.com/cacert/index.php MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive] (Jan 30, 2023)</ref>
<ref name="mybitcoincacert">[https://web.archive.org/web/20100718090911/http://www.mybitcoin.com/cacert/index.php MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive] (Jan 30, 2023)</ref>
<ref name="mybitcoindown">[https://bitcointalk.org/index.php?topic=32900.0 mybitcoin down or just me? - BitcoinTalk Forum] (Jan 30, 2023)</ref>
<ref name="mybitcoindown">[https://bitcointalk.org/index.php?topic=32900.0 mybitcoin down or just me? - BitcoinTalk Forum] (Jan 30, 2023)</ref>
<ref name="observer2">[https://observer.com/2011/08/mybitcoin-disappeared-with-bitcoins/ MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked | Observer] (Jan 30, 2023)</ref>
<ref name="observer2">[https://observer.com/2011/08/mybitcoin-disappeared-with-bitcoins/ MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked - Observer] (Jan 30, 2023)</ref>
<ref name="buybitcoinsworldwide">[https://buybitcoinworldwide.com/price/ BuyBitcoinsWorldwide Historic Bitcoin Price Chart] (Jan 30, 2023)</ref>
<ref name="buybitcoinsworldwide">[https://buybitcoinworldwide.com/price/ BuyBitcoinsWorldwide Historic Bitcoin Price Chart] (Jan 30, 2023)</ref>
<ref name="wikipedianevis">[[wikipedia:Nevis|Nevis - Wikipedia]] (Jan 30, 2023)</ref>
<ref name="wikipedianevis">[[wikipedia:Nevis|Nevis - Wikipedia]] (Jan 30, 2023)</ref>

Latest revision as of 15:32, 13 September 2024

MyBitcoin Logo/Homepage

MyBitcoin was a popular wallet service for new users of bitcoin. The exact origins and founding of the service are not fully known. More than half of the funds were stolen from the service, reportedly through a shopping cart vulnerability. The service ultimately stopped operating after refunding what was left to affected users.

TBD:[1]

About MyBitcoin

MyBitcoin was an early wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. MyBitcoin was founded prior to February 11th, 2011[2].

The original website showed the name MyBitcoin LLC[3][2]. Domain name WHOIS and a later announcement on the website showed that the founder was Tom Williams[4][5].

MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website described it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin[2].

MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.

Downloading and installing the Bitcoin software isn't a requirement to trade with MyBitcoin. Of course, you can still use the Bitcoin software in conjunction with MyBitcoin. The choice is entirely yours!

Just like many other popular payment systems; you can easily generate and paste HTML code onto your website to accept Bitcoin payments! No more messy programming, or other headaches. You'll have your website accepting Bitcoin in minutes!

Price the goods and services on your website in any national currency, and have our SCI convert the prices into Bitcoins as each purchase is made.

You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.

MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.

Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl[6]. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.[7][6]


We have a lot of bitcoin there..... ( as has already been reported in the press )...    Many -- perhaps most -- non-technical people... and businesses, I know and associate with,....  rely on MyBitcoin.com     

Most of my friends and family and associates.... all have all their bitcoin there too.

The Reality

The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN ha[d] been in business since [the] middle of 2009"[8], while domain name WHOIS reports that the domain first existed on April 25th, 2010[9]. Actual content was first reported on the site by Internet Archive on February 11th, 2011[2], although prior versions of the site appear to have loaded content if the user installed "CACert's security certificate"[10].

Domain name WHOIS entries showed the mailing address to be a post office box in Nevis[3][4], part of the Caribbean island nation of St. Kitts and Nevis[11]. It is not known if this truly was an LLC (Limited Liability Corporation) and if so, where the organization was located[3].

It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin[12][13] and some have argued he ran the entire service as a fraud.[5][14]

05:10:57 <shockdiode> In Charlestown in St Kitts and Nevis?

05:11:10 <shockdiode> people use that country as a privacy cloak

05:11:44 <shockdiode> getting incorporated there pretty much gu[a]rantees your anonymity

The service was reportedly storing funds insecurely, with over half of the bitcoin left in an online hot wallet[5].

It appears that MyBitcoin was using OpenCart software[15]. Some users had expressed concerns that the service accepted bitcoin deposits with only a single blockchain confirmation[16].

What Happened

As reported through an announcement on the MyBitcoin website:[5]

"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (S[h]opping Cart Interface) system had been breached by an unknown attacker."

Further details were later published:[17]

After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.

It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.

In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.

More than half of bitcoins stored with the service were reportedly stolen in the theft.[5][12][13][18]

Key Event Timeline - MyBitcoin Exchange Hack/Fraud

Date | Event | Description
April 2nd, 2011 | Key Certification | One of the keys used to sign later announcements "seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him"[19].
April 12th, 2011 | Key Certification | One of the keys used to sign later announcements "seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him"[19].
July 1st, 2011 01:31:47 AM | Vulnerability Highlighted | BitcoinTalk user theymos points out on the BitcoinTalk forum a vulnerability in the MyBitcoin system, which is accepting payments after just one confirmation[16].
July 29th, 2011, 3:41:36 PM MST | Site Reported Down | The MyBitcoin website is reported to be down for the first time on the BitcoinTalk forums[4]. This matches the "Friday of last week" which was later reported on the MyBitcoin website[5][17].
August 2nd, 2011 7:02:26 AM | Troll Posts Announcement | A user named TomWilliams posts a fake notice to the BitcoinTalk website claiming an attacker stole and deleted everything on the website[20].
August 4th, 2011 | Announcement Posted | The MyBitcoin website displays a notice to users about the theft and that they plan to enter receivership[5].
August 5th, 2022 7:03 AM | Announcement Found | The first record of the announcement having been mentioned publicly[6].
August 8th, 2011 6:20 PM | Observer Article | A popular Observer article is published on the incident, which many have used to incorrectly attribute the date when it happened[18][21][22].
August 13th, 2011 | Reimbursements Stop | It is reported that all reimbursements stopped as of August 13th, well before the 30 days initially promised[8].
September 16th, 2011 7:34 AM | CrimeUnit Last Modified | The last modification was made to the Bitcoin CrimeUnit investigation report[23].

Technical Details

Bitcoin were reportedly extracted using the shopping cart interface of the MyBitcoin service. Deposits into the MyBitcoin platform were accepted after a single on-chain confirmation[16]. It appears that the exploiter was able to create fake deposits of bitcoin into the service, which were not actually paid on-chain. One potential exploit may have been the reuse of previous deposit transaction IDs when submitting a new request. The fake bitcoin were then withdrawn from the shared fund pool, which meant the withdrawals were actually paid out of bitcoin deposited by other users[17].

Details Provided By MyBitcoin

Much of the technical information came from an initial announcement[5] and details provided by MyBitcoin[17].

"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (S[h]opping Cart Interface) system had been breached by an unknown attacker."

After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.

It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.

In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.

Potential Vulnerability By Theymos

On July 1st, another BitcoinTalk user theymos posted that the MyBitcoin website was accepting payments after just a single confirmation[16]. There was a concern that this could allow a double-spend of funds.

MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet. There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage.

There is no evidence to suggest that this was the exploit used in this case. It is more likely that the adversary found a way to forge the confirmation, fooling the site into believing it had received funds on-chain.
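The hold MyBitcoin describes in hindsight (show a deposit after one confirmation, release it only after at least 3) and a guard against resubmitting an already-credited transaction ID can be sketched as below. This is an added example, not MyBitcoin's code, which was never released; the `DepositLedger` class, its method names and the sample data are hypothetical, and the `chain` dictionary stands in for the platform's own node.

```python
"""Deposit crediting with a confirmation hold (added example, constructed data)."""
from dataclasses import dataclass

MIN_CONFIRMATIONS = 3  # "at least 3 confirmations", per MyBitcoin's statement


@dataclass
class Deposit:
    account: str
    amount: int          # satoshis, read from the chain, never from the request
    confirmations: int


class DepositLedger:
    """Hypothetical ledger; `chain` stands in for the platform's own node."""

    def __init__(self, chain, min_conf=MIN_CONFIRMATIONS):
        self.chain = chain        # {(txid, vout): (amount, confirmations)}
        self.min_conf = min_conf
        self.deposits = {}        # {(txid, vout): Deposit}
        self.withdrawn = {}       # {account: satoshis already paid out}

    def claim(self, account, txid, vout):
        """Handle a deposit notification that names an on-chain output."""
        key = (txid, vout)
        if key not in self.chain:
            return "rejected: output not found on chain"
        existing = self.deposits.get(key)
        if existing is not None:
            if existing.account != account:
                return "rejected: output already credited to another account"
            return "ignored: already recorded"
        amount, conf = self.chain[key]
        self.deposits[key] = Deposit(account, amount, conf)
        return "recorded"

    def refresh(self):
        """Re-read confirmations; an output that vanished (reorg) drops to 0."""
        for key, dep in self.deposits.items():
            dep.confirmations = self.chain.get(key, (dep.amount, 0))[1]

    def pending(self, account):
        """Shown in the transaction history, but not spendable yet."""
        return sum(d.amount for d in self.deposits.values()
                   if d.account == account
                   and 0 < d.confirmations < self.min_conf)

    def available(self, account):
        """Spendable balance: deposits past the hold minus what was paid out."""
        held = sum(d.amount for d in self.deposits.values()
                   if d.account == account
                   and d.confirmations >= self.min_conf)
        return held - self.withdrawn.get(account, 0)

    def withdraw(self, account, amount):
        if amount <= 0 or amount > self.available(account):
            return False
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return True


def demo():
    txid = "aa" * 32                      # constructed transaction ID
    chain = {(txid, 0): (500_000_000, 1)}  # constructed: 5 BTC, 1 confirmation
    ledger = DepositLedger(chain)
    out = {}
    out["claim"] = ledger.claim("alice", txid, 0)
    out["same_account_again"] = ledger.claim("alice", txid, 0)
    out["reused_txid"] = ledger.claim("mallory", txid, 0)
    out["forged_txid"] = ledger.claim("mallory", "bb" * 32, 0)
    out["pending_at_1"] = ledger.pending("alice")
    out["withdraw_at_1"] = ledger.withdraw("alice", 1)

    chain[(txid, 0)] = (500_000_000, 3)   # two more blocks arrive
    ledger.refresh()
    out["available_at_3"] = ledger.available("alice")
    out["withdraw_at_3"] = ledger.withdraw("alice", 200_000_000)

    del chain[(txid, 0)]                  # deposit reorganised out of the chain
    ledger.refresh()
    # A negative figure is the amount paid out against a deposit that is gone.
    out["available_after_reorg"] = ledger.available("alice")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The amount and confirmation count are always taken from the node's view of the output, so a request cannot credit more than the chain shows or credit the same output twice.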

Total Amount Lost

MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.[18] Multiple sources incorrectly claim that this was the amount lost[22][21], however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin ultimately refunded users from the 49% that remained[18][3] in their cold storage through a claims process[5][17].

99Bitcoins lists the total loss as 79,000 BTC though this is likely an estimation[5], while Wikipedia simply states "more than 78,000 bitcoins" worth "roughly US$800,000"[24]. The losses from the event were more precisely reported as 78,739.58205388 BTC[12][13] on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD[13] or $1,110,544 USD[12]. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD[25]. Averaging these estimates gives a loss figure of $1,081,770.32 USD.

Immediate Reactions

The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered[5][26].

"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."

Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.[4]

"[T]hey should be back up in 24[.]" - done

However, most were less so, and discussion quickly turned to worry as the site continued to remain offline.[4]

"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee

"Security and business processes across most Bitcoin start-ups are likely to be immature.

This sort of thing is disappointing, but shouldn't be a complete surprise.

It's only made worse by the fact that it's such an adversarial environment to operate in.

Not only are there competing services, but the systems effectively hold 'cash' on their hard drives, which of course attracts the cyber bandits." - julz

"[Y]eah, I am new to this[. A]fter investing in hardware to mine bitcoins I deposited my earnings into mybitcoin =( [I didn't] know either[.] I read from somewhere that it was a good place to have my wallet... guess not. I mean I didn[']t los[e] alot but darn =( 5bitcoins so it hurts considering I just started!" - mrbashfo

Talk began rather quickly on tracking down the operator Tom Williams.[4]

"Lets track him down then, it shouldn't be that impossible. If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"

Though many were not as open to the idea:[4]

That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.

On August 2nd, a troll account posted a fake announcement about the events, claiming to be in contact with the FBI[20].

This is Tom Williams, and as you probably know, I'm the current owner of MyBitcoin.com.  As you've noticed at this point, our site has been down for several days now.  It is with great sadness that I announce that the current downtime has been caused by a major security breach in our network.  The attackers seem to have been completely indiscriminate, deleting everything that they could get their hands on, including the wallet.dat files stored on the network.

At this point I've been essentially paralyzed with shock for the last several days and sick to my stomach with the realization of what happened.  I have completely lost access to the files that were hosted on the website and did not have a local backup of that data.  The FBI have been contacted and they have instructed me to leave the site untouched while they conduct their investigation.  Hopefully they'll be able to recover the lost files and find the culprit.  If they can't, then I don't know what to do. I'm a simple computer science major who had planned to use the site as part of my senior project and I can't even get close to covering the losses on my own.

I plan to get in touch with my lawyer in the coming days and I will post more information when I have a better understanding of my responsibilities regarding the situation. Hopefully at that point I will have an update regarding the FBI investigation as well, though they seemed somewhat less than interested in recovering the bitcoins themselves when I spoke with them.

An actual notice about the situation was finally posted at some point between August 4th and August 5th[5][26].

As you have probably noticed, MyBitcoin.com had been down for almost a week due to an unfortunate event.

On Friday of last week we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Shopping Cart Interface) system had been breached by an unknown attacker.

Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed. The forensics took some time, as the system is quite complex by nature.

After weighing all of our options, we have realized that we have no option but to go into receivership. We will settle all accounts with a online claim process that we are currently in the process of working out.

We will release more detailed information about the security breach, the claim process, and our balance sheet in the next few days.

Bruce Wagner has been assisting with an investigation and plans to feature the story on his Bitcoin web show[27].

He’s told Bitcoiners to file complaints with the FBI in the past, as he believes there was foul play involved, but could not confirm whether there is an active investigation. “They stole (denied access) to EVERYONE’s money,” Mr. Wagner said over Gchat. “They later–after MUCH COMMUNITY INVESTIGATION AND FBI INVOLVEMENT — suddenly re-appeared. NO ONE who understands ANYTHING about bitcoin believes their lies about … being hacked.” Mr. Wagner plans to produce four episodes of his Bitcoin web show today where he will talk about MyBitcoin.

Ultimate Outcome

A claims process was later undertaken through the MyBitcoin website.[25]

The claim process will consist of a online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled. Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.

MyBitcoin promised to release the source code of their site[25]; however, it was never released[12][13]. Within days, information on the domain name registration and the leased server which was set up was investigated[14][23], and some users started crowdsourcing information on the freenode #bitcoin-police IRC channel[6][28]. Some users pursued a Canadian lead against someone named Dalin Owen in Edmonton, Canada[18][23]. Dalin Owen has denied being involved, and claims he merely sold the domain name for the site. Tom Williams has also expressly denied being Dalin Owen[18].

Dalin says he runs Roothosts and PrivacyShark, the latter of the two is a registered Nevis East Indies LLC setup by a company called Morning Star Holdings. MyBitcoin is also a Nevis LLC setup by the same company. Dalin says on his personal website that he was in contact with the person who registered mybitcoin.net with PrivacyShark and he recommended Morning Star.

Every system run by Dalin and his company appears to run FreeBSD, Dalin writes that he enjoys administering FreeBSD servers, "Tom Williams" the anonymous owner of MyBitcoin also claims to be running BSD and nmap operating system fingerprinting corroborates this, although results are inconclusive.

Nmap fingerprinting shows an error message given by all of Dalin's webservers which were tested. This string is known only to an obscure webserver with about 0.0012% of the market share. mybitcoin.com also shows the same error message.

PrivacyShark and all of their customers are registered through TuCows domain registry, so is mybitcoin.com

mybitcoin.net was registered with PrivacyShark on the same day that mybitcoin.com was registered. Dalin says on his website that he was asked by the MyBitcoin people about a place to set up an LLC and he recommended Morning Star Holdings.

Dalin was involved in a venture called Nexis IX which provided credit card processing before closing its doors, claiming that a bank had frozen its assets. Currently the LLC's status with the Nevada secretary of state is listed as "Permanently Revoked". MyBitcoin's "Tom Williams" said in a statement that: "combined we have over 30 years of experience in the payment processing (credit card arena) industry."


“Dalin Owen is the one name that is linked to everything, and ppl have independently named him as the guy behind mbc,” one Bitcoin user told Betabeat in a private message, but–“there is no hard proof yet.” Dalinowen.com has been wiped and replaced with the message, “Yes, we sold a domain name to mybitcoin, but we have nothing to do with its operation. I also referred them to Morningstar Holdings as a professional courtesy as their corporate filing services have worked well for us in the past. All of the threats of bodily harm are being sent to the local authorities. I will not respond to any more threats or intimidation.”

“Many of us think Tom Williams is TheMadhatter who used to sell prepaid credit cards bought in Canada,” another said. Mr. Owen may well be TheMadhatter, he added.

On IRC, Mr. Williams denied that he was TheMadhatter or Dalin Owen. He also denied Betabeat an interview. “I’m not interested in the press. No offense implied,” he said.

Another potential candidate considered was Bruce Wagner[12][13]:

In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive.

At one point, it was noted that some keys for the MyBitcoin website were certified by an individual named Tobias LLoyd in April 2011, who may be the owner or know the owner[19].

Not the way I read it

That post seems legit.

I also did a gpg verify on a mybitcoin deposit email someone posted online and got a similar result

The signature isn't 'trusted' in that it's not verified by a certifying agency - but I think we can know that it's the same person who had control of the mybitcoin response email system.

I found the same public key in some python software which interfaced with mybitcoin.

Interestingly.. that key does seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him.

As far as I know.. you shouldn't certify unless you've met and properly verified the person.. so maybe Tobias has some information?

It does not appear that any prosecution by authorities was ever undertaken in this case.

Total Amount Recovered

There do not appear to have been any funds recovered from the 51% which were claimed to have been stolen from the platform. MyBitcoin allowed users to receive refunds for the 49% of funds which remained in their cold storage wallet[18][27], although the refund process stopped after August 13th, 2011 and it's unclear what portion of users received their funds prior to this deadline[8].

Ongoing Developments

The MyBitcoin platform wrapped up their operations[5] and while the investigation reportedly lost steam[27], there has been speculation as recently as 2019 about the identity of Tom Williams[29]. Even though MyBitcoin promised to release their source code, this was never done[12][13]. It does not appear that there are any recent reports or investigations into where the stolen funds have gone.

Individual Prevention Policies

From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.

Having a platform with known entities holding keys would have made more accountability and visibility possible when the funds were lost. An industry insurance fund can help with validation and keep funds set aside to assist victims.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.

Having a platform with known entities holding keys would have made more accountability and visibility possible when the funds were lost. An industry insurance fund can help with validation and keep funds set aside to assist victims.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have performed an assessment within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.


References

  1. https://observer.com/2011/06/bit-omoney-whos-behind-the-bitcoin-bubble-2/ (Accessed Aug 28, 2024)
  2. MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)
  3. MyBitcoin - Bitcoin Wiki (Apr 12, 2020)
  4. mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)
  5. The biggest scams in Bitcoin history (Feb 15, 2020)
  6. MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked - Observer (Jan 30, 2023)
  7. Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)
  8. Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)
  9. e wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)
  10. MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)
  11. Nevis - Wikipedia (Jan 30, 2023)
  12. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
  13. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
  14. Jine's Response - BitcoinTalk Forum (Jan 31, 2023)
  15. MyBitcoin Using OpenCart Software - BitcoinTalk (Feb 2, 2023)
  16. theymos - "MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet. There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage." - BitcoinTalk (Feb 2, 2023)
  17. MyBitcoin Incident Report - August 5th 2011 (Jan 31, 2023)
  18. MyBitcoin Spokesman Finally Comes Forward: “What Did You Think We Did After the Hack? We Got Shitfaced” | Observer (Feb 4, 2020)
  19. julz - "The signature isn't 'trusted' in that it's not verified by a certifying agency - but I think we can know that it's the same person who had control of the mybitcoin response email system. I found the same public key in some python software which interfaced with mybitcoin. Interestingly.. that key does seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him." - BitcoinTalk (Dec 8, 2023)
  20. [TROLL] Important Announcement Regarding the Mybitcoin.com Downtime - BitcoinTalk (Feb 2, 2023)
  21. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
  22. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
  23. Bitcoin CrimeUnit Report - MyBitcoin
  24. History of bitcoin - Wikipedia (Jan 31, 2023)
  25. BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)
  26. MyBitcoin Initial Announcement - BitcoinTalk
  27. Search for Owners of MyBitcoin Loses Steam | Betabeat (Jan 31, 2023)
  28. Bitcoin Police Pastebin Article (Feb 2, 2023)
  29. Tom Williams is Paul Calder de Roux speculation - BitcoinTalk (Feb 2, 2023)