MyBitcoin Exchange Hack/Fraud: Difference between revisions
(Various changes.) |
|||
| Line 16: | Line 16: | ||
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools. | You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools. | ||
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.</blockquote>Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl<ref name="r14" />. | MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.</blockquote>Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl<ref name="r14" />. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.<ref name="r17" /><ref name="r14" /> <blockquote>We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com | ||
One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.<ref name="r17" /> <blockquote>We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com | |||
Most of my friends and family and associates.... all have all their bitcoin there too.</blockquote> | Most of my friends and family and associates.... all have all their bitcoin there too.</blockquote> | ||
== The Reality == | |||
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin<ref name="r2" /><ref name="r7" /> and some have argued he ran the entire service as a fraud.<ref name="r4" /><ref>[https://bitcointalk.org/index.php?topic=32900.msg411839#msg411839 Jine's Response - BitcoinTalk Forum] (Jan 31, 2023)</ref><blockquote>05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis? | |||
05:11:10 < shockdiode> people use that country as a privacy cloak | |||
05:11:44 < shockdiode> getting incorporated there pretty much gurantees your anonymity</blockquote>The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet.<ref name="r4" /> | |||
== What Happened == | == What Happened == | ||
As reported through an announcement on the MyBitcoin website:<ref name="r4" /><blockquote>"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Sopping Cart Interface) system had been breached by an unknown attacker."</blockquote> | |||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - MyBitcoin Exchange Hack/Fraud | |+Key Event Timeline - MyBitcoin Exchange Hack/Fraud | ||
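Review bot: In the announcement quote added under What Happened, "SCI (Sopping Cart Interface)" looks like a typo for "Shopping Cart Interface", the spelling used in the site excerpt at the top of this hunk; correct it, or mark it [sic] if the original announcement really read that way. In the new The Reality section, the IRC excerpt from shockdiode follows the Jine's Response ref but has no ref of its own, so it is unclear where the log comes from; put a ref after the blockquote.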
| Line 51: | Line 36: | ||
|July 29, 2011, 3:41:36 PM MST | |July 29, 2011, 3:41:36 PM MST | ||
|Site Reported Down | |Site Reported Down | ||
|The MyBitcoin website is reported to be down for the first time on the BitcoinTalk forums.<ref name="r13" /> | |The MyBitcoin website is reported to be down for the first time on the BitcoinTalk forums.<ref name="r13" /> This matches the "Friday of last week" which was later reported on the MyBitcoin website.<ref name="r4" /> | ||
|- | |- | ||
|August 4, 2011 | |August 4, 2011 | ||
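Review bot: The sentence added to the Site Reported Down row quotes the announcement as "Friday of last week", but the announcement as quoted under What Happened reads "On Friday[, July 29th, 2011]". Use the same wording in both places, or show the original phrase in the What Happened quote so the match this row claims can be checked.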
| Line 63: | Line 48: | ||
== Total Amount Lost == | == Total Amount Lost == | ||
MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.<ref name="r3" /> Multiple sources incorrectly claim that this was the amount lost<ref name="r6" /><ref name="r8" />, however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin | MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.<ref name="r3" /> Multiple sources incorrectly claim that this was the amount lost<ref name="r6" /><ref name="r8" />, however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin ultimately refunded users from the 49% that remained<ref name="r3" /> in their cold storage through a claims process<ref name="r4" />. | ||
The losses from the event were reported as 78,739.58205388 BTC<ref name="r2" /><ref name="r7" /> on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD<ref name="r7" /> or $1,110,544 USD<ref name="r2 | 99Bitcoins lists the total loss as 79,000 BTC though this is likely an estimation<ref name="r4" />. The losses from the event were more precisely reported as 78,739.58205388 BTC<ref name="r2" /><ref name="r7" /> on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD<ref name="r7" /> or $1,110,544 USD<ref name="r2" />. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD<ref name="r15" />. Averaging these estimates gives a value of $1,081,770.32 USD. | ||
== Immediate Reactions == | == Immediate Reactions == | ||
The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered.<ref name="r4" /><blockquote>"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."</blockquote>Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.<ref name="r13" /><blockquote>"[T]hey should be back up in 24[.]" - done</blockquote>However, most were less so, and word quickly spread to worry as the site continued to remain offline.<ref name="r13" /><blockquote>"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee | |||
"Security and business processes across most Bitcoin start-ups are likely to be immature. | |||
This sort of thing is disappointing, but shouldn't be a complete surprise. | This sort of thing is disappointing, but shouldn't be a complete surprise. | ||
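Review bot: In the new Total Amount Lost text, "Averaging these estimates gives a value of $1,081,770.32 USD" does not say which figures are averaged. The number is the mean of the three dollar amounts in the paragraph ($1,072,570, $1,110,544 and $1,062,196.96), and the third of those is computed here from the BuyBitcoinsWorldWide price rather than taken from a source; say so in the sentence.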
| Line 78: | Line 62: | ||
It's only made worse by the fact that it's such an adversarial environment to operate in. | It's only made worse by the fact that it's such an adversarial environment to operate in. | ||
Not only are there competing services, but the systems effectively hold 'cash' on their hard drives, which of course attracts the cyber bandits. | Not only are there competing services, but the systems effectively hold 'cash' on their hard drives, which of course attracts the cyber bandits." - julz | ||
== | "[Y]eah, I am new to this[. A]fter investing in hardware to mine bitcoins I deposited my earnings into mybitcoin =( [I didn't] know either[.] I read from somewhere that it was a good place to have my wallet... guess not. I mean I didn[']t los[e] alot but darn =( 5bitcoins so it hurts considering I just started!" - mrbashfo</blockquote>Talk began rather quickly on tracking down the operator Tom Williams.<ref name="r13" /><blockquote>"Lets track him down then, it shouldn't be that impossible. | ||
If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"</blockquote>How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | |||
<blockquote></blockquote> | |||
A summary can be found on BitcoinTalk<ref name="r2" /><ref name="r7" />:<blockquote>Little information was released about the MyBitcoin theft, however, many argue that Tom Williams ran it as a scam (and was not a theft per se). In terms of both dollars and bitcoins, this was by far the largest theft, however, it is possible it was simply a scam. Although MyBitcoin offered to release its code as a gift to the community, it failed to follow through on that promise. In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive. | == Ultimate Outcome == | ||
Information was investigated within days on the domain name registration and leased server which was set up, however the community did <blockquote> | |||
That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.</blockquote>A summary can be found on BitcoinTalk<ref name="r2" /><ref name="r7" />:<blockquote>Little information was released about the MyBitcoin theft, however, many argue that Tom Williams ran it as a scam (and was not a theft per se). In terms of both dollars and bitcoins, this was by far the largest theft, however, it is possible it was simply a scam. Although MyBitcoin offered to release its code as a gift to the community, it failed to follow through on that promise. In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive. | |||
The theft resulted in the closure of MyBitcoin, which was once a successful Bitcoin company in Bitcoin's early days.</blockquote>It does not appear that any prosecution was ever undertaken in this case. | The theft resulted in the closure of MyBitcoin, which was once a successful Bitcoin company in Bitcoin's early days.</blockquote>It does not appear that any prosecution was ever undertaken in this case. | ||
"After weighing all of our options, we have realized that we have | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
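Review bot: The new Ultimate Outcome text is unfinished in three places: the sentence ending "however the community did" stops mid-clause, the quote beginning "After weighing all of our options, we have realized that we have" is cut off and has no attribution, and the template prompt "How did the various parties involved ... deal with the events?" is left in Immediate Reactions together with an empty <blockquote></blockquote>. Complete or drop the two fragments, and delete the prompt and the empty blockquote.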
| Line 92: | Line 82: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
There are no ongoing developments. The MyBitcoin platform wrapped up their operations<ref name="r4" /> and it does not appear that there are any recent reports or investigations into where the stolen funds have gone. | |||
== Prevention Policies == | == Prevention Policies == | ||
This is a case where | This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty. | ||
Having a platform with known entities holding keys would have ensured more accountability and visibility was possible when funds went lost. | |||
From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely. | |||
== References == | == References == | ||
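Review bot: In Prevention Policies, "would have ensured more accountability and visibility was possible when funds went lost" is ungrammatical; something like "would have allowed more accountability and visibility when the funds were lost" reads better. The three paragraphs also carry no refs, and "would have avoided the issues" is stated as certain although the page itself leaves open whether this was a theft or a fraud.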
Revision as of 12:44, 31 January 2023
MyBitcoin was a popular wallet service for new users of bitcoin. The exact origins and founding of the service are not fully known.
About MyBitcoin
MyBitcoin was a wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN has been in business since [the] middle of 2009"[1], while domain name WHOIS reports that the domain first existed on April 25th, 2010[2]. Actual content was first reported on the site by Internet Archive on February 11th, 2011[3], although prior versions of the site may have loaded content if the user installed "CACert's security certificate"[4].
This website showed the name MyBitcoin LLC[5][3] while domain name WHOIS entries showed the mailing address to be a post office box in Nevis[5][6], part of the Caribbean island nation of St. Kitts and Nevis[7]. It is not known if this truly is an LLC and if so, where the organization was located[5]. Domain name WHOIS showed that the founder was someone named Tom Williams[6].
MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin[3].
MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
Downloading and installing the Bitcoin software isn't a requirement to trade with MyBitcoin. Of course, you can still use the Bitcoin software in conjunction with MyBitcoin. The choice is entirely yours!
Just like many other popular payment systems; you can easily generate and paste HTML code onto your website to accept Bitcoin payments! No more messy programming, or other headaches. You'll have your website accepting Bitcoin in minutes!
Price the goods and services on your website in any national currency, and have our SCI convert the prices into Bitcoins as each purchase is made.
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.
Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl[8]. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.[9][8]
We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com Most of my friends and family and associates.... all have all their bitcoin there too.
The Reality
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin[10][11] and some have argued he ran the entire service as a fraud.[12][13]
05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis?
05:11:10 < shockdiode> people use that country as a privacy cloak
05:11:44 < shockdiode> getting incorporated there pretty much gurantees your anonymity
The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet.[12]
What Happened
As reported through an announcement on the MyBitcoin website:[12]
"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Shopping Cart Interface) system had been breached by an unknown attacker."
| Date | Event | Description |
|---|---|---|
| July 29, 2011, 3:41:36 PM MST | Site Reported Down | The MyBitcoin website is reported to be down for the first time on the BitcoinTalk forums.[6] This matches the "Friday of last week" which was later reported on the MyBitcoin website.[12] |
| August 4, 2011 | Announcement Posted | The MyBitcoin website displays a notice to users about the theft and that they plan to enter receivership.[12] |
Total Amount Lost
MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.[14] Multiple sources incorrectly claim that this was the amount lost[15][16]; however, only the hot portion of MyBitcoin's wallet was hacked, and MyBitcoin ultimately refunded users through a claims process[12] from the 49% that remained[14] in their cold storage.
99Bitcoins lists the total loss as 79,000 BTC, though this is likely an estimate[12]. The losses from the event were more precisely reported as 78,739.58205388 BTC[10][11] on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD[11] or $1,110,544 USD[10]. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD[17]. Averaging these estimates gives a value of $1,081,770.32 USD.
Immediate Reactions
The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered.[12]
"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."
Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.[6]
"[T]hey should be back up in 24[.]" - done
However, most were less so, and worry quickly spread as the site remained offline.[6]
"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee
"Security and business processes across most Bitcoin start-ups are likely to be immature. This sort of thing is disappointing, but shouldn't be a complete surprise.
It's only made worse by the fact that it's such an adversarial environment to operate in.
Not only are there competing services, but the systems effectively hold 'cash' on their hard drives, which of course attracts the cyber bandits." - julz
"[Y]eah, I am new to this[. A]fter investing in hardware to mine bitcoins I deposited my earnings into mybitcoin =( [I didn't] know either[.] I read from somewhere that it was a good place to have my wallet... guess not. I mean I didn[']t los[e] alot but darn =( 5bitcoins so it hurts considering I just started!" - mrbashfo
Talk began rather quickly on tracking down the operator Tom Williams.[6]
"Lets track him down then, it shouldn't be that impossible. If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"
Ultimate Outcome
Information was investigated within days on the domain name registration and leased server which was set up, however the community did
That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.
A summary can be found on BitcoinTalk[10][11]:
Little information was released about the MyBitcoin theft, however, many argue that Tom Williams ran it as a scam (and was not a theft per se). In terms of both dollars and bitcoins, this was by far the largest theft, however, it is possible it was simply a scam. Although MyBitcoin offered to release its code as a gift to the community, it failed to follow through on that promise. In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive. The theft resulted in the closure of MyBitcoin, which was once a successful Bitcoin company in Bitcoin's early days.
It does not appear that any prosecution was ever undertaken in this case.
"After weighing all of our options, we have realized that we have
Total Amount Recovered
There do not appear to have been any funds recovered in this case. MyBitcoin allowed users to receive refunds for the 49% of funds which remained in their cold storage wallet.[14]
Ongoing Developments
There are no ongoing developments. The MyBitcoin platform wrapped up their operations[12] and it does not appear that there are any recent reports or investigations into where the stolen funds have gone.
Prevention Policies
This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.
Having a platform with known entities holding keys would have allowed more accountability and visibility when the funds were lost.
From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely.
References
- [1] Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)
- [2] e wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)
- [3] MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)
- [4] MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)
- [5] MyBitcoin - Bitcoin Wiki (Apr 12, 2020)
- [6] mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)
- [7] Nevis - Wikipedia (Jan 30, 2023)
- [8] MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked | Observer (Jan 30, 2023)
- [9] Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)
- [10] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
- [11] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
- [12] The biggest scams in Bitcoin history (Feb 15, 2020)
- [13] Jine's Response - BitcoinTalk Forum (Jan 31, 2023)
- [14] MyBitcoin Spokesman Finally Comes Forward: “What Did You Think We Did After the Hack? We Got Shitfaced” | Observer (Feb 4, 2020)
- [15] 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
- [16] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
- [17] BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)