MyBitcoin Exchange Hack/Fraud

MyBitcoin

MyBitcoin was a popular wallet service for new users of bitcoin with exact origins and founding not fully known. More than half of the funds were stolen from the service through a shopping cart vulnerability. The service ultimately stopped operating after refunding what was left to affected users.

About MyBitcoin

MyBitcoin was a wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN has been in business since [the] middle of 2009"^[1], while domain name WHOIS reports that the domain first existed on April 25th, 2010^[2]. Actual content was first reported on the site by Internet Archive on February 11th, 2011^[3], although prior versions of the site may have loaded content if the user installed "CACert's security certificate"^[4].

This website showed the name MyBitcoin LLC^[5]^[3] while domain name WHOIS entries showed the mailing address to be a post office box in Nevis^[5]^[6], part of the Caribbean island nation of St. Kitts and Nevis^[7]. It is not known if this truly is an LLC and if so, where the organization was located^[5]. Domain name WHOIS and a later announcement on the website showed that the founder was someone named Tom Williams^[6]^[8].

MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin^[3].

MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
Downloading and installing the Bitcoin software isn't a requirement to trade with MyBitcoin. Of course, you can still use the Bitcoin software in conjunction with MyBitcoin. The choice is entirely yours!
Just like many other popular payment systems; you can easily generate and paste HTML code onto your website to accept Bitcoin payments! No more messy programming, or other headaches. You'll have your website accepting Bitcoin in minutes!
Price the goods and services on your website in any national currency, and have our SCI convert the prices into Bitcoins as each purchase is made.
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.

Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl^[9]. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.^[10]^[9]

We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com Most of my friends and family and associates.... all have all their bitcoin there too.

The Reality

It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin^[11]^[12] and some have argued he ran the entire service as a fraud.^[8]^[13]

05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis?
05:11:10 < shockdiode> people use that country as a privacy cloak
05:11:44 < shockdiode> getting incorporated there pretty much gurantees your anonymity

The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet^[8].

What Happened

As reported through an announcement on the MyBitcoin website:^[8]

"On Friday[, July 29th, 2011] we noticed that one of our pooled holding servers was missing a large amount of Bitcoins. After a prompt investigation we realized that the security of our SCI (Sopping Cart Interface) system had been breached by an unknown attacker."

Further details were later published:^[14]

After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.

More than half of bitcoins stored with the service were reportedly stolen in the theft.^[8]^[11]^[12]^[15]

Key Event Timeline - MyBitcoin Exchange Hack/Fraud
Date	Event	Description
July 29th, 2011, 3:41:36 PM MST	Site Reported Down	The MyBitcoin website is reported to be down for the first time on the BitcoinTalk forums^[6]. This matches the "Friday of last week" which was later reported on the MyBitcoin website^[8]^[14].
August 4th, 2011	Announcement Posted	The MyBitcoin website displays a notice to users about the theft and that they plan to enter receivership^[8].
August 8th, 2011 6:20 PM	Observer Article	A popular Observer article is published on the incident, which many have used to incorrectly attribute the date when it happened^[15]^[16]^[17].

Total Amount Lost

MyBitcoin claims that there were a total of 154,406 BTC prior to the incident, worth over $2m USD.^[15] Multiple sources incorrectly claim that this was the amount lost^[17]^[16], however only the hot portion of MyBitcoin's wallet was hacked and MyBitcoin ultimately refunded users from the 49% that remained^[15]^[5] in their cold storage through a claims process^[8]^[14].

99Bitcoins lists the total loss as 79,000 BTC though this is likely an estimation^[8], while Wikipedia simply states "more than 78,000 bitcoins" worth "roughly US$800,000"^[18]. The losses from the event were more precisely reported as 78,739.58205388 BTC^[11]^[12] on BitcoinTalk, and estimated to be equivalent to either $1,072,570 USD^[12] or $1,110,544 USD^[11]. BuyBitcoinsWorldWide lists a price of $13.49 USD on July 29th, 2011, which would give a total loss of $1,062,196.96 USD^[19]. Averaging these estimates gives a loss of $1,081,770.32 USD.

Immediate Reactions

The MyBitcoin website was shut down quickly without any immediate announcement after the theft was discovered.^[8]

"Our response was rash, but necessary. We simply switched the system off until we could have system-wide forensics performed."

Initial reactions took place largely on the BitcoinTalk forum. Some users were optimistic.^[6]

"[T]hey should be back up in 24[.]" - done

However, most were less so, and word quickly spread to worry as the site continued to remain offline.^[6]

"Quite a lot has been said about this "service" already. I'm surprised anyone is still using it for anything." - lettucebee

"Security and business processes across most Bitcoin start-ups are likely to be immature.
This sort of thing is disappointing, but shouldn't be a complete surprise.
It's only made worse by the fact that it's such an adversarial environment to operate in.
Not only are there competing services, but the systems effectively hold 'cash' on their hard drives, which of course attracts the cyber bandits." - julz
"[Y]eah, I am new to this[. A]fter investing in hardware to mine bitcoins I deposited my earnings into mybitcoin =( [I didn't] know either[.] I read from somewhere that it was a good place to have my wallet... guess not. I mean I didn[']t los[e] alot but darn =( 5bitcoins so it hurts considering I just started!" - mrbashfo

Talk began rather quickly on tracking down the operator Tom Williams.^[6]

"Lets track him down then, it shouldn't be that impossible. If anyone wanna buy me a flight ticket to Nevis[,] I'd be glad to help[.]"

Though many were not as open to the idea:^[6]

That seems like a dead end to me. It's just a PO Box. There are thousands of "Tom Williams" in the world, not to mention it's most likely a pseudonym since that's acceptable in a Nevis LLC.

Ultimate Outcome

Information was investigated within days on the domain name registration and leased server which was set up^[13]^[20]. Some users pursued a Canadian lead against someone named Dalin Owen in Edmonton, Canada^[15]^[20]. Dalin Owen has denied being involved, and claims he merely sold the domain name for the site. Tom Williams has also expressly denied being Dalin Owen^[15].

Dalin says he runs Roothosts and PrivacyShark, the latter of the two is a registered Nevis East Indies LLC setup by a company called Morning Star Holdings. MyBitcoin is also a Nevis LLC setup by the same company. Dalin says on his personal website that he was in contact with the person who registered mybitcoin.net with PrivacyShark and he recommended Morning Star.
Every system run by Dalin and his company appears to run FreeBSD, Dalin writes that he enjoys administering FreeBSD servers, "Tom Williams" the anonymous owner of MyBitcoin also claims to be running BSD and nmap operating system fingerprinting corroborates this, although results are inconclusive.
Nmap fingerprinting shows an error message given by all of Dalin's webservers which were tested. This string is known only to an obscure webserver with about 0.0012% of the market share. mybitcoin.com also shows the same error message.
PrivacyShark and all of their customers are registered through TuCows domain registry, so is mybitcoin.com
mybitcoin.net was registered with PrivacyShark on the same day that mybitcoin.com was registered. Dalin says on his website that he was asked by the MyBitcoin people about place to setup an LLC and he recommended Morning Star Holdings.
Dalin was involved in a venture called Nexis IX which provided credit card processing before closing it's doors, claiming that a bank had frozen it's assets. Currently the LLC's status with the Nevada secretary of state is listed as "Permanently Revoked". MyBitcoin's "Tom Williams" said in a statement that: "combined we have over 30 years of experience in the payment processing (credit card arena) industry."

“Dalin Owen is the one name that is linked to everything, and ppl have independently named him as the guy behind mbc,” one Bitcoin user told Betabeat in a private message, but–“there is no hard proof yet.” Dalinowen.com has been wiped and replaced with the message, “Yes, we sold a domain name to mybitcoin, but we have nothing to do with its operation. I also referred them to Morningstar Holdings as a professional courtesy as their corporate filing services have worked well for us in the past. All of the threats of bodily harm are being sent to the local authorities. I will not respond to any more threats or intimidation.”
“Many of us think Tom Williams is TheMadhatter who used to sell prepaid credit cards bought in Canada,” another said. Mr. Owen may well be TheMadhatter, he added.
On IRC, Mr. Williams denied that he was TheMadhatter or Dalin Owen. He also denied Betabeat an interview. “I’m not interested in the press. No offense implied,” he said.

A summary can be found on BitcoinTalk^[11]^[12]:

Little information was released about the MyBitcoin theft, however, many argue that Tom Williams ran it as a scam (and was not a theft per se). In terms of both dollars and bitcoins, this was by far the largest theft, however, it is possible it was simply a scam. Although MyBitcoin offered to release its code as a gift to the community, it failed to follow through on that promise. In the months ensuing, some evidence has been uncovered supporting mortgage broker Bruce Wagner; however, any evidence is inconclusive.

The theft ultimately resulted in the closure of MyBitcoin.^[8]

"After weighing all of our options, we have realized that we have no option but to go into receivership. We will settle all accounts with a online claim process that we are currently in the process of working out."

A claims process was undertaken through the MyBitcoin website.^[19]

The claim process will consist of a online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled. Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.

MyBitcoin also promised to release their source code of their site^[19], however this was never released.

It does not appear that any prosecution was ever undertaken in this case.

Total Amount Recovered

There do not appear to have been any funds recovered from the 51% which were claimed to have been stolen from the platform. MyBitcoin allowed users to receive refunds for the 49% of funds which remained in their cold storage wallet.^[15]

Ongoing Developments

There are no ongoing developments. The MyBitcoin platform wrapped up their operations^[8] and the investigation reportedly lost steam^[21]. It does not appear that there are any recent reports or investigations into where the stolen funds have gone.

Prevention Policies

This is a case where knowing who's holding the funds and storing funds properly offline with multiple signatures would have avoided the issues. A third party review can confirm funds are stored securely. Multiple third party reviews should provide even greater certainty.

Having a platform with known entities holding keys would have ensured more accountability and visibility was possible when funds went lost.

From the standpoint of the bitcoin user, minimizing the amount of funds stored on exchanges would reduce the risk. A more certain solution would be to only use services which have been validated to store funds securely.

References

↑ Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)
↑ e wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)
↑ ^3.0 ^3.1 ^3.2 MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)
↑ MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)
↑ ^5.0 ^5.1 ^5.2 ^5.3 MyBitcoin - Bitcoin Wiki (Apr 12, 2020)
↑ ^6.0 ^6.1 ^6.2 ^6.3 ^6.4 ^6.5 ^6.6 mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)
↑ Nevis - Wikipedia (Jan 30, 2023)
↑ ^8.00 ^8.01 ^8.02 ^8.03 ^8.04 ^8.05 ^8.06 ^8.07 ^8.08 ^8.09 ^8.10 ^8.11 The biggest scams in Bitcoin history (Feb 15, 2020)
↑ ^9.0 ^9.1 MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked | Observer (Jan 30, 2023)
↑ Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)
↑ ^11.0 ^11.1 ^11.2 ^11.3 ^11.4 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
↑ ^12.0 ^12.1 ^12.2 ^12.3 ^12.4 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
↑ ^13.0 ^13.1 Jine's Response - BitcoinTalk Forum (Jan 31, 2023)
↑ ^14.0 ^14.1 ^14.2 MyBitcoin Incident Report - August 5th 2011 (Jan 31, 2023)
↑ ^15.0 ^15.1 ^15.2 ^15.3 ^15.4 ^15.5 ^15.6 MyBitcoin Spokesman Finally Comes Forward: “What Did You Think We Did After the Hack? We Got Shitfaced” | Observer (Feb 4, 2020)
↑ ^16.0 ^16.1 Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
↑ ^17.0 ^17.1 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
↑ History of bitcoin - Wikipedia (Jan 31, 2023)
↑ ^19.0 ^19.1 ^19.2 BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)
↑ ^20.0 ^20.1 Bitcoin CrimeUnit Report - MyBitcoin
↑ Search for Owners of MyBitcoin Loses Steam | Betabeat (Jan 31, 2023)

[fbireport-1] Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)

[stackexchange-2] wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)

[mybitcoinarchive-3] 3.0 ^3.1 ^3.2 MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)

[mybitcoincacert-4] MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)

[bitcoinwiki-5] 5.0 ^5.1 ^5.2 ^5.3 MyBitcoin - Bitcoin Wiki (Apr 12, 2020)

[mybitcoindown-6] 6.0 ^6.1 ^6.2 ^6.3 ^6.4 ^6.5 ^6.6 mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)

[wikipedianevis-7] Nevis - Wikipedia (Jan 30, 2023)

[99bitcoins-8] 8.00 ^8.01 ^8.02 ^8.03 ^8.04 ^8.05 ^8.06 ^8.07 ^8.08 ^8.09 ^8.10 ^8.11 The biggest scams in Bitcoin history (Feb 15, 2020)

[observer2-9] 9.0 ^9.1 MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked | Observer (Jan 30, 2023)

[brucewagner-10] Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)

[list-old-11] 11.0 ^11.1 ^11.2 ^11.3 ^11.4 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)

[list-12] 12.0 ^12.1 ^12.2 ^12.3 ^12.4 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)

[:0-13] 13.0 ^13.1 Jine's Response - BitcoinTalk Forum (Jan 31, 2023)

[mybitcoinincident-14] 14.0 ^14.1 ^14.2 MyBitcoin Incident Report - August 5th 2011 (Jan 31, 2023)

[observer-15] 15.0 ^15.1 ^15.2 ^15.3 ^15.4 ^15.5 ^15.6 MyBitcoin Spokesman Finally Comes Forward: “What Did You Think We Did After the Hack? We Got Shitfaced” | Observer (Feb 4, 2020)

[bitcoinexchangeguide-16] 16.0 ^16.1 Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)

[kylegibson-17] 17.0 ^17.1 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)

[18] History of bitcoin - Wikipedia (Jan 31, 2023)

[buybitcoinsworldwide-19] 19.0 ^19.1 ^19.2 BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)

[:1-20] 20.0 ^20.1 Bitcoin CrimeUnit Report - MyBitcoin

[21] Search for Owners of MyBitcoin Loses Steam | Betabeat (Jan 31, 2023)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

MyBitcoin Exchange Hack/Fraud

Contents

About MyBitcoin

The Reality

What Happened

Total Amount Lost

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

Ongoing Developments

Prevention Policies

References

Navigation menu

MyBitcoin Exchange Hack/Fraud

About MyBitcoin

The Reality

What Happened

Total Amount Lost

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

Ongoing Developments

Prevention Policies

References

Navigation menu

Search