PicoStocks “Cold Wallet” Hack
PicoStocks was a centralized exchange based in the Marshall Islands, which operated one of the earliest forms of offshore fundraising, where entrepreneurs could launch offerings for investors. On November 29th, 2013, the service suffered a breach in which 5,896.23098163 bitcoin were taken from two separate wallets. Ultimately, the exchange covered all affected user losses and was able to relaunch successfully.
About PicoStocks
PicoStocks was a centralized exchange based in the Marshall Islands[1], which was launched on either December 21st, 2012[2] or December 24th, 2012[3]. The service was primarily focused on allowing companies to raise funds using the blockchain with an "Initial PicoStocks Offering (IPO)"[1]. They reportedly allowed investors to invest anonymously[1][2] and used novel means for circumventing legal regulation[4]. The service was run by the BitcoinTalk user "tytus"[4][5].
Picostocks facilitates valuation and fundraising for high tech startup projects and companies and offers valuable services and benefits for both bitcoin investors and entrepreneurs.
Investors[, you] can obtain valuation of assets You own by the PicoStocks community through an Initial PicoStocks Offering (IPO). You can sell Your assets to PicoStocks if You are satisfied with the IPO evaluation results. You can obtain long term profits from the sold assets through a fixed share in future dividend payments from the asset. You can collect rewards by evaluating assets offered by other PicoStocks members. You can profit from transactions on the PicoStocks platform. You can participate in profits from dividends from assets You hold on PicoStocks. You can benefit from the anonymity of the bitcoin network.
Entrepreneurs[, y]ou can obtain initial valuation of assets of Your company at any stage of development, much cheaper and much faster than through other public stock exchange platforms. You can raise capital for the company by selling stocks of the company to PicoStocks after accepting the results of the IPO. You can monitor the valuation of the company as on any other stock exchange platform but with much less formal requirements and at a much lower cost.
The platform listed their name and address as "Picostocks Incorporated, Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Marshall Islands MH96960"[1]. They also featured an "IPO office" which was "operated by BioInfoBank, Sw. Marcin 80/82 lok. 355, 61-809 Poznan, Poland"[1]. Customers could contact them by email, phone, and fax[1], as well as through some social media channels like the BitcoinTalk forum[5]. Traded stocks remained the legal property of PicoStocks and PicoStocks collected various fees throughout the investment process[2].
The Reality
Specific details of who ran the PicoStocks service were not provided to the public[1].
While PicoStocks took care to split their funds between cold and hot wallets, which were kept on separate computers[6], they also kept encrypted backup copies of the private keys[6] and continued operating with those same wallets.
What Happened
PicoStocks has speculated that the private keys of the wallet may have been copied in the past and subsequently decrypted[6]. The culprit then used this access to the keys to steal funds from both wallets[4].
| Date | Event | Description |
|---|---|---|
| April 19th, 2012 3:11:53 PM | tytus Registration | The BitcoinTalk user tytus first registers on the BitcoinTalk forum[7]. |
| December 24th, 2012 | PicoStocks Launches | The centralized exchange service PicoStocks launches, based in the Marshall Islands[3]. |
| November 29th, 2013 10:00:41 AM | Cold Wallet Breached | The breach is reported to have occurred on November 29th, 2013[8][4][9]. The first blockchain transaction shows a timestamp of 10:00:41 AM[10][4]. |
| November 29th, 2013 10:11:59 AM | Hot Wallet Breached | A second blockchain transaction in the following block empties what is believed to be the hot wallet[11][4]. |
| November 29th, 2013 6:18:45 PM | BitcoinTalk Post | BitcoinTalk user tytus, suspected to be the founder of PicoStocks, posts an announcement on the BitcoinTalk forum[5][12]. |
| November 30th, 2013 3:36:14 AM | Reddit Post | Reddit user "love_eggs_and_bacon" posts a copy of the original notice that was posted on BitcoinTalk to announce the situation[6]. |
| February 15th, 2014 5:06:57 AM | Hot Wallet Funds Move | The funds originally breached from the hot storage wallet started to move on the blockchain[13]. |
| February 17th, 2014 6:03:47 AM | Cold Wallet Funds Move | The funds originally breached from the cold storage wallet started to move on the blockchain[14]. |
| October 3rd, 2017 9:48:28 AM | tytus Last Active | The BitcoinTalk account for tytus is last active on the BitcoinTalk forums[7]. |
| February 15th, 2019 | Final Medium Post | The PicoStocks account on Medium posted the final post about how the platform prevented wash trading by publishing user IDs[15]. |
| March 29th, 2019 12:57 AM | Final Twitter Post | The final post of PicoStocks on Twitter[16]. |
| December 13th, 2019 12:00:36 PM | Withdrawal Problems | PicoStocks users start to report withdrawal problems and a lack of support on the BitcoinTalk forum[17]. |
Total Amount Lost
The loss amount was reported as 5,896.23098163[4] BTC (some sources rounded this to 5,895 BTC[8][9]), with an estimated value of either $6,000,000 USD[8][9][18] or $3,009,397 USD[4].
Funds were removed from both the hot wallet and cold wallet of PicoStocks[6][9][4]. According to blockchain data, the hot wallet had 685.57933572 BTC[19][11] and the cold wallet had 5210.65104591 BTC[20][10]. Together these give a total of 5896.23038163 BTC. Using the bitcoin market price for November 29th, 2013 of $1,037.76 USD from BuyBitcoinWorldWide[21], this gives a total value of $5,407,405.23 USD.
Immediate Reactions
It does not appear that there were any changes to the PicoStocks website to announce the situation at all[22][23]. PicoStocks posted an announcement about what happened on the BitcoinTalk forum[5], which was subsequently reposted to Reddit[6].
PicoStocks is down for a while and will remain like this for sure over the weekend. Funds from our hot wallet and cold wallet account have been stolen.
There is no sign of an intrusion into the systems. Both wallets were located on different computers. We suspect that these have been copied by people who had access to the system in the past and decrypted.
This is of course a serious loss for the company, but we expect no losses for the users. The funds collected on user account will be returned. We will have to create a new hot wallet and we will change all PicoStocks addresses for all users, but the rest will remain as it was. We will open the system when we have positively reviewed the security and collected the funds for the users :-( Maybe in 1 week from now :-(
Multiple users heavily criticized PicoStocks for operating their cold wallet on a networked computer[24][25], but there is no indication that this was the way the wallet had operated. The response with the most upvotes on Reddit concluded that the PicoStocks platform either deserved their loss or was attempting a scam[26], while some BitcoinTalk users were similarly critical[5].
You're exactly the scumbag thief I said you were, back in Spring.
Ultimate Outcome
PicoStocks promised a timeline of 1 week to relaunch their platform[6] and reportedly completely covered all losses[4].
The attacker appears to have kept the breached funds in the same wallet location for the subsequent 3 months before finally beginning to move them on February 15th, 2014[13][14].
Total Amount Recovered
PicoStocks promised users that they would return all "the funds collected on user account"[6] and this was reportedly followed through with[4].
Ongoing Developments
PicoStocks continued to operate for close to a decade and was active on social media until March 2019[16], although users started to report withdrawal problems and a lack of support near the end of 2019[17]. Posts on BitcoinTalk appear to have been deleted[27][7].
The PicoStocks homepage was still online as of September 28th, 2021[28], and the website appeared functional to log in as of January 3rd, 2022[29]. However, no subsequent captures of the site have been made and it appears to be offline as of February 8th, 2023.
Prevention Policies
This situation could have been most effectively prevented by the use of a multi-signature wallet, rather than a single private key. In such a setup, the cold storage wallet would have required approvals from multiple team members to initiate a withdrawal. This, combined with a reasonable level of training for key holders, would have effectively prevented an attacker from obtaining enough private keys to perform a transfer.
References
- [1] PicoStocks Website On December 28th, 2012 - Internet Archive (Feb 8, 2023)
- [2] PicoStocks - Bitcoin Wiki (Feb 8, 2023)
- [3] Picostocks Trading Volume - CoinMarketCap (Feb 8, 2023)
- [4] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 14)
- [5] Quote of Original Announcement on BitcoinTalk (Feb 8, 2023)
- [6] Picostocks hacked, even cold wallet emptied - Reddit (Feb 8, 2023)
- [7] tytus User Registration - BitcoinTalk (Feb 8, 2023)
- [8] 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)
- [9] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)
- [10] Cold Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- [11] Hot Wallet Breach Transaction - Blockchain.info (Feb 8, 2023)
- [12] tytus Theft Announcement on BitcoinTalk - Internet Archive (Feb 8, 2023)
- [13] Hot Wallet Funds Start To Move - Blockchain.info (Feb 8, 2023)
- [14] Subsequent Movement of Cold Wallet Funds - Blockchain.info (Feb 8, 2023)
- [15] How Publishing User IDs with Trades Makes a Crypto Exchange Better for Everyone - Medium (Feb 8, 2023)
- [16] PicoStocks Final Tweet - Twitter (Feb 8, 2023)
- [17] Users Reporting Withdrawal Problems In 2019 - BitcoinTalk (Feb 8, 2023)
- [18] Reddit User Godfreee's estimate - Reddit (Feb 8, 2023)
- [19] Picostocks Hot Wallet - Blockchain.info (Feb 8, 2023)
- [20] Picostocks Cold Wallet - Blockchain.info (Feb 8, 2023)
- [21] BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Feb 8, 2023)
- [22] PicoStocks Homepage On October 28th, 2013 - Internet Archive (Feb 8, 2023)
- [23] PicoStocks Website On February 9th, 2014 - Internet Archive (Feb 8, 2023)
- [24] servowire Comment - Reddit (Feb 8, 2023)
- [25] thekiwi99 Comment - Reddit (Feb 8, 2023)
- [26] riplin Comment - Reddit (Feb 8, 2023)
- [27] tytus Post Count 275 Prior To Delete - BitcoinTalk (Feb 8, 2023)
- [28] PicoStocks Website On September 28th, 2021 - Internet Archive (Feb 8, 2023)
- [29] PicoStocks Website On January 3rd, 2022 - Internet Archive (Feb 8, 2023)