BTC-e Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
It appears that the balance stolen was in Liberty Reserve currency and that this was then traded for BTC. Liberty Reserve provided a centralized payment network with coins backed by USD and EUR (similar to present-day stablecoins), which featured an API. The API key allowed for automation of payments, and if compromised would thus allow a perpetrator to spend or transfer funds, similar to a private key. Thus, the exploit was simply that this key (effectively a hot wallet as far as the centralized Liberty Reserve was concerned) was compromised, so very similar to a standard hot wallet hack.
[1][2][3][4][5][6][7][8][9][10][11][12]
About BTC-e
BTC-e was Russia's oldest cryptocurrency exchange[13].
The Reality
BTC-e is considered to have been one of the top locations for laundering criminal proceeds[13].
“Th[e Liberty Reserve] key was shorter than it needed to be at only 16 characters long.”
What Happened
“On July 31, 2012, the BTC-E Liberty Reserve API secret key was broken.”
| Date | Event | Description |
|---|---|---|
| July 30th, 2012 6:07:00 PM MDT | BTC-e Exchange Hack Start | The hack of the BTC-e exchange starts, according to BitcoinTalk[14]. |
| July 31st, 2012 12:30:00 AM MDT | BTC-e Exchange Hack Action Taken | The time that action was taken, according to BitcoinTalk[14]. |
| March 4th, 2019 10:20:47 AM MST | Mention In TheNextWeb | The BTC-e exchange gets a brief mention in an article about WEX/BTC-e funds being laundered[13]. There is no information provided about this particular hacking situation in 2012[13]. |
Technical Analysis
“The attacker initiated many Liberty Reserve deposits and injected large amounts of USD into the system, which were quickly sold for BTC. Not all BTC was withdrawn; official estimates state that the scope was limited to 4500 BTC.”
The breach took place through the Liberty Reserve API secret key being broken[14]. This was reportedly because the key was only 16 characters long, which is shorter than recommended[14]. The attacker was then able to use this key to initiate many Liberty Reserve deposits and inject large amount of USD into their account[14]. Most of the USD was sold for bitcoin, which was then withdrawn[14]. The amount withdrawn was limited to 4500 BTC[14].
Total Amount Lost
The BTC-e hack is listed as having lost 4500 BTC on BitcoinTalk[14]. BitcoinTalk estimates this amount as $42,000 USD[14]. BitcoinTalk estimates that this amount is equivalent to 340 bitcoin in June 2013[14].
The total amount lost has been estimated at $42,000 USD.
Immediate Reactions
“Similar to the June 2011 Mt. Gox Incident, the BTC-E market was disturbed during the duration of the hack. The handling of this hack was widely applauded after BTC-E revealed they would cover the losses and revert to a backup made just before the hack.”
In the chaos of the attack, one user decided to claim responsibility for the theft. There is no evidence that user ever was involved.
MrWubbles Takes Responsibility
In the immediate aftermath of the theft, and individual using the aliases MrWubbles, FelicityWubwell, SupaDupaJenkins, SupaDupaTweetz, and SupaDupaDotBit took responsibility for the theft[14]. However, they later denied committing the theft and evidence supports that they were more likely an online troll[14].
Ultimate Outcome
While some have speculated that the hack was an inside job[14], BTC-e reportedly reimbursed all affected customers[14], which limits any benefit they may have received from staging such an attack[14].
MrWubbles stopped using their BitcoinTalk account[14].
BTC-e Cover Losses And Revert
BTC-e revealed that they would cover the losses and revert to backup made just before the hack[14]. This was reportedly widely applauded by the bitcoin community[14].
Total Amount Recovered
BTC-e reportedly reimbursed all affected customers[14].
Ongoing Developments
There are no ongoing developments in this case.
Individual Prevention Policies
Individuals should custody their own assets and store them properly offline whenever possible.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The stolen funds were not cryptocurrency, and thus it was not possible to store them in a multi-signature wallet. However, there are algorithms which can create an equivalent system with a secret. Instead, the BTC-e platform was using a weak security key.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
BTC-e was operated largely outside of regulatory oversight. Through the establishment of regulated
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Accessed Feb 15, 2020)
- ↑ FelicityWubwell @BitcoinTalk
- ↑ SupaDupaJenkins @BitcoinTalk†
- ↑ SupaDupaJenkins @bitcoin-otc
- ↑ SupaDupaTweetz @Twitter
- ↑ SupaDupaDotBit @YouTube
- ↑ Victim: btc-e.com
- ↑ https://imgur.com/k29wV
- ↑ https://www.reddit.com/r/Bitcoin/comments/xf684/btcusd_ask_price_at_40_on_btce/ (Accessed Sep 3, 2024)
- ↑ https://bitcointalk.org/index.php?topic=96802.20
- ↑ https://bitcointalk.org/index.php?topic=96802.msg1066989#msg1066989
- ↑ https://www.reddit.com/r/CryptoCurrency/comments/r34tot/meanwhile_the_third_largest_bitcoin_address_just/
- ↑ 13.0 13.1 13.2 13.3 Cryptocurrency exchange WEX/BTC-e tied to Bitcoin ransomware hackers - TheNextWeb (Accessed Feb 2, 2020)
- ↑ 14.00 14.01 14.02 14.03 14.04 14.05 14.06 14.07 14.08 14.09 14.10 14.11 14.12 14.13 14.14 14.15 14.16 14.17 14.18 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] - BitcoinTalk (Accessed Jan 28, 2020)