Bitcoinica Linode Web Host Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.



In the early days of bitcoin, security was often a secondary concern. Many people stored wallets online and accessible, including the popular cryptocurrency exchange Bitcoinica. After being hacked for 43,000 bitcoins, Bitcoinica promised to compensate all users for their losses. The platform would go on to be attacked two more times before shutting down.

[1][2][3][4][5][6][7][8][9]

About Bitcoinica

The Bitcoinica exchange platform was based in New Zealand, and founded by Zhou Tong[10].

Despite his position as the creator of a financial speculation service and his strong belief in libertarian capitalist ideals, Bitcoinica to him has never been about the profit. “Bitcoinica is not a money making machine,” he writes. “It’s just a product that sets a high standard for the Bitcoin community.”[10]

About Linode

Linode was a web hosting provider[11] located in New Jersey[12].

The Reality

The Bitcoinica platform went on to suffer from a series of vulnerabilities.

What Happened

On March 1st, an attacker managed to gain access to 43,554 bitcoins from the Bitcoinica exchange by exploiting a vulnerability in the Linode web hosting provider.

Key Event Timeline - Bitcoinica Linode Web Host Hack

Date | Event | Description
March 1st, 2012 | Hacking Event | The platform server is restarted as part of a root password reset process, and the attacker then helps themselves to all the bitcoin in the wallet.
March 1st, 2012 8:37:39 PM MST | BitcoinTalk Thread Started | Bitcoinica CEO Zhou Tong posts on BitcoinTalk about the hacking which happened[13]. Zhou Tong confirms that Bitcoinica has enough historical profit to cover the losses and pledges to implement additional security measures to prevent future incidents[13].
May 14th, 2012 6:12:46 AM MDT | Bitcoin Magazine Obituary | Bitcoin Magazine publishes an obituary of the Bitcoinica exchange, written by Vitalik Buterin[10]. The significant thefts from Bitcoinica's reserves are described as causing the platform's immediate shutdown due to financial strain[10]. However, reassurances were given that users with balances on the platform would be compensated, with Intersango taking over Bitcoinica's operations[10]. Bitcoinica's founder Zhou Tong decided to depart from the Bitcoin sphere[10]. Despite accusations against Zhou, his actions were interpreted as those of a young entrepreneur exploring opportunities rather than deliberate malfeasance[10]. The episode underscored the importance of failure as part of the learning process and the Bitcoin community's commitment to innovation[10].
August 13th, 2012 11:18:00 AM MDT | Finextra Lawsuit Article | Finextra reports that four former users of Bitcoinica have filed a lawsuit alleging that they are owed nearly half a million dollars in missing funds, as well as damages. Bitcoinica, once a successful exchange created by teenager Zhou Tong, suffered two major hacking incidents earlier this year, resulting in the theft of thousands of Bitcoins[1]. Despite assurances from Bitcoinica that the stolen funds were from the exchange itself and not customers, the site has remained offline, leaving users uncertain about the fate of their investments[1]. Additionally, Bitcoinica had initially promised to honor all withdrawal requests but later informed users that only half of their funds would be returned, prompting speculation about the exchange's integrity[1]. Amidst rumors implicating Tong in the hacks, the plaintiffs filed a complaint in San Francisco alleging that Bitcoinica, its successor Intersango, and associated individuals conspired to deprive them of their rights regarding the missing funds[1].
February 3rd, 2017 10:00:04 AM MST | Bitcoin.com Forgotten Theft List Published | Bitcoin.com publishes the attack on a list of Bitcoin Exchange Thefts you may have forgotten about[12].

Technical Details

“On March 2, 2012, a hacker was able to obtain customer support privileges for Linode, giving the hacker a unique level of access to customer information. The hacker was able to find out which customers were holding bitcoin wallets. Using that information, the thief logged into individual accounts using a weakness in the Linode manager, a platform customers were using to configure their virtual machines. The hacker rebooted the virtual machines to change the root passwords, giving the hacker access to any account and the bitcoins inside.”

The attacker reportedly got into Bitcoinica, along with 8 other bitcoin businesses, by exploiting the New Jersey-based Linode hosting service[12]. Bitcoinica was the largest of the breaches[12].

Total Amount Lost

Sources have generally placed the amount lost at 43,000 BTC[11][12][14], while the original number from BitcoinTalk was 43,554 BTC[13] and one source stated that 46,703 BTC was stolen. Some sources have grouped the multiple attacks that Bitcoinica suffered together[11].

The amount lost is typically translated to $228,000.

"Online bandits made off with at least $228,000 worth of the virtual currency known as Bitcoin after exploiting a vulnerability in a widely used Webhost that gave unfettered access to eight victims' digital wallets."

“A total of 46,703 BTC was stolen, worth $228,000 at the time.”

Table Of Amount Lost:

Amount Lost By Source

Source | Amount | Date
BitcoinTalk[13] | 43,554 BTC | March 1st, 2012
Bitcoin Magazine[14] | 43,000 BTC | March 1st, 2012
Bitcoin.com | 43,000 BTC | Spring 2012

The total amount lost has been estimated at $228,000 USD.

Immediate Reactions

The incident was initially reported on BitcoinTalk before being subsequently reported in other news media.

BitcoinTalk Thread And Reactions

The BitcoinTalk thread describes a significant security breach that resulted in the loss of 43,554 BTC from Bitcoinica due to a compromise of Linode servers[13]. Zhou Tong, Bitcoinica's founder, acknowledges the incident and assures users that they will be fully reimbursed for their losses. Despite initial concerns about the feasibility of such reimbursement, Zhou Tong confirms that Bitcoinica has enough historical profit to cover the losses and pledges to implement additional security measures to prevent future incidents[13].

The community reacts with shock and concern over the extent of the breach and the potential implications for Bitcoin security. Some speculate about the involvement of Linode employees in the attack, while others express sympathy for Bitcoinica and its users. Discussions also revolve around the security practices of Bitcoin-related services and the need for stronger safeguards, such as encryption and reduced hot wallet sizes[13].

Meanwhile, questions are raised about Linode's responsibility and accountability in the matter, prompting calls for the company to address the situation transparently and provide compensation[13]. Suggestions are made for cooperation between affected Bitcoin services like Bitcoinica and larger platforms like MtGox to track and intercept stolen funds if they are used for trading[13].

Throughout the thread, there is a mix of concern, frustration, and solidarity within the Bitcoin community, as members grapple with the implications of the security breach and strive to support affected parties while advocating for improved security practices across the industry[13].


The Bitcoin community faced a significant setback on March 1 when Linode's servers were hacked, resulting in the theft of 43,000 BTC from Bitcoinica, among other losses[14]. This incident, along with previous Bitcoin thefts, raised concerns about the security of Bitcoin and its lack of reversibility and effective audit trails[14]. However, it's important to approach the issue with a rational perspective rather than succumbing to hysteria[14]. Despite the severity of the theft, there are reasons to believe that it is less consequential than it appears at first glance[14].

Bitcoin's security measures have improved over time and will continue to do so in the future. While the theft was substantial, Bitcoinica managed to reimburse all its customers and remain operational[14]. Moreover, advancements like multi-signature transactions promise to enhance security further. Additionally, while the value of the stolen bitcoins is significant, it's worth noting that other businesses, such as Sony and Stratfor, have faced more substantial losses due to data breaches[14].

Bitcoinica's situation underscores the risks inherent in financial services businesses, which must navigate such challenges differently from other industries[14]. Despite the risks, Bitcoinica's ability to remain solvent demonstrates a level of resilience[14]. Importantly, individual Bitcoin users were not directly affected by the theft, highlighting the security of Bitcoin for the average user. This aligns with one of Bitcoin's core principles: the ability to choose between self-custody and third-party services, providing users with freedom and flexibility in managing their assets[14]. As Bitcoin adoption grows, more options for secure storage and financial services are expected to emerge, catering to users' varying needs and preferences[14]. Ultimately, the incident emphasizes the importance of maintaining a balanced perspective on Bitcoin's security challenges and its potential for continued innovation and adoption[14].

Ultimate Outcome

The event was included in lists put together by Bitcoin Magazine[10][11], and the Bitcoin Exchange Guide[15].

Lawsuit Against Platform

Finextra reports that four former users of Bitcoinica have filed a lawsuit alleging that they are owed nearly half a million dollars in missing funds, as well as damages[1]. Bitcoinica, once a successful exchange created by teenager Zhou Tong, suffered two major hacking incidents earlier this year, resulting in the theft of thousands of Bitcoins[1]. Despite assurances from Bitcoinica that the stolen funds were from the exchange itself and not customers, the site has remained offline, leaving users uncertain about the fate of their investments[1]. Additionally, Bitcoinica had initially promised to honor all withdrawal requests but later informed users that only half of their funds would be returned, prompting speculation about the exchange's integrity[1]. Amidst rumors implicating Tong in the hacks, the plaintiffs filed a complaint in San Francisco alleging that Bitcoinica, its successor Intersango, and associated individuals conspired to deprive them of their rights regarding the missing funds[1].


It's reported that the thief involved in these attacks is unknown[12]. One potential theory is that it was a Linode employee[12].

Some sources claim that this attack led to the ultimate demise of the Bitcoinica platform[11]; however, Bitcoinica would go on to be hacked 2 more times in 2012[12].

Total Amount Recovered

While users were assured multiple times that they would be compensated[13], a lawsuit suggests that the losses suffered by users were still very substantial[1].

Ongoing Developments

The Bitcoinica exchange ultimately shut down and hasn't come back. It's unclear if any investigation is underway into where the stolen funds ended up.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This is a case where simply knowing who's holding the funds and storing them properly offline with multiple signatures would have avoided the issues.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
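One way to check the 3-signature minimum at the script layer, as an added example that is not part of the original case study: the Python below parses a standard Bitcoin m-of-n CHECKMULTISIG redeem script and reports policy findings. The function names and the sample public keys are constructed for illustration.

```python
# Added example: audit a Bitcoin redeem script against a minimum-signature policy.
OP_CHECKMULTISIG = 0xAE
OP_1, OP_16 = 0x51, 0x60  # OP_N encodes N as 0x50 + N


def parse_multisig(script: bytes):
    """Return (m, pubkeys) for 'OP_m <key>... OP_n OP_CHECKMULTISIG'."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script (single-key wallet?)")
    m_op, n_op = script[0], script[-2]
    if not (OP_1 <= m_op <= OP_16 and OP_1 <= n_op <= OP_16):
        raise ValueError("threshold opcodes out of range")
    m, n = m_op - 0x50, n_op - 0x50
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        size = script[pos]
        if size not in (33, 65):  # compressed or uncompressed public key push
            raise ValueError(f"unexpected push length {size}")
        if pos + 1 + size > end:
            raise ValueError("truncated key push")
        keys.append(script[pos + 1:pos + 1 + size])
        pos += 1 + size
    if len(keys) != n or m > n:
        raise ValueError("declared thresholds do not match the key list")
    return m, keys


def audit(script: bytes, min_sigs: int = 3):
    """Return a list of policy findings; an empty list means the script passes."""
    m, keys = parse_multisig(script)
    findings = []
    if m < min_sigs:
        findings.append(f"threshold {m}-of-{len(keys)} is below required {min_sigs}")
    if len(set(keys)) != len(keys):
        # A repeated key lets one holder satisfy more than one signature slot.
        findings.append("duplicate public key in key list")
    return findings


def build(m, keys):
    """Assemble a redeem script; used here only to create sample input."""
    body = b"".join(bytes([len(k)]) + k for k in keys)
    return bytes([0x50 + m]) + body + bytes([0x50 + len(keys), OP_CHECKMULTISIG])


# Constructed placeholder keys (not real curve points), one per key holder.
KEYS = [b"\x02" + bytes([i]) * 32 for i in range(1, 6)]

if __name__ == "__main__":
    print(audit(build(3, KEYS)))                       # passes: 3-of-5
    print(audit(build(1, KEYS[:2])))                   # 1-of-2 is too weak
    print(audit(build(3, [KEYS[0]] * 2 + KEYS[1:3])))  # repeated key holder
```

A script that does not end in CHECKMULTISIG, such as an ordinary single-key output script, raises ValueError rather than passing the audit.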

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Users sue Bitcoin exchange over $460k in missing funds - FinExtra (Feb 3, 2020)
  2. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] - BitcoinTalk (Jan 28, 2020)
  3. Bitcoinica - Bitcoin Wiki (Feb 4, 2020)
  4. Bitcoins worth $228,000 stolen from customers of hacked Webhost - Arstechnica (Feb 4, 2020)
  5. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
  6. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
  7. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  8. security - What is the story behind the "Linode problem"? - Bitcoin Stack Exchange (Mar 14, 2022)
  9. Brian Cartmell et al vs Bitcoinica LP - Scribd (Accessed Feb 27, 2024)
  10. Bitcoinica: An Obituary - Bitcoin Magazine (Feb 4, 2020)
  11. Infographic: An Overview of Compromised Bitcoin Exchange Events - Bitcoin Magazine (Jan 30, 2020)
  12. The Bitcoin Exchange Thefts You May Have Forgotten - Bitcoin.com (Jan 29, 2020)
  13. Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized - BitcoinTalk (Accessed Mar 1, 2023)
  14. The Bitcoinica Linode Theft and What it Means for Bitcoin - Bitcoin Magazine (Accessed Mar 1, 2024)
  15. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)