Mercado Bitcoin

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Mercado Bitcoin Logo/Homepage

Mercado Bitcoin was a popular bitcoin exchange based in Brazil. Unfortunately, there was an issue with their platform which allowed users to be credited with funds in their account without completing an actual deposit. The Mercado Bitcoin team claimed an intent to reimburse all customers, and some customers reported being reimbursed; however, there are ongoing claims that many users were never made whole.

About Mercado Bitcoin

The Mercado Bitcoin (Portuguese for Bitcoin Market) claimed to be the best place to buy and sell bitcoins in Brazil[1]. In addition to bitcoin trading, the homepage acted as a source for the latest Bitcoin news, promising to help investors make informed decisions in the cryptocurrency market[1].

In statistics gathered on March 9th, 2013, the platform boasted 2218 users, 78 open orders, and 92 bitcoins for sale, with 479 operations in the last 30 days[1]. The market showed steady activity, with fluctuations in value against the Brazilian Real[1].

The Reality

The platform had an issue where a user could generate a balance in their account without properly completing a deposit, which could be exploited to steal funds.

Some users have claimed that Bitcoin Rain was a ponzi scheme operated by Leandro, the administrator of Mercado Bitcoin[2].

What Happened

Over a few days prior to March 28th, 2013, hackers profited by exploiting a vulnerability in the Mercado Bitcoin platform.

Key Event Timeline - Mercado Bitcoin
| Date | Event | Description |
|---|---|---|
| October 3rd, 2011 | Bitcoin Rain Launch Date | The start date of the Bitcoin Rain scheme which is listed on BitcoinTalk[3]. |
| March 28th, 2013 8:32:18 AM MDT | BitcoinTalk Thread Announces Breach | A BitcoinTalk thread announces a security breach of the Mercado Bitcoin marketplace[3][4]. The breach reportedly had happened over the course of the past few days. |
| March 28th, 2013 | Bitcoin Rain Defaulted | The ponzi scheme Bitcoin Rain defaults[5][3]. |
| March 29th, 2013 | Update Provided To Users | Leandro provides an update to the community. |
| April 1st, 2013 | Withdrawals Completed | Leandro announces that all withdrawals have been completed except for 2 which reported the wrong account number[4]. |
| April 11th, 2013 | Deposits Repaid | Leandro announces that all deposits which have been identified have now been repaid[4]. |
| April 18th, 2013 3:47:29 PM MDT | BitcoinTalk Thread Claiming Ponzi | A BitcoinTalk thread started by user Erectus in Portuguese compares Mercado Bitcoin / Bitcoin Rain to the ponzi scheme run by Trendon Shavers[2]. Users compare their actions, alleging that Leandro operated a Ponzi scheme similar to Pirateat40's, based on evidence such as mixing funds from different ventures for "security." They criticize Leandro's handling of the situation, pointing out discrepancies in his claims of a hack and the movement of funds[2]. While some defend Leandro, urging for transparency and investigation, others express skepticism and advise caution in dealing with centralized exchanges. The debate underscores concerns about trust, accountability, and the security of Bitcoin investments[2]. |
| April 18th, 2013 5:25:34 PM MDT | Mercado Bitcoin Back Online | The Mercado Bitcoin exchange is reportedly brought back online in an announcement on BitcoinTalk[4]. The original thread about the security breach is updated to announce the relaunch[4]. |
| July 26th, 2013 9:38:21 PM MDT | BitcoinTalk Thread In English | A copy of the BitcoinTalk accusations is posted in English. However, this thread appears to receive only a single reply and very limited engagement[6]. |

Technical Details

There are limited details available about the breach. Known information:

  • The breach lasted a few days, starting a few days prior to March 28th[4].

The reimbursement announcement described the flaw as follows[4]:

The Bitcoin Market suffered an attack, which unfortunately was successful, in its implementation of a network code. Due to a coding error, it was possible for the attacker to generate new credit codes, without the amount being duly debited in his final balance. Getting it like this, generate a false amount of bitcoins within the system and redeem it in a timely manner during the night.
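A minimal sketch of the failure mode in the statement above, added here as an illustration and not Mercado Bitcoin's code. The exact bug was never published, so the `Ledger` class, its method names and the sample amounts are all assumptions; the sketch contrasts issuing a credit code without a debit against issuing it atomically, and adds the reconciliation check that exposes unbacked balances.

```python
import secrets
import threading
from decimal import Decimal

class Ledger:
    """Toy in-memory exchange ledger; every name here is hypothetical."""

    def __init__(self):
        self.balances = {}            # user -> spendable balance
        self.codes = {}               # unredeemed credit code -> value
        self.deposited = Decimal(0)   # deposits confirmed from outside
        self._lock = threading.Lock()

    def deposit(self, user, amount):
        with self._lock:
            self.balances[user] = self.balances.get(user, Decimal(0)) + amount
            self.deposited += amount

    def issue_code_flawed(self, user, amount):
        # Assumed shape of the flaw: a code is minted, nothing is debited.
        code = secrets.token_hex(8)
        self.codes[code] = amount
        return code

    def issue_code(self, user, amount):
        # Hardened: check, debit and mint as one step under the lock.
        with self._lock:
            if amount <= 0 or self.balances.get(user, Decimal(0)) < amount:
                raise ValueError("insufficient funds or invalid amount")
            self.balances[user] -= amount
            code = secrets.token_hex(8)
            self.codes[code] = amount
            return code

    def redeem(self, user, code):
        with self._lock:
            amount = self.codes.pop(code)   # KeyError if reused or unknown
            self.balances[user] = self.balances.get(user, Decimal(0)) + amount
            return amount

    def discrepancy(self):
        # Liabilities minus confirmed deposits; above zero means unbacked credit.
        with self._lock:
            owed = sum(self.balances.values()) + sum(self.codes.values())
            return owed - self.deposited

def demo():
    # Constructed sample: one 1.5 BTC deposit, then a code round trip.
    flawed, fixed = Ledger(), Ledger()
    for ledger in (flawed, fixed):
        ledger.deposit("alice", Decimal("1.5"))
    flawed.redeem("alice", flawed.issue_code_flawed("alice", Decimal("1.5")))
    fixed.redeem("alice", fixed.issue_code("alice", Decimal("1.5")))
    return flawed.discrepancy(), fixed.discrepancy()
```

Running `discrepancy()` on a schedule, and blocking withdrawals whenever it is non-zero, turns a multi-day silent drain into an alert on the first unbacked credit.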

Total Amount Lost

As Bitcoin Rain's funds were stored there, investors in Bitcoin Rain as well as account holders on Mercado Bitcoin lost money. Some money was reportedly paid back, but the vast majority is still outstanding.

A BitcoinTalk list prepared by dree12 has estimated the amount lost as 4,000 bitcoin[7][3], which was taken from an average of known Bitcoin Rain and Mercado Bitcoin victims, as well as a donation address[7][3][8]. According to the provided spreadsheet, there were 2734.821192 bitcoin reported missing, and a donation address was able to generate 5075.181457 bitcoin in total, with an average of 3905.001325 bitcoin which was rounded to 4000[8].

BitcoinTalk user dree12 gave a further estimate of the equivalent value of 2,150 bitcoin in 2013[3]. This was reported as the amount of the loss by Kyle Gibson[5]. The value was later estimated to be equivalent to 284 bitcoin in January 2014, or $231,440 USD[7].

Victims of Bitcoin Rain

A Google Docs spreadsheet was compiled to list some of the victims of Bitcoin Rain[8].

| BitcoinTalk User | Claimed Loss | Source |
|---|---|---|
| yelllowsin | 180 | https://bitcointalk.org/index.php?topic=160150.msg1697855#msg1697855 |
| Kaioflores | 100 | Trust Ratings |
| TradeFortress | 70 | Trust Ratings |
| rudrigorc2 | 60 | Trust Ratings |
| andrehorta | 43 | https://bitcointalk.org/index.php?topic=179992.msg1884659#msg1884659 |
| jajajuta | 20 | https://bitcointalk.org/index.php?topic=327848.msg3529629#msg3529629 |
| Pimbox | 1.04 | https://bitcointalk.org/index.php?topic=160150.msg1882168#msg1882168 |
| Total | 474.04 | |

Victims of Mercado Bitcoin

The only known Mercado Bitcoin victim listed was ThiagoCMC, who was reported to have lost 2260.781192 bitcoin[8].

The total amount lost has been estimated at $101,000 USD.

Immediate Reactions

Leandro César claimed there was a security breach, which had happened in the last few days. An announcement was made on the BitcoinTalk forum in Portuguese. It indicated limited information at the time, but was later updated with more information.

In the last few days we have had a security breach on our website.

We are at this time raising the information and creating the necessary strategy to return operations and mainly restore our ability to pay in the shortest possible time.

We cannot provide much information at this very moment when we are working on them.

All withdrawals of requested reais that have not yet been met, will be met as of today.

All legitimate deposits in reais that have not yet been credited will be canceled and their respective users refunded within 2 to 3 business days. Just wait for contact and instructions.

I will be updating the information here on this Thread.

We ask everyone just a little more patience for more information.

Ultimate Outcome

Accusations of Bitcoin Rain Ponzi

Accusations were levied against Leandro by a user named Erectus[2]. The discussion on the BitcoinTalk forum, in Portuguese, revolves around similarities between Leandro of Mercado Bitcoin and Pirateat40, focusing on potential fraudulent activities[2]. Participants highlight resemblances in the way Leandro managed Bitcoin Rain and Mercado Bitcoin, drawing parallels to the Ponzi scheme orchestrated by Pirateat40[2]. Accusations include Leandro mixing funds from different entities, failure to provide clear explanations regarding the alleged theft, and suspicions arising from the sudden shutdown of Bitcoin Rain after critical posts[2]. Erectus claimed that Bitcoin Rain was a ponzi scheme and pointed to evidence that bitcoins involved in Bitcoin Rain had not been moved during the theft period[2]. While some express concerns and demand transparency from Leandro, others defend him or call for further investigation. Overall, the discussion reflects a mix of skepticism, frustration, and uncertainty among forum members regarding the legitimacy of Leandro's operations[2].

Leandro César challenged Erectus to provide evidence of his claims, insinuating doubt about Erectus's involvement with the platform in question[9]. The exchange became increasingly hostile, with accusations and insults exchanged between Leandro César and another user named psy, who is also a moderator[9].

Reimbursements Announced

The announcement read[4]:

Thank you for your patience!

We apologize for the time without giving news and the waiting time for response of emails.

It has been a few days since we have been dedicated exclusively to solving all doubts and questions related to the market. However, as we have to update many people and at the same time, choose and execute a best possible action plan, we end up taking longer than desired.

The Bitcoin Market suffered an attack, which unfortunately was successful, in its implementation of a network code. Due to a coding error, it was possible for the attacker to generate new credit codes, without the amount being duly debited in his final balance. Getting it like this, generate a false amount of bitcoins within the system and redeem it in a timely manner during the night.

The amounts diverted were sufficient to compromise the functioning of the Bitcoin Market and another website that I also manage.

We will bear the losses with the limit of our current payment capacity.

All amounts will be paid according to the list below.

Bitcoin values will have to be paid in reais, following the last market price, also according to the list below.

Unfortunately we will not be able to take on a debt in bitcoins with the variation that is currently taking place. The last recorded Bitcoin Market quote was R$180.00 the unit of bitcoin.

We believe that we will be able to put on the air, a version of the site with the updated balances.

I honestly do not believe that it will please everyone with the decisions made, but it is the actions that we will BE ABLE to take to resolve the situation.

I appreciate the trust and partnership of the more than 2000 users who walked with us in this brief troubled period of the history of bitcoins in Brazil.

I also thank everyone who even during the silence still maintained the trust, which I promise, will never be broken.

I cannot say at the time whether or not the Bitcoin Market will continue. Only the next few days can say...

Any questions or new ideas use the Bitcoin Market administration email: admin@mercadobitcoin.com.br

Mercado Bitcoin Back Online

The Mercado Bitcoin website was brought back online with an announcement on April 18th, 2013[4].

Hello user,

I am happy to announce that I am no longer alone in this long and hard battle called Bitcoin Market.

After a long negotiation, I finally agreed on a partnership that will not only help in this time of crisis, but will also make the Bitcoin Market continue in its goal of popularizing and making Bitcoin as viable as possible in Brazil.

The new partners represent a large group of investors, possessing a lot of know-how and just like us, believe that Brazil can and will be the country of Bitcoin.

Inclusion In Lists

The incident was featured on multiple BitcoinTalk lists[3][7], the list put together by Kyle Gibson[5], and in the Bitcoin Exchange Guide list[10].

Total Amount Recovered

Leandro announced that customers of the exchange would be refunded.

According to BitcoinTalk, some funds were reportedly paid back; however, the vast majority remained outstanding[3].

A donation address set up by Leandro César received a reported 5075.181457 bitcoin[8]. There was suspicion that Leandro César was donating to this address himself[8].

Ongoing Developments

Despite some reimbursements for losses on Mercado Bitcoin, users of Bitcoin Rain were left uncompensated[11]. Discussions continue into 2022 and touch on a reported acquisition of Mercado Bitcoin by Coinbase and the complexity of the situation, with doubts about whether Coinbase would inherit the liabilities of the previous company[11]. Users express frustration over the lack of accountability and resolution, with ongoing concerns about the whereabouts of Leandro César. Additionally, a user reports a recent issue with their Mercado Bitcoin account, indicating ongoing problems with the platform's services[11].

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must also cover social media, databases, and DNS security.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References