Tracking a Bitcoin Thief

An anonymous reader writes A small group of researchers were able to publish an investigative report on the hacking of a popular Bitcoin exchange earlier this year by the name of CryptoRush.in. Close to a million dollars stolen in crypto currency lead the group to discover evidence, track down the attacker and put together a timeline of what exactly happened. A captivating read for a community desensitized by thefts, hackings and lack of reporting. With pictures, and logs to prove it all.

Queue misguided bitcoin comments in....3....2....

[Anonymous Coward]

They'll involve ponzi accusations, pedophilia, "non-backing", etc....the usual lame arguments.

Re:

[Anonymous Coward]

That would be refreshing then. Slashdot is usually quite pro-Bitcoin.

Re:

[Applehu Akbar]

I wonder what would happen here is someone used Bitcoin to buy an Apple?

Re:

[CaptainDork]

What varying degrees of anonymity did the perps in TFS use?

Re:

[Applehu Akbar]

I'm wondering what would happen here in the Slashdot community if such a transaction came to light.

Re:

[Anonymous Coward]

Calm your butthurt Bennett. You've never written a "proper" article ever.

Pictures and Logs Prove What Exactly?

[l0ungeb0y]

Both these things can easily be faked, so unless they have something more damning, I'd hardly call this proven as presented on it's own. Now, take it to trial and allow the other side to refute the allegations and provide their own evidence and I will give it merit as "proof".

Re:Pictures and Logs Prove What Exactly?

[PRMan]

The Blockchain can't be faked. Everyone has a copy.

Re:

[jones_supa]

But those are trusted pools, right? So we have no reason to worry about such attack.

Re:

[Richard_at_work]

The blockchain doesn't tie in anything that irrefutably proves real world identity, just another bitcoin wallet address which could be controlled by anyone at anytime.

Mass analysis

[DrYak]

1 single transaction tracked ? Yes, you mostly get just 1 other bitcoin wallet.

Massively track thousands of such transaction? (that's beyond the capabilities of a small budget research team. But that's well within the capabilities of any decent government) And correlate them with "end-point transaction" (transaction that can be traced to a real-world identity: buying something from an e-shop using bitcoins and ordering it delivered to an address) ?
then, if the tracked person isn't using an insanely high nu

Re:

[Richard_at_work]

How is a research group with non-privileged access to third party data going to determine such things as shipping addresses? The bitcoin blockchain doesn't extend verification to those shipping addresses etc, so the point stands - it doesn't tie in anything which cannot be faked, all you actually get with the blockchain is "random number X did something with second random number Y".

Great, the bitcoin blockchain can't be faked - but what about these logs that say "bitcoin wallet X purchased some cocaine and

Fail ...

[CaptainDork]

I don't have a copy.

Criminals are dumb

[radarskiy]

Steal a million dollars... in a perfectly traceable currency where every transaction is public.

Re:

[arbiter1]

Um consider there are a lot of countries that don't even see bit coin as a real currency. Claiming million $ loss for digital item is like haveing item stole in warcraft. Proven real harm is hard when its something purely digital.

Re:

[Anonymous Coward]

The RIAA and MPAA don't seem to have any problems.

Re:

[idontgno]

Because for good or ill, almost every nation has signed off [wikipedia.org] on the idea that the form of fantasy property called "copyright" is legitimate property. Show me a Berne Convention equivalent that "legitimizes" bitcoins and its ilk, and you'll have a serious point instead of vague nerd-rage trolling.

Re:

[Anonymous Coward]

If this is true, why haven't the mtgox bucks been recovered yet?

Re:

[AmiMoJo]

They aren't in jail, and it remains to be seen if they launder the money successfully. Also, not all Bitcoin transactions are public. If you put a Bitcoin wallet on a USB flash drive and hand it to someone the transaction is not recorded anywhere. There is no way to know how many people the wallet passed through before the coins resurface in public transactions again.

Re:

[ultranova]

If you put a Bitcoin wallet on a USB flash drive and hand it to someone the transaction is not recorded anywhere.

Which means there's nothing stopping me from going home and moving the coins in the wallet I just gave to another one, leaving it empty.

There is no way to know how many people the wallet passed through before the coins resurface in public transactions again.

If I give away a wallet I received from someone else I risk being held accountable if whoever gave it to me spends the coins in it. So even

Re:

[Kjella]

So what? Since there's no central authority to block transactions or seize funds they'll simply be passed around until any relation with the crime is meaningless with almost everybody in the transaction chain is blissfully unaware that somewhere they were stolen. Then what? If you find the person behind the wallet and seize the "stolen property", you introduce a massive transaction risk that totally undermines the cryptographic guarantee that the transaction is final and irreversible. Imagine the following

Will they ?

[DrYak]

So what? Since there's no central authority to block transactions or seize funds they'll simply be passed around until any relation with the crime is meaningless with almost everybody in the transaction chain is blissfully unaware that somewhere they were stolen.

Will they pass them around? Enough to blur any relation ship? In a secure way that never leaks any identity?
(oops, one of the exchange I sent money to managed to record my IP address. No matter how much I keep mixing downstream, part of identity are leaked here)

Remember that they have adversaries like government who (as recently proven for the NSA, for example) have quite a few ressources.
A single policeman might not be able to pull enough data and analysis.
But if goverment suspects that some big danger as

Re:

[Cramer]

He stole "coins", not money. He might as well have stolen rabbit droppings, or lawn clippings. The real-world money ("leafy green spendy money") came from people (read: "fools") who will trade real money for those things.

The only crime here is fraud and computer hacking ("unauthorized access", etc.) But as he's in one part of the world, breaking into systems in various other parts of the world, taking things from people in yet other parts of the world... nobody will bother pursuing him.

Amateur hour

[kharchenko]

Whipping up a few lame PHP scripts, leaving all the logs, using real name, your own static IP and a personal Dropbox account?! Is that what cuts for a hacker these days? With a million dollar payoff? I am starting to think I am not optimizing my earnings potential :)

Re:Amateur hour

[Lord_Jeremy]

Note that basically the only hacking technique he used was running a couple websites with malicious code that stole user's email and passwords. Then trying those credentials at lots of other sites looking for stuff to take. In particular, he discovered that the founder/administrator of CryptoRush used the same password for everything and he was able to download server backups that contained the necessary information (private keys?) to access the exchange wallets. So basically everyone involved was participating in amateur hour.

Re:

[rmstar]

Fools fooling fools in bitcoinland. Shocking!

Images are broken

[rebelwarlock]

I actually tried to read the article, but their images which are supposedly irrefutable proof are all broken. Good job, geniuses.

Bennett Haselton on crypo currencies

[Anonymous Coward]

I read the article, but do we have any record of Bennett's thoughts on crypto currency? I would like to read any insight he has before drawing my conclusions. He's a frequent contributor.

Sekrit anti-government crypto currency

[__aaltlg1547]

turns out to be much more traceable than the old fashioned kind, because you need the traceability to verify the transaction and establish who "has" the bitcoins.

Look out, Mark Karpeles.

Re:

[TeknoHog]

It's great that Bitcoin is the only cryptocurrency out there, and there are absolutely no advanced alternatives with serious anonymity. After all, Bitcoin was released in 2009 and there's no way for the scene to evolve significantly in mere 5 years.

Re:

[chad_r]

Oh my God! Ebola hysteria is imfecting other Slashdot threads! Why are they telling us it's so hard to spread! The only sensible solution is to prevent people from posting in other discussions after being in the daily Ebola discussion thread! Shame on the Slashdot administrators for not implementing such a trivial solution that would be guaranteed to stop the spread of Ebola hysteria to unrelated discussions!

Re:

[CaptainDork]

I wear those cool blue CSI rubber evidence gloves when I type and handle my mouse. Also, I an careful to wear a mask when I lean in a squint at my small screen.

People who post Ebola shit on /. are putting us all at risk.

It's very hard to discern, just from screen names (and the ACs), who, exactly is from NYC or Dallas and stuff.

What not to do with an exchange

[dermoth666]

Well that sounds like the solution to http://xkcd.com/792/ [xkcd.com] 's problems...

On a serious note though, I won't shed a tear for CryptoRush.in. Using the same password on a small, no-reputation mining pool as the admin access to a currency exchange!?! That's a huge fail even by the lowest security standards, and these guys should know better.

Then what about getting coins stolen from the hot wallet and not even flagging the loss? What's even the point of an offline wallet when you don't reconcile the hot wallet be

Re:

[dermoth666]

I have a problem! somebody all my fleshcoins! the whole thing!

lead != led

[Anonymous Coward]

Sorry if I misunderstood and the crypto currency is actually made out of lead....