S3052
Legendary
 Offline
Activity: 2100
Merit: 1000
|
 |
January 06, 2015, 06:54:13 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. |
|
|
|
|
|
|
|
|
|
|
Remember that Bitcoin is still beta software. Don't put all of your money into BTC!
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
sgk
Legendary
Offline
Activity: 1470
Merit: 1002
!! HODL !!
|
|
January 06, 2015, 07:05:37 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. They say this is only a small fraction of their Bitcoin holdings: "This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems." |
|
|
|
|
pawel7777
Legendary
Offline
Activity: 2422
Merit: 1559
|
|
January 06, 2015, 09:45:57 AM |
|
They say this is only a small fraction of their Bitcoin holdings:
"This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems."
Doesn't matter. What's relevant is the amount lost and how are they going to repay that. Both cold and hot wallets are customers' deposit, BitStamp just holds those on their behalf and cannot dispose such funds at free will. |
|
|
|
sgk
Legendary
Offline
Activity: 1470
Merit: 1002
!! HODL !!
|
|
January 06, 2015, 10:11:34 AM |
|
They say this is only a small fraction of their Bitcoin holdings:
"This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems."
Doesn't matter. What's relevant is the amount lost and how are they going to repay that. Both cold and hot wallets are customers' deposit, BitStamp just holds those on their behalf and cannot dispose such funds at free will. They should repay. Given the clean record of the exchange until now, I would be tend to believe that they'll pay all lost BTC of their customers from their own pocket. After all, they must have earned a lot more from their operational profits until now. Or at least that's what they should do. |
|
|
|
|
oda.krell
Legendary
Offline
Activity: 1470
Merit: 1007
|
|
January 06, 2015, 11:34:52 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative. Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic. |
Not sure which Bitcoin wallet you should use? Get Electrum!Electrum is an open-source lightweight client: fast, user friendly, and 100% secure. Download the source or executables for Windows/OSX/Linux/Android from, and only from, the official Electrum homepage.
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 09:46:19 AM
Last edit: January 08, 2015, 10:00:01 AM by Rampion |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative. Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic. First of all: 19k cannot be 5% of "their assets" - customers deposits ARE NOT Bitstamp's assets, they cannot use customers money to cover the hole (Gox anyone?  ). Taking into account Bitstamp's average commission and volume, 19k is the income they would generate in 8/12 months - the commissions are basically the money with which they can operate, those are "their assets" and NOT customers money. For a company to lose one full year of income is indeed catastrophic in my book. I know by heart my company would have to file for bankruptcy almost immediately  . Unless they were very wise with their money management (I really hope they were), saving a lot of BTC back in the day, etc. they will have a very rough year ahead. Let's hope that they are a healthy company and that Pantera and/or other investors are willing to help them out. |
|
|
|
hashie
Full Member
Offline
Activity: 322
Merit: 100
DATABLOCKCHAIN.IO SALE IS LIVE | MVP @ DBC.IO
|
|
January 08, 2015, 09:59:20 AM |
|
So, what's a good exchange to trade on nowdays?
|
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 10:02:04 AM |
|
So, what's a good exchange to trade on nowdays?
Bitfinex? Honestly, I did quite a lot of trading back in the early to mid 2013, but I stopped as soon as Gox showed the first signs of insolvency (April/May 2013) and then I used Bitstamp just to cash out a bit in December 2013, but I never had any balance for more than 24 hours on it. I'd say that there is no "super-safe" exchange for bitcoin. Not controlling directly your private keys is inherently risky. Do not have on any exchange more than you can afford to lose. Sad but true. |
|
|
|
oda.krell
Legendary
Offline
Activity: 1470
Merit: 1007
|
|
January 08, 2015, 10:07:59 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative. Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic. First of all: 19k cannot be 5% of "their assets" - customers deposits ARE NOT Bitstamp's assets, they cannot use customers money to cover the hole (Gox anyone? ). Taking into account Bitstamp's average commission and volume, 19k is the income they would generate in 8/12 months - the commissions are basically the money with which they can operate, those are "their assets" and NOT customers money. For a company to lose one full year of income is indeed catastrophic in my book. I know by heart my company would have to file for bankruptcy almost immediately . Unless they were very wise with their money management (I really hope they were), saving a lot of BTC back in the day, etc. they will have a very rough year ahead. Let's hope that they are a healthy company and that Pantera and/or other investors are willing to help them out. Yes, I realized this after I posted: 'asset' isn't the right word. My bad. But I'm sure you got the point though: It does make a substantial difference whether they lost 80%, 40% or, as I claim, at most 5% of their total customers' funds, because: - their ability to cover the loss is based on their revenue (and their company assets) - their own revenue is based on their trading volume (and the market price, of course) - which in turn is related to total customers' funds So, the higher the share of customers' funds lost, the less likely is that a company will be able to refund it. That was the basic idea. I'm not defending them, by the way: No idea why they had 19k coins in a hot wallet. Seems absolutely excessive. And unless they provide some very good information explaining the hack, how it came to it, and how they're improving their internal security from now on, I will leave Bitstamp behind as a customer. That is, of course, assuming that I get my funds back. For all I know, this could still turn out to be another gox. I had a pretty high opinion of Bitstamp so far, and the fact that they have large outside investors is reassuring, but until I can log in again and trade or withdraw my funds, I remain extremely skeptic. |
Not sure which Bitcoin wallet you should use? Get Electrum!Electrum is an open-source lightweight client: fast, user friendly, and 100% secure. Download the source or executables for Windows/OSX/Linux/Android from, and only from, the official Electrum homepage.
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 10:19:30 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative. Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic. First of all: 19k cannot be 5% of "their assets" - customers deposits ARE NOT Bitstamp's assets, they cannot use customers money to cover the hole (Gox anyone? ). Taking into account Bitstamp's average commission and volume, 19k is the income they would generate in 8/12 months - the commissions are basically the money with which they can operate, those are "their assets" and NOT customers money. For a company to lose one full year of income is indeed catastrophic in my book. I know by heart my company would have to file for bankruptcy almost immediately . Unless they were very wise with their money management (I really hope they were), saving a lot of BTC back in the day, etc. they will have a very rough year ahead. Let's hope that they are a healthy company and that Pantera and/or other investors are willing to help them out. Yes, I realized this after I posted: 'asset' isn't the right word. My bad. But I'm sure you got the point though: It does make a substantial difference whether they lost 80%, 40% or, as I claim, at most 5% of their total customers' funds, because: - their ability to cover the loss is based on their revenue (and their company assets) - their own revenue is based on their trading volume (and the market price, of course) - which in turn is related to total customers' funds So, the higher the share of customers' funds lost, the less likely is that a company will be able to refund it. That was the basic idea. I'm not defending them, by the way: No idea why they had 19k coins in a hot wallet. Seems absolutely excessive. And unless they provide some very good information explaining the hack, how it came to it, and how they're improving their internal security from now on, I will leave Bitstamp behind as a customer. That is, of course, assuming that I get my funds back. For all I know, this could still turn out to be another gox. I had a pretty high opinion of Bitstamp so far, and the fact that they have large outside investors is reassuring, but until I can log in again and trade or withdraw my funds, I remain extremely skeptic. They just had 3.100BTC in the hot wallet at the moment of the hack. But they did not realize they were hacked until 24 hours after the hack. Check the transactions. During that 24 hours the hacker kept stealing all the money that was deposited on bitstamp. This is what the transaction history tells us: - the first transaction is the bigger one: 3.100 BTC. Probably all that was on Bitstamp's hot wallet at that time. - after that, the hacker sweeps every coin that is deposited on Bitstamp during 24 hours. - after a full day, he managed to steal almost 19k. - after Bitstamp realizes is hacked, transactions slow down, but we still see some transactions going in to the hacker address. This is probably people that did not realize Bitstamp was hacked, so they are still depositing BTC from their clients address book. It could also be some ATM or automated service - anyhow after the announcement only peanuts coming in. |
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 10:21:33 AM |
|
The above is also consistent with the crazy fees the hacker used: probably he shit his pants when he realized he controlled the wallet, so he started using CRAZY fees in the hope his transactions would have priority in case Bitstamp realized they were hacked and tried to sweep the funds to a secure wallet. In other words, he was preventively defending himself from a "double spend" from Bitstamp. The reality is he just wasted the coins, because Bitstamp did not realize anything until 24 hours later  |
|
|
|
|
spin
|
|
January 08, 2015, 10:42:38 AM |
|
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss. It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative. Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic. First of all: 19k cannot be 5% of "their assets" - customers deposits ARE NOT Bitstamp's assets, they cannot use customers money to cover the hole (Gox anyone? ). Taking into account Bitstamp's average commission and volume, 19k is the income they would generate in 8/12 months - the commissions are basically the money with which they can operate, those are "their assets" and NOT customers money. For a company to lose one full year of income is indeed catastrophic in my book. I know by heart my company would have to file for bankruptcy almost immediately . Unless they were very wise with their money management (I really hope they were), saving a lot of BTC back in the day, etc. they will have a very rough year ahead. Let's hope that they are a healthy company and that Pantera and/or other investors are willing to help them out. Yes, I realized this after I posted: 'asset' isn't the right word. My bad. But I'm sure you got the point though: It does make a substantial difference whether they lost 80%, 40% or, as I claim, at most 5% of their total customers' funds, because: - their ability to cover the loss is based on their revenue (and their company assets) - their own revenue is based on their trading volume (and the market price, of course) - which in turn is related to total customers' funds So, the higher the share of customers' funds lost, the less likely is that a company will be able to refund it. That was the basic idea. I'm not defending them, by the way: No idea why they had 19k coins in a hot wallet. Seems absolutely excessive. And unless they provide some very good information explaining the hack, how it came to it, and how they're improving their internal security from now on, I will leave Bitstamp behind as a customer. That is, of course, assuming that I get my funds back. For all I know, this could still turn out to be another gox. I had a pretty high opinion of Bitstamp so far, and the fact that they have large outside investors is reassuring, but until I can log in again and trade or withdraw my funds, I remain extremely skeptic. They just had 3.100BTC in the hot wallet at the moment of the hack. But they did not realize they were hacked until 24 hours after the hack. Check the transactions. During that 24 hours the hacker kept stealing all the money that was deposited on bitstamp. This is what the transaction history tells us: - the first transaction is the bigger one: 3.100 BTC. Probably all that was on Bitstamp's hot wallet at that time. - after that, the hacker sweeps every coin that is deposited on Bitstamp during 24 hours. - after a full day, he managed to steal almost 19k. - after Bitstamp realizes is hacked, transactions slow down, but we still see some transactions going in to the hacker address. This is probably people that did not realize Bitstamp was hacked, so they are still depositing BTC from their clients address book. It could also be some ATM or automated service - anyhow after the announcement only peanuts coming in. An alternative theory to the above: I am not sure what bistamp realised and when but regular withdrawals were blocked quite soon after things started. I.e. I submitted a withdrawal request only a couple of hours after the first hack transaction. It was about 4-5am UTC on 4 Jan. That withdrawal remained pending until that evening and was never processed. Usually it's quite quick to process. So something stopped allowing withdrawals soon after the hack started. Unfortunately the thief was able to continue taking funds because he was presumably using some other vector that did not need the regular withdrawal. E.g. he had control of the private keys. He was (and is?) able to continue taking funds if he had private keys. My theory is that some automated control system picked up mismatch with what balances should be vs what they actually had and stopped withdrawals. Bitstamp management then at some point figured out what was happening. The hacker is however not blocked by this as he is using another vector (e.g. control of the keys). My suggestion to improve this would be that the automated control system that picked up the error should on mismatch of balances automatically transfer all at risk funds to cold storage (and continue to do so). Not sure if this occured, but this might be what the thief was trying to prevent with his high fees. Was their any attempted double spends on the affected addresses? |
If you liked this post buy me a beer. Beers are quite cheap where I live!
bc1q707guwp9pc73r08jw23lvecpywtazjjk399daa
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 10:45:32 AM |
|
I am not sure what bistamp realised and when but regular withdrawals were blocked quite soon after things started. I.e. I submitted a withdrawal request only a couple of hours after the first hack transaction. It was about 4-5am UTC on 4 Jan. That withdrawal remained pending until that evening and was never processed. Usually it's quite quick to process.
So something stopped allowing withdrawals soon after the hack started. Unfortunately the thief was able to continue taking funds because he was presumably using some other vector that did not need the regular withdrawal. E.g. he had control of the private keys. He was (and is?) able to continue taking funds if he had private keys.
My theory is that some automated control system picked up mismatch with what balances should be vs what they actually had and stopped withdrawals. Bitstamp management then at some point figured out what was happening. The hacker is however not blocked by this as he is using another vector (e.g. control of the keys).
It's pretty clear what stopped withdrawals. As soon as money entered the hot wallet, the hacker emptied it. So there was NO money on the hot wallet to honor withdrawals since the very first moment the hack started. Bitstamp did not realize this on time so the hacker kept emptying the hot wallet during 24 hours - money came in from deposits, money went out to hacker's address. As soon as Bitstamp told customers "DO NOT DEPOSIT TO OLD ADDRESSES" the amount of coins stolen went down dramatically. We still had some coins stolen after Bitstamp shut down, probably from people who did not realize Bitstamp was hacked and deposited directly from the address book of their client. If Bitstamp realized this immediately after the first 3.100 BTC theft, they would have probably saved +14k BTC. |
|
|
|
|
spin
|
|
January 08, 2015, 10:51:03 AM |
|
An alternative theory to the above:
I am not sure what bistamp realised and when but regular withdrawals were blocked quite soon after things started. I.e. I submitted a withdrawal request only a couple of hours after the first hack transaction. It was about 4-5am UTC on 4 Jan. That withdrawal remained pending until that evening and was never processed. Usually it's quite quick to process.
So something stopped allowing withdrawals soon after the hack started. Unfortunately the thief was able to continue taking funds because he was presumably using some other vector that did not need the regular withdrawal. E.g. he had control of the private keys. He was (and is?) able to continue taking funds if he had private keys.
My theory is that some automated control system picked up mismatch with what balances should be vs what they actually had and stopped withdrawals. Bitstamp management then at some point figured out what was happening. The hacker is however not blocked by this as he is using another vector (e.g. control of the keys).
It's pretty clear what stopped withdrawals. As soon as money entered the hot wallet, the hacked emptied it. So there was NO money on the hot wallet to honor withdrawals since the very first moment the hack started. Yeah of course. I assumed that the hacker didn't have control of the full hot wallet. But if he did then that could be the simplest explanation... I guess I'm hoping they had a control system, that checked for mismatched balances (or unauthorised tx on their wallets). And locked down withdrawals in case of an issue. It should also move funds to safe cold storage. |
If you liked this post buy me a beer. Beers are quite cheap where I live!
bc1q707guwp9pc73r08jw23lvecpywtazjjk399daa
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 10:52:10 AM |
|
An alternative theory to the above:
I am not sure what bistamp realised and when but regular withdrawals were blocked quite soon after things started. I.e. I submitted a withdrawal request only a couple of hours after the first hack transaction. It was about 4-5am UTC on 4 Jan. That withdrawal remained pending until that evening and was never processed. Usually it's quite quick to process.
So something stopped allowing withdrawals soon after the hack started. Unfortunately the thief was able to continue taking funds because he was presumably using some other vector that did not need the regular withdrawal. E.g. he had control of the private keys. He was (and is?) able to continue taking funds if he had private keys.
My theory is that some automated control system picked up mismatch with what balances should be vs what they actually had and stopped withdrawals. Bitstamp management then at some point figured out what was happening. The hacker is however not blocked by this as he is using another vector (e.g. control of the keys).
It's pretty clear what stopped withdrawals. As soon as money entered the hot wallet, the hacked emptied it. So there was NO money on the hot wallet to honor withdrawals since the very first moment the hack started. Yeah of course. I assumed that the hacker didn't have control of the full hot wallet. But if he did then that could be the simplest explanation... I guess I'm hoping they had a control system, that checked for mismatched balances (or unauthorised tx on their wallets). And locked down withdrawals in case of an issue. It should also move funds to safe cold storage. Occam Razor: it's much simpler to hack a full wallet just by stealing it and seizing the encryption key from the server's memory, that to discover a single private key by other means. |
|
|
|
oda.krell
Legendary
Offline
Activity: 1470
Merit: 1007
|
|
January 08, 2015, 11:09:35 AM |
|
Solid analysis of the hack, Rampion. The 'warm wallet' architecture outlined here should be a way to decrease the likelihood of this type of attack (assuming it played out as described above). |
Not sure which Bitcoin wallet you should use? Get Electrum!Electrum is an open-source lightweight client: fast, user friendly, and 100% secure. Download the source or executables for Windows/OSX/Linux/Android from, and only from, the official Electrum homepage.
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
January 08, 2015, 11:18:06 AM |
|
Egor is a boss - the solution he proposes is indeed a good one. The fact is that Bitstamp operation was not very sophisticated. They should improve now. |
|
|
|
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
|
|
January 08, 2015, 01:27:38 PM |
|
Call me an optonist, but theyv been upfront with it and im sure they can cover it from their reserves.
|
|
|
|
|
suchmoon
Legendary
Offline
Activity: 3654
Merit: 8909
https://bpip.org
|
|
January 09, 2015, 06:19:23 PM |
|
So, what's a good exchange to trade on nowdays?
Looking to launder your loot dipshit? |
|
|
|
|
|
SpanishSoldier
|
|
January 09, 2015, 06:22:10 PM |
|
So, what's a good exchange to trade on nowdays?
Looking to launder your loot dipshit? I wish their deposited coins get locked at Bitstamp. |
|
|
|
|
|
