Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: hl5460 on September 25, 2014, 12:09:42 PM



Title: BTCT.com hacked and lost 107 btc
Post by: hl5460 on September 25, 2014, 12:09:42 PM
8btc report (http://8btc.com/thread-7520-1-1.html):
BTCT.com is a bitpay-like website in China, featuring online hashrate trade.
As per the official statement (http://BTCT.com), a hacker hacked the wallet server and used an RPC command to dump the private key and then got away with the coins.

tx:https://blockchain.info/zh-cn/tx/392195d6f1f615c2a1b8fde7dbecbcbe5d332bd6ee83d0dcc3b66567c6c2af32

Currently the merchant page is down only with the statement on its frontpage.
20 btc bounty was placed to hunt down the hacker.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: RustyNomad on September 25, 2014, 12:21:00 PM
I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.



Title: Re: BTCT.com hacked and lost 107 btc
Post by: V8x8d on September 25, 2014, 12:30:44 PM
I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.



Agreed, how can you achieve "Security and control over your money" when you are trusting somebody else with it (Counter-party risk)?


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Daniel91 on September 25, 2014, 12:59:38 PM
8btc report (http://8btc.com/thread-7520-1-1.html):
BTCT.com is a bitpay-like website in China, featuring online hashrate trade.
As per the official statement (http://BTCT.com), a hacker hacked the wallet server and used an RPC command to dump the private key and then got away with the coins.

tx:https://blockchain.info/zh-cn/tx/392195d6f1f615c2a1b8fde7dbecbcbe5d332bd6ee83d0dcc3b66567c6c2af32

Currently the merchant page is down only with the statement on its frontpage.
20 btc bounty was placed to hunt down the hacker.

I'm not surprised with this news.
It seems nothing is 100 % secure online today.
This is risk we have to accept by using online services.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 25, 2014, 01:05:32 PM
When the companies are supposed to store most of their funds in cold wallets, how is it possible that they lose so much funds. Alternatively, if 107 btc's only accounts for let's say 3-5% which might be kept in the hot wallet, then it shouldn't matter as the company should be able to pay back their customers if not instantly, then within sometime by their operating incomes.

The fact however remains that if a Webserver has access to the wallets, there is always a possibility of hacking. There is not much any of us can do as the hacks keep evolving and if you don't know about a vulnerability, then there is not much you can do to prevent it. It's not like the Crypto companies are as big as google that they can be on top of everything. Thus, the only option is to sever the link between the webserver and the wallet server and still make them talk somehow. It's very difficult to do but possible.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: kolloh on September 25, 2014, 01:43:31 PM
Yeah, it sounds like they weren't following best practices for the safe keeping of their BTC if they were able to run off with that much. Never store that much BTC in a hot wallet =/


Title: Re: BTCT.com hacked and lost 107 btc
Post by: bornil267645 on September 25, 2014, 01:49:46 PM
These sites never ensure enough security....


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 25, 2014, 02:08:53 PM
How do they sleep at night holding customer funds and not ensuring at least basic parameter of hot and cold wallet. I saw on their site, they have written that they will return the customers funds so they must be employing cold and hot wallet. This must be a very small amount compared to their deposits.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: jbreher on September 25, 2014, 08:39:30 PM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: jbreher on September 25, 2014, 08:42:46 PM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

...and now their website is offline.

...aaaaand it's gone.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 25, 2014, 08:43:32 PM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

What do you mean by 'attract deposits via interest-bearing accounts' ??? And how is that relevant to hacking? Please explain.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Meuh6879 on September 25, 2014, 08:46:03 PM
I'll never trust any online service be that a wallet and or an exchange.

clear.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Meuh6879 on September 25, 2014, 08:47:26 PM

...and now their website is offline.

...aaaaand it's gone.

https://i.imgur.com/mOMo4XC.jpg


Title: Re: BTCT.com hacked and lost 107 btc
Post by: franky1 on September 25, 2014, 08:56:23 PM
crappy php website..

when will people learn to not have their wallets and trade engines on the exact same server as the customers GUI.

not
(user)----(whole business function server)

but it should be
(user)----(PHP echo/RUBY GUI server)-----(trade engine server)------(wallet server)

by having the important stuff on a separate server, DDoS attacks won't stunt functions of the engine or wallet functions. and you can even mirror the echo/GUI server if a DDoS occurs to keep connections active
as well as allowing security precautions to be added at each server to triple secure the whole plan so that hackers can be spotted before getting to the wallet server.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 25, 2014, 09:01:58 PM
crappy php website..

when will people learn to not have their wallets and trade engines on the exact same server as the customers GUI.

not
(user)----(whole business function server)

but it should be
(user)----(PHP echo/RUBY GUI server)-----(trade engine server)------(wallet server)

by having the important stuff on a separate server, DDoS attacks won't stunt functions of the engine or wallet functions. and you can even mirror the echo/GUI server if a DDoS occurs to keep connections active
as well as allowing security precautions to be added at each server to triple secure the whole plan so that hackers can be spotted before getting to the wallet server.

Add a Separate Database Server in the chain and it should become a perfect chain and then add firewalls everywhere with a Separate VPN connection to the headoffice.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: jbreher on September 25, 2014, 11:03:29 PM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

What do you mean by 'attract deposits via interest-bearing accounts' ??? And how is that relevant to hacking? Please explain.

Well, as their website is offline, I can neither confirm nor deny my suspicion.

However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit. They have skimmed - in order to pay the interest at minimum, but also as likely to line their own pockets. Where does that bitcoin-denominated interest come from? Other folks who think their bitcoins are held safely on their behalf.

Such a business, even if it is not lining the pockets of the owners, has a significant liquidity exposure. If anything goes astray, there is no way that such a business can repay each account holder all the bitcoins they think they own. And that's just if the business owners are not dipping into the till for their own personal gain.

But experience hath shewn that owners that operate fast and loose thusly are more often than not even more dishonest, stealing from depositors' funds.

Hence the 'hack' as opposed to the hack. The 'hack' is a time-tested tool in the bitcoin-scammers' toolbox. No _real_ hack, just a claim that the site was hacked. Allows them to run off with all the 'hacked' funds themselves.

It's a common pattern here in bitcoin-land.

It remains to be seen whether or not BTCT.com has stolen the funds or not. Heck, not knowing the details of the business, I may be way off on my suspicion. As I said, with their website drawing a 404...

In the meantime, it might be wise for all to consider the possibility that BTCT has indeed done so, and is using the 'hack' excuse to cover their tracks.

More importantly, it is wise for all to consider the fact that if you do not have sole control of your private keys, those bitcoin you think you own are as good as gone.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: subSTRATA on September 25, 2014, 11:18:19 PM
It seems nothing is 100 % secure online today.

Nothing will ever be 100% secure, online or offline.


...and now their website is offline.

...aaaaand it's gone.

https://i.imgur.com/mOMo4XC.jpg

I'm missing Mark and MtGox dramas, sometimes.  :D


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Remember remember the 5th of November on September 25, 2014, 11:23:35 PM
Any chance the Bash exploit was used here?


Title: Re: BTCT.com hacked and lost 107 btc
Post by: jbreher on September 26, 2014, 12:43:08 AM
Any chance the Bash exploit was used here?

Who knows?

What is the more likely explanation?


Title: Re: BTCT.com hacked and lost 107 btc
Post by: santaClause on September 26, 2014, 01:44:10 AM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.
I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with


Title: Re: BTCT.com hacked and lost 107 btc
Post by: hl5460 on September 26, 2014, 03:27:14 AM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.
I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with
BTCT is not an interest-bearing exchange. It's more like taobao, allowing merchants to open shops and accept bitcoin as payment.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: mkc on September 26, 2014, 06:05:05 AM
This is sad. but again, bitcoin should be placed offline, with electrum


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 06:12:35 AM
This is sad. but again, bitcoin should be placed offline, with electrum

The fact is that offline is not possible for service providers as the customers expect instant transfers which is not possible with offline. Thus a combination of Hot and Cold works.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 06:16:10 AM

Well, as their website is offline, I can neither confirm nor deny my suspicion.

However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit.....

I thought it was a service similar to bitpay for china, thus I highly doubt they are offering interest. It's not possible to give out interest unless the bitcoins are invested which would completely defy the objective of a payment processor. If suddenly all the customers want their money back, the service provider would be screwed.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: hl5460 on September 26, 2014, 09:42:37 AM
A bit off topic:
The 1st Chinese bitcoin APP channel launched on app.8btc.com (http://app.8btc.com)
https://bitcointalk.org/index.php?topic=798174.0


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 10:31:37 AM
When the companies are supposed to store most of their funds in cold wallets, how is it possible that they lose so much funds. Alternatively, if 107 btc's only accounts for let's say 3-5% which might be kept in the hot wallet, then it shouldn't matter as the company should be able to pay back their customers if not instantly, then within sometime by their operating incomes.

The fact however remains that if a Webserver has access to the wallets, there is always a possibility of hacking. There is not much any of us can do as the hacks keep evolving and if you don't know about a vulnerability, then there is not much you can do to prevent it. It's not like the Crypto companies are as big as google that they can be on top of everything. Thus, the only option is to sever the link between the webserver and the wallet server and still make them talk somehow. It's very difficult to do but possible.

YOU ARE EXACTLY RIGHT! The reason exchanges keep getting hacked is because their webservers have some sort of access to the MONEY. Take a look at luapod if this is your type of area. I have already completely separated the handling of users money from the webserver. The webserver actually has no permission to handle anybody's money. It only builds and signs requests. EVEN though a request is signed that doesn't mean the backend server accepts it as true. The backend does its own check on the information. You can read up a little bit on how it works at the index page: http://luapod-web.cloudapp.net/index.lua



If I wanted to I could have my computer running a VPS with 13 GB of ram allotted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 11:00:02 AM
If I wanted to I could have my computer running a VPS with 13 GB of ram allotted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MYSQL db, then I could hypothetically just go and make changes in Mysql and take all your funds. You need to think how to ensure that even if I get access to the Mysql DB connected to the webserver, I shouldn't be able to cause any damage financially.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: newyorker91 on September 26, 2014, 11:40:45 AM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

True. It's hard to prove who and how hacked and you get all money. Perfect plan with 100% profit


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 12:13:59 PM
If I wanted to I could have my computer running a VPS with 13 GB of ram allotted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MYSQL db, then I could hypothetically just go and make changes in Mysql and take all your funds. You need to think how to ensure that even if I get access to the Mysql DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. IT can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any 
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]



ANOTHER THING IS you can't just change a balance on this. If you change the balance on any transaction the system comes to a halt (because it detects that there is a discrepancy between the information inside the account balance and the signature for the transaction that has been changed) NOT ONLY does it know that it has been changed, but it knows what it was changed from. So through a type of persistence I can also keep transactions from being deleted.
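Added example (not part of the original thread, and not LuaPod's code): a minimal Python sketch of the pattern argued over in the posts above, where the web tier only signs a structured request and the backend re-checks it against a tamper-evident ledger it alone can write. The field meanings of `create/trade/5/1000/100/5` (user id, amount, price, market id), the use of HMAC-SHA256, the key values and all names are assumptions; the encryption step mentioned in the post is omitted.

```python
import hashlib
import hmac

# Constructed demo keys. The web server holds only FRONTEND_KEY;
# LEDGER_KEY is assumed to exist only on the backend.
FRONTEND_KEY = b"constructed-frontend-signing-key"
LEDGER_KEY = b"constructed-backend-ledger-key"
GENESIS = "0" * 64


def _mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def _same(a, b):
    # Constant-time comparison; encode so odd input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


def sign_request(command, key=FRONTEND_KEY):
    """Front end: attach a MAC to a structured command string."""
    return command + "|" + _mac(key, command)


class Backend:
    """Only the backend appends ledger rows; the front end can merely ask."""

    def __init__(self, opening_balances):
        self.rows = []        # stands in for the finance table in the database
        self.head = GENESIS   # latest row MAC, kept by the backend, not in the DB
        for user_id, amount in opening_balances.items():
            self._append(user_id, amount)

    def _append(self, user_id, delta):
        seq = len(self.rows)
        # Each row's MAC covers the previous MAC, so rows form a chain.
        mac = _mac(LEDGER_KEY, f"{seq}/{user_id}/{delta}/{self.head}")
        self.rows.append((seq, user_id, delta, mac))
        self.head = mac

    def verify_ledger(self):
        """False if any row was edited, removed or reordered."""
        prev = GENESIS
        for index, (seq, user_id, delta, mac) in enumerate(self.rows):
            expected = _mac(LEDGER_KEY, f"{seq}/{user_id}/{delta}/{prev}")
            if seq != index or not _same(mac, expected):
                return False
            prev = mac
        return _same(prev, self.head)  # catches deletion of the newest rows

    def balance(self, user_id):
        return sum(delta for _, uid, delta, _ in self.rows if uid == user_id)

    def process(self, signed):
        if not self.verify_ledger():
            return "halted: ledger tampered"
        command, _, tag = signed.rpartition("|")
        if not _same(tag, _mac(FRONTEND_KEY, command)):
            return "rejected: bad signature"
        parts = command.split("/")
        if len(parts) != 6 or parts[:2] != ["create", "trade"]:
            return "rejected: unsupported command"
        fields = parts[2:]
        if not all(p.isascii() and p.isdigit() for p in fields):
            return "rejected: malformed fields"
        user_id, amount, price, market = (int(p) for p in fields)
        if amount == 0 or price == 0:
            return "rejected: zero amount or price"
        # The signature only proves the web tier sent this. A stolen
        # FRONTEND_KEY still cannot spend more than the ledger shows.
        if self.balance(user_id) < amount:
            return "rejected: insufficient balance"
        self._append(user_id, -amount)
        return "accepted"


if __name__ == "__main__":
    backend = Backend({5: 1500, 6: 200})
    print(backend.process(sign_request("create/trade/5/1000/100/5")))
    print(backend.process(sign_request("create/trade/5/1000/100/5")))
```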


Title: Re: BTCT.com hacked and lost 107 btc
Post by: RustyNomad on September 26, 2014, 12:19:27 PM
Somewhere in the near future.....

"The highest paying tech related job according to our latest survey is that of a Bitcoin Security Expert....."


Title: Re: BTCT.com hacked and lost 107 btc
Post by: OrientA on September 26, 2014, 12:36:58 PM
I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.



Agreed, how can you achieve "Security and control over your money" when you are trusting somebody else with it (Counter-party risk)?

I store most in my own wallet.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 12:38:43 PM
If I wanted to I could have my computer running a VPS with 13 GB of ram allotted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MYSQL db, then I could hypothetically just go and make changes in Mysql and take all your funds. You need to think how to ensure that even if I get access to the Mysql DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. IT can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any 
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]

Trust me I read but the fact is that if there is no way to write something in a db, then how will the user modify data. You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals. How have you designed your system so that you know for sure that the incoming request is true and is also automated. You don't need to tell everyone but you do need to think.

Also, for this argument, assume that I have hacked the webserver and I exactly know your db username and password and even if the db server is on an internal network, I can still access it using the webserver ssh. Moreover, most probably if I have SSH access to the webserver, I will exactly know your DB encryption passwords.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 12:41:36 PM
If I wanted to I could have my computer running a VPS with 13 GB of ram allotted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MYSQL db, then I could hypothetically just go and make changes in Mysql and take all your funds. You need to think how to ensure that even if I get access to the Mysql DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. IT can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any 
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]

Trust me I read but the fact is that if there is no way to write something in a db, then how will the user modify data. You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals. How have you designed your system so that you know for sure that the incoming request is true and is also automated.

Also, for this argument, assume that I have hacked the webserver and I exactly know your db username and password and even if the db server is on an internal network, I can still access it using the webserver ssh. Moreover, most probably if I have SSH access to the webserver, I will exactly know your DB encryption passwords.


I will give you the username and password for the DB right now

Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"


DNS NAME
luapod-sql.cloudapp.net
HOST NAME
LuaPod-Sql
PUBLIC VIRTUAL IP (VIP) ADDRESS
191.238.226.47

There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.

The funny thing is you still couldn't get access to the database.


Also, the database isn't encrypted. The signature and hash passwords are entered upon each server boot. You would have to intercept me trying to boot the software. But good luck getting past the subversion code control with code signing.



Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 12:47:21 PM

I will give you the username and password for the DB right now

Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"


There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.

The funny thing is you still couldn't get access to the database.

Man I am not challenging you nor I have the time to go hack. We are discussing a topic and this is a pure discussion maybe to help someone. Also, if you really want to test out your security by disclosing passwords, I suggest you give out your password for your webserver and then see the magic happen. I am sure someone in the forum might be interested.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 12:49:15 PM

I will give you the username and password for the DB right now

Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"


There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.

The funny thing is you still couldn't get access to the database.

Man I am not challenging you nor I have the time to go hack. We are discussing a topic and this is a pure discussion maybe to help someone. Also, if you really want to test out your security by disclosing passwords, I suggest you give out your password for your webserver and then see the magic happen. I am sure someone in the forum might be interested.

Server Login:

justin7674
HACKMEPLEASEorz94358




#Wastingmylifewaitingformagic

I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.  


PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neha on September 26, 2014, 01:05:42 PM
Server Login:

justin7674
HACKMEPLEASEorz94358

#Wastingmylifewaitingformagic

I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer. 


PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH

BOLD !!!


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 01:09:06 PM
Server Login:

justin7674
HACKMEPLEASEorz94358

#Wastingmylifewaitingformagic

I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.  


PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH

BOLD !!!

I have spent a year racking my brain on this. I have pretty good confidence in its security and stability (Except that the webserver currently doesn't have ddos protection turned on)

So much faith that even with the authentication given out I believe that it is safe still.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: cassieheart on September 26, 2014, 01:14:27 PM


https://www.youtube.com/watch?v=lu3VTngm1F0




Server Login:

justin7674
HACKMEPLEASEorz94358

#Wastingmylifewaitingformagic

I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.  


PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH

BOLD !!!

I have spent a year racking my brain on this. I have pretty good confidence in its security and stability (Except that the webserver currently doesn't have ddos protection turned on)

So much faith that even with the authentication given out I believe that it is safe still.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 01:18:31 PM


https://www.youtube.com/watch?v=lu3VTngm1F0





classic


Title: Re: BTCT.com hacked and lost 107 btc
Post by: neurotypical on September 26, 2014, 01:34:28 PM
This is getting ridiculous. Would be cool to have some kind of graphics or statistic about stolen coins in similar services. I think I'm going to have everything in Bitcoin QT and forget about it. Too much risk.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: LuaPod on September 26, 2014, 01:43:35 PM
This is getting ridiculous. Would be cool to have some kind of graphics or statistic about stolen coins in similar services. I think I'm going to have everything in Bitcoin QT and forget about it. Too much risk.

Here is a statistic that sticks pretty well for most people:

 Over nine thousand


Title: Re: BTCT.com hacked and lost 107 btc
Post by: safari88 on September 26, 2014, 07:43:07 PM
waw why it could happen?  :-\

should they do not keep a lot in the one bitcoin address


Title: Re: BTCT.com hacked and lost 107 btc
Post by: coinvesting on September 26, 2014, 07:53:43 PM
That's absolutely brutal.

I imagine it was an inside job but who knows.

That's why I keep my private keys in my own possession.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: hl5460 on October 03, 2014, 05:38:38 AM


https://www.youtube.com/watch?v=lu3VTngm1F0





classic

Quote
The uploader has not made this video available in your country.

Sorry about that.
WTF!


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Q7 on October 03, 2014, 05:49:24 AM
Hate it when reading this. I hope they track down the thief and recover back the coins.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: S4VV4S on October 03, 2014, 08:55:48 AM


https://www.youtube.com/watch?v=lu3VTngm1F0





classic

Quote
The uploader has not made this video available in your country.

Sorry about that.
WTF!

Here you go brother: http://mp3skull.com/search_db.php?q=george+michael+-+faith&fckh=db9b883656fad431fca6da2286edcfea

Indeed a classic!!!


Title: Re: BTCT.com hacked and lost 107 btc
Post by: FrigidWinter on November 02, 2014, 04:06:51 PM
Server Login:

justin7674
HACKMEPLEASEorz94358

#Wastingmylifewaitingformagic

I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.  


PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH

BOLD !!!

I have spent a year racking my brain on this. I have pretty good confidence in its security and stability (Except that the webserver currently doesn't have ddos protection turned on)

So much faith that even with the authentication given out I believe that it is safe still.

SCAM ARTIST JUSTIN FROM OPENEX, ICEYSCRYPT AND BITBAY

USE AT YOUR OWN RISK. ACTUALLY JUST DONT USE IT

I also suspect he ran Mt.Gox


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Nerazzura on November 04, 2014, 02:12:07 AM
8btc report (http://8btc.com/thread-7520-1-1.html):
BTCT.com is a bitpay-like website in China, featuring online hashrate trade.
As per the official statement (http://BTCT.com), a hacker hacked the wallet server and used an RPC command to dump the private key and then got away with the coins.

tx:https://blockchain.info/zh-cn/tx/392195d6f1f615c2a1b8fde7dbecbcbe5d332bd6ee83d0dcc3b66567c6c2af32

Currently the merchant page is down only with the statement on its frontpage.
20 btc bounty was placed to hunt down the hacker.

I'm not surprised with this news.
It seems nothing is 100 % secure online today.
This is risk we have to accept by using online services.
then, how do you keep it? Offline wallet ??
I think, sometimes it's a little long transaction. and possible blockchain also vulnerable to hackers


Title: Re: BTCT.com hacked and lost 107 btc
Post by: bryant.coleman on November 04, 2014, 04:18:52 AM
The problem with Bitcoin is that you will never know whether it was an inside job or not..... lol... even the Mt Gox robbery is not solved to this date, although many believe that all the coins were stolen by that fat greedy guy.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: hellojpg on November 04, 2014, 01:23:05 PM
china lol

any site that relates with them chings and japs I keep away from that's why I stopped using bter.com they are a bunch of scammers jesus christ keep thine funds in cold storage


Title: Re: BTCT.com hacked and lost 107 btc
Post by: CryptoGains on November 05, 2014, 04:33:30 AM
I wonder how could these websites/exchanges still not be serious about security after several incidents already happened and everybody knows about it.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: nor9865 on November 05, 2014, 05:31:11 PM
I wonder how could these websites/exchanges still not be serious about security after several incidents already happened and everybody knows about it.

They are very serious, however bugs often slip through and are discovered by hackers who exploit them unfortunately.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: Ron~Popeil on November 05, 2014, 09:09:42 PM
china lol

any site that relates with them chings and japs I keep away from that's why I stopped using bter.com they are a bunch of scammers jesus christ keep thine funds in cold storage

I don't really see how ethnicity is relevant here. Also you might want to spell your slurs correctly.


Title: Re: BTCT.com hacked and lost 107 btc
Post by: jbreher on November 06, 2014, 04:45:12 AM
I wonder how could these websites/exchanges still not be serious about security after several incidents already happened and everybody knows about it.

They are very serious, however bugs often slip through and are discovered by hackers who exploit them unfortunately.

And sometimes the 'hackers' are the people that run the exchange.

Not that I have any particular knowledge about this particular firm, nor incident. Just sayin'.