Bitcoin Forum

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

Though how much USD would it have taken to get to $40?

I just deposited 20BTC to sell at these ridiculous prices. I think the strategy here is to deposit no more than you're willing to lose!

Good luck getting USD out of there.  ;)

Good luck getting USD out of there.  ;)

Damn it, I was about to go to bed as well!

Can we then conclude that these massive amounts of BTC will then make their way to other exchanges for the cash out, thus causing those prices to fall?

Sold a handful at $30-$32. Trying to deposit more. We'll see the results. I'll be a buyer at $15 tonight though if anyone is willing to jump into this....

Latest block contains 64,516.55 BTC.

Latest block contains 64,516.55 BTC.

What's happened is for real then!

Latest block contains 64,516.55 BTC.

Well people. This may be the end of BTC-e.

I'll laugh so hard when all the people rushing their BTC there to sell high and buy back low will be ultimately left with nothing because a hacker found a way to fill sell orders without actually having any USD..

Perhaps this might have something to do with it?

http://www.it-networks.org/security/hacker-breaches-50000-itwallstreet-com-accounts-posts-data-online

Tempted to wait a couple hours, and see what happens. Could get a bunch of BTC cheap maybe.

^Who's Pirate?

... a hacker found a way to fill sell orders without actually having any USD..

https://i.imgur.com/4BGw9.png

There is the payout

I just sent 1BTC to my btc-e.com account, lol

Mayyyybee... this is for real

??? Sold at $30+, bought at ~$20. Withdrew, BTC in my wallet

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

From the BTC-E chat box:

All confirmed??

Sucks their withdraw limit is .1 BTC. Now how am I supposed to get my 0.00933138 BTC out of there? I'm ruined! :-P

Consider yourself lucky. I have 0.0098578 on there that I fear may be lost forever  :(

From the BTC-E chat box:

I chickened out, ran away with my bitcoins while I still could.  :P

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

https://bitcointalk.org/index.php?action=profile;u=62595 (https://bitcointalk.org/index.php?action=profile;u=62595)

your hacker

They wouldn't be able to withdraw fake BTC.

Um... no. 2.18 of it to: 12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav

Site is down now.

Why not?

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

OMG... I had 180 Bitcoins there... Jesus...

My latest withdraw at btc-e webpage says "confirmed", but nothing reached my wallet yet.

40 Bitcoins was "sold" there... And 140 Bitcoins are stucked at some point there... In Russia... Damn!

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

http://blockexplorer.com/address/12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav
0BTC
Did you get any out successfully?

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

I vote hack vs. scam vs. clever stunt by the exchange to get more deposits.

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

I understand all that. What I was saying is that simply putting 50000 in the BTC balance box doesn't mean there is actually 500000 BTC there.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

New theory: hacker emptied the BTC-e BTC wallet first and all that's happening now is him having some fun with the other users..

No.  Any "faking" of USD or BTC would be on BTC-E books.  The bad news is that the victims are now left with more coins on the books (BTC-e internal books) than actual coins.  No amount of hacking can produce BTC from nothing.

No.  Any "faking" of USD or BTC would be on BTC-E books.  The bad news is that the victims are now left with more coins on the books (BTC-e internal books) than actual coins.  No amount of hacking can produce BTC from nothing.

This is probably not good news, but check on the spike on the picture, and the timing of it:

http://i50.tinypic.com/o7678m.png

Somebody is cleaning house I believe. I think those trying to deposit and speculate are in for a rude awakening.

Assuming the chat image pasted earlier was the real hacker comments, then the entire database is going to get purged. So if BTC-e didn't back up regularly, this is going to burn a ton of people.

Not really. I was able to withdraw from btce many minutes after the price spiked to 40s.

Hmmm. Let's see. What's the time zone in Russia. I'm guessing about 4AM roughly.
Anyone know who to call to wake them up and freeze the exchange?

It is 6:37 in Moscow.

The hacker injected fake usd ? My money is on Ben Bernanke.

No, that is first few. Waiting for some confirms.

Jesus no, please no...

Not really. I was able to withdraw from btce many minutes after the price spiked to 40s.

1 confirm on the withdraws. Still 20 bid for 13.45, but able to sleep now.

Please... no... Oh God...  lol

My documentation:

https://bitcointalk.org/index.php?topic=40889.msg1066779#msg1066779

I have screenshots... To remember...  Damn...  :-/

OMG, just what we need, another bitcoin disaster.

Btter hope this does not hit mainstream media...another BTC robbery will only shake the BTC tree more and eventually result in a collapse

.....

Your bitcoin, as long as you withdraw it, should still arrive. Good luck.

Unfortunately, you might have to write off your USD, or sell it at a massive loss. There is no way BTC-E has enough to pay out the USD.

1. Sell ALL USD immediately. There is almost certainly not enough USD to pay out.

2. Withdraw ALL BTC immediately. Unless fractional reserve was employed, there should be enough. No BTC was reported to have injected, so this may be your only option of financial recovery.

3. Change passwords for other websites immediately. The database is likely to leak, if a SQL injection was the culprit.

Here are my suggestions for all victims.
2. Withdraw ALL BTC immediately. Unless fractional reserve was employed, there should be enough. No BTC was reported to have injected, so this may be your only option of financial recovery.

Best of luck to all victims.

I do not want withdraw "fake USD" from BTC-e... I will not touch that USD.

I just want, at least, those 140 BTC (total is 180 I had there for sure), withdraw still "pending" (i.e. not reached my wallet)...  :-/

Good luck for those that feel a bit lost now...  :-P

This is less worse than the "life with the government and banks"... lol

How? By buying BTC at $45?

I agree that people should do this, but it's not going to work. The exchange has no rational justification for fully reimbursing bitcoin holders while screwing over usd holders.

Definitely. Better safe than sorry.

That can't be good, but how do we know he wasn't just trollololing?

If what he said was true, then no one could withdraw bitcoins. People have claimed to have been able to withdraw as recently as the last 5-10 minutes.

Unless one of the following is true, your BTC withdrawal will still go through.

• The hacker hacked in BTC as well.
• BTC-E used fractional reserve.
• BTC-E had a cold wallet.
• BTC-E wakes up and discovers the hack.

I strongly suggest you discard the USD by selling it, while it is still worth ~1/5 of its actual value. The 40 BTC that is missing has been converted to USD, most likely. You can still retrieve some of that value from it.

Yes, I'm telling the truth. It is all here registered in my btc-e account anyway...  ;-)

How so?!

Well, Zhou needed to get the money to pay back everyone from somewhere I guess :D

Smart and as a bonus you dont have to feel guilty about contributing to the death of another exchange just to make a fast buck...

Btter hope this does not hit mainstream media...another BTC robbery will only shake the BTC tree more and eventually result in a collapse

FWIW, I do believe the hacker is using the name 'MrWubbles'.

FWIW, I do believe the hacker is using the name 'MrWubbles'.

I do believe MrWubbles is falsely taking credit. SupaDupaJenkins may be the culprit, however.

It's possible it's false, but it seems convincing to me. Maybe I'm too quick to trust people when they say I can't trust them.

I'm monitoring the btc-e chat, and they seem to believe Mr. Wubbles is trolling.

He had obviously lied before about deleting the database. If Mr. Wubbles had the ability to do that, there would be a much easier way of "hurting the exchange" without hurting its users: withdraw the hot wallet directly.

I'm pretty sure that would 'hurt the users' too. Though it wouldn't lure others in.

Which payment processors and exchanges accept BTC-e codes?

I'm monitoring the btc-e chat, and they seem to believe Mr. Wubbles is trolling.

He had obviously lied before about deleting the database. If Mr. Wubbles had the ability to do that, there would be a much easier way of "hurting the exchange" without hurting its users: withdraw the hot wallet directly.

So as an experiment I deposited BTC sold if for USD, bought the BTC back and withdrew.  I got my "test" 0.8 BTC out of the exchange (minus some trading losses).

This makes me very confident that my (and others) original theory was correct.  The attacker ONLY increased the amount of USD.  Period.  Nothing else.  There also appears to be some (at least 0.8 BTC as of 2 minute ago) BTC left.  Likely the hacker hit some per account limit. 

So what that means if you will very soon see HYPER INFLATION on the BTC-E exchange.  Think of BTC as the "goods".  The BTC-E USD money supply has been massively inflated.  As people realize this they will dump USD for BTC driving the price higher and higher and higher.  $50, $100, $500, maybe even $25,000 USD per BTC.

There is SOME (who knows how much) real BTC on the exchange but anyone hanging on to USD "profits" is an idiot.  Selling USD for BTC at 50%, 70% even 90% loss is better than holding on to a hyperinflating currency.  You may say "the money supply is no longer inflating" while that is true price action often lags the actual increase in the money supply.  If the hacker increased the USD money supply by say a factor of 50x then eventually USD:BTC will rise by a factor of 50x. 

No way BTC-E can pay out all the fake USD so get into the store of value ... BTC.

Maybe btce had their own reserve stacked on the sells, thats a lot of coins.

Why the btc-e is still running?!?!

Why the btc-e is still running?!?!

So what that means if you will very soon see HYPER INFLATION on the BTC-E exchange.  Think of BTC as the "goods" in the BTC-E economy.  The BTC-E USD money supply has been massively inflated but the amount of "goods" (BTC) hasn't.  This is the recipe for massive inflation.  It was inflated by the hacker/counterfeiter.  Normally we think of central banks as the one doing inflating and generally that is true in major economies however any increase in money supply  (even illegal ones like counterfeiting) causes inflation  As people realize this they will dump USD for BTC driving the price higher and higher and higher.  $50, $100, $500, maybe even $25,000 USD per BTC.

Huge spam of small transfers just stopped on bitcoin monitor

They have not woken up yet; it's still 7:47 in Moscow.

Any luck on your withdrawal? You should be hoping BTC-E still runs!

Firstly, it is unlikely btc-e has a cold storage wallet. Secondly, you'd have to be a moron to believe that it can be stolen (as that would require physical access to the computer.

Why is it unlikely btc-e have no cold storage wallet. Doesn't all exchange have a cold wallet?

Clearly, Mr. Wubbles is trolling. He claimed he:


Firstly, it is unlikely btc-e has a cold storage wallet. Secondly, you'd have to be a moron to believe that it can be stolen (as that would require physical access to the computer.

Agreed, unlikely they have cold storage.

However, there may be people who have backups of the cold storage wallet on the same live system, and if the vps (if it runs on a vps) is compromised, there may be clues leading to further compromise of personal computers for instance, if more servers are used.

Poor admin (unless he's in on it of course)

It is only remotely likely that the VPS was compromised. If it was, there would be more constructive things for the hacker to do than buy up all those coins. The hacker obviously isn't stupid, so the chance the VPS was compromised is low.

Given the bitcoinica hack, you shouldn't build your exchange on a VPS?

You don't use MySQL or any database template for finances. You can't go any less than custom for these types of things.

BTC-E learned the hard way.

Why is it unlikely btc-e have no cold storage wallet. Doesn't all exchange have a cold wallet?

Why can't I talk in btc-e chat?

No database template... So what sort of custom solutions are you suggesting? Custom database software? I would have thought that a properly set up and designed database would be excellent for financial purposes due to the ACID nature of them. Please do share your thoughts on this, I am very interested.

Has anyone tried buying/selling with success?

that's not the problem, the problem is withdrawing any USD (that doesn't exist)

that's not the problem, the problem is withdrawing any USD (that doesn't exist)

Has anyone been thinking.. That MAYBE this is REAL? Think about it, It is possible someone threw a million dollars onto btc-e from LR and fucked up the market. MAYBE YOU COULD SELL YOUR COINS FOR $60 RIGHT NOW.

Why would they do that when they could buy on other exchanges for much less

Just found out about this. Anyone else able to withdraw their BTC? The site shows my BTC withdraw as completed but its not showing up on my end yet.

Has anyone been thinking.. That MAYBE this is REAL? Think about it, It is possible someone threw a million dollars onto btc-e from LR and fucked up the market. MAYBE YOU COULD SELL YOUR COINS FOR $60 RIGHT NOW.

Not a remote chance imo because:
1. Millionaires don't become millionaires by paying 5x-10x more than something is worth.
2. A millionaire wouldn't use a site like BTC-e.
3. There are way better methods to launder money without making a scene.

 :D

Anyone who wants, is free to deposit their coins and sell them on BTC-E.

There are currently <20 BTC total depth, with roughly $200,000 USD worth of buy orders  ::)

Like I said before, I x4'd my money because of whatever happened. I'm sure he may have bought a few hundred REALLY LOW (~8.80), then sold that few hundred REALLY HIGH ($60) Rofl

BTC-E should be waking up now.

Will post an update when I speak to Alexey

Like I said before, I x4'd my money because of whatever happened. I'm sure he may have bought a few hundred REALLY LOW (~8.80), then sold that few hundred REALLY HIGH ($60) Rofl

Well were you able to withdraw your money successfully?

Anyone who wants, is free to deposit their coins and sell them on BTC-E.

There are currently <20 BTC total depth, with roughly $200,000 USD worth of buy orders  ::)

An admin just logged on to BTC-E, he has yet to say anything

An admin just logged on to BTC-E, he has yet to say anything

BTC-E should be waking up now.

Will post an update when I speak to Alexey

BTC-E should be waking up now.

Will post an update when I speak to Alexey

[03:32:07 EEST] Hero: hi, u there ?
[03:32:14 EEST] btc-e.support: yes
[03:32:20 EEST] btc-e.support: (handshake)
[03:32:22 EEST] Hero: did you see the huge buy ?
[03:32:48 EEST] Hero: does not seem normal
[03:34:09 EEST] btc-e.support: yes
[03:34:38 EEST] Hero: could you look into it ?
[03:34:47 EEST] Hero: seems like somebody got hold of a lot of cash
[03:35:09 EEST] Hero: and wants to flee with btc
[03:36:22 EEST] btc-e.support: nikname. link
[03:36:51 EEST] Hero: there is no bitcoin left man
[03:36:59 EEST] Hero: somebody is buying everything on btc-e
[03:37:17 EEST] Hero: nobody in their right mind would do that
[03:37:25 EEST] Hero: unles they didn't care about cash
[03:37:49 EEST] Hero: my nick is Hero2
[03:37:53 EEST] Hero: but my account is 0-0
[03:38:16 EEST] btc-e.support: scam?
[03:38:22 EEST] Hero: I don't know
[03:38:25 EEST] Hero: but look into it
[03:38:33 EEST] Hero: you can see who's buying
[03:38:38 EEST] Hero: I can't
[03:38:52 EEST] Hero: people already made small fortunes
[03:39:37 EEST] btc-e.support: well I see, thank you for the information
[03:42:07 EEST] btc-e.support: гoвopитe пo pyccки?
[03:42:31 EEST] Hero: I understand English
[03:42:40 EEST] btc-e.support: oк
[03:55:29 EEST] Hero: at least halt withdrawals
[03:55:33 EEST] Hero: till this is sorted out
[03:55:42 EEST] Hero: more than likely, the USD used to buy are not real
[03:55:50 EEST] Hero: fake account, or stolen USD
[03:57:33 EEST] btc-e.support: resort to the assistance of the police?
[03:57:57 EEST] Hero: man, just stop things now
[03:58:06 EEST] Hero: until u see what happened
[03:58:15 EEST] Hero: then you can go to police
[03:59:03 EEST] btc-e.support: okey
[03:59:16 EEST] Hero: if possible plug out the database
[03:59:30 EEST] Hero: and secure btc wallets
[03:59:47 EEST] Hero: in case u got hacked
[04:00:38 EEST] btc-e.support: [4:44:28] Hero3: Awesome! Listen, I just made a 140.06 Bitcoin deposit... 1 confirmation already...

Can you "release it" for me now?! Is that possible?! Please!  

I want to sell!  $_$



<<<
[04:01:17 EEST] Hero: exactly,
[04:01:25 EEST] Hero: somebody is buying all
[04:01:47 EEST] Hero: and people are selling
[04:01:52 EEST] Hero: they want the money
[04:01:56 EEST] Hero: it's crazy
[04:02:01 EEST] Hero: gold rush
[04:02:31 EEST] Hero: but somebody has already lost a lot of USD
[04:02:35 EEST] Hero: I don't know if you
[04:02:44 EEST] Hero: or clients
[04:02:46 EEST] Hero: or who
[04:03:27 EEST] btc-e.support: rather, I
[04:03:31 EEST] Hero: stop it man
[04:03:37 EEST] Hero: trading is still on
[04:03:40 EEST] Hero: wtf are you doing
[04:04:16 EEST] btc-e.support: you need to time. this is the same system
[04:06:26 EEST] * btc-e.support left the chat (Only people who have accepted contact request can be added).

Somebody was giving answers on skype:

The guy/girl didn't seem to understand much of what was going on.

Hes talking on the russian side, no idea what hes saying...

This is a hack.!

This is a hack.!

The guy/girl didn't seem to understand much of what was going on.

This is a hack.!

This is a hack.!

This is a hack.!

This is a hack.!

3 hours after it started ... sigh

About 4.5 hours after the trading started. Someone needs a hotline.

Withdrawal BTC is temporary off.

Sooo... I transfered btc from mt.gox over to btc-e before i saw the price issue/hack. My coins still have not appeared after 6 confs, what are the chances Ill see those coins again?

They halted trading!!  :o

That will depend on the scope of their losses, whether they're able and willing to make them up, and if not, how they apportion them.

Hmm I think Ill stick to gox after this...

Seriously, how hard would it be to write some code which starts ringing your phone/activates an alarm in your home or whatever when this kind of unusual activity takes place?  It's ridiculous how often these things don't get stopped at the outset because there's no system in place for the owner to be contacted and notified immediately.

It would not be very hard. But what about cost of implementation? Who in the right mind would pay to implement that type of system for the thousands of users of BTC-E?

It would not be very hard. But what about cost of implementation? Who in the right mind would pay to implement that type of system for the thousands of users of BTC-E?

Sorry, I meant only for the alarm to notify the site owner so that they can suspend trading, back up the database, take the site offline or whatever.  More than once, bad stuff has happened while owners are asleep and no-one's been able to contact them to let them know strange shit is happening.  In the physical business world, there's usually a system in place for businesses to be contacted if they're broken into out of hours.

I think this guy had the right idea :

https://bitcointalk.org/index.php?topic=96840.msg1067100#msg1067100

I agree. Every exchange and Bitcoin holder should implement and build something to this sort.

My exchange in development already have a different wallet for each user.

So you don't plan to do hot/cold wallets? Or you are going to have two wallets for each user?

that's more than 1.6 million $ of most likely fake USD to purchase and withdraw BTCs at prices arround 40btc

Any chance the money came from sold LTC that were forked due to successful 51% attack?

Any chance the money came from sold LTC that were forked due to successful 51% attack?

This stuff has to happen if we are ever to learn. Bitcoins will always be solid, but exchanges have  aways to go.

Pretty slow learners then.  It's not like any of the hack/cracks to date have been sophisticated or involved zero day exploits.

So, how low do you all think BTC will go with tomorrow's inevitable post-hack panic sales? I'm calling $4.50.

Just wait until BTC-E reverses transactions and/or refuses USD withdrawals.

bitcoin

better than television any day of the week

...
Any chance the money came from sold LTC that were forked due to successful 51% attack?

dev: we got some fake LR deposits so they just bought btc and withdraw

dev: karl1982, exchange not hacked, we just receive fake LR USD

Did they shut down deposits?  Some are claiming that they sent BTC to the exchange during the hack and that they have not confirmed, i.e. the deposits are in limbo or the hackers fucked with the deposit addresses.

dev: we got some fake LR deposits so they just bought btc and withdraw

dev: karl1982, exchange not hacked, we just receive fake LR USD

dev: we do rollback right now

dev: ian85, i think it was secret brute

I took a bunch of screenshots of the chat window during the madness if anyone is interested:

http://www.bitcointrading.com/forum/index.php?topic=938.0

and after that point I just recorded a video of the chat window with Freez Screen.  Let me know there is enough interest to upload.

There isn't a publicly avaiable timestamped log of their chatroom?

dev: we got some fake LR deposits so they just bought btc and withdraw

dev: karl1982, exchange not hacked, we just receive fake LR USD

I'm kind of having a hard time seeing what the difference is. If you can get fake USD into an exchange, you've hacked it.

I'm kind of having a hard time seeing what the difference is. If you can get fake USD into an exchange, you've hacked it.

Maybe he means that the hack was LR side?

Maybe he means that the hack was LR side?

That would be good - that would mean that LR is up to cover the money and all the BTC-e transactions should all be unchanged ...

dev: we do rollback right now

...

They can reverse all the trades and restore balance to pre-hack time. But they will not be able to give back BTC that have been withdrawn. So either they make good and buy it in the market, or they say tough luck and customers lose. I expect they'll reverse everything and then see how much BTC they would need to buy. And at that point they'll decide who loses.

No limit(

That's why you make backup, so in case of problems you do a rollback and problem solved. Not like the scammers of bitcoinica that "we have no backups lol"

Not true. there is a 2000BTC limit. Asshole doesnt know what the fuck he is talking about.

well, theres no meneaning in being rude.

"Our advantages:

 •Trading in automatic mode.
•Addition USD deposits within 24 hour
•Instant deposit/withdrawal all coin
•USD Withdrawal within 24 hours

i havent tried withdrowing more than 2000 btc.
so if im wrong, than its good.

Unfortunately, it's not problem solved for at least two reasons. First, you can't rollback coin withdrawals. (They may have a similar problem with LR withdrawals, but I doubt it.) Second, you will have customers who will, in many cases justifiably, feel that rolling back legitimate trades rips them off. (You'll also have a bunch of jerks demanding to keep their ill-gotten gains, such as people who deposited BTC, sold them for $50 each, and then tried to withdraw USD. But screw them.)

For example, consider someone who saw the price rise at BTC-e and then bought a Mt. Gox code and then bought bitcoins at Mt. Gox, withdrew them from Gox and deposited them at BTC-e. A rollback would give them their bitcoins back. That still leaves them out the commission they paid for the Gox code plus  two Mt. Gox commissions (buying the bitcoins and then having to sell them). They also may take exchange losses depending on the timing and are left having to withdraw USD from Mt. Gox.

After the price rose above $12, it was extremely obvious that this was a hack. Anyone who traded elsewhere with the assumption that the btc-e trade was legit deserves to have the trade rolled-back.

After the price rose above $12, it was extremely obvious that this was a hack. Anyone who traded elsewhere with the assumption that the btc-e trade was legit deserves to have the trade rolled-back.

Also, watching it happen, it wasn't obvious to me that it was an exchange hack until much later. In fact, until very late I considered it still a possibility that someone was using a large amount of real LR.

Equilibrium restored
https://i.imgur.com/3awQU.png

Not yet. They can draw USD and BTC balances as they were before the hack, but what will happen if everyone try to withdraw all their money? Does BTC-e have enough funds to cover every claim?

Withdrawal BTC is temporary off.

Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

I wonder how the attack worked... You think there's a way to brute force the API key offline? Did btce or LR allow millions of attempts at guessing it? Probably got hacked some other way.

After the price rose above $12, it was extremely obvious that this was a hack. Anyone who traded elsewhere with the assumption that the btc-e trade was legit deserves to have the trade rolled-back.

I agree..... Some people are just greedy...

Btw, they had backups, they reverted the trades and they will pay everything, to me it seems BTC-E is facing the problem in the best way. Not like the idiots/scammers of bitcoinica

Oh please, it has nothing to do with being greedy (we all are). The trades got rolled back because they weren't real trades. If you sold for $50 of fake LR, you can't expect the exchange to pay you out in real LR.

Don't forget the worlds most powerful brute force cracking machine is being built, it's hard to know what is safe from some of the mining rigs out there now and there is custom hardware on the way...

How do you figure it has nothing to do with being greedy? The second people saw a problem, they ran and tried to sell coins.. How is that not greedy?

Brute Force a 16 character password? I don't think so. Somehow the hacker found it.

It looks like some hacker/scammer injected a huge amount of FAKE capital and bought the ACTUAL coins on the market.

I don't think a hack like this means they have access to the wallet, it just looks like they pumped a bunch of funny money USD into the market to make the transactions legit. I suspect the coins are giggity-gone at this point.

I love being right  :P

Everybody, please, repeat after me:

"The bitcoins I have on an exchange are not my bitcoins. They are an obligation of the exchange to pay me back said number of bitcoins."

If the exchange gets hacked and loses its bitcoins, it cannot meet that obligation, and you will have no bitcoins to withdraw. Hence, they were not and are not your bitcoins, they belonged to the exchange.

It's like having money in a bank without deposit insurance. It's not actually your money, it's a bank's obligation to pay you back the money on demand. Will they be able to meet that obligation? Who knows.

Everybody, please, repeat after me:

"The bitcoins I have on an exchange are not my bitcoins. They are an obligation of the exchange to pay me back said number of bitcoins."

If the exchange gets hacked and loses its bitcoins, it cannot meet that obligation, and you will have no bitcoins to withdraw. Hence, they were not and are not your bitcoins, they belonged to the exchange.

It's like having money in a bank without deposit insurance. It's not actually your money, it's a bank's obligation to pay you back the money on demand. Will they be able to meet that obligation? Who knows.

They are still your bitcoins, because they can be used as them on demand. That's like saying the money I have at the bank is not my money. Really, all money is just an obligation of someone to pay me back for something.

They are still your bitcoins, because they can be used as them on demand.

Really, all money is just an obligation of someone to pay me back for something.

Tell that to ThiagoCMC.

No. Money is not necessarily an obligation. Money is the most fungible commodity in an economy. And just like with every other commodity, no one is obligated to give you anything for the money commodity.

Now, currencies - or money substitutes - are obligations. Traditionally, the dollar was an obligation (of the Federal Reserve) to pay someone back in gold, on demand. The British Pound was an obligation of the Bank of England to pay back the holder of said currency in sterling silver. Neither of these currencies are obligations any longer.

There is no such infrastructure in place for bitcoin, and there likely will never be.

Money is an obligation in the sense that it only has value if people pay you back for it.

I don't like how people tell others that the deposits aren't money, because for practical purposes they are. They aren't risk-free though, but nothing is.

That's not what an obligation is. Just because something only has value (to you) if people are willing to exchange it for something doesn't make it an obligation. No obligation has been entered into by anyone.

No, for practical purposes, the bitcoins you have at BTC-e right now are not money. They are numbers on a website called btc-e.com.

Hoвocти / Trade is stopped

16:04 31.07.12 from support
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

The bitcoins you have right now are also not money, if you define it that way. They are numbers on your computer.

Also, BTC-E codes were accepted by companies before the hack. These people are (or were) willing to exchange BTC-E codes.

No. Because these numbers I have on my computer are actually exchangeable for something. The numbers on btc-e.com are not.

I imagine that will change very quickly. But if this is the case then you are completely correct, a balance at btc-e.com is a sort of money, just not as widely accepted as bitcoins.

I guess my basic point was that it is an error to view as equivalent bitcoins and a bitcoin balance on an exchange. They are not equivalent. Bitcoinica is, perhaps, a better example of this than BTC-E.

Why do you say so?
I see a demand for deposit insurance in bitcoin world. If nobody has offered that yet is probably because nobody has the skills and money to start one, or those who eventually have the skills (and money) are not aware, or do not believe in, such demand. In any case, this may change.

Modern day deposit insurance is a moral hazard that only exists because the ability to print fiat from nothing exists.

Since bitcoins can't just be created out of thin air, I think it would be very difficult to insure them.

runeks, I think there's a lot of confusion around here about things like securities, obligations, commodities, currency, money, etc.  You're addressing a nuance that I don't think most people grasp, because a year and half ago I know I didn't.  But I appreciate your effort.  People like you helped me better understand these things.

Modern day deposit insurance is a moral hazard that only exists because the ability to print fiat from nothing exists.

Since bitcoins can't just be created out of thin air, I think it would be very difficult to insure them.

Trading has resumed: https://bitcointalk.org/index.php?topic=96912.0;topicseen

The platform should not resume its operations before understanding what happened and taking measures for it not to happen again. At least Liberty Reserves deposits and withdraws should be temporarily closed, since that's what leaked.

Insuring willful failure only disrupts progress and growth. Deposit insurance will hopefully disappear one day.

This worries me.
Have they figure out how the password leaked?

It definitely was not brute-forced. In the best case, it was "guessed" or "dictionary attacked" if it was not random enough, and then changing it should be enough. But if it has leaked (what I find most likely), and BTC-e doesn't know how it leaked, then the same thing may just happen again.

The platform should not resume its operations before understanding what happened and taking measures for it not to happen again. At least Liberty Reserves deposits and withdraws should be temporarily closed, since that's what leaked.

This worries me.
Have they figure out how the password leaked?

It definitely was not brute-forced. In the best case, it was "guessed" or "dictionary attacked" if it was not random enough, and then changing it should be enough. But if it has leaked (what I find most likely), and BTC-e doesn't know how it leaked, then the same thing may just happen again.

The platform should not resume its operations before understanding what happened and taking measures for it not to happen again. At least Liberty Reserves deposits and withdraws should be temporarily closed, since that's what leaked.

I'm no expert, but I don't think it was "guessed" or "dictionary attacked" because it wasn't that kind of password. An API key would just be a random string, like a btc address. (like "wE7rtGvs19EImfY5")

No reason we cant have financial insurance with bitcoin, put in perspective of the East India Company, Lloyds insurance and pirates on the high seas there isn't a whole lot in the difference.

No reason we cant have financial insurance with bitcoin, put in perspective of the East India Company, Lloyds insurance and pirates on the high seas there isn't a whole lot in the difference.

The only way someone could insure bitcoins would be to collect enough in premiums to cover a certain amount - which would be the premiums MINUS the insurers operating costs.

Each company would be better off using their money for their own reserves rather than paying premiums to an insurer. Sounds like BTCe had it right, and kept a small enough percentage of their holdings in their hot wallet to prevent catastrophe.

YAY! Got my coins back!!
Thanks BTC-e!!

according to some quick calculation, a password that uses a 62 characters big alphabet, and is 16 characters long has a maximum theoretical security of 2^80 (this figure is only a very poor estimation)you dont actually need to try all 2^80. you only need to go through 2^40 before you have 50% chance of hitting it. the attacker would compute this offline.2^80 requires a non trivial amount of work but anything below 2^128 is considered theoretically possible.

a 256 bit hash function gives a maximum theoretical security of 2^128.

a 256 bit hash function gives a maximum theoretical security of 2^128.

You need to specify which attack you are talking about in order to claim that the "security" of a hash function is so-and-so. For a collision attack - finding two messages that hash to the same value - 2^128 attempts is required (to have a 50% possibility of finding it) for a 256-bit hash function. But in order to find which message hashes to a certain hash you need to try 2^256 combinations (for a 50% probability of succeeding).

Also, if a password has 2^80 combinations you need to try 2^80 combinations in order to have a 50% probability of finding the correct password, not 2^40.

Shouldn't that be 2^(N-1). ? In this case, 2^79 tries gives equal odds of finding the key.

Shouldn't that be 2^(N-1). ? In this case, 2^79 tries gives equal odds of finding the key.

and again the attacker does not have to try this against lr's servers, once you have access to the hash you can do the attack in an offline manner, with the limit to how many hashes you an compute only being limited by your computing power.

and a hash function that has had a single collision found is considered cryptographically broken. so that is correct as well.

I hope they will at least honour the 40 BTC deposit. I highly doubt they will honour the sells at the high price yesterday.

Having trouble buying this.

Having trouble buying this.

I think it should be pretty obvious that nobody bruteforced sha-256 or the key, you are overcomplicating - there are so many ways the password can be leaked and so few ways it could be cracked, that I'd bet my car against a beer on chances of crack vs leak  :)

In most of these API implementations, they key is checked by an endpoint, and in some badly written systems it stores the key for verification directly in code or config files, which in some badly managed systems can be seen by developers or god knows who while in transit. Even if they key only exists on production servers where only trusted admin has access to, who can be sure that their cheap hosting company (interserver) which does backups for them does proper encryption?

All in all, if site operators really believe in what they posted, then it's a good enough reason to never put any BTC on that exchange, as they obviously don't understand what happened. Or lied. Or both :)

PS but at least they handled the situation well. Better than most other victims of the bitcoin economy :)

I think it should be pretty obvious that nobody bruteforced sha-256 or the key, you are overcomplicating - there are so many ways the password can be leaked and so few ways it could be cracked, that I'd bet my car against a beer on chances of crack vs leak  :)

In most of these API implementations, they key is checked by an endpoint, and in some badly written systems it stores the key for verification directly in code or config files, which in some badly managed systems can be seen by developers or god knows who while in transit. Even if they key only exists on production servers where only trusted admin has access to, who can be sure that their cheap hosting company (interserver) which does backups for them does proper encryption?

All in all, if site operators really believe in what they posted, then it's a good enough reason to never put any BTC on that exchange, as they obviously don't understand what happened. Or lied. Or both :)

PS but at least they handled the situation well. Better than most other victims of the bitcoin economy :)

It seems more like a Man-in-the-Middle attack, there would have been sniffing involved in uncovering the secret keys. It is also possible that a simple XSS "Cross-Site-Scripting" vulnerability been involved in revealing the secrets "it could be the account number field ;)".

Except this API key shouldn't be doing anything that would be overly vulnerable to XSS.  MiM is possible, but if LR isn't using HTTPS, or they were not verifying the certificate chain (entirely possible) then someone is an idiot.

I often hear man-in-the-middle attacks mentioned, but how do they work exactly? I mean, I know the attacker is able to position himself between the target and whatever server the target is trying to reach, but how on earth does he do this? By poisoning the DNS cache of the target? Or through some other means? I mean, I find it pretty hard to understand how I can connect to a site, and someone can somehow inject himself into the path between me and the site.

...
DNS poisoning, ARP poisoning, script kiddie at your ISP, malware editing your hosts file, etc.

Well unless they were hacked, none of those should work over a secure link ...

I often hear man-in-the-middle attacks mentioned, but how do they work exactly? I mean, I know the attacker is able to position himself between the target and whatever server the target is trying to reach, but how on earth does he do this? By poisoning the DNS cache of the target? Or through some other means? I mean, I find it pretty hard to understand how I can connect to a site, and someone can somehow inject himself into the path between me and the site.

There are multiple MITM techniques. The simplest ones are the ones that take place in the same local network where you and the attacker are connected to the same network/subnet. Anyways, what I mean by MITM attack here is that the secret keys were not cracked but been captured. It could have been done by an insider or even someone in the ISP!

Not even ISP. BGP is very insecure, anyone able to publish routes can have traffic for any address on the internet routed to them.

BGP is very insecure, anyone able to publish routes can have traffic for any address on the internet routed to them.

I often hear man-in-the-middle attacks mentioned, but how do they work exactly? I mean, I know the attacker is able to position himself between the target and whatever server the target is trying to reach, but how on earth does he do this? By poisoning the DNS cache of the target? Or through some other means? I mean, I find it pretty hard to understand how I can connect to a site, and someone can somehow inject himself into the path between me and the site.

However the above scenario is HIGHLY unlikely, to the point I have a better chance of answering my door to find mila kunis there ready to be my sex slave AND my wife being ok with it.

However the above scenario is HIGHLY unlikely, to the point I have a better chance of answering my door to find mila kunis there ready to be my sex slave AND my wife being ok with it.

Tell that to ThiagoCMC.

No. Money is not necessarily an obligation. Money is the most fungible commodity in an economy. And just like with every other commodity, no one is obligated to give you anything for the money commodity.

Now, currencies - or money substitutes - are obligations. Traditionally, the dollar was an obligation (of the Federal Reserve) to pay someone back in gold, on demand. The British Pound was an obligation of the Bank of England to pay back the holder of said currency in sterling silver. Neither of these currencies are obligations any longer.

I'm not sure if, when using a "secret prefix" (as its known), one is able to replace the last part of the message, or if it's just possible to add something to the end though.

if indeed they dont use any scheme to integrity protect their messages, someone that is sitting ANYWHERE between lr and btc-e can modify/inject anything they want into the messages...this could give the person essentially free reign to do whatever it wanted actually.

What if Mila Kunis is your wife?

What if Mila Kunis is your wife?