Bitcoin Forum
Author Topic: bitfloor needs your help!  (Read 92016 times)
shtylman
September 04, 2012, 05:08:52 PM
 #1

As much as I regret the post I am about to write I feel that it is only fair and holding to the spirit of BitFloor that I disclose everything that is going on and make the information available. Please read the entirety of the post. As always, if you have any questions please post them here versus contacting support so that other users may benefit from the answer (unless it is private).

Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations. Even tho only a small majority of the coins are ever in use at any time, I felt it inappropriate to continue operating not having the capability to cover all account balances for BTC at the time.

Due to the serious nature of what has happened I am currently evaluating options for BitFloor. One of the last things I want to happen is for BitFloor to shut down and cause more panic in the bitcoin community. The platform itself is very valuable and provides an important and friendly service to many users.
BitFloor is very much focused on the end user and creating a reliable and trusted platform for everyone. Through exchange user support, I can continue to operate BitFloor. I believe that posting the exchange source and being even more transparent about operations would be a step in this direction if we were to continue operating. BitFloor is currently the #4 USD exchange and #1 in the US.

As a last resort, I will be forced to fully shut BitFloor down and initiate account repayment using current available funds. I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack.

I realize that saying that I appreciate everyone's understanding is a moot point, however I do wish to re-iterate that my goal is to find the best and most reasonable way forward for BitFloor customers and the exchange and not create more panic that the community has already seen time and time again.

I would like to keep this thread focused on evaluating ideas of BitFloor operation and will create a separate thread for discussion (see below) about the actual transactions and tracing the coin theft. I will not speak in detail about the actual breach at this time as my current focus is on the future and not the past.

In the interest of information for tracking stolen coins:
https://bitcointalk.org/index.php?topic=105819.0

~Roman
DeathAndTaxes
September 04, 2012, 05:16:19 PM
 #2

Please quantify the amount of BTC lost as well as the total BTC owed.
What % of BTC were lost?

From the tx it looks like 30K BTC in outputs (although one involved two large outputs so it is unclear what is going on there).

Was there a loss of any USD funds?

Gerald Davis  CEO, Tangible Cryptography Inc.
BitSimple. A simpler way to buy and sell bitcoins
shtylman
September 04, 2012, 05:18:16 PM
 #3

Please quantify the amount of BTC lost as well as the total BTC owed.
What % of BTC were lost?

From the tx it looks like 30K BTC in outputs (although one involved two large outputs so it is unclear what is going on there).

This was almost all of the BTC.

Was there a loss of any USD funds?

No. All USD bank accounts are secure. And all records for the current status of the exchange (accounts, trades, etc) are all also secure.
jojo69
September 04, 2012, 05:19:25 PM
 #4

unencrypted backup HuhHuh

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
shtylman
September 04, 2012, 05:21:02 PM
 #5

unencrypted backup HuhHuh

Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk. I realize the details of the failure and attack are interesting but I am currently focused on user accounts and exchange status going forward.
nimda
September 04, 2012, 05:21:37 PM
 #6

How long, given average operation, would it take to regain the 25K in fees?

BTC.sx - Leveraged Bitcoin Trading. Simply use Bitcoin to take advantage of a rising or falling Bitcoin price.
I recommend asking me for a signature from my firstbits or GPG key before doing a trade. I will NEVER deny such a request.
DeathAndTaxes
September 04, 2012, 05:21:41 PM
 #7

Oh well that is worse by the description above I thought only the hot wallet funds were lost.  So there was an online plaintext copy of the cold wallet?

So ~30K of ~30K in BTC has been lost?

shtylman
September 04, 2012, 05:23:02 PM
 #8

So ~30K of ~30K in BTC has been lost?

The amount totals to ~24K BTC.
1nject0r
September 04, 2012, 05:24:18 PM
 #9

I understand they can decrypt and use that coin tell me your website or even anything if u want me to secure Smiley email us we will investigate

cyberwings.gov.pk@gmail.com

Buy premium script shopping item and much more via LR AND BITCOIN http://searchnow.pro Donate Us via Liberty reserve account U5110163 Or Bitcoin 1NecBPZ7mvJ37bJLFSpWf9pNezpcQQU6NU If u wanna donate Us via Western Union contact Us on lovecreatmafia@gmail.com
SkRRJyTC
September 04, 2012, 05:24:43 PM
 #10

So ~30K of ~30K in BTC has been lost?

The amount totals to ~24K BTC.

Why was the majority of this not in a cold wallet?

How long under normal operation would it take for BitFloor to recoup the loss in the form of fees?
edd
September 04, 2012, 05:25:39 PM
 #11

What kind of help do you need?

Bitfloor provided a great service and I'm willing to forego collecting my meager holdings of 2.98 BTC if it helps at all with paying out other customers wishing to withdraw.

If there is any way I can help as a bitcoin business owner, please PM me.

BitBrew - Buy Coffee for BTC, The Bitcoin List - Online Directory of BTC Sites, Operation Fabulous - BTC Based Advertising Platform, Bitcoin General Store - Buy All Kinds of Physical Goods for BTC
shtylman
September 04, 2012, 05:26:47 PM
 #12

How long, given average operation, would it take to regain the 25K in fees?

We have seen steady growth over the last few months but our 30 day volume is ~64K BTC (717K USD) and given that we get 0.3% from each trade this means we make roughly 2.1k per month in USD (210 BTC at current rate). So quite a long time if trading did not ramp up. Regardless of the recovery time I felt it important to make this announcement as it impacts many users and the community.
DeathAndTaxes
September 04, 2012, 05:28:28 PM
 #13

Why was the majority of this not in a cold wallet?

This. 

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

Quote
Even tho only a small majority of the coins are ever in use at any time

jojo69
September 04, 2012, 05:28:47 PM
 #14


Why was the majority of this not in a cold wallet?




hey, I realize this is an interesting question, but we are focused on the future here

 Roll Eyes

shtylman
September 04, 2012, 05:29:56 PM
 #15

Why was the majority of this not in a cold wallet?

This. 

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

Quote
Even tho only a small majority of the coins are ever in use at any time


Yes. I realize this. I cannot undo it (believe me, I would if I could).
TangibleCryptography
September 04, 2012, 05:33:47 PM
 #16

Since neither the USD balances nor account records have been compromised please process scheduled ACH withdraws.

We have a pending ACH withdraw which should be processed today.
Should we send ACH withdraw request for the balance by email since the site will be down for the immediate future?
SkRRJyTC
September 04, 2012, 05:34:46 PM
 #17

Quote
Even tho only a small majority of the coins are ever in use at any time

I guess what this means is that he realizes that he could have continued operating under a fractional banking model but chose not to.  Which is good.

This also means most of the coins should have been in cold storage, but they weren't.  Which is bad.


So far BitFloor has been great.  I would want the service to continue operation.

Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?
shtylman
September 04, 2012, 05:35:21 PM
 #18

Since neither the USD balances nor account records have been compromised please process scheduled ACH withdraws.

We have a pending ACH withdraw which should be processed today.
Should we send ACH withdraw request for the balance by email since the site will be down for the immediate future?

ACH withdrawals placed before the compromise have been processed. New withdrawals are currently on hold while I work through the future of the exchange.
BoardGameCoin
September 04, 2012, 05:36:52 PM
 #19

So far BitFloor has been great.  I would want the service to continue operation.

Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

+1

I'm out ~ 30 BTC on this one. Probably not as many, but I was intending to get those coins off the exchange soon.

I'm selling great Minion Games like The Manhattan Project, Kingdom of Solomon and Venture Forth at 4% off retail starting June 2012. PM me or go to my thread in the Marketplace if you're interested.

For Settlers/Dominion/Carcassone etc., I do email gift cards on Amazon for a 5% fee. PM if you're interested.
shtylman
September 04, 2012, 05:37:01 PM
 #20

Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.