Bitfinex Seeks Communication With Bitcoin Thief

[Esphere.in]

losing 120,000 bitcoin is just awful ,if they are holding this much value they should have spend some money on security audition from time to time that could have saved them ,if you want to cut down your budget you must expect these kind of hacks,why would they hold this much coin their wallet,just amateur stuff from the team,you can request the people behind the hack to come forward for a reward when they are holding millions worth of coins .awesome try

[mk4]

I don't see this working. Pretty much Bitfinex is offering the hacker a way-smaller bounty in exchange for the bitcoins that have been stolen?

Ofcourse the hacker wouldn't want that. Not to mention, the hacker risks a small chance of getting caught (depending on how good his/her OPSEC is).

[ObscureBean]

Ok I'm not accusing anyone and I'm not a coding expert but I've been wondering about this ever since they got hacked. And it's not really specific to Bitfinex either, I'm curious as to whether something like this would be theoretically possible: What if this multi signature security 'flaw' was purposefully baked into the design from the beginning, basically a calculated long term scam, and they were just waiting for the right time to trigger it? Could someone pull off a stunt like this?

[isen]

This is strange I can't understand Bitfinex owners,do they really expect from the hacker to show and communicate with them and then return the stolen funds?
This is never going to happen,Im sure that he has already mixed these coins,exchanged them into fiat and now enjoys a luxury life.

[Quickseller]

But I doubt it will work, because the hacker would have to trust Bitfinex that he is not exposed to risk of identification.

Bitfinex has proposed ways to communicate with that hacker that should not expose the hacker's identity:

• We believe that a combination of Tor and an anonymous email service should suffice to protect your identity and location. Encrypting your message with our PGP key further guarantees privacy from prying eyes, but to prove your authenticity to us, we ask that you provide the public key associated with 1QDBWKgfftwuraEasMGSUvj9PPrswZv19q and sign your message with the corresponding private key.
• Instead of using e-mail, you can send the authenticating information via Bitmessage and Tor. Our Bitmessage address is BM-2cW79647sMFe3fJKKGKAwXWwTSS293meq8.
• Alternatively, you can send us a message on the Blockchain using OP_RETURN. You can encrypt a message (containing your pub key) with our PGP key, split up the message into 80-byte chunks, and send transactions to 19eT7KGKo1gFjgBhEF4957wVNugkc2cakK from any one of the 2072 addresses currently holding the bitcoins in question.

But first of all it's questionable in the first place that the hacker has any motivation to make a deal, because he may have already washed all his coins and has zero problems spending them.

The hacker stole roughly 119,000 BTC. The only mixer that has been around a long time without claims of theft is bitmixer, who claims to be able to handle a maximum of ~2,500BTC, however they could only handle this one time because if the hacker were to mix 2,500BTC twice then he would simply get coins associated with what he originally sent them.

Even if you use a mixer, your coins can potentially be traced, especially if large amounts are involved via advanced blockchain analysis. Some blockchain analysis companies apparently know a portion of the various mixer's addresses.

A deal would likely be something along the lines of the hacker returning 1,000 BTC to bitfinex, then bitfinex sends the hacker 100 BTC (or whatever agreed upon amount)worth of XMR (or some other untraceable altcoin), the hacker sells said XMR on an exchange and the process is repeated 119 times.

[franky1]

now the divorce is over he if secretly holding the coins but trying to gain fiat from outside investors via
https://bnktothefuture.com/pitches/bitfinex

that way he can keep the coins and off load the debt to VC's.

Then the affected users have every right to get the authorities involved. People with criminal minds should not be allowed to get away with their exploits.

they have the right to. but technically they have been baited and switched.
by now having *cough* equity *cough* in bitfinex, they are now part of it. thus by reporting it. their own "equity" would get locked and then put into a government pot that gets eaten up by lawyers for a couple years.

its a smart thing. make users scared to lose out on something twice, if they take legal action.

so now they have to follow the carrot (hoping bitfinex pays them back), because the stick (legal action) loses them more.

afterall. its been a couple years.. how many mtgox customers have got anything at all back. but how many lawyers have got a nice christmas bonus

[Wind_FURY]

It seems to be a desperate attempt by Bitfinex to get at least part of the funds back. But I doubt it will work, because the hacker would have to trust Bitfinex that he is not exposed to risk of identification. Even if Bitfinex enters a deal with the hacker this won't stop the ongoing investigations by law enforcement.
But first of all it's questionable in the first place that the hacker has any motivation to make a deal, because he may have already washed all his coins and has zero problems spending them.

The whole announcement might even be a red herring, assuming that the alleged "hack" was an inside job by the Bitfinex operators...

ya.ya.yo!

If the hack was not an inside job then this should be viewed as a desperate last effort for Bitfinex to recover the stolen funds. This means that they might be having financial and liquidity/cash flow problems and the exchange might even shut down in the near future. It would also mean that there might be a group of whales in the exchange who might press charges if they do not get their Bitcoins back in full.

If the hacker does not communicate with Bitfinex then I would expect a bad press release from them in 2 or 3 months.

[Xester]

On August 2nd the Hong Kong-based Bitcoin exchange Bitfinex was compromised for roughly $70 million worth of Bitcoin. According to sources, the attacker managed to drain the exchange through its multi-signature security — gaining 120,000 BTC from the breach. Now the exchange is trying to reach out to the responsible party in an attempt to get its customers’ Bitcoin returned.

https://news.bitcoin.com/bitfinex-seeks-bitcoin-thief/

The question is if bitfinex itself was the mastermind in the hacking. First and foremost bitfinex is a large company and has the capability of spending millions to investigate using very highly skilled programmers. It is just an opinion but I do hope bitfinex is guilt free and will be successful taking back the coins. Whether it inside job or done by outside hacker the bitcoin is impossible to retrieve.

[jacktheking]

I am not sure about the full story but I do hope that Bitfinex will be able to contact the team that is responsible for the hack. I really hope that the hackers will consider returning those Bitcoin to its original owners and explain how they manage to bypass Bitfinex's security. This can make Bitcoin stronger which is something that I believe every good Bitcoiners and tech-savvy people (like those hackers) wants.

On August 2nd the Hong Kong-based Bitcoin exchange Bitfinex was compromised for roughly $70 million worth of Bitcoin. According to sources, the attacker managed to drain the exchange through its multi-signature security — gaining 120,000 BTC from the breach. Now the exchange is trying to reach out to the responsible party in an attempt to get its customers’ Bitcoin returned.

https://news.bitcoin.com/bitfinex-seeks-bitcoin-thief/

The question is if bitfinex itself was the mastermind in the hacking. First and foremost bitfinex is a large company and has the capability of spending millions to investigate using very highly skilled programmers. It is just an opinion but I do hope bitfinex is guilt free and will be successful taking back the coins. Whether it inside job or done by outside hacker the bitcoin is impossible to retrieve.

I really doubt that it is an inside job though. I cannot understand why Bitfinex would want to do this if they already have enough profit from trading fees.

[pawel7777]

This is strange I can't understand Bitfinex owners,do they really expect from the hacker to show and communicate with them and then return the stolen funds?
This is never going to happen,Im sure that he has already mixed these coins,exchanged them into fiat and now enjoys a luxury life.

Well, it did work for BTER, after negotiations they got 85% of stolen NXT back from the hacker:
https://cointelegraph.com/news/exclusive-key-negotiator-in-bter-nxt-hack-speaks-out

If the story is true (could've been as well an inside job), then it was definitely worth it.

[killerjoegreece]

On August 2nd the Hong Kong-based Bitcoin exchange Bitfinex was compromised for roughly $70 million worth of Bitcoin. According to sources, the attacker managed to drain the exchange through its multi-signature security — gaining 120,000 BTC from the breach. Now the exchange is trying to reach out to the responsible party in an attempt to get its customers’ Bitcoin returned.

https://news.bitcoin.com/bitfinex-seeks-bitcoin-thief/

I dont think there will be any communication whatsoever. why would he communicate? If he does it may be easier to get caught...

[cjmoles]

Well, the whole thing's fishy and if the thief returned the funds, then that would make it even fishier.  The whole thing just makes me wonder how these things are carried off in the first place.  The best thing that will come out of this is a new consumer awareness of personal security and the need for more transparent security audits before committing one's resources to a centralized platform.

[MingLee]

Well, the whole thing's fishy and if the thief returned the funds, then that would make it even fishier.  The whole thing just makes me wonder how these things are carried off in the first place.  The best thing that will come out of this is a new consumer awareness of personal security and the need for more transparent security audits before committing one's resources to a centralized platform.

Could be partly inside job (however unlikely), it is more than likely someone who legitimately hacked the website through some exploit they found (or socially engineered) and exploited it over the course of some period of time to the point where he was able to steal everything.

[cjmoles]

Well, the whole thing's fishy and if the thief returned the funds, then that would make it even fishier.  The whole thing just makes me wonder how these things are carried off in the first place.  The best thing that will come out of this is a new consumer awareness of personal security and the need for more transparent security audits before committing one's resources to a centralized platform.

Could be partly inside job (however unlikely), it is more than likely someone who legitimately hacked the website through some exploit they found (or socially engineered) and exploited it over the course of some period of time to the point where he was able to steal everything.

Either way, it just demonstrates the risk involved in trusting centralized services with our money.  There has to be a better way of insuring that we remain personally in control of our own wealth.  If we don't have to worry about an inside job, then we have to worry about the centralized service's security competence.  There has to be a way of keeping control over one's private keys while utilizing these types of services....it's too risky otherwise.

[franky1]

Either way, it just demonstrates the risk involved in trusting centralized services with our money.  There has to be a better way of insuring that we remain personally in control of our own wealth.  If we don't have to worry about an inside job, then we have to worry about the centralized service's security competence.  There has to be a way of keeping control over one's private keys while utilizing these types of services....it's too risky otherwise.

multisig. 2of2   exchange has 1, user had the other. funds cant move unless both sign.

i think LN will make this a hell of alot easier, once LN sorts out its flaws

[cjmoles]

Either way, it just demonstrates the risk involved in trusting centralized services with our money.  There has to be a better way of insuring that we remain personally in control of our own wealth.  If we don't have to worry about an inside job, then we have to worry about the centralized service's security competence.  There has to be a way of keeping control over one's private keys while utilizing these types of services....it's too risky otherwise.

multisig. 2of2   exchange has 1, user had the other. funds cant move unless both sign.

i think LN will make this a hell of alot easier, once LN sorts out its flaws

I know....it makes me wonder....obviously the system wasn't set up correctly because somehow not only were one set of keys compromised, but both sets, which demonstrates to me that they were centralized somewhere that was accessible to a single entity.  I can't wrap my mind around that being any other way yet....That's why it's fishy! 

[franky1]

Either way, it just demonstrates the risk involved in trusting centralized services with our money.  There has to be a better way of insuring that we remain personally in control of our own wealth.  If we don't have to worry about an inside job, then we have to worry about the centralized service's security competence.  There has to be a way of keeping control over one's private keys while utilizing these types of services....it's too risky otherwise.

multisig. 2of2   exchange has 1, user had the other. funds cant move unless both sign.

i think LN will make this a hell of alot easier, once LN sorts out its flaws

I know....it makes me wonder....obviously the system wasn't set up correctly because somehow not only were one set of keys compromised, but both sets, which demonstrates to me that they were centralized somewhere that was accessible to a single entity.  I can't wrap my mind around that being any other way yet....That's why it's fishy! 

issues i see with bitfinex using bitgo multisig is if:
one party makes the keys first, then hands them out. rather than each party having their own key and then telling each other it.
second issue is who is entrusted with the keys after. EG a fail safe key(2 of 3) incase one party went offline permanently. (back door access)
thirdly (also LN's flaw) if the keys are reused it makes them weaker as each use of the same key can gain more info about the keys used

exchanges need to separate the front end (trading engine server), well away from the withdrawal (key holding) server.
this can be done easily and discreetly without needing to give away the key holding servers ip address on the front end server.

[MONKEYJUNK]

I really don't know what to think about it...

1) Bitfinex is trying to hide a inside job? 

2) None knows who's the hacker, so this guy have nothing to deal

3) The guy can return the bitcoins, sleep in peace, and bitfinex can give to him X bitcoins/month for some job or whatever

We never know...

[Quickseller]

Either way, it just demonstrates the risk involved in trusting centralized services with our money.  There has to be a better way of insuring that we remain personally in control of our own wealth.  If we don't have to worry about an inside job, then we have to worry about the centralized service's security competence.  There has to be a way of keeping control over one's private keys while utilizing these types of services....it's too risky otherwise.

multisig. 2of2   exchange has 1, user had the other. funds cant move unless both sign.

i think LN will make this a hell of alot easier, once LN sorts out its flaws

This would not solve the issue of the fact that any fiat in an exchange would still be vulnerable to theft, and the fact that the customer would need to sign a transaction prior to creating a sell order above the current market price.

A hacker could still theoretically steal bitcoin by crediting his exchange account with non-existent fiat to his account, using said fiat to purchase bitcoin, then withdrawing said bitcoin that was purchased with money that does not exist to an address he controls.

[Pursuer]

On August 2nd the Hong Kong-based Bitcoin exchange Bitfinex was compromised for roughly $70 million worth of Bitcoin. According to sources, the attacker managed to drain the exchange through its multi-signature security — gaining 120,000 BTC from the breach. Now the exchange is trying to reach out to the responsible party in an attempt to get its customers’ Bitcoin returned.

https://news.bitcoin.com/bitfinex-seeks-bitcoin-thief/

this is starting to become more and more ridiculous, and I bet it was all a scam that bitfinex pulled themselves to make some ridiculous amount of money and then say it was a hack!

and even if it is all true and there was in fact a hacker, this is so pathetic calling out the hacker and begging him to come back and lets talk!