Bitcoin Forum
Author Topic: Strongcoin.com owner stole user money - are my Bitcoins safe online?  (Read 5659 times)
Lotuss (OP)
Newbie
Activity: 4
Merit: 0
April 23, 2013, 11:04:36 AM
Last edit: April 23, 2013, 11:36:51 AM by Lotuss
 #1

Hello!

I first wanted to make this post in the Ozcoin thread, but maybe it's best to give it its own thread. Not that I have a choice since I am newly registered ;)

So I have been following the latest weeks' posts in the Ozcoin thread, where owner Graet got hacked and lost 923 BitCoins. It was sent to me by a friend who wanted to point out to me how much unsafety there is with bitcoins.
I told him that the problem was not with BitCoins as a system, but Graet's lack of security, and drew a parallel to people getting their cards skimmed or computers infected with a virus.
Since then people have "chased" the money, and debated about a system to catch stolen money.

Graet's money seems to have ended up in a Strongcoin online wallet according to this post https://bitcointalk.org/index.php?topic=14085.msg1910151#msg1910151 .

As I understand it, the owner of Strongcoin, dogisland, then stole this money from the alleged thief and returned it to Graet.

To be honest, I think this is a bigger issue than Graet's first loss of money.

I am sorry for your loss Graet but as you said it was your own fault, leaving your system open to such an exploit.
But here dogisland, a "Bank" of bitcoins, took the matter into his own hands as #1 world police and hijacked one of his customers' money and gave it to his friend (?) Graet.

What if dogisland one day decides to hijack all his customers' money?

First I quote strongcoin.com's front page:
Quote
What is a hybrid wallet ?
A hybrid wallet allows you to send and receive Bitcoins just like any other wallet. However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers.

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

Only you. OR, well, dogisland also. And who knows who else...?

I hope I have missed something essential here, does anyone care to explain..?


Edit: As a newbie I am not allowed to send messages. I hope someone that can would send them a PM asking them to answer here.
Edit2: Name typo.

Best of wishes,
Lotus
simonk83
Hero Member
Activity: 798
Merit: 1000
April 23, 2013, 11:09:11 AM
 #2


Quote
I hope I have missed something essential here

Graet, not Garet ;)
John (John K.)
Global Troll-buster and Legendary
Activity: 1288
Merit: 1225
Away on an extended break
April 23, 2013, 11:13:38 AM
 #3

Well, you got a point there actually. What happened to this? :

Quote
What is a hybrid wallet ?
A hybrid wallet allows you to send and receive Bitcoins just like any other wallet. However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers.

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

Please do not use any online wallets if you value your coins. If strongcoin.com was rooted, funds would be stolen easily from users despite that statement above.
Lotuss (OP)
Newbie
Activity: 4
Merit: 0
April 23, 2013, 11:37:03 AM
 #4


Quote
I hope I have missed something essential here

Graet, not Garet ;)

heh ;) Fixed! Sorry Graet!
Lotuss (OP)
Newbie
Activity: 4
Merit: 0
April 23, 2013, 12:47:35 PM
 #5

Quote
"but Graets lack in security and drew a parallel to people getting their cards skimmed or computers infected with a virus."
I'm sorry, but WHAT? What does this have anything to do with card skimming and viruses?
I drew the parallel with real life, where people lose real money to skimming and viruses,
and that it's not Bitcoin's fault that Graet got hacked. It's due to carelessness; it's not the government's or Bitcoin's fault.

Quote
It's well known that online wallets are always vulnerable to hackings, and can be used to steal your bitcoins. Just because the Private key is encrypted in your browser means nothing. You can add one line of code to log the Private key. A sort of.. phisher, per-se.
To do this, the hacker would have to have enough time to gain knowledge on how the system works, which usually takes a while.

The statement "However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers." means it's encrypted through HTTPS(SSL), so that anybody snooping on your network cannot steal your money.

OK, it's only HTTPS?

Then the quote "neither we nor anyone else can spend your Bitcoins. Only you." from the homepage is a complete lie.

Badabing
Member
Activity: 75
Merit: 10
April 23, 2013, 12:57:56 PM
 #6

Quote
I am sorry for your loss Graet but as you said it was your own fault, leaving your system open to such an exploit.
But here dogisland, a "Bank" of bitcoins, took the matter into his own hands as #1 world police and hijacked one of his customers' money and gave it to his friend (?) Graet.

What if dogisland one day decides to hijack all his customers' money?

You raise a valid question with regards to how the funds were transferred from your account, however, the lack of empathy and holier-than-thou tone of your post makes it sound more like "I hacked a website and stole funds. Then, someone stole them back and gave them to their original owner."

I'd be interested to see how external law enforcement would react to this sort of claim - especially considering the lack of recognition of BTC as currency, as far as I am aware. This is of course assuming that you are going to contact someone regarding this 'theft'; I assume you will, considering you lost close to USD$60K?

Let us know how you go.
QuiveringGibbage
Hero Member
Activity: 617
Merit: 543
http://idontALT.com
April 23, 2013, 02:35:38 PM
 #7

I just signed up for an account with StrongCoin.com. It's pretty neat.

1aQGjTHindCLvophoeu4kNsZMm7XzHgca

QG

Bitcoin is at the tippity top of the mountain...but it's really only half way up.. ;)
Lotuss (OP)
Newbie
Activity: 4
Merit: 0
April 23, 2013, 02:43:08 PM
 #8

Quote
I am sorry for your loss Graet but as you said it was your own fault, leaving your system open to such an exploit.
But here dogisland, a "Bank" of bitcoins, took the matter into his own hands as #1 world police and hijacked one of his customers' money and gave it to his friend (?) Graet.

What if dogisland one day decides to hijack all his customers' money?

You raise a valid question with regards to how the funds were transferred from your account, however, the lack of empathy and holier-than-thou tone of your post makes it sound more like "I hacked a website and stole funds. Then, someone stole them back and gave them to their original owner."

I'd be interested to see how external law enforcement would react to this sort of claim - especially considering the lack of recognition of BTC as currency, as far as I am aware. This is of course assuming that you are going to contact someone regarding this 'theft'; I assume you will, considering you lost close to USD$60K?

Let us know how you go.

I am sorry to say I am only an observer, taking interest in BTCs lately, that tries to shine light on this situation from another perspective.

Probably since I am new to the scene I saw strongcoin.com with its professional website as a serious player, and I did not think such serious players would take the law into their own hands and compromise their customers' integrity and money so easily, without publishing any real proof.

I hope you can see how this endangers the reputation of bitcoin as a serious currency.
knedle
Member
Activity: 99
Merit: 10
April 23, 2013, 04:55:46 PM
 #9

But what is the problem?

You were contacted by the owner of StrongCoin and asked where you got that money and to explain on the forums your involvement, which you didn't do. I think that right now the best option is to contact Graet and talk with him, even meet somewhere IRL and show him the proof you are telling the truth. That is of course if you have proof.
itsgoldbaby
Full Member
Activity: 157
Merit: 100
Hello!
April 23, 2013, 05:07:23 PM
 #10

If he just started stealing coins then I would think differently, but in this scenario he just saved a percentage of a fairly popular pool's bitcoins. So I guess if you are going to steal bitcoins from people, don't trust sending them to this service after you do it. He will stop you from profiting from being a piece of shit.
Arvicco
Hero Member
Activity: 574
Merit: 501
Please bear with me
April 23, 2013, 05:17:04 PM
 #11

Quote
I am sorry to say I am only an observer, taking interest in BTCs lately, that tries to shine light on this situation from another perspective.

Sure, sure, this is totally believable. Someone just signs up out of nowhere, and their very first post on Bitcointalk is regarding this situation which in no way concerns them personally. No, it does not look like a disgruntled thief created a sock puppet account to vent their frustration about the lost spoils. Not at all.

binaryFate
Legendary
Activity: 1484
Merit: 1003
Still wild and free
April 23, 2013, 05:38:54 PM
 #12

Maybe it would be more valuable to forget wondering who he is and focus on what he says?
Even if he is the thief, I've never heard of this story before and I'm concerned about the
home-made justice done in this case, so somehow, I don't care whom the story is
coming from.


Monero's privacy and therefore fungibility are MUCH stronger than Bitcoin's. 
This makes Monero a better candidate to deserve the term "digital cash".
JohnsonX
Member
Activity: 120
Merit: 10
April 23, 2013, 05:46:20 PM
 #13

900 bitcoins is a fortune :o

I would never trust the online wallets.

muggerbee
Newbie
Activity: 1
Merit: 0
April 23, 2013, 06:21:14 PM
 #14

Quote
I am sorry to say I am only an observer, taking interest in BTCs lately, that tries to shine light on this situation from another perspective.

Sure, sure, this is totally believable. Someone just signs up out of nowhere, and their very first post on Bitcointalk is regarding this situation which in no way concerns them personally. No, it does not look like a disgruntled thief created a sock puppet account to vent their frustration about the lost spoils. Not at all.

I just started mining a week ago with Oz and so I've followed this very closely and all I can say is Lotuss P@wned :)  lmao
SgtSpike
Legendary
Activity: 1400
Merit: 1005
April 23, 2013, 06:26:11 PM
 #15

Well, you got a point there actually. What happened to this? :

Quote
What is a hybrid wallet ?
A hybrid wallet allows you to send and receive Bitcoins just like any other wallet. However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers.

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

Please do not use any online wallets if you value your coins. If strongcoin.com was rooted, funds would be stolen easily from users despite that statement above.

That's a blatant lie from Strongcoin then, unless not all of their wallets are hybrid wallets.
haveagr8day
Member
Activity: 112
Merit: 10
April 23, 2013, 06:49:38 PM
 #16

They could have done all of that with a JS change even without knowing the private keys.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle
Tips: 14pw9gn35ueAWHvdkesQV298QLPWGBESjs
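The dependency raised in this thread is that the browser code which encrypts the key is delivered by the wallet operator on every visit, so a changed script changes what the wallet does. As an added example (not code from the thread or from StrongCoin), the sketch below pins a digest of each script after it has been reviewed and flags any later delivery that differs; it is meant to run outside the page, against saved copies, and the script paths and contents are constructed.

```javascript
const crypto = require('crypto');

// Subresource-Integrity style digest: "sha384-" + base64(SHA-384(body)).
function sri(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Build the pinned manifest (url -> digest) from the reviewed copy of each script.
function pinManifest(scripts) {
  const manifest = new Map();
  for (const [url, body] of Object.entries(scripts)) manifest.set(url, sri(body));
  return manifest;
}

// Compare the scripts delivered now against the pinned manifest.
function auditScripts(pinned, served) {
  const findings = [];
  for (const [url, body] of Object.entries(served)) {
    if (!pinned.has(url)) findings.push({ url, issue: 'unpinned-script' });
    else if (sri(body) !== pinned.get(url)) findings.push({ url, issue: 'content-changed' });
  }
  for (const url of pinned.keys()) {
    if (!(url in served)) findings.push({ url, issue: 'missing-script' });
  }
  return findings;
}

// Constructed sample data: hypothetical paths and contents, not a real site's files.
const reviewed = {
  '/js/wallet-crypto.js': 'function encryptKey(key, pw) { /* reviewed v1 */ }\n',
  '/js/send.js': 'function buildTx(to, amount) { /* reviewed v1 */ }\n',
};
const servedLater = {
  '/js/wallet-crypto.js': reviewed['/js/wallet-crypto.js'],
  '/js/send.js': reviewed['/js/send.js'] + '/* one added line */\n',
  '/js/extra.js': '/* script that was not present at review time */\n',
};

const pinned = pinManifest(reviewed);
const findings = auditScripts(pinned, servedLater);
console.log(findings);
```

A clean result only says the delivered files match the reviewed ones; it says nothing about whether the reviewed code was sound.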
FireBlazzer
Member
Activity: 70
Merit: 10
April 23, 2013, 07:37:58 PM
 #17


Quote
I hope I have missed something essential here

Graet, not Garet ;)

o.0 did you say garet???

(hides valuables)

:)
Rampion
Legendary
Activity: 1148
Merit: 1018
April 28, 2013, 10:32:37 PM
 #18

Well, what happened to this?

Quote
What is a hybrid wallet ?
A hybrid wallet allows you to send and receive Bitcoins just like any other wallet. However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers.

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

How was dogisland able to "seize" those funds to return them back to Graet? Maybe he modified the site, so all the transactions originated by the thief went to an address controlled by him?

IMO this confirms again that shared wallet/third party services are insecure by nature and thus should be avoided, regardless of super strong passwords, encryption, 2 factor authorization, etc. etc. etc.

It's a pity because really secure third party services are needed for BTC (for example for trading).

Rampion
Legendary
Activity: 1148
Merit: 1018
May 07, 2013, 06:14:42 PM
 #19

So, no answer on this. Admin was able to "intercept" the funds as easily as stealing candy from a baby. I really don't know how they can then write things like this:

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

Utter bullshit. They can do whatever they want with your funds :(

cp1
Hero Member
Activity: 616
Merit: 500
Stop using brainwallets
May 07, 2013, 06:17:55 PM
 #20

It's pretty close to true.  The hacker did spend them -- he was just tricked into sending them to the strongcoin operator.

No online wallet is 100% safe.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0