BTCT.com hacked and lost 107 btc

[hl5460]

8btc report:
BTCT.com is a bitpay-like website in China, featuring online hashrate trade.
As per the official statement, hacker hacked the wallet server and use RPC command to dump private key and then get away with coins.

tx：https://blockchain.info/zh-cn/tx/392195d6f1f615c2a1b8fde7dbecbcbe5d332bd6ee83d0dcc3b66567c6c2af32

Currently the merchant page is down only with the statement on its frontpage.
20 btc bounty was placed to hunt down the hacker.

[RustyNomad]

I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.

[V8x8d]

I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.

Agreed, how can you achieve "Security and control over your money" when you are trusting somebody else with it (Counter-party risk)?

[Daniel91]

8btc report:
BTCT.com is a bitpay-like website in China, featuring online hashrate trade.
As per the official statement, hacker hacked the wallet server and use RPC command to dump private key and then get away with coins.

tx：https://blockchain.info/zh-cn/tx/392195d6f1f615c2a1b8fde7dbecbcbe5d332bd6ee83d0dcc3b66567c6c2af32

Currently the merchant page is down only with the statement on its frontpage.
20 btc bounty was placed to hunt down the hacker.

I'm not surprised with this news.
It seems nothing is 100 % secure online today.
This is risk we have to accept by using online services.

[neha]

When the companies are supposed to store most of their funds in cold wallets, how is it possible that they loose so much funds. Alternatively, if 107 btc's only accounts for lets say 3-5% which might be kept in the hot wallet, then it shouldn't matter as the company should be able to pay back their customers if not instantly, then within sometime by their operating incomes.

The fact however remains that if a Webserver has access to the wallets, their is always a possibility of hacking. There is not much any of us can do as the hacks keep evolving and if you dont know about a vulnerability, then there is not much you can do to prevent it. Its not like the Crypto companies are as big as google that they can be on top of everything. Thus, the only option is to sever the link between the webserver and the wallet server and still make them talk somehow. Its very difficult to do but possible.

[kolloh]

Yeah, it sounds like they weren't following best practices for the safe keeping of their BTC if they were able to run off with that much. Never store that much BTC in a hot wallet =/

[bornil267645]

This sites never ensure enough security....

[neha]

How do they sleep at night holding customer funds and not ensuring at least basic parameter of hot and cold wallet. I saw on their site, they have written that they will return the customers funds so they must be employing cold and hot wallet. This must be a very small amount compared to their deposits.

[jbreher]

Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

[jbreher]

Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

...and now their website is offline.

...aaaaand it's gone.

[neha]

Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

What do you mean by 'attract deposits via interest-bearing accounts' And how is that relevant to hacking? Please explain.

[Meuh6879]

I'll never trust any online service be that a wallet and or an exchange.

clear.

[Meuh6879]

...and now their website is offline.

...aaaaand it's gone.

[franky1]

crappy php website..

when will people learn to not have their wallets and trade engines on the exact same server as the customers GUI.

not
(user)----(whole business function server)

but it should be
(user)----(PHP echo/RUBY GUI server)-----(trade engine server)------(wallet server)

by having the important stuff on a separate server, DDos attacks wont stunt functions of the engine or wallet functions. and you can even mirror the echo/guy server if a DDOS occurs to keep connections active
aswell as allowing security precautions to be added at each server to triple secure the whole plan so that hackers can be spotted before getting to the wallet server.

[neha]

crappy php website..

when will people learn to not have their wallets and trade engines on the exact same server as the customers GUI.

not
(user)----(whole business function server)

but it should be
(user)----(PHP echo/RUBY GUI server)-----(trade engine server)------(wallet server)

by having the important stuff on a separate server, DDos attacks wont stunt functions of the engine or wallet functions. and you can even mirror the echo/guy server if a DDOS occurs to keep connections active
aswell as allowing security precautions to be added at each server to triple secure the whole plan so that hackers can be spotted before getting to the wallet server.

Add a Separate Database Server in the chain and it should become a perfect chain and then add firewalls everywhere with a Separate VPN connection to the headoffice.

[jbreher]

Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

What do you mean by 'attract deposits via interest-bearing accounts' And how is that relevant to hacking? Please explain.

Well, as their website is offline, I can neither confirm nor deny my suspicion.

However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit. They have skimmed - in order to pay the interest at minimum, but also as likely to line their own pockets. Where does that bitcoin-denominated interest come from? Other folks who think their bitcoins are held safely on their behalf.

Such a business, even if it is not lining the pockets of the owners, has a significant liquidity exposure. If anything goes astray, there is no way that such a business can repay each account holder all the bitcoins they think they own. And that's just if the business owners are not dipping into the till for their own personal gain.

But experience hath shewn that owners that operate fast and loose thusly are more often than not even more dishonest, stealing from depositors' funds.

Hence the 'hack' as opposed to the hack. The 'hack' is a time-tested tool in the bitcoin-scammers' toolbox. No _real_ hack, just a claim that the site was hacked. Allows them to run off with all the 'hacked' funds themselves.

Its a common pattern here in bitcoin-land.

It remains to be seen whether or not BTCT.com has stolen the funds or not. Heck, not knowing the details of the business, I may be way off on my suspicion. As I said, with their website drawing a 404...

In the meantime, it might be wise for all to consider the possibility that BTCT has indeed done so, and is using the 'hack' excuse to cover their tracks.

More importantly, it is wise for all to consider the fact that if you do not have sole control of your private keys, those bitcoin you think you own are as good as gone.

[subSTRATA]

It seems nothing is 100 % secure online today.

Nothing will ever be 100% secure, online or offline.

...and now their website is offline.

...aaaaand it's gone.

I'm missing Mark and MtGox dramas, sometimes.  

[Remember remember the 5th of November]

Any chance the Bash exploit was used here?

[jbreher]

Any chance the Bash exploit was used here?

Who knows?

What is the more likely explanation?

[santaClause]

Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with