Bitcoin Forum
Author Topic: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?  (Read 3388 times)
Fernandez
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000



View Profile
February 16, 2015, 06:19:06 AM
 #21

They are saying it happened when they were transferring funds. So
a) the hacker knew about it and was waiting for some time for the opportunity
b) it was not a cold wallet.






hilariousandco
Global Moderator
Legendary
*
Online Online

Activity: 3808
Merit: 2617




View Profile
February 16, 2015, 06:24:23 AM
 #22

But they should know to use an air gap / safe computer for that. Not much point keeping your funds offline if you're just going to put the wallet on an unsecure comp. Exchanges should be overly paranoid when dealing with their funds as should any other bitcoiner really.

redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 16, 2015, 06:27:14 AM
 #23

As every one of us said: a cold wallet is supposed to be "disconnected", or better, never connected to the Internet. Their definition of cold wallet is wrong.
Fernandez
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000



View Profile
February 16, 2015, 06:43:26 AM
 #24

Quote from: hilariousandco
But they should know to use an air gap / safe computer for that. Not much point keeping your funds offline if you're just going to put the wallet on an unsecure comp. Exchanges should be overly paranoid when dealing with their funds as should any other bitcoiner really.

They even kept all the 7k BTC together. I think there is a chance that they stole the money.












sidhujag
Legendary
*
Offline Offline

Activity: 2044
Merit: 1005


View Profile
February 16, 2015, 06:56:22 AM
 #25

OK, forget who did it, but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 16, 2015, 07:01:28 AM
 #26

Quote from: sidhujag
OK, forget who did it, but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

It is a decentralized coin, you can detect whatever you want but no one can stop a transaction (only the various miners can refuse to accept a tx from a determinate bitcoin address but they will lose the fees).
Fernandez
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000



View Profile
February 16, 2015, 07:37:42 AM
 #27

Quote from: sidhujag
OK, forget who did it, but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

You won't be able to get all the exchanges, gambling sites, mixers and merchants accepting Bitcoins to agree. There will always be places which will allow laundering of the stolen funds.
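The deposit check proposed in post #25, sketched as an added example; it is not part of the thread and is not sidhujag's tool. It walks a deposit's input ancestry back toward a flagged transaction and, as post #26 notes, can only flag a deposit for review, not stop a transaction. The transaction ids, the graph and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample graph: txid -> txids whose outputs it spends.
# These are placeholders, not real Bitcoin transactions.
TX_INPUTS = {
    "theft_tx": ["cold_wallet_utxo"],
    "hop_1": ["theft_tx"],
    "hop_2": ["hop_1", "unrelated_a"],
    "deposit_tainted": ["hop_2"],
    "unrelated_a": ["coinbase_1"],
    "deposit_clean": ["unrelated_a", "coinbase_2"],
}
FLAGGED = {"theft_tx"}


def taint_path(deposit_txid, flagged, tx_inputs, max_depth=6):
    """Breadth-first search over input ancestry.

    Returns the chain [deposit, ..., flagged_tx] if a flagged ancestor is
    reachable within max_depth hops, otherwise None. Ancestry deeper than
    max_depth is not examined, which bounds the cost of each check.
    """
    queue = deque([(deposit_txid, [deposit_txid])])
    seen = {deposit_txid}
    while queue:
        txid, path = queue.popleft()
        if txid in flagged:
            return path
        if len(path) - 1 >= max_depth:
            continue  # hop budget spent on this branch
        for parent in tx_inputs.get(txid, []):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return None


def screen_deposits(deposits, flagged, tx_inputs, max_depth=6):
    """Map each deposit txid to its taint path, or None if none was found."""
    return {d: taint_path(d, flagged, tx_inputs, max_depth) for d in deposits}


if __name__ == "__main__":
    report = screen_deposits(["deposit_tainted", "deposit_clean"], FLAGGED, TX_INPUTS)
    for txid, path in report.items():
        print(txid, "->", " <- ".join(path) if path else "no flagged ancestor")
```
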












turvarya
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500


View Profile
February 16, 2015, 08:59:30 AM
 #28

So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?

Rampion
Legendary
*
Offline Offline

Activity: 1148
Merit: 1018


View Profile
February 16, 2015, 09:22:22 AM
 #29

You simply cannot hack a cold wallet, therefore:

a) it wasn't a cold wallet
b) somebody who had physical access to the wallet stole the coins.

There are other options (wallet created with compromised software; RNG/entropy problem) but those are extremely unlikely. You can put all your money on either a) or b).

redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 16, 2015, 09:37:46 AM
 #30

Quote from: turvarya
So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?

A cold wallet should never be connected to the internet, I think their "definition" of cold wallet is a little bit wrong. Let's see if they will reimburse all the customers (at least a % of each personal fund).
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1078


Ian Knowles - CIYAM Lead Developer


View Profile WWW
February 16, 2015, 09:42:23 AM
 #31

It seems very unlikely to me that this could be anything other than an inside job.

You'd think an exchange holding 7K BTC would actually have bothered to work out how to properly secure them (and should know what a "cold wallet" is).

itod
Legendary
*
Offline Offline

Activity: 1974
Merit: 1076


^ Will code for Bitcoins


View Profile
February 16, 2015, 10:39:21 AM
 #32

We spent months thinking about vectors of attack at Ethereum regarding the ether sale funds. Generally speaking, if the funds are in a cold wallet then either social engineering or inside theft are the two viable attacks. This said, it is possible if the cold wallet is stored in a digital format on a computer not connected to the internet that one could perform a stuxnet style attack piggybacking on a flash drive to introduce an APT. But no, someone internal stole the funds most likely.

Strictly speaking, flash drive management is part of the cold wallet: one cannot use just about any flash drive to transfer a signed transaction; the flash drive must be as secured as the cold wallet machine and not used for anything else, without a bootloader, possible hidden executable in the flash drive driver, etc. Someone with 7000 BTC of other people's money in his hands should have a professional handling the security.

Calling the cold wallet "hacked" is just pushing away responsibility for negligence, and playing dumb.
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 16, 2015, 10:44:13 AM
 #33

So do we agree their cold wallet wasn't a real "cold wallet"? Definition:

Cold storage in the context of Bitcoin refers to keeping a reserve of Bitcoins offline.

For example, a Bitcoin exchange typically offers an instant withdrawal feature, and might be a steward over hundreds of thousands of Bitcoins. To minimize the possibility that an intruder could steal the entire reserve in a security breach, the operator of the website follows a best practice by keeping the majority of the reserve in cold storage, or in other words, not present on the web server or any other computer.

The only amount kept on the server is the amount needed to cover anticipated withdrawals.

Source: https://en.bitcoin.it/wiki/Cold_storage


Fernandez
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000



View Profile
February 16, 2015, 10:46:58 AM
 #34

Quote from: turvarya
So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?

Something similar. Amateurish to the extreme especially when they have been hacked earlier.












kokojie
Legendary
*
Offline Offline

Activity: 1806
Merit: 1003



View Profile
February 16, 2015, 02:28:11 PM
 #35

At the moment of the hack, it was a hot wallet. They brought their cold wallet online, to refill another hot wallet, so both were hot wallets at the time. The hacker was patiently waiting for them to do this, because he had already compromised their system, and was just waiting for BTER to bring their cold wallet online for funding the hot wallet.

turvarya
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500


View Profile
February 16, 2015, 02:41:02 PM
 #36

Quote from: kokojie
At the moment of the hack, it was a hot wallet. They brought their cold wallet online, to refill another hot wallet, so both were hot wallets at the time. The hacker was patiently waiting for them to do this, because he had already compromised their system, and just waiting for BTER to bring their cold wallet online for funding the hot wallet.

Not a cold wallet then.
Could somebody make a "What is a cold wallet?"-YouTube-Video and send it to these exchanges?

kolloh
Legendary
*
Offline Offline

Activity: 1736
Merit: 1023


View Profile
February 16, 2015, 03:18:45 PM
 #37

Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
February 16, 2015, 03:31:40 PM
 #38

Quote from: kolloh
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.

Now would be a good time for users of other services to question exactly what their exchange or wallet operator means when they say 'cold wallet'. Cold wallet is just words. Security is in the details. I would not be surprised if there are other exchanges operating right now which believe bringing a wallet online for spending is still a 'cold' wallet.
RockMinerOops
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 16, 2015, 03:39:05 PM
 #39

Cold Wallet to Bter meant that the computer was located in a room air conditioned to 60F
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 16, 2015, 04:36:55 PM
 #40

Quote from: kolloh
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.

Quote from: DeathAndTaxes
Now would be a good time for users of other services to question exactly what their exchange or wallet operator means when they say 'cold wallet'. Cold wallet is just words. Security is in the details. I would not be surprised if there are other exchanges operating right now which believe bringing a wallet online for spending is still a 'cold' wallet.

I agree with that, their definition of cold wallet "was wrong". If they were connected to the internet (even for 5 minutes) it was no longer a cold wallet.