BTC-E.COM NICE RECOVERY FROM THE HACK! =)

[jwzguy]

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

Major doesn't mean secure. BTC-e always looked sketchy as hell to me.

[DeathAndTaxes]

I understand all that. What I was saying is that simply putting 50000 in the BTC balance box doesn't mean there is actually 500000 BTC there.

Well obviously the attacker can only withdraw the max in the hot wallet (or any per day limit unless compromised). 
That limit is the same regardless of if the attacker "fakes" BTC or "faked" USD to build up his BTC balance.

Say the hot wallet only had 10,000 BTC (hopefully it had a lot less) and the hacker was able to compromise the withdraw limit (by using multiple accounts).

"fake" 50,000 BTC you can only withdraw 10,000 BTC
"fake" $1M USD and buy 50,000 BTC you can still only withdraw 10,000 BTC.

Once the hot wallet is empty the hacker is "maxed out" regardless of what tricks he pulls.

Unless BTC-E is very stupid incoming deposits should go to the COLD WALLET thus not increase the amount stolen.

[hazek]

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

New theory: hacker emptied the BTC-e BTC wallet first and all that's happening now is him having some fun with the other users..

[DeathAndTaxes]

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

No.  Any "faking" of USD or BTC would be on BTC-E books.  The bad news is that the victims are now left with more coins & dollars on the books (BTC-e internal books) than actual coins.  No amount of hacking can produce BTC from nothing.  The attacker merely transfered the real wealth of victims with fake balances on BTC-e books.


The "good news" is hopefully BTC-e wasn't totally stupid and after Bitcoinica reduced the size of their hot wallet.   If the attacker cleaned out the hot wallet then the % that users will lose is the % that the hot wallet makes up of total funds. 

Example (numbers out of my ass):

Say prior to the hack BTC-e had
5,000 BTC in hot wallet
50,000 BTC in cold wallet (plus all new deposit going directly to cold wallet)
50,000 BTC equivelent in USD.

The 5,000 BTC may be gone but victims should still get $0.90 on the dollar of their combined BTC/USD balances.  Now if BTC-e ran one giant hot wallet with all incoming deposits going directly into the hot wallet then victims may have lost everything.

[BkkCoins]

Only 36 BTC left. Game over soon... who's selling the last 5 BTC @ 99 each?

Maybe they don't have a COLD wallet. Maybe any amount of BTC you can buy in your account can be transferred out immediately. Maybe later today we'll hear that everyone who sold their BTC for super high was in fact giving them away because there are no USD anywhere to be found.

[Aggro]

This is probably not good news, but check on the spike on the picture, and the timing of it:



Somebody is cleaning house I believe. I think those trying to deposit and speculate are in for a rude awakening.

[JoelKatz]

New theory: hacker emptied the BTC-e BTC wallet first and all that's happening now is him having some fun with the other users..

Close. He's using the high price to induce others to refill it with real BTC deposits.

[bitcool]

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

No.  Any "faking" of USD or BTC would be on BTC-E books.  The bad news is that the victims are now left with more coins on the books (BTC-e internal books) than actual coins.  No amount of hacking can produce BTC from nothing.

book entries vs cash on hand.

Ironically over there at btc-e, because too much fake usd was injected into the system, no one wants dollar and everybody try to get some BTC or LTC. It's what to come in the future.

btc-e is just ahead of us.

[ydenys]

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

No.  Any "faking" of USD or BTC would be on BTC-E books.  The bad news is that the victims are now left with more coins on the books (BTC-e internal books) than actual coins.  No amount of hacking can produce BTC from nothing.

Yep, thanks D&T, i was worried there for a while – late hour here, wine. So, basically, both owner's and user's accounts were promptly emptied by the hackers, and then some remaining users emptied each other's accounts out of pure greed, plus all who was awake withdrew all funds. No more BTC-e.

I guess their withdrawal limits were too high then.

[EnergyVampire]

Assuming the chat image pasted earlier was the real hacker comments, then the entire database is going to get purged. So if BTC-e didn't back up regularly, this is going to burn a ton of people.

Edit: this post of the comments: https://bitcointalk.org/index.php?topic=96802.msg1066651#msg1066651

[bitcool]

This is probably not good news, but check on the spike on the picture, and the timing of it:



Somebody is cleaning house I believe. I think those trying to deposit and speculate are in for a rude awakening.

Not really. I was able to withdraw from btce many minutes after the price spiked to 40s.

[dree12]

Assuming the chat image pasted earlier was the real hacker comments, then the entire database is going to get purged. So if BTC-e didn't back up regularly, this is going to burn a ton of people.

They are probably not.

I believe this was a SQL injection. There are a few telltale signs:

• The event was sudden.
• The hacking was weak. If the hacker had access to the server, they may be able to empty the hot wallet directly. Instead, the hacker had to rely on BTC-E withdrawal.
• The hacking seemed to involve a simple UPDATE of the USD value.

[Shadow383]

This is probably not good news, but check on the spike on the picture, and the timing of it:



Somebody is cleaning house I believe. I think those trying to deposit and speculate are in for a rude awakening.

Not really. I was able to withdraw from btce many minutes after the price spiked to 40s.

Suggesting that they probably don't have cold storage in place - sounds an awful lot like the maximum amount that can be withdrawn is everything on the exchange.

Are people still getting BTC out?
Does anyone there even still have any?  

[BkkCoins]

Hmmm. Let's see. What's the time zone in Russia. I'm guessing about 4AM roughly.
Anyone know who to call to wake them up and freeze the exchange?

[dree12]

Hmmm. Let's see. What's the time zone in Russia. I'm guessing about 4AM roughly.
Anyone know who to call to wake them up and freeze the exchange?

It is 6:37 in Moscow.

[Herodes]

Hmmm. Let's see. What's the time zone in Russia. I'm guessing about 4AM roughly.
Anyone know who to call to wake them up and freeze the exchange?

It is 6:37 in Moscow.

Time for the first vodka of the day then ! 

[Bitcoin Oz]

The hacker injected fake usd ? My money is on Ben Bernanke.

[terrytibbs]

The hacker injected fake usd ? My money is on Ben Bernanke.

...or his Russian doppelgänger.

[TTBit]

Um... no. 2.18 of it to: 12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav

http://blockexplorer.com/address/12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav
0BTC
Did you get any out successfully?

No, that is first few. Waiting for some confirms.

1 confirm on the withdraws. Still 20 bid for 13.45, but able to sleep now.

[ThiagoCMC]

OMG... I had 180 Bitcoins there... Jesus...

My latest withdraw at btc-e webpage says "confirmed", but nothing reached my wallet yet.

40 Bitcoins was "sold" there... And 140 Bitcoins are stucked at some point there... In Russia... Damn!

Jesus no, please no...

Please... no... Oh God...  lol

My documentation:

https://bitcointalk.org/index.php?topic=40889.msg1066779#msg1066779

I have screenshots... To remember...  Damn...  :-/