BTC-E hacked - still unfolding

[dishwara]

I think this may be the root cause of hack or theft or whatever today happened/happening on btc-e

https://bitcointalk.org/index.php?topic=94573.0

btc-e dev said its not supa.
I apologize to supa & edited my post to reflect change.
sorry supa.

[1715267701]

1715267701

[1715267701]

1715267701

[1715267701]

1715267701

[1715267701]

1715267701

[check_status]

How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?

[BkkCoins]

How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?

There's probably at least a few ways. No one is supposed to be able to but if the programming has defects then it's possible. Hackers specialize in finding programming defects.

If you study how LR communicates account info with it's customers then you can mimic that. If the site programming does not completely authenticate any info from LR then it may take fake info at face value and credit accounts with what it believes to be real deposits. Crediting an account on BTC-E is the same as having the money, ie. fake money, that you can spend to buy BTC.

So a relatively simple act of intercepting data flow and replaying it may lead to funds to play with. This is only one way. SQL Injection into poorly designed API/site code could lead to being able to adjust account balances without proper auditing or verification. All these things result from poorly thought out and tested code but they allow altering database records that say how much money a user has.

[bg002h]

It's a little unwise to permit instantaneous irreversible withdrawals...anyone running the exchange who was watching events unfold would have known to halt trading...but once the funds are gone, you can't just roll it all back.

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

I feel bad for everyone who lost their funds.

[R-]

Has the admin of BTC-E signed on yet? My condolences go out to him, as well as the victims, because the hack doesn't appear to be an inside job.

*also equilibrium in the orderbook has been reached*

[ElectricMucus]

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain' 

[bitcoinism]

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain' 

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.

[ElectricMucus]

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'  

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.

People said exactly the same kind of thing last time.

[Vorksholk]

From https://btc-e.com/news/81:

Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

[cryptoanarchist]

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  

People are bitchin on here, but I think they've done right and made a good name for themselves out of this. At least they didn't keep 18,000+ coins in their hot wallet like some other people we know.

[dishwara]

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  

You also got back USD for which u sold btc?

[cryptoanarchist]

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  

You also got back USD for which u sold btc?

They reversed the trade so I got back the BTC I sold. Since those coins should have been stolen by the hacker, that means they came out of BTCe's reserves. Very kind of them.

[Gabi]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

[ElectricMucus]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

Lets hope it stays that way.

[defxor]

From https://btc-e.com/news/81:

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

[Vorksholk]

From https://btc-e.com/news/81:

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

Any idea how LibertyReserve stores passwords?

[proudhon]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.

[kiba]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.

We have standard?

[unclescrooge]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.

[Yankee (BitInstant)]

Trading has resumed: https://bitcointalk.org/index.php?topic=96912.0;topicseen