The Biggest Bitcoin Hacks and Thefts of All Time



The story of bitcoin’s most significant hacks and thefts is the story of bitcoin itself. From its early days and its first hack to the biggest theft of all time, bitcoin’s utopian promises often turned into a dystopian reality in which scammers, thieves and unaccountable, often amateur exchanges, some of them fully anonymous, proliferated in a wild west of euphoria and hope for a new future, combined with devastating and at times tragic loss.

It is estimated that 10% to 20%, if not more, of all bitcoin in existence is held by criminals, who exploit distrust in governments and their laws to free themselves from any accountability whatsoever. Code is law, so in some quarters theft is right, so much so that some argue the thief should be hailed as the smartest person in the room. Moral rules should not apply, according to this view; the free market and self-interest will magically provide the best exchanges, and when things go wrong, it is always the victim’s fault.

For your pleasure, entertainment and, hopefully, some information, I present below the wall of shame, starting with a less obvious, and perhaps incorrect, choice for the repugnant honor of biggest bitcoin hack and theft of all time.

Bitcoin’s Defining Event – MT Gox’s Hack in 2011

As the world sought an answer to banks going under, bitcoin rose on the promise of no more boom and bust, no fractional-reserve money printing, and cheap if not free, fast if not instant global transactions. The price skyrocketed from pennies to around $30 by June 2011, and general opinion, while balanced overall, was mainly positive and moving towards considering bitcoin the next big thing.

Jed McCaleb, who later co-founded Ripple (and publicly announced he would sell his very large XRP holding, sending its price tumbling) and then founded Stellar (a Ripple-like network), had created MT Gox in 2007 as a site for trading Magic: The Gathering cards, repurposed it as a bitcoin exchange in July 2010, and sold it to Mark Karpeles in March 2011.

The sale details are unknown, except that McCaleb retained the right to audit MT Gox to ensure he received a share of the profits for roughly six months after the sale. That auditing account was allegedly compromised in June 2011, and the hacker used it to sell around 500,000 bitcoins on the exchange, sending the price to pennies.

This is probably the most defining event in bitcoin’s history, for the digital currency – or rather the exchanges holding it – was shown, for the first time, to be insecure and easily stolen from. Coders and the general public dismissed the new currency as unworkable; Wired called it dead. Almost everyone left as the price went down and down. Still, some remained – ancaps (and, we assume, some techies) – who saw an opportunity to turn bitcoin into a vehicle for mainstream acceptance of anarcho-capitalist ideology (while the techies, now very much a minority, of course just liked the tech).

At this point, just six months after Nakamoto, bitcoin’s creator, left, bitcoin stopped being primarily a technology and became more of an ideology. The focus shifted from cheaper and faster payments to a metaphorical Trojan horse that would somehow bring down governments and banks, in a utopia where we would all live happily ever after.

The Biggest Theft in the World – MT Gox 2014

When people found out bitcoin was somehow still around and not consigned to a dusty archive page, for the technology still offered cheap, fast, permissionless, trustless, programmable money, they flocked back in early 2013, not least because a Reddit user went around giving away hundreds of thousands of dollars’ worth of bitcoin, amazing everyone. Once more, euphoria was in the air, with the price rising every day. China came, then Overstock, Dell, Microsoft and even Time Inc.

Not long after bitcoin reached gold parity with an all-time high of around $1,200, MT Gox, the biggest bitcoin exchange, announced bankruptcy. Around 850,000 bitcoin, valued at the time at roughly $450 million, had gone missing, creating a new meme, the Bitcoin CEO – a gruesome reminder of the people driven to suicide by this tragic event.

MT Gox claimed at the time that hackers had exploited a weakness in bitcoin’s protocol called transaction malleability, which lets a third party alter a transaction’s id without invalidating its signature, so that an exchange which tracks withdrawals by id can be tricked into believing a payment never confirmed and sending it again. Mark Karpeles, the CEO of MT Gox, was not wholly lying: an academic study found hackers had indeed stolen from MT Gox by exploiting transaction malleability, but only around 2,000 bitcoins, an insignificant amount compared to the overall theft.

Mark Karpeles, out on bail in 2016. Image courtesy: news24

What happened to the rest we don’t know. 200,000 bitcoin turned up in an old-format wallet, which MT Gox had to hand over to the bankruptcy trustee, leaving around 650,000 unaccounted for. Speculation abounds. There were reports that Karpeles – arrested and imprisoned last year, and recently released, presumably awaiting trial – was a spendthrift. The leading theory, however, focuses on 2011.

A leaked report of MT Gox’s internal transactions shows bitcoins going missing, if not all of them disappearing, around June to November 2011.

Newer reports state that at least 80,000 bitcoins were never there to begin with, suggesting, quite ironically, that the exchange was running a fractional reserve.

With a probable trial of Karpeles around the corner, we’re likely to hear more, periodically, about the most significant theft in the world. Many have now moved on, except the creditors who, after almost three years, are still waiting for the distribution of the 200,000 bitcoins, worth around $120 million, which should at this point happen soon.

Bitfinex – The Faceless Exchange

People woke up last month to hear Bitfinex had suffered a “security breach” in which nearly 120,000 bitcoin, around $70 million, were stolen. Bitcoin’s price instantly fell by around a fifth, only to recover almost immediately, somehow, with the theft now as good as not reflected in the price.

After over a month and a half, we still have no idea what happened at Bitfinex. They hired a company no one had heard of, Ledger Labs, to investigate. Although you’d think the company would shout from the rooftops that others entrust it with investigating one of the biggest thefts in the world, its blog and Twitter are very much silent, which makes us wonder whether it is a one-man show contracting out to very, very busy big names.

As far as we know, there has been no third-party confirmation of a hack or theft, so like the previous two it remains an alleged “security breach.” Zane Tackett, former customer-service representative at OKCoin, now wearing the nicer title of Director of Community & Product Development at Bitfinex, stated they reported the theft to the FBI, the world-famous criminal investigations authority, which is mainly concerned with domestic matters, while Bitfinex is based in…

Well, we don’t know. Their Hong Kong registered address belongs to a company that provides a local presence. There is no office, and it’s not clear who the directors are, or whether these people exist at all.

The incident has also been reported to “European authorities,” according to Tackett, a statement far less specific than their loss figure of 36.067% of total assets. Many Bitfinex customers, however, are happy that they instantly got 63.933% of their own money back, rather than having to go through a three- or four-year bankruptcy process. For the remaining 36.067%, BFX IOU tokens were issued by a company that could not cover its liabilities, and an amazingly precise 1.1812% of them was recently redeemed.

Bitstamp

Bitstamp gained goodwill by being the main alternative to MT Gox, increasing its market share as Gox went under. Unlike the previous two, they list their personnel, but although they describe themselves as “The First Nationally Licensed Bitcoin Exchange,” their page doesn’t provide much detail, such as license numbers.

However, you can now insta-buy at Bitstamp with a debit or credit card, so we don’t have much reason to disbelieve their claim, but they lost some trust when they were hacked for around 19,000 bitcoin, about $5 million, in January 2015.

The theft appears to have been a fairly sophisticated attack, with phishing emails targeting Bitstamp’s personnel. However, as the theft was limited to the hot wallet, Bitstamp could cover it, so customers suffered no direct losses.

Poloniex

Poloniex has risen to become one of the biggest altcoin exchanges, with trading volumes of 100,000 BTC or more in a single coin daily. However, no one knows who they are – they have no about-us page – and of course they are not regulated, so it’s probably a disaster waiting to happen.

Furthermore, their team hasn’t shown much competence. On March 4th, 2014, someone stole 12.3% of their BTC (a whole decimal place, a precision rarely seen in this space), which at the time was a pretty small amount as almost no one had heard of them. The way it was stolen was, apparently, by clicking withdraw more than once: several withdrawal requests submitted at practically the same instant were each checked against a balance that none of them had yet debited, because the balance check and the debit were not performed atomically. An easy oversight because, as everyone knows, you can’t prevent double spending in a centralized database (you can); that’s why we have bitcoin (it’s not).
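The race described above, reduced to its essentials as an added example (this is illustrative code, not Poloniex’s). The ledger, the single customer and the satoshi amounts are constructed; the two handlers are written as generators so that a tiny round-robin scheduler can interleave them at the exact point where a real service would be waiting on a second database round trip. The first handler reads the balance, decides, then writes; the second does the check and the debit in one conditional UPDATE, which is the standard fix in any SQL database (engines that support it can also take a row lock with SELECT ... FOR UPDATE, which SQLite does not have):

```python
import sqlite3


def open_ledger(balance_sat: int) -> sqlite3.Connection:
    """Constructed in-memory ledger with one customer; balances in satoshis."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, sat INTEGER NOT NULL)")
    conn.execute("INSERT INTO balances VALUES ('alice', ?)", (balance_sat,))
    return conn


def balance_of(conn: sqlite3.Connection, user: str) -> int:
    return conn.execute("SELECT sat FROM balances WHERE user = ?", (user,)).fetchone()[0]


def withdraw_vulnerable(conn, user: str, amount: int):
    """Check-then-act: read the balance, decide, then write the new balance.
    The 'yield' stands in for the gap between the two database round trips."""
    (bal,) = conn.execute("SELECT sat FROM balances WHERE user = ?", (user,)).fetchone()
    yield  # another request can read the same, not-yet-debited balance here
    if bal < amount:
        return False
    conn.execute("UPDATE balances SET sat = ? WHERE user = ?", (bal - amount, user))
    return True  # payout would be queued here


def withdraw_atomic(conn, user: str, amount: int):
    """Single conditional UPDATE: check and debit happen in one statement,
    so no interleaving can let two requests spend the same coins."""
    yield  # same scheduling point, but there is no stale read to exploit
    cur = conn.execute(
        "UPDATE balances SET sat = sat - ? WHERE user = ? AND sat >= ?",
        (amount, user, amount),
    )
    return cur.rowcount == 1  # 0 rows touched means insufficient funds


def run_interleaved(requests):
    """Round-robin scheduler: every request gets one step before any request
    gets a second one, i.e. 'several withdrawals in the same instant'.
    Returns each request's outcome in submission order."""
    results = [None] * len(requests)
    live = list(enumerate(requests))
    while live:
        remaining = []
        for i, gen in live:
            try:
                next(gen)
                remaining.append((i, gen))
            except StopIteration as done:
                results[i] = done.value
        live = remaining
    return results


def demo(handler, balance_sat=120_000_000, amount=100_000_000, n=3):
    """Fire n concurrent withdrawals of `amount` against a fresh balance.
    Returns (outcomes, final balance, total actually paid out)."""
    conn = open_ledger(balance_sat)
    outcomes = run_interleaved([handler(conn, "alice", amount) for _ in range(n)])
    paid = sum(amount for ok in outcomes if ok)
    return outcomes, balance_of(conn, "alice"), paid


if __name__ == "__main__":
    print("vulnerable:", demo(withdraw_vulnerable))  # three 1 BTC payouts from 1.2 BTC
    print("atomic:    ", demo(withdraw_atomic))      # exactly one payout
```

With the vulnerable handler, three requests for 1 BTC against a 1.2 BTC balance all succeed and the ledger ends at 0.2 BTC while 3 BTC leave the building; with the atomic handler the second and third requests fail because the first UPDATE already moved the balance below the amount. Treating the database row count as the authority, rather than a value read a moment earlier, is the whole fix.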

Poloniex’s owner simply covered the loss, presumably so that we can trust his exploited exchange, and that’s exactly what happened with the faceless exchange that now controls hundreds of millions.

BTC-E

The anonymous Russian exchange makes you wonder whether it is more trustworthy than even regulated exchanges, or whether they will run off with your money in the next few seconds.

No one knows much about them, but their team doesn’t seem very competent: they had all their data stolen this month, and in 2012 they had about 5,000 BTC stolen:

“On July 31, 2012, the BTC-E Liberty Reserve API secret key was broken. This key was shorter than it needed to be at only 16 characters long. The attacker initiated many Liberty Reserve deposits and injected large amounts of USD into the system, which were quickly sold for BTC.”

It wasn’t much then, so we assume they covered the losses, but people keep reporting losses from the data breach, which we doubt they’ll cover.
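The quoted incident is, in modern terms, a payment-processor callback whose authentication secret was too weak: whoever could forge the deposit notification could credit themselves USD and buy BTC with it. As an added example (not BTC-E’s or Liberty Reserve’s code; the notification fields, the secret and the alphabet assumptions are mine), here is the shape a deposit callback should take: a secret drawn from the OS random source, an HMAC over a canonical serialization of the message, a constant-time comparison, and a replay check on the deposit id. The entropy helper makes the quoted point about length concrete, on the assumption that the key was drawn from an alphabet of the given size:

```python
import hashlib
import hmac
import json
import math
import secrets


def new_api_secret() -> str:
    """256 bits from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Brute-force work, in bits, for a key drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def canonical(body: dict) -> bytes:
    """Deterministic serialization so both sides sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(secret: str, body: dict) -> str:
    """What the payment processor attaches to a deposit notification."""
    return hmac.new(secret.encode(), canonical(body), hashlib.sha256).hexdigest()


def accept_deposit(secret: str, body: dict, signature: str, seen_ids: set) -> bool:
    """Exchange side: verify the MAC in constant time, then reject replays.
    Only after both checks may the account be credited."""
    expected = sign_notification(secret, body)
    if not hmac.compare_digest(expected, signature):
        return False  # forged or tampered notification
    if body["deposit_id"] in seen_ids:
        return False  # same notification delivered twice
    seen_ids.add(body["deposit_id"])
    return True


def demo():
    """Constructed round trip: one genuine notification, one tampered copy, one replay."""
    secret = new_api_secret()
    seen = set()
    genuine = {"deposit_id": "dep-0001", "account": 42, "usd": 1000}
    sig = sign_notification(secret, genuine)
    inflated = dict(genuine, usd=1_000_000)  # attacker edits the amount
    return (
        accept_deposit(secret, genuine, sig, seen),   # True
        accept_deposit(secret, inflated, sig, seen),  # False: MAC no longer matches
        accept_deposit(secret, genuine, sig, seen),   # False: replay of dep-0001
    )


if __name__ == "__main__":
    print(demo())
    print("16 hex chars:", entropy_bits(16, 16), "bits;",
          "token_hex(32):", entropy_bits(16, len(new_api_secret())), "bits")
```

If the key had been 16 hexadecimal characters it would carry 64 bits of entropy, whereas 16 characters from a 62-symbol alphabet would carry about 95; either way a 32-byte random secret is the cheap, correct choice, and a deposit should in any case also be reconciled against the processor’s own ledger rather than trusted on the strength of a callback alone.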

BitcoinTalk

It doesn’t feel like bitcoin without occasional news of bitcointalk being hacked. Amazingly, people still go there, with around 4,000 online if its stats are to be trusted.

The most recent hack was in May 2015. How did it happen? Who knows? They hardly communicate anything, and it’s doubtful anyone even looks after the website, which has not changed in years.

Its current owner, Michael Marquardt (aka Theymos), to whom Nakamoto simply handed the forum, raised millions of dollars’ worth of bitcoin for a less hackable site a few years ago. Still, web development takes a lot of time, years in fact (it doesn’t).

One Billion Bitcoin Out of Thin Air

Many like to say bitcoin, the protocol, was never hacked, but it was, and very early on. On August 15th, 2010, some clever unknown person found an exploit that allowed them to “print” however many coins they liked – 184 billion in the event: a transaction with two enormous outputs whose values, added together, overflowed the 64-bit integer the client used to sum them, so the total looked small enough to pass the checks of the time.

Jeff Garzik sounded the alarm, and Nakamoto fixed it within hours with a patched client (0.3.10) that rejects out-of-range values, after which the chain was reorganized to drop the bad block. It is the only known instance of protocol exploitation as far as we know – thankfully at a time of no hard-fork phobia – if you exclude transaction malleability. Hopefully, it stays that way.
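The overflow above, reconstructed as an added example (this is illustrative Python, not the Bitcoin client’s code). Python integers do not overflow, so `to_int64` wraps the running total the way a C `int64` would; the two output values are constructed to reproduce the 184 billion figure in the text (two outputs just under 2^63 satoshis each), and the 0.5 BTC input is an assumption for the example. The vulnerable check only rejects negative outputs and compares a wrapped sum against the input; the fixed check range-checks every output and every partial sum against the 21 million coin cap:

```python
MAX_MONEY = 21_000_000 * 100_000_000  # 21 million BTC, in satoshis


def to_int64(x: int) -> int:
    """Wrap an unbounded Python int the way a C int64 addition would."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x >= 1 << 63 else x


def value_out_vulnerable(outputs) -> int:
    """Pre-fix style: each output must be non-negative, but the running total
    is a plain int64 that silently wraps past 2**63 - 1."""
    total = 0
    for v in outputs:
        if v < 0:
            raise ValueError("negative output")
        total = to_int64(total + v)
    return total


def check_tx_vulnerable(value_in: int, outputs) -> bool:
    """Accept when outputs do not exceed inputs (the difference is the fee)."""
    return value_out_vulnerable(outputs) <= value_in


def money_range(v: int) -> bool:
    return 0 <= v <= MAX_MONEY


def check_tx_fixed(value_in: int, outputs) -> bool:
    """Every output and every partial sum must stay inside [0, MAX_MONEY];
    the comparison with the input then uses a total that cannot have wrapped."""
    total = 0
    for v in outputs:
        if not money_range(v):
            return False
        total += v
        if not money_range(total):
            return False
    return money_range(value_in) and total <= value_in


# Constructed to match the 184 billion figure: 92,233,720,368.54277039 BTC twice.
OVERFLOW_OUTPUTS = [9_223_372_036_854_277_039, 9_223_372_036_854_277_039]
VALUE_IN = 50_000_000  # 0.5 BTC input, assumed for the example


if __name__ == "__main__":
    wrapped = value_out_vulnerable(OVERFLOW_OUTPUTS)
    print("wrapped output sum (sat):", wrapped)              # a small negative number
    print("old check accepts:", check_tx_vulnerable(VALUE_IN, OVERFLOW_OUTPUTS))
    print("fixed check accepts:", check_tx_fixed(VALUE_IN, OVERFLOW_OUTPUTS))
```

The wrapped sum comes out as a small negative number, so “outputs do not exceed inputs” holds and the transaction even appears to pay a fee; the fixed check fails on the very first output, long before any addition happens. The general lesson, sums of attacker-controlled integers must be range-checked term by term, applies to any ledger code, not just a consensus client.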

Evolution

We can’t have a biggest-bitcoin-hacks list without some mention of drug markets. There have been many, most taking the form of exit scams, since operators are anonymous and therefore don’t need to bother with any made-up hacking story.

The biggest, I think, are Sheep Marketplace and Evolution. The latter is a bit more interesting because someone stated that the admins of Evolution, a fairly big marketplace where you could buy drugs with bitcoin, were exit scamming. One hundred twenty thousand bitcoins were reportedly taken, around $70 million.

Mt Gox 2013

This was not really a hack either, but it deserves mention because it shows a different sort of hack: a hack of human nature, specifically of emotions.

As bitcoin rose to $260 in April 2013, MT Gox, practically the only bitcoin exchange, froze and went offline. Euphoria quickly gave way to panic and fear, with almost everyone on r/bitcoin online at once. The selloff was brutal, but $50 held, and bitcoin (or Willy the bot) went on to $1,200 a few months later.

MT Gox was DDoSed, and claimed at the time to be a victim of its own success, with apparently millions of accounts registering. In response, people left and other exchanges gained market share, yet MT Gox still held almost a million bitcoin when it went under.

How is anyone’s guess, with the obvious explanation being that people are lazy, so they park their bitcoin somewhere and don’t want to bother any further, raising interesting questions about the limits of the free market and just how easily trust and power can be given and abused.

Lessons Learned

It is amazing that five years after bitcoin’s biggest weakness – security – was revealed, which bitcoin barely survived, little if anything seems to have been done about this very important, if not the most important, matter, as shown by one of the biggest thefts occurring just last month.

Although segregated witness, now being rolled out, addresses transaction malleability (and Bitcoin Core already treats signatures that are not in canonical low-S form as non-standard), the loss malleability caused was far too small for that to matter much; the main issue seems to be at a human, rather than protocol, level. However, there are many more things that can be done at the protocol level, such as Bitcoin Vaults, but for some reason they are not even being considered for implementation.
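Transaction malleability, as cited for MT Gox above and addressed by segwit here, is easy to state but worth seeing. The following is an added example, not code from the article or from any bitcoin implementation: a textbook ECDSA over secp256k1 in plain Python (3.8 or later, no dependencies), a toy “transaction” whose legacy-style id is the hash of the whole serialization including the signature, and the one-line malleation that turns a valid signature (r, s) into the equally valid (r, n − s). The private key, the nonce and the output payload are constructed test values. The signed digest covers only the outputs, so both signatures verify, yet the two transactions carry different ids; that is exactly the gap an exchange tracking withdrawals by txid falls into, and the low-S rule and segwit close it from two different sides:

```python
import hashlib

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def sign(priv: int, msg_hash: bytes, k: int):
    """Textbook ECDSA. k is a parameter only to keep the example deterministic;
    real code derives it per RFC 6979 or from a CSPRNG."""
    z = int.from_bytes(msg_hash, "big")
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, msg_hash: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(msg_hash, "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def malleate(sig):
    """(r, s) -> (r, N - s). Anyone who sees a signature can compute this twin,
    and plain ECDSA accepts both; no private key is involved."""
    r, s = sig
    return r, N - s


def is_low_s(sig) -> bool:
    """Canonical form: a node enforcing the low-S rule drops the high-S twin."""
    return sig[1] <= N // 2


def legacy_txid(outputs: bytes, sig) -> bytes:
    """Legacy txid = hash of the whole serialized tx, signature included. Toy
    serialization, but it keeps that one property; segwit moves the signature
    into the witness, which the txid does not cover."""
    r, s = sig
    return sha256d(outputs + r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def demo():
    """Returns (txid of the signed tx, txid of its malleated twin, both valid?)."""
    priv = 0x0C0FFEE1                          # constructed test key
    k = 0xDEADBEEF                             # constructed nonce
    pub = ec_mul(priv, G)
    outputs = b"withdraw 10 BTC to customer"   # constructed stand-in for the outputs
    h = sha256d(outputs)                       # the digest covers outputs, not the signature
    sig = sign(priv, h, k)
    twin = malleate(sig)
    both_valid = verify(pub, h, sig) and verify(pub, h, twin)
    return legacy_txid(outputs, sig), legacy_txid(outputs, twin), both_valid


if __name__ == "__main__":
    a, b, ok = demo()
    print("both signatures verify:", ok, "| txid changed:", a != b)
```

Exactly one of (r, s) and (r, n − s) is low-S, so a node enforcing canonical signatures accepts only one encoding; the DER encoding of a signature offered further, non-cryptographic ways to change bytes without changing meaning, which is why the full fix was a strict encoding rule plus, with segwit, an id that no longer covers the signature at all. An exchange should in any case match its withdrawals by the outputs it paid, not by the id it happened to broadcast.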

At the social level, what is obvious and should not need saying (although some, amazingly, dispute it) is that individuals who handle our money should be public figures with their full backgrounds on display; otherwise they cannot be held accountable. Lacking such accountability, hundreds of millions is, understandably, far too tempting, as we have often seen.

An equally important point is that bitcoin security is very hard. Exchanges in particular require highly experienced developers who are fully familiar with the bitcoin protocol, the many aspects of exchange coding and how to secure hard digital assets. To truly secure bitcoin, exchanges need layers and layers of metaphorical armed guards defending iron gates, with vaults deep underground behind a thousand doors: in practice, the bulk of customer funds in offline cold storage, multi-signature control over anything that moves, and a hot wallet capped at what the exchange can afford to lose, as Bitstamp’s case above shows.

My biggest criticism is, however, reserved for the CFTC because, although little can be done about some incompetents putting up a website, the CFTC can, should and must provide an alternative and allow, in my view as a matter of urgency, professional exchanges such as GDAX, Gemini and others to provide margin and futures trading.

Of course, the culprits – the thieves, hackers, scammers and amateurs – hold the repugnant honor of primary blame. Still, the CFTC holds an almost equal share of blame, for it is denying people the right to flock to and trade at professional exchanges that comply with the law, have their USD balances FDIC insured and in some cases even carry insurance against hacks or theft, so that incompetent websites could be ignored and, one hopes, eventually become a thing of the past.

Although we are talking about abstract numbers and entities, with bitcoin, even after almost eight years, still being something very new, every theft has a human tragedy at the other end. Fathers lost all their savings, mothers were left with no retirement, entrepreneurs were sent into bankruptcy and industrious young men were left with nothing. We can, of course, criticize them and repeat that this space remains incredibly high risk, that you might and perhaps will lose everything, but mistakes are made. People naturally dream of a better, richer future, while traders and some entrepreneurs have no choice.

It is crucial, therefore, that my inevitable question of who will next be hacked for millions finds no answer, at least for a decade, but alas, looking around at exchanges – Poloniex, Bitfinex, OKCoin, Huobi and others – and at the lack of professional alternatives, that is, unfortunately, unlikely.