For those of you who read my blog regularly, it will not be news that I am not a huge fan of Bitcoin. There have been numerous bitcoin exchange hacks and now we have another, different attack.
A Reddit user reported losing 13 Bitcoin – at current value about $35,000 or so – due to an interesting attack.
The user wanted to send the $35k in Bitcoin to a friend; the friend sent him his Bitcoin wallet address and the user copied and pasted that address into the Bitcoin exchange window. Since Bitcoin wallet addresses look something like this
no one is going to type it in. In fact, the opportunity for error by typing it in is likely greater than the risk of pasting it in.
The user looked at the transaction and submitted it. Then he called his friend to confirm that he received the $35k. Nope. Didn’t. No money. The user tried to figure out the address that he sent it to but, for whatever reason, could not.
Here is what happened.
His computer was infected with some malware. Very simple malware. For the most part it does absolutely nothing and the code could morph every day to avoid detection. All it does is watch the clipboard and when it sees a Bitcoin address, it replaces it with its own.
If the user isn’t paying a lot of attention, that goes unnoticed and the attack is successful.
When people checked the blockchain, they found the transaction, including the address that it went to. (Contrary to some popular myths, Bitcoin transactions are not invisible; in fact, part of the power of the Bitcoin blockchain is that it is very visible.) That address had 30 transactions, so, depending on the size of the transaction, whoever owns that wallet could be pretty rich.
The so-called anonymous part of Bitcoin is that you may or may not be able to figure out who actually owns that wallet.
In the United States, at least in some states, Bitcoin exchanges are required to get ID before opening an account, but that only works so well and exchanges outside the U.S. may not require any ID at all.
One challenge about Bitcoin transactions is that they are not reversible. What is done, is done.
It is possible, depending on the circumstances, that the police may be able to figure out who the hacker is and they may or may not be able to arrest him or her and they may or may not be able to extradite him or her and they may or may not be able to bring them to trial and they may or may not get a conviction and at that point, they may or may not be able to get the user’s money back.
As you might suspect, the cops are reluctant to spend all the resources required given so many “may not”s.
Likely this guy learned an expensive lesson.
Verify the address on the screen after the paste.
At least for this attack, the swapping of the wallet address would have been visually obvious if you took the time to compare the wallet addresses in the email and in the browser.
As long as Bitcoin exchanges have limited regulations and licensing and no laws requiring the exchanges to give people back their money, it is kind of the wild west.
In this case, the exchange did EXACTLY what the user asked it to do, so it is not even clear that any law would protect him.
And if you could reverse Bitcoin transactions at will, well, then, you have fundamentally altered what Bitcoin is all about. The whole idea is that transactions are final.
Smart people learn from OTHER people’s mistakes. The rest of us learn from our own mistakes. I would prefer to be in the first group.
Information for this post came from Crypto Coins News.