Thieves Covering Tracks Following $100M Bitcoin Heist

More than 96,000 Bitcoins disappeared from the Sheep Marketplace over the weekend, a heist topping $105 million.

UPDATE: As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace.

Bicoin’s value has surged in recent weeks, peaking at an astonishing $1,203 per coin last week before dropping back nearly $200 in value over the weekend. The Bitcoin exchange rate is climbing again and currently rests at $1,102 per coin, meaning that the value of the heist is currently $105,792,000.

To put that in a historical perspective – as far as popular heists go – the New York Times estimated in 2008 that cross-dressing thieves made off with roughly $105 million in the famous robbery of the Harry Winston jewelry store in Paris. According to a Wired article from 2009, Leonardo Notarbartolo made off with $100 million worth of loose diamonds, jewelry, and gold after robbing the Antwerp Diamond Center in Antwerp, Belgian in the early 2000s.

Certain reports without sources claim that the attackers managed to spoof user-interfaces so that member-accounts seemed to contain their correct balances. While it is not clear at the moment if this is true, user-interface spoofing is a common tactic among online bank account theft.

According to Tom Gorup, a security operation center (SOC) analyst at Rook Consulting, there are a number of factors that may have helped the attackers cover their tracks during and immediately following the attack.

For one, based on a description of the attack from the forum Bitcointalk.org, Gorup said it’s likely that the attackers hijacked the Sheep Marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. Thus, the attackers could have displayed whichever content they liked to anyone attempting to access their account. Gorup said it’s probable that the thieves are operating a botnet, because as the robbery was ongoing, the service was experiencing a distributed denial of service attack. The DDoS attack would have the effect of knocking the Sheep Marketplace offline, making it impossible for the users to access and monitor their accounts.

Gorup told Threatpost that the most challenging aspect of the attack would have been finding an exploitable vulnerability in the vendor’s software. Once the attacker gained proper privileges via exploit, the process of actually stealing the Bitcoins, he said, is trivial.

Once an attacker has the money in hand, so to speak, another challenge presents itself: how do you use it without all your victims realizing? It would seem simple enough, given that Bitcoin is pseudo-anonymous, but, like all functional currencies, Bitcoin cannot be truly anonymous because there must be safeguards against double-spending.

This is where Bitcoin’s public ledger, the BlockChain comes into play. Every public transaction is recorded on the BlockChain. Therefore, the instant someone tries move a massive some of money, like 96,000 Bitcoins, from one wallet to another, the BlockChain will make record of that movement. More so, each Bitcoin is uniquely identifiable, creating another avenue for tracking the stolen digital crypto-currency.

It’s well known that Bitcoins are widely used to launder traditional currencies, but there are, of course, services for “cleaning” stolen Bitcoins as well. These services are called “tumblers.” Essentially, tumblers, like any money laundering service, take stolen Bitcoins or fractions of Bitcoins and re-distribute them with completely different fractions of completely different Bitcoins. Gorup notes that one downfall to tumbler services, from a criminal’s standpoint, is that many tumblers are replacing stolen Bitcoins with other stolen Bitcoins.

Both Gorup and a Reddit-thread dedicated to tracking the thief or thieves responsible for the theft indicate that it is still possible – albeit difficult – to use the BlockChain to track money going through tumblers.

Gorup noted that the vast scope of this theft is going to make it considerably more difficult for the attackers to tumble their newly acquired Bitcoins. However, he believes their botnet – if they do indeed have one – could make the process slightly easier.

“It can be safe to say that the attacker could have created a number of wallets distributed throughout his/her botnet in preparation for this attack and automated the exchange to distribute throughout these wallets,” Gorup told Threatpost. “Then potentially, if they felt it wasn’t clean enough already, utilize multiple tumbler services to further clean these coins. It would be complicated, but with proper preparation, like any decent attacker should do, this is probably close to how it was done.”

Initially, a New Statesman report indicates that the Sheep Marketplace’s administrators believed that an error by a third party vendor had caused a much smaller sum of money to go missing. It quickly became apparent that the amount lost was far greater.

Gorup claims that the drop in Bitcoin value over the weekend is not related to the theft:

“I think the drop wasn’t due to theft as the Sheep Marketplace theft took place five days prior to Bitcoins reaching an all-time high. I think it was a natural drop after a huge peak, just as this happens time to time in the stock exchange when everyone wants to capitalize on their investment. I wouldn’t be surprised to see one or two more surges like this before Bitcoin settles to a normal rate like any other traded material like gold or silver.”

Straight-up Bitcoin theft along with infections from Bitcoin mining malware and Bitcoin stealing malware are becoming daily occurrences. Recently published research suggested there are frailties within the underpinnings of the Bitcoin economy itself. Trouble isn’t likely to abate any time soon for digital crypto-currency, given that it is completely unregulated. That reality presents a number of very real problems, not the least of which is, how do you recover stolen coins? Users certainly won’t be repaid in civil or criminal suits. Not yet at least.

*A previous version of this story referred to the Sheep Marketplace as a Bitcoin exchange. A Bitcoin exchange is a place where Bitcoin holders can exchange their Bitcoins for traditional currency. Sheep Marketplace is an underground marketplace located within the Tor Hidden Services that caters to the sale of drugs, weapons, and other illicit goods.

Suggested articles