UPDATE: As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace.

Bicoin’s value has surged in recent weeks, peaking at an astonishing $1,203 per coin last week before dropping back nearly $200 in value over the weekend. The Bitcoin exchange rate is climbing again and currently rests at $1,102 per coin, meaning that the value of the heist is currently $105,792,000.

To put that in a historical perspective – as far as popular heists go – the New York Times estimated in 2008 that cross-dressing thieves made off with roughly $105 million in the famous robbery of the Harry Winston jewelry store in Paris. According to a Wired article from 2009, Leonardo Notarbartolo made off with $100 million worth of loose diamonds, jewelry, and gold after robbing the Antwerp Diamond Center in Antwerp, Belgian in the early 2000s.

Certain reports without sources claim that the attackers managed to spoof user-interfaces so that member-accounts seemed to contain their correct balances. While it is not clear at the moment if this is true, user-interface spoofing is a common tactic among online bank account theft.

According to Tom Gorup, a security operation center (SOC) analyst at Rook Consulting, there are a number of factors that may have helped the attackers cover their tracks during and immediately following the attack.

For one, based on a description of the attack from the forum Bitcointalk.org, Gorup said it’s likely that the attackers hijacked the Sheep Marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. Thus, the attackers could have displayed whichever content they liked to anyone attempting to access their account. Gorup said it’s probable that the thieves are operating a botnet, because as the robbery was ongoing, the service was experiencing a distributed denial of service attack. The DDoS attack would have the effect of knocking the Sheep Marketplace offline, making it impossible for the users to access and monitor their accounts.

Gorup told Threatpost that the most challenging aspect of the attack would have been finding an exploitable vulnerability in the vendor’s software. Once the attacker gained proper privileges via exploit, the process of actually stealing the Bitcoins, he said, is trivial.

Once an attacker has the money in hand, so to speak, another challenge presents itself: how do you use it without all your victims realizing? It would seem simple enough, given that Bitcoin is pseudo-anonymous, but, like all functional currencies, Bitcoin cannot be truly anonymous because there must be safeguards against double-spending.

This is where Bitcoin’s public ledger, the BlockChain comes into play. Every public transaction is recorded on the BlockChain. Therefore, the instant someone tries move a massive some of money, like 96,000 Bitcoins, from one wallet to another, the BlockChain will make record of that movement. More so, each Bitcoin is uniquely identifiable, creating another avenue for tracking the stolen digital crypto-currency.

It’s well known that Bitcoins are widely used to launder traditional currencies, but there are, of course, services for “cleaning” stolen Bitcoins as well. These services are called “tumblers.” Essentially, tumblers, like any money laundering service, take stolen Bitcoins or fractions of Bitcoins and re-distribute them with completely different fractions of completely different Bitcoins. Gorup notes that one downfall to tumbler services, from a criminal’s standpoint, is that many tumblers are replacing stolen Bitcoins with other stolen Bitcoins.

Both Gorup and a Reddit-thread dedicated to tracking the thief or thieves responsible for the theft indicate that it is still possible – albeit difficult – to use the BlockChain to track money going through tumblers.

Gorup noted that the vast scope of this theft is going to make it considerably more difficult for the attackers to tumble their newly acquired Bitcoins. However, he believes their botnet – if they do indeed have one – could make the process slightly easier.

“It can be safe to say that the attacker could have created a number of wallets distributed throughout his/her botnet in preparation for this attack and automated the exchange to distribute throughout these wallets,” Gorup told Threatpost. “Then potentially, if they felt it wasn’t clean enough already, utilize multiple tumbler services to further clean these coins. It would be complicated, but with proper preparation, like any decent attacker should do, this is probably close to how it was done.”

Initially, a New Statesman report indicates that the Sheep Marketplace’s administrators believed that an error by a third party vendor had caused a much smaller sum of money to go missing. It quickly became apparent that the amount lost was far greater.

Gorup claims that the drop in Bitcoin value over the weekend is not related to the theft:

“I think the drop wasn’t due to theft as the Sheep Marketplace theft took place five days prior to Bitcoins reaching an all-time high. I think it was a natural drop after a huge peak, just as this happens time to time in the stock exchange when everyone wants to capitalize on their investment. I wouldn’t be surprised to see one or two more surges like this before Bitcoin settles to a normal rate like any other traded material like gold or silver.”

Straight-up Bitcoin theft along with infections from Bitcoin mining malware and Bitcoin stealing malware are becoming daily occurrences. Recently published research suggested there are frailties within the underpinnings of the Bitcoin economy itself. Trouble isn’t likely to abate any time soon for digital crypto-currency, given that it is completely unregulated. That reality presents a number of very real problems, not the least of which is, how do you recover stolen coins? Users certainly won’t be repaid in civil or criminal suits. Not yet at least.

*A previous version of this story referred to the Sheep Marketplace as a Bitcoin exchange. A Bitcoin exchange is a place where Bitcoin holders can exchange their Bitcoins for traditional currency. Sheep Marketplace is an underground marketplace located within the Tor Hidden Services that caters to the sale of drugs, weapons, and other illicit goods.

Categories: Web Security

Comments (4)

  1. Anonymous
    3

    …massive *sum* of money…

    Bitcoins are not uniquely identifiable. The system is all about amounts and transactions. A (specific and ever decreasing) number of coins are assigned to an address when they are mined. After this they only appear as amounts transferred to other addresses.

    Reply
  2. Amadou
    4

    I doubt anyone would use their time to read this but if anyone is, thank you. The point of this post is to ask for bitcoin donations. I had 10 btc a year back when one only cost $13 & now i’m sitting here regretting the fact that i no longer have any idea where they are. Spent most of them back then on the “deepweb”, which i ended up being scammed. If anyone is selfless enough to donate as small as a btc or less i’d really appreciate it. Currently trying to make a couple btc’s in hope to buy a Bitcoin Miner, unlike most people nowadays, i’m really mining for the fun of it and spreading the word about bitcoin. I love seeing high number of hashing ( Ghash/s ) hence i need a mining device. Please help, & we will keep on spreading the excitement of bitcoin ! And trade without the pain of banking fees.

    Btc Address – 1kymLZJQFrsPwx9g5cnhQujzGE2c4jqSR

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>