White Hat Hacker Returns Missing Bitcoins to Blockchain.info

Published at: Dec. 11, 2014

On December 8, Blockchain.info—a Bitcoin web wallet provider and block explorer—announced that they’d misfired a software update. The faulty update resulted in insecure private key generation for “less than 0.0002%” of their users for a few hours, and about 250 bitcoins were consequently reported stolen.

An anonymous white hat (meaning well-intentioned) hacker going by “johoe” noticed the security problem and began sweeping coins from vulnerable addresses. Two days later on December 10, the white hat hacker emailed Blockchain.info and offered to return the 255 bitcoins to them, worth about US$90,000 at time of writing.

Johoe apparently uses a Trezor hardware wallet to secure his bitcoins, and sent this picture in his email to Blockchain.info to demonstrate the transaction he was about to send:

Refunds Were Already Promised

Blockchain.info was already offering to reimburse the affected users before johoe’s act of honesty, but now they won’t have to—as they say—“eat it” on this one.

Users who believe their bitcoins were taken during the breach are instructed to send an email to [email protected] to start the refund process. Additionally, if you opened a new Blockchain.info wallet or generated a new address with them between the hours of 12:00am and 2:30am GMT on December 8, you should start a new wallet and transfer your bitcoins to it.

Amid Other Slipups

The security breach came during an already rocky time for Blockchain.info (Bc.i). In the weeks leading up to it, two different reports of systemic problems with the wallet appeared in the Bitcoin subreddit.

First, a redditor reported that Bc.i’s application programming interface (API) is flawed for services that allow zero-confirmation transactions (like casinos or mixing services). The redditor showed that Bc.i provided a faulty validation, which led to a mistaken double-spend.

A week later, another user generated a new address, but the Bc.i software did not save the private keys for it. The user sent 15 bitcoins to the address, but because the private keys had not “synced” with Bc.i’s servers, the user has lost them forever.

Blockchain.info Stepping Up Security in Response

Blockchain.info has responded to both of the reports listed above (tipping the first user US$5 in BTC via ChangeTip), and says that they plan to implement several security upgrades, including two-factor authentication from unrecognized browsers, fixes for SSL and HSTS redirect issues and for Tor vulnerabilities, API fixes, and more.

The (Unrelated) Reasons I No Longer Use Blockchain.info

The reasons I don’t use a Blockchain.info wallet anymore are simple: (1) they don’t support hierarchical deterministic addresses (though they said they plan to in the future), and (2) they don’t automatically generate new change addresses for Bitcoin hygiene.

Hierarchical deterministic (BIP32) wallets can generate a practically unlimited number of public addresses from a single master private key. This means you only need to make one backup, and your bitcoins are backed up forever. But because Bc.i doesn’t support this, every time you generate a new address, you have to back up all over again with new data.

For someone who uses Bitcoin as often as I do, that’s a lot of time wasted making new backups and manually generating new change addresses.

A Respectable Track Record Nonetheless

Though it has been a bad couple of weeks in public relations, the following statement by Bc.i’s main developer (included with the security update announcement) is quite true:

“Tens of thousands of users log in every day without issue and do tens of thousands of transactions - the issues you see from users on reddit are a tiny minority. We track trends in customer operations closely on our support desk and over the last year have made improvements across common issues.”

If you’re thinking of switching wallets anyway, there are many other tested options. As a general rule, large amounts of Bitcoin should be kept in what’s called “cold storage,” which is like a savings account. Web wallets like Blockchain.info should only hold the kind of cash you’d keep in your back pocket for spending.
