2014 Bitcoin and Altcoin Hacks [Part 6]

This article is part of our complete guide to Bitcoin and altcoin hacks. Here we cover Bitcoin and altcoin security incidents from the year 2014.

MintPal

In July 2014 Mintpal, a popular altcoin exchange at the time, got hacked and over 10,000 BTC worth of VeriCoin was stolen.

Later that year over 3,700 BTC also vanished from MinPal.

In a stunning turn of events, it was discovered that a former security consultant who later purchased MintPal may have been behind it all.

Moolah founder Ryan Kennedy, aka Alex Green, became a suspect of stealing coins, claiming they were hacked and later selling them at LocalBitcoins.com

In another even crazier development, Kennedy was convicted of rape in 2016.

The list of Kennedy’s exploits also includes running off with funds from Dogebot (a Dogecoin robot on Reddit).

Ryan Kennedy is serving an 11 year sentence for 3 counts of rape. He was acquitted in 8 other rape charges.

He’s still being tried for the MintPal hack.

BitPay

A successful phishing attack against BitPay’s CFO Bryan Krohn was the intrusion vector for the BitPay heist.

Over 5000 BTC were stolen from the payment services company after the hacker used social engineering tactics to learn about Khron’s habits and workflow, presumably by reading his email history.

The hacker impersonated an influential client of BitPay to request large sums of Bitcoin in 1000 BTC chunks. 5000 BTC were stolen before the company decided to check with the client if the requests were legit, to which they received a negative reply. But it was too late by then, the funds were already in the hacker’s possession.

BitPay’s troubles were only beginning. The insurer refused to cover the losses, claiming it was BitPay’s negligence that led to the heist. BitPay later sued the insurance company over the ordeal.

Cryptsy

This was perhaps the second highest profile cryptocurrency scandal of 2014.

The Cryptsy heist hit Bitcoin very hard in the same year as the MtGox scandal and was also largely responsible for that year’s bear market.

This is a controversial hack which has many internal details that weren’t fully revealed to the public.

Sometime during 2013 over 13,000 BTC and 300,000 LTC disappeared from Cryptsy. The exchange kept working like nothing had happened until a year later the story of the 2013 hack was revealed.

The story came out because Cryptsy customers sued the company in the USA. Due to the earlier hack, Cryptsy was making it difficult for users to withdraw as to gain enough time to cover the losses. The plan didn’t work out and everything was revealed in 2014.

Later it was discovered that the person behind the 2013 hack was the same guy behind the Lucky7Coin.

Cryptsy’s CEO was later convicted and ordered to pay U$ 8 million in damages.

Poloniex

In March 2014 yet another high profile hack took place.

This time Poloniex, one of the top exchanges at the time, was the target.

The attack was quite clever and resembled the MyBitcoin wallet hack : it exploited the timing of transactions.

As it turns out, if you placed several withdrawal orders at exactly the same time, the system did not synchronize them, attempting to process as many as possible in parallel. A classic blunder in banking systems : before one transaction completes, the balance has been changed by another transaction but, by then, this transaction had already started with a positive balance.

When all the requests were done the balance was negative but it was too late – blockchain transactions are irreversible.

This hack also exploits a very common mismatch between credit cards, checks and cryptocurrencies. The former are reversible, the latter is not. So you can buy cryptocurrency, void the check and run off with the crypto. After the Poloniex withdrawals were processed, there was no way to roll them back on the blockchain, even though it would be possible to revert them within the system.

When the attack was finally identified, Poloniex had lost over 12% of its Bitcoin reserves.

Mt Gox

Magic The Gathering X-change.

That was the initial idea behind the mtgox.com domain name early in 2006, three years before Bitcoin processed its first transaction between Satoshi and Hal Finney.

Jed McCaleb was a RPG gaming enthusiast who bought the domain name in order to promote game item trade. But soon he got interested in Bitcoin and used the domain name for cryptocurrency trade instead.

Five years later, in 2011, McCaleb sold the domain to someone who has now become infamous in the world of cryptocurrencies: Mark Karpeles.

Karpeles was at the right place, at the right time.

During MtGox’s reign as the leading Bitcoin exchange in 2011, BTC went from just under a dollar to over U$ 31 in June of that same year. A spectacular 3100+% run that drew worldwide attention to Bitcoin for the first time. Bitcoin had become a high risk investor’s dream and MtGox was the tool that made most of it happen.

From June 2011 to December, Bitcoin also burst its first bubble. Prices dropped back to U$ 1 just as quickly as they’d multiplied tens of times. It was a crazy year.

In 2013 everything seemed back on track. Bitcoin peaked at U$ 1000 by the end of that year. It was an amazing run, multiplying over 1000x from just over a year earlier. This is when Bitcoin started to become a household name and high risk investors from all over the world jumped aboard.

I began mining at the end of 2013. In early 2014 my house had become a mess of wires and funny expensive heaters hooked up to motherboards everywhere.

This is when trading Bitcoin got on my radar. I opened an account with MtGox and verified my identity using my drivers license. Everything was going great. Unknowing that it wasn’t a good practice, I pointed my miners to the MtGox deposit address. This seemed great, I was buying and selling BTC, riding the wave.

Suddenly withdrawals were frozen. I couldn’t get my Bitcoins out of MtGox. For a few seconds that felt like an eternity, I simply froze.

I knew it was bad.

MtGox had become a blank screen staring back at me. I stared blankly at my miners still pumping BTC over to MtGox. The electricity bill sitting on my desk in front of me, under the computer monitor. Karpeles and his MtGox had destroyed my finances in an instant.

Switching off the mining operation and selling the hardware wasn’t the hardest part.

I’d gotten family members to invest in this with me. I owed each of them a bunch of money. The light bill was astronomical and I was broke. The MtGox coins were gone.

Watching the collapse of Bitcoin price throughout 2014 only made things worse. There was still some Bitcoin in my cold wallet but it was worth a tiny fraction of my debt.

MtGox and Mark Karpeles were responsible for unspeakable pain around the world. Thousands of honest investors had been hoodwinked and were left on their own. No support, no way to get the coins back, just a blank page.

But, in the end, investing in MtGox was entirely my fault for not performing due diligence. I learned the hard way that when you don’t hold the private keys, then you don’t own the coins. That’s the most important law of crypto.

MtGox had been hacked twice already in years before. I didn’t care to do any research, in fact I only found out about the earlier hacks much later.

Mark Karpeles had very limited security and computer programming knowledge and he made that public. It should’ve been a major red flag before investing in his platform.

His own accounts were hacked and internal MtGox accounting infos leaked online.

The MtGox source code that was leaked as a disaster. Users immediately found tens of bugs upon first sight.

The warning signs were everywhere but unfortunately many miners, investors and cryptocurrency enthusiasts like myself did not heed them.

It’s important to mention that, unlike the 2010 hack, the MtGox heist was completely unrelated to Bitcoin. It was due to bad implementation, bad security or perhaps a dose of foul play.

Links

Remembering the Mintpal Hack – October 2014 $3.500.000 Loss in Crypto Assets

Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack

Cryptsy Threatens Bankruptcy, Claims Millions Lost in Bitcoin Heist

A 1,000 BTC Bounty Is the Perfect End to a Strange Week in Bitcoin

Vanished Cryptsy CEO ‘Big Vern’ Ordered to Pay $8M in Class Action Lawsuit

The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster

Bitcoin’s Price Plummets As Mt. Gox Goes Dark, With Massive Hack Rumored

Poloniex Loses 12.3% of its Bitcoins in Latest Bitcoin Exchange Hack

Yet another exchange hacked: Poloniex loses around $50,000 in bitcoin

Return to the main article: The complete guide to Bitcoin and altcoin hacks

Comments

Meta