A bitcoin address containing ~18,866 bitcoins may hold the stolen bitcoins from the Bitstamp hack on January 4th. Bitstamp confirmed last night that "we have reason to believe that one of Bitstamp’s operational wallets was compromised on January 4th, 2015." According to data maintained by Bitstamp…
Bitstamp has repeatedly reminded its users, who are currently locked out of the site, and that already deposited bitcoins “are stored in a cold wallet and can not be affected.” In Bitstamp’s service suspension notice, they also stated:
As a security precaution against compromises Bitstamp only maintains a small fraction of customer bitcoins in online system. Bitstamp maintains more than enough offline reserves to cover the compromised bitcoins.
Dogecoin Creator Jackson Palmer has previously suggested an explanation for the Bitstamp hack that seems increasingly probable. Palmer speculated:
Deposit addresses were being used by a not truly random number generator (RNG). Ie. Someone realizes a pattern, is able to do an R value attack like Blockchain.info was hit with.
In the scenario described, a hacker would be generating Bitcoin private keys and loading them into his or her own client and essentially sending from Bitstamp’s hot wallet to his or her own address. Using a weak random number generator in the generation of a Bitcoin public/private key pair is a result of bad security practices, and not a flaw of the Bitcoin protocol. If this is what happened in the Bitstamp hack, then no databases or sensitive information was directly siphoned from Bitstamp servers. Thousands of verified Bitstamp users and their passports scans, bank information, personal information are likely safe, even if 12% of their bitcoins may be missing.
Many users have come forward to confirm that the addresses funding the Bitstamp Hack address were previous Bitstamp deposit addresses that they had been using. The movements from the Bitstamp hot wallet during the alleged timeframe of the hack are notably different than what is believed to be standard Bitstamp sweeping procedures. Starting in the early morning of the 4th of January, Bitstamp hot wallets started sending bitcoins to 1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf with abnormally large fees, up to one whole bitcoin. This activity is consistent with the RNG attack vector. Under the suggested scenario, as the hacker was sending bitcoins away from Bitstamp, Bitstamp still had control of the same private keys; thus, the hacker had to attach abnormally high fees to discourage Bitstamp from attempting to recover the in-the-process-of-being-stolen funds by intentionally trying to doublespend with an even higher fee. As the hacker realized that Bitstamp wasn’t going to retaliate in such a way, the fees dropped to ~0.01 BTC, enough to ensure that most mining pools include your transaction.
Bitcoin blockchain detectives have followed Bitstamp’s proven bitcoin reserves from May of 2014, when the Bitcoin exchange proved their reserves to Bitcoin developer Mike Hearn by signing a send-to-self transaction. Observers are able to verify with relative certainty that this address is Bitstamp’s cold wallet. After the hack around 10pm CET, you can observe Bitstamp sweeping, presumably from their other hot wallets, to their cold storage in a meticulous manner. Pretty integer amounts of bitcoin are sent to the cold storage address, and the change is aggregated and sent again to the cold storage address. The Bitstamp sweeping routine is consistent with blockchain activity observed over the years of Bitstamp’s existence. The transactions relating to the Bitstamp hack, with their abnormally high fees, are clear indication of a non-Bitstamp party being in control of previously secure private keys.
If this address contains all of Bitstamp’s bitcoins, and this address contains all of the bitcoins stolen in the Bitstamp hack, then Bitstamp has lost 12% of all of their bitcoins. Many users have wondered why 12% of Bitstamp’s bitcoins were in their hot wallet; for comparison, Coinbase claims to keep 87% of their funds cold and 13% hot. Bitstamp, as a large Bitcoin exchange, might see more movement than Coinbase. Bitstamp also needed more bitcoins on hand due to the Bitcoin price movements from the weekend. It is even likely that the hacker has been waiting for such a frenzy to launch his or her attack to achieve maximum efficacy.
Images from Shutterstock.
Last modified: January 25, 2020 10:08 PM UTC