
The Next Bitcoin Heist is Unstoppable

How a currency built around security still manages to get stolen

Though it existed mostly as a curiosity for the first few years of its life, bitcoin is real money. You can use it to buy plane tickets online, coffee in Berlin or a sandwich in San Francisco. And like all money, it can be stolen. As the currency becomes increasingly legitimate, with usage growing around the world and a move toward normalization within the European legal system, the value of one bitcoin has risen in recent months to $408.09 (as of this writing). That is good news for those holding bitcoins, but it also makes them more of a target for theft.

The two main selling points of the Bitcoin system (often spelled capital-B Bitcoin to distinguish it from ‘bitcoin’ the currency) are privacy and security. Users are identified only by pseudonymous addresses rather than by name, and the cryptography behind the system is reckoned to be unbreakable. Such technological resilience explains, in part, why one bitcoin is still worth so much. But users have collectively lost hundreds of millions of real, irrecoverable dollars’ worth of bitcoin to thieves and hackers who heisted bitcoins from poorly secured third-party apps and crooked exchanges like Mt.Gox. Such services offered all the security of a bank vault with the doors left wide open.

Bitcoin uses public-key cryptography: each user holds a matched pair of keys, two strings of characters so long that they are basically impossible to remember. One is public, and is better thought of as a lock than a key; the other is private and must be kept secret. A Bitcoin address is derived from the public key (it is a hash of it), and you can publish it freely, much as you would the email address on your PayPal account. The private key is what signs transactions: it is the only thing that authorizes moving funds out of an address, and a signature made with it can be checked by anyone holding the public key but forged by no one who lacks the private one. If you lose the private key, the money is gone for good. There is no customer support line to reset it, and the public key cannot be turned back into the private one.
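As an added illustration of the lock-and-key relationship described above (this is example code written for this page, not code from the article or from the Bitcoin project), here is a minimal pure-Python implementation of the curve Bitcoin actually uses, secp256k1, with ECDSA key generation, signing and verification. The curve arithmetic is textbook affine math written for readability, not constant-time, and the nonce derivation is a simplified HMAC stand-in for RFC 6979 (an assumption of this example); the sample "transaction" bytes are constructed. Address derivation (hashing the public key and Base58Check or bech32 encoding it) is left out to keep the block short.

```python
"""Added example: secp256k1 keypair, ECDSA sign and verify.
Not production code: affine arithmetic, not constant-time, simplified
nonce derivation (not RFC 6979). Use libsecp256k1 for anything real."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses): y^2 = x^3 + 7 over GF(P)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, point):
    """Double-and-add: k * point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def keygen(priv=None):
    """Private key: integer in [1, N-1]. Public key: priv * G.
    pub from priv is one scalar multiplication; priv from pub is the
    discrete-log problem, which is why a lost private key is unrecoverable."""
    if priv is None:
        priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mul(priv, G)


def msg_hash(msg: bytes) -> int:
    """Bitcoin hashes signed transaction data with double SHA-256."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(priv, msg: bytes):
    """ECDSA signature (r, s). Nonce k is derived from priv and the hash
    (simplified stand-in for RFC 6979, an assumption of this example).
    A reused or leaked k reveals priv, so it must never repeat."""
    z = msg_hash(msg)
    k = int.from_bytes(
        hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big"
    ) % (N - 1) + 1
    r = scalar_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:                                    # low-s form, as Bitcoin nodes require
        s = N - s
    return r, s


def verify(pub, msg: bytes, sig) -> bool:
    """Anyone holding the public key (the 'lock') can check a signature,
    but cannot produce one."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = msg_hash(msg)
    w = pow(s, -1, N)
    point = point_add(scalar_mul(z * w % N, G), scalar_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def demo():
    """Constructed walk-through: the holder of priv can spend, nobody else can."""
    priv, pub = keygen()
    tx = b"constructed sample: send 1 BTC from my address to the coffee shop"
    sig = sign(priv, tx)
    assert verify(pub, tx, sig)                       # owner's signature checks out
    _, thief_pub = keygen()
    assert not verify(thief_pub, tx, sig)             # a different keypair does not
    assert not verify(pub, b"send 100 BTC to attacker", sig)  # altered tx fails
    return True


if __name__ == "__main__":
    print("ok" if demo() else "fail")
```

The thing to notice is which half of the pair each operation needs: `keygen` and `verify` only ever use the public point, while `sign` is the sole consumer of `priv`. An exchange that keeps customers' `priv` values on an internet-facing server has, in effect, put every customer's signing capability in one place.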

Sites like Mt.Gox (originally a trading site for Magic cards, hence the name: Magic: The Gathering Online Exchange) held so-called “hot wallets”: wallets whose private keys sit on internet-connected servers, ready to transact at any moment, and held by the exchange rather than the customer. The appeal was convenience. Mt.Gox users could move money in and out of Bitcoin instantly without pausing for verification. But there was little oversight at Mt.Gox (or, at various points, at Bitcoinica, MyBitcoin, or Silk Road) to make sure that those private keys were kept out of the hands of grifters, thieves or idiots.

The pseudonymity of Bitcoin makes this kind of theft smooth, quick and irreversible: the transfers themselves are visible on the public ledger, but the addresses receiving them need not be tied to any identity, and no one can reverse a confirmed transaction. Some thieves used password-cracking tools. Others simply filmed people doing Bitcoin transactions on their laptops at cafes. One clever hacker stole $20 in bitcoin from Bloomberg’s Matt Miller when Miller held up a QR code encoding his private key on live television; anyone who could read the code could spend the funds. In June of 2011, everyone from private citizens to Mt.Gox was a target of theft. Mt.Gox lost about $8.75 million that time. Just three years later, Bitcoin users fell victim to another heist, orders of magnitude larger.

Perhaps the most audacious heist was pulled off by the FBI itself. When the Feds raided The Silk Road (Amazon for assassins and heroin, more or less) and shut it down in October 2013, “The government [made] sure they got the private keys before they shut the systems down,” says Nathaniel Popper, author of Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money.

To do so, the FBI operated much like a thief would: it seized the Silk Road account records in order to obtain the private keys controlling the site’s bitcoins. To these, the feds added the coins seized from Silk Road founder Ross Ulbricht, for a total of about 145,000 bitcoins, worth a staggering $16 million at 2013’s inflated prices. The FBI moved all this wealth to addresses under its own control, with its own private keys. And then came something very strange: the government liquidated the whole hoard in a series of auctions netting tens of millions.

Turns out, this was great news for people who want Bitcoin to be treated as legitimate by the government. “If the government has sold bitcoins, it certainly can’t crack down on someone else for selling them, and means the government recognizes that this is a legitimate thing of value that you can hold,” Popper says. After all, the government won’t auction off heroin it seizes; auctions are reserved for items of value that are legal to own. “It was actually a big boost to confidence,” adds Popper. It made people feel that bitcoins would be worth something, assuming holders could keep them from being stolen.

After the final Mt.Gox collapse, Bitcoin trader Kolin Burgess summed up a lot of Bitcoin enthusiasts’ feelings about the currency’s safety. “I may have lost all of my money,” he told the Christian Science Monitor. “It hasn’t shaken my trust in Bitcoin, but it has shaken my trust in Bitcoin exchanges.” The protocol hasn’t been broken; the systems built around it have been, again and again. And until more secure systems for storing and moving the cryptocurrency are developed, including better methods for protecting users against corrupt or careless third parties who hold their keys, all the cryptographic genius in the world won’t stop the next heist.