Major Attack on the World's Largest Bitcoin Exchange

Today, the largest Bitcoin exchange, MtGox, with daily volume peaks of 1M+ USD, was victim of an attack that crashed the market down to 0.01 USD/BTC for a brief period of time; and the list of MtGox account password hashes was leaked. Bitcoin (BTC) is the first digital currency designed to be fully decentralized, meaning there is no trusted third-party, no company, no central bank authorizing, validating, and keeping track of transactions, yet Bitcoin is secure through clever use of well-known cryptographic primitives. It is important to understand that today's attack exposed flaws in a particular exchange, not in Bitcoin itself.

It all really started on Friday, June 17, 2011 when a dubious but plausible message was posted to pastebin, offering the MtGox "database" for sale, signed ~cRazIeStinGeR~ (auto36299386@hushmail.com).

On Saturday, June 18, the owner of MtGox, Mark "MagicalTux" Karpelès, reported an increase of theft cases. Some pointed out the pastebin message as a possible connection.

On Sunday, June 19, 17:15:36 UTC, suspicious trading activity suddenly started on MtGox. At this exact second, a person placed one or more orders to sell hundreds of thousands of Bitcoins, causing its exchange rate to crash from 17 USD down to 0.01 USD. It took half an hour for the trading platform to execute the order(s). The MtGox site was very unresponsive during this time. Whoever did that ended up trading the digital currency for a total of more than 1.5M USD (the volume for the day, after the sell-off, was 1.8M USD). Then, further trades occurred, either from confused MtGox users or from this same person. The largest trade seen, for 261383.7630 BTC, was executed at 0.01 USD at 17:51:16.

Around 18:00 UTC, the now thin MtGox market saw the exchange rate swiftly oscillate between $1 and $20. It is possible that this person re-bought large amounts of Bitcoins. During the same time, other Bitcoin exchanges experienced severe volatility.

A few minutes later, at 18:17 UTC, a very large transaction of 432109.87654321 BTC 432077.76654321 BTC was recorded in the public Bitcoin block chain (not an MtGox trade!). This BTC represents 6.6% of the amount currently in circulation (about 6.5M). At first, it was unclear who initiated this transaction. If it had been the person who sold and possibly re-bought Bitcoins, then transferring them out of MtGox to his private Bitcoin wallet, it would have made these coins unrecoverable and the largest Bitcoin heist ever. Fortunately, I received personal confirmation from Mark Karpelès himself that it was just MtGox transferring the coins to another wallet, as a security precaution. Also, Adam Barr, an MtGox employee, confirmed the purpose of this transfer in a live video broadcasting at OnlyOneTV.

At 18:18 UTC, Mark Karpelès, living in Japan, was woken up and showed up on the IRC channel #bitcoin-otc, evidently surprised by the massive sell-off. After a quick investigation, he determined an attacker used a stolen MtGox account with a lot of Bitcoins in it, sold them, and caused the crash. Mark Karpelès announced the attacker was stopped and that he would roll back all these trades. He shut the MtGox site down, and posted a message explaining so.

Around 19:15 UTC, another event shed more light on the amplitude of the attack: someone, presumably the attacker, posted on the Bitcoin forums a complete list of MtGox user names, email addresses, and password hashes: MtGOX Account Database LEAKED (this thread has since been blocked, but the list has been re-leaked and posted in other threads, on Rapidshare, etc). The list contains 61016 accounts. Most of the passwords are hashed with Unix MD5-based crypt(), except 1765 of them which are plain MD5 hashes (unsalted, non-iterated).

Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing when googling for them. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox (since he knew about the hashes beforey they were publicly released).

Unfortunately, many of the hashes are weak and were brute-forced easily according to these same websites. Some users discovering the leak have run password brute-forcers themselves against the hash list and easily broke hundreds of them. Contrary to previous claims from the MtGox owner, this indicates that many accounts had been compromised for at least days, if not weeks, before today's attack.

In the next hour or two, other Bitcoin exchanges chose to voluntarily temporarily shut down as a security precaution, as many users re-use the same passwords across different trading sites. Britcoin is one of them and happens to be hosted on the same server infrastructure as MtGox, and claimed that a SQL injection was used to attack MtGox. Currently their homepage shows:

"Due to the recent events at MTGox.com, we at Britcoin have decided to move our servers to a new location. MTGox suffered an SQL injection which means access to the site's funds were in the hands of the malicious hacker. As such, until we see evidence to the contrary, for security reasons we are assuming that MTGox has none of it's [sic] client's bitcoins. For this reason, we have withdrawn their access to our servers and the sensitive information on those servers.

While our servers were separate, we were purchasing server space from MagicalTux, the owner/operator of MTGox. We have already moved all our customer bitcoins to a wallet which has newly been created and has the highest measure of security possible. The GBP deposits of course are still safe in our business bank account as well."

(MtGox later denied that SQL injection was the specific attack vector. See below.)

Around 21:00 UTC, MtGox started emailing their users to disclose the attack, and to recommend users who used the same password for MtGox and their email service to change it. (Personally, even though I confirmed the validity of my password hash in the leaked list, I would normally see no need to change it since it is unique and very strong: 15 random printable ASCII characters would take 2**47 centuries to brute-force at 1 Mpassword/sec. Note to self: add support for Unix MD5-based crypt() hashes to whitepixel :-) ). However, if one assumes the worst, that the attacker had infiltrated MtGox for some time and has been logging all password authentication attempts, then passwords should be changed anyway.

At 21:10 UTC, Jed McCaleb, the previous owner of the exchange, helping Mark Karpelès investigate the attack, announced that only a small fraction of Bitcoins were stolen. MtGox later confirmed that only 2000 BTC were stolen (valued $30k at the time).

Around 22:00 UTC: the only positive news amongst all this is that Mike Hearn, a prominent Bitcoin community member, and employee of Google, in the abuse/anti-hijack team, proactively forced a password change on all the Gmail accounts that were found in the leaked MtGox account list, again because some users use the same password for MtGox and Gmail.

June 20, 02:06 UTC: MtGox denies Britcoin's claim that the site was compromised by a SQL injection: "It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked."

06:30 UTC: MtGox announces that they are quickly working on immediately replacing MD5-based crypt() hashes with SHA-512-based crypt() for extra precaution, and are going to implement password-protected withdrawals. The site is planning to re-open on June 21, 02:00 UTC.

June 21, 04:35 UTC: Evidence is building up that there were, in fact, SQL injection vulnerabilities on mtgox.com. MtGox has not commented on this.

05:00 UTC: Mark Karpelès posts yet another update saying "we are still working to get the claim site up". Before re-opening MtGox, he wants to ensure that the process to claim ownership of one's account is secure, despite the password hashes having been leaked.

15:55 UTC: MtGox announces that "you can now file requests to recover your Mt.Gox account" through the special claim.mtgox.com website. A claim request consists of submitting the account name, email address, the old password, a new password; then verifying the email address; and optionally submitting more evidence such as the last known MtGox balance of the account, the Liberty Reserve account typically used for withdrawals, copy of a government ID, etc. Claim requests appear are verified manually by MtGox staff.

June 23, 06:50 UTC: the large transfer of 432k BTC mentioned above has a main input address associated with exactly 432109.87654321 BTC (output of another transaction made on June 12) which was noted to have a peculiar mathematical property (it reads from right to left: one, two, three, ..., nine, wraps to zero, one, two, three, four). This has led to speculation that it was a stunt by an attacker wanting to draw attention to the fact that he truly had manual control of this amount (presumably stolen from MtGox). In order to dispel this speculation, Mark Karpelès made another notable transfer of 424242.42424242 BTC, taking most of its inputs from the original 432k BTC, and announced it on the #bitcoin-otc IRC channel.

June 26, 17:16 UTC: after multiple broken promises of re-opening earlier in the week, MtGox finally re-opens for trading exactly 1 week after having been shut down. The fraudulent trades have indeed been rolled back. The first one is executed at at 17:16 at 17.51001 USD/BTC. In the next few hours, the exchange rate stabilized at around 16.50 USD. No panic selling. However I noticed that my open orders that were executed during the MtGox sell-off have not been reinstated. I recommend MtGox users to check their order book.

What to think about this whole saga?

The Bitcoin community users were able to brute-force (as of June 20, 06:00 UTC) about 900 of the password hashes out of the 61016 leaked MtGox accounts. Assuming the attacker was also able to brute-force about the same amount, it is possible to imagine that this number of accounts happened to collectively hold the hundreds of thousands of Bitcoins that were used in this massive sell-off.

But it is unclear what exactly the attacker had in mind exactly when selling off. Did he think he would then be able to withdraw the USD? Did he not know that Mtgox implements daily USD withdrawal limits (by default $1000 per day per account)? Did he have sufficiently compromised MtGox that he would be able to bypass these limits? Perhaps he was trying to bypass the daily BTC withdrawal limit, which is also the equivalent of $1000 per day per account (computed using the current exchange rate; selling off is one way to bring it closer to zero and artificially inflate the withdrawal limit).

Or perhaps, as it is sometimes the case, the attacker's purpose was simply to cause mayhem for fun (think a script kiddie doing random things). Not all attackers are like the well-prepared robbers in Ocean's 11, with a precise plan of action. This is probably the simplest explanation.

Useful links:

mrb Sunday 19 June 2011 at 6:12 pm | | Default

fourteen comments

I Wonder

Hi,
beside the database hack and theft, i wonder why a “small” Sell Order can bring the whole rate down. Ever saw some Bank Sell EUR/USD and bring it down from 1.4250 to 0.0200? MtGox has to revisit their priceformula too.

I Wonder, - 19-06-’11 20:03
mrb

It was possible to bring it from $17 to $0.01 because the market was not very deep. By comparison, forex markets trade billions of EUR or USD daily, making them much more stable.

mrb, - 19-06-’11 20:09
xlp

Re: the 432kBTC transaction, Adam indicated on the OnlyOne interview that it was a precautionary Mt Gox internal backup.

xlp, - 19-06-’11 20:15
Bitcoiner

Good timeline – just a quick fix, there are only about 6.3 million bitcoins generated to date. 21 is the final limit, which will be reached in a few decades.

Another thing to note that I find interesting is that Mt.Gox has a transfer limit of $1000 per day. As far as anyone knows, that $1000 is also in effect for BTC. If BTC was at $20 and you tried to transfer out 51, you would not be allowed to. But it is unlikely MagicalTux had the foresight to implement this as a moving average. When the price crashed down to $0.01, any user would have been able to move 100,000BTC at a time. This may make Mt.Gox’s rollback very, very difficult and could mean lost money for many users, as Mt.Gox may simply not have the coins needed to do a real rollback.

Bitcoiner, - 19-06-’11 20:19
I Wonder

Yup, Forex is much bigger. But still, a 2%-of-all-avail-coins trade is bringing the price down to nothing? Also the sharp uptrend, after Bitcoin was in the media worldwide, was unreal. Their Formula sucks. Pricechange should be something like: currentrate-(currentrate/coinsavail*ordervolume). So only someone selling the whole 6.5mil coins can bring the market down to 0.00$.

I Wonder, - 19-06-’11 20:22
mrb

432k BTC represents 2 percent of 21M coins, 6.6 percent of the coins currently in circulation (6.5M), but was 100% of the market depth on MtGox. The price did not crash to 0.01 USD on other exchanges.

Also, on the traditional forex markets, a single person is not in control of most of the money, and is not stupid enough to sell everything down to zero.

This attack emphasizes the need for more than 1 dominant Bitcoin exchange.

mrb, - 19-06-’11 20:31
I Wonder

Also, imagine this scenario: U want to buy a PC at a store at 9am. Price 85bitcoins (1btc=17$). Two hours later someone sold 60,000btc at a market, rate is dropping. And now the PC in the store costs 400btc? If Bitcoins wants to become a real currency the market must be stable!

I Wonder, - 19-06-’11 20:35
Mike

There is no “formula”. It’s all bids and asks.

Mike, - 20-06-’11 02:10
oldsock

Please note: The new salted hashes were created upon logging in with that account. These accounts with plain md5 hashes thus would have a salted hash, if the attacker logged in these details or the owner to check/verify his lost bitcoins.

That means the accounts with a plain MD5 hash there have not been robbed in the last days/weeks.

You have to take a snapshot of the accounts before the data was leaked (nobody knows when that was right now, sadly.) and count the plain-md5 hashed passwords and compare it to the number of currently plain-md5 hashes passwords.

If mtgox is true about their salting-upon-login claim, then this differencein the numbers would be a hint at the maximum possible broken accounts.

The claim that the few hunderts of unsalted accounts in the files were all possibly compromised is then wrong.

oldsock

oldsock, - 20-06-’11 05:08
Z.

Another thing that is pretty unsafe is re-authenticating accounts by sending mails with a new password. That might work for a dating site but isn’t at all safe enough for a financial service, even if eBay and Amazon do the same crap.

I’d like it much more if account re-authentication would be done using a GnuPG signature for a public key which initially has to be deposited at the site. That makes it also possible to use existing SmartCard infrastructures for GnuPG, thus enabling much safer two-factor authentification. Too complex? You need that anyway when you send payment adresses; Email isn’t going to warrant integrity of your payment address and the next wave of fraud will be forgery of Bitcoin addresses.

It would also be more than helpful to use something like an mTAN scheme, requiring transactions confirmed by a number sent to a mobile phone. The owner of Bitcoin faucet managed to set that up, why not Mt Gox? Please! Not that such is unbreakable but it is orders of magnitude safer than simple password authentication.

I believe that the people running Mt Gox have best intentions and feel friendly for them, but I am actually embarassed to use a site with such poor security. Ultimately, trust is believing in a combination of good intentions and competence. I wouldn’t ask the Dalai Lama for a liver transplant, I’d trust rather some bad-assed surgeon with sardonic laugther.

Z., - 20-06-’11 13:47
EB

**********************************************
Nobody noticed the amount of the Very Large Transaction: 432109.87654321 ?
Strange number, isn’t it?
I really do not buy this explanation then: “ it was just MtGox transferring the coins to another wallet, as a security precaution.”
How come. They would have had this exact amount of money??? **********************************************

EB, - 22-06-’11 14:27
mrb

I did notice the fractional part was counting from one to eight (right to left), but I did not notice that the integer part was also continuing the count…

It does not mean the sender had this exact amount of coins. Mark Karpeles probably wanted to transfer about 400k-500k BTC, and chose this amount as a simple mathematical peculiarity for fun.

Though, I do wonder why he would do this “for fun”, in time of such a crisis…

mrb, - 22-06-’11 19:49
mrb

As published in my update of June 23, 06:50 UTC, that 432109.87654321 BTC txfer was actually made on June 12, days before the June 19 flash crash.

And MtGox just demonstrated they controle these ~430k BTC with a 424242.42424242 BTC txfer.

mrb, - 23-06-’11 03:11
coinsigner

beside the database hack and theft, i wonder why a “small” Sell Order can bring the whole rate down.It was possible to bring it from $17 to $0.01 because the market was not very deep. http://www.coinsigner.com

coinsigner, (URL) - 22-06-’13 21:02
(optional field)
(optional field)
Remember personal info?
Small print: All html tags except <b> and <i> will be removed from your comment. You can make links by just typing the url or mail-address.