Today, the largest Bitcoin exchange, MtGox, with daily volume peaks of 1M+ USD, was the victim of an attack that crashed the market down to 0.01 USD/BTC for a brief period of time; and the list of MtGox account password hashes was leaked. Bitcoin (BTC) is the first digital currency designed to be fully decentralized, meaning there is no trusted third party, no company, no central bank authorizing, validating, and keeping track of transactions, yet Bitcoin is secure through clever use of well-known cryptographic primitives. It is important to understand that today's attack exposed flaws in a particular exchange, not in Bitcoin itself.
It all really started on Friday, June 17, 2011 when a dubious but plausible message was posted to pastebin, offering the MtGox "database" for sale, signed ~cRazIeStinGeR~ (email@example.com).
On Saturday, June 18, the owner of MtGox, Mark "MagicalTux" Karpelès, reported an increase of theft cases. Some pointed out the pastebin message as a possible connection.
On Sunday, June 19, 17:15:36 UTC, suspicious trading activity suddenly started on MtGox. At this exact second, a person placed one or more orders to sell hundreds of thousands of Bitcoins, causing its exchange rate to crash from 17 USD down to 0.01 USD. It took half an hour for the trading platform to execute the order(s). The MtGox site was very unresponsive during this time. Whoever did that ended up trading the digital currency for a total of more than 1.5M USD (the volume for the day, after the sell-off, was 1.8M USD). Then, further trades occurred, either from confused MtGox users or from this same person. The largest trade seen, for 261383.7630 BTC, was executed at 0.01 USD at 17:51:16.
Around 18:00 UTC, the now thin MtGox market saw the exchange rate swiftly oscillate between $1 and $20. It is possible that this person re-bought large amounts of Bitcoins. During the same time, other Bitcoin exchanges experienced severe volatility.
A few minutes later, at 18:17 UTC, a very large transaction of 432077.76654321 BTC was recorded in the public Bitcoin block chain (not an MtGox trade!). This amount represents 6.6% of the Bitcoins currently in circulation (about 6.5M).
At first, it was unclear who initiated this transaction. If it had been the person who sold and possibly re-bought Bitcoins, then transferring them out of MtGox to his private Bitcoin wallet, it would have made these coins unrecoverable and the largest Bitcoin heist ever. Fortunately, I received personal confirmation from Mark Karpelès himself that it was just MtGox transferring the coins to another wallet, as a security precaution. Also, Adam Barr, an MtGox employee, confirmed the purpose of this transfer in a live video broadcast.
At 18:18 UTC, Mark Karpelès, living in Japan, was woken up and showed up on the IRC channel #bitcoin-otc, evidently surprised by the massive sell-off. After a quick investigation, he determined an attacker used a stolen MtGox account with a lot of Bitcoins in it, sold them, and caused the crash. Mark Karpelès announced the attacker was stopped and that he would roll back all these trades. He shut the MtGox site down, and posted a message explaining so.
Around 19:15 UTC, another event shed more light on the amplitude of the attack: someone, presumably the attacker, posted on the Bitcoin forums a complete list of MtGox user names, email addresses, and password hashes: MtGOX Account Database LEAKED (this thread has since been blocked, but the list has been re-leaked and posted in other threads, on Rapidshare, etc). The list contains 61016 accounts. Most of the passwords are hashed with Unix MD5-based crypt(), except 1765 of them which are plain MD5 hashes (unsalted, non-iterated).
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing when googling for them. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox (since he knew about the hashes before they were publicly released).
Unfortunately, many of the hashes are weak and were brute-forced easily according to these same websites. Some users discovering the leak have run password brute-forcers themselves against the hash list and easily broke hundreds of them. Contrary to previous claims from the MtGox owner, this indicates that many accounts had been compromised for at least days, if not weeks, before today's attack.
In the next hour or two, other Bitcoin exchanges chose to shut down voluntarily, as a temporary security precaution, since many users re-use the same passwords across different trading sites. Britcoin is one of them; it happens to be hosted on the same server infrastructure as MtGox, and claimed that a SQL injection was used to attack MtGox. Currently their homepage shows:
"Due to the recent events at MTGox.com, we at Britcoin have decided to move our servers to a new location. MTGox suffered an SQL injection which means access to the site's funds were in the hands of the malicious hacker. As such, until we see evidence to the contrary, for security reasons we are assuming that MTGox has none of it's [sic] client's bitcoins. For this reason, we have withdrawn their access to our servers and the sensitive information on those servers.
While our servers were separate, we were purchasing server space from MagicalTux, the owner/operator of MTGox. We have already moved all our customer bitcoins to a wallet which has newly been created and has the highest measure of security possible. The GBP deposits of course are still safe in our business bank account as well."
(MtGox later denied that SQL injection was the specific attack vector. See below.)
Around 21:00 UTC, MtGox started emailing their users to disclose the attack, and to recommend users who used the same password for MtGox and their email service to change it. (Personally, even though I confirmed the validity of my password hash in the leaked list, I would normally see no need to change it since it is unique and very strong: 15 random printable ASCII characters would take 2**47 centuries to brute-force at 1 Mpassword/sec. Note to self: add support for Unix MD5-based crypt() hashes to whitepixel :-) ). However, if one assumes the worst, that the attacker had infiltrated MtGox for some time and has been logging all password authentication attempts, then passwords should be changed anyway.
At 21:10 UTC, Jed McCaleb, the previous owner of the exchange, helping Mark Karpelès investigate the attack, announced that only a small fraction of Bitcoins were stolen. MtGox later confirmed that only 2000 BTC were stolen (valued $30k at the time).
Around 22:00 UTC: the only positive news amongst all this is that Mike Hearn, a prominent Bitcoin community member, and employee of Google, in the abuse/anti-hijack team, proactively forced a password change on all the Gmail accounts that were found in the leaked MtGox account list, again because some users use the same password for MtGox and Gmail.
June 20, 02:06 UTC: MtGox denies Britcoin's claim that the site was compromised by a SQL injection: "It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked."
06:30 UTC: MtGox announces that they are quickly working on immediately replacing MD5-based crypt() hashes with SHA-512-based crypt() for extra precaution, and are going to implement password-protected withdrawals. The site is planning to re-open on June 21, 02:00 UTC.
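As an added example (not the post's own code), the Python below audits a leaked-style "user:hash" dump the way the post reads the MtGox list: it classifies each entry by scheme (MD5-based crypt(), SHA-512-based crypt(), or plain unsalted MD5), flags the unsalted entries that are exposed without any cracking (identical hashes across accounts, hits in a public digest table), and reproduces the 2**47-centuries brute-force estimate from above. The dump, the crypt() strings and the lookup table are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed "user:hash" dump in the shape of the leaked list; the crypt()
# strings are format samples only, the bare hex values are real MD5 digests.
SAMPLE_DUMP = "\n".join([
    "alice:$1$k4Zp2xQw$9mN3vL7bT1cR8sF0dH2jE/",            # MD5-crypt, salted
    "bob:5f4dcc3b5aa765d61d8327deb882cf99",                 # plain MD5 of "password"
    "carol:5f4dcc3b5aa765d61d8327deb882cf99",               # same password => same hash
    "dave:$1$Qx8Lm2Zp$aB3cD4eF5gH6iJ7kL8mN9o.",             # MD5-crypt, different salt
    "erin:$6$rounds=5000$Zt5Wq1Pm$Hy7Tq2Wx9Kd4Lm1Pn6Rs3Vb",  # SHA-512-crypt (shape only)
])

# Tiny stand-in for the public digest tables the post describes googling.
COMMON_DIGESTS = {hashlib.md5(p.encode()).hexdigest(): p
                  for p in ["password", "123456", "bitcoin"]}

def classify(h):
    """Name the hashing scheme from the crypt() prefix or the bare hex form."""
    if h.startswith("$1$"):
        return "md5-crypt"
    if h.startswith("$6$"):
        return "sha512-crypt"
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "plain-md5"
    return "unknown"

def audit(dump):
    """Count schemes and flag unsalted entries: shared digests (same password
    on several accounts is visible without cracking) and lookup-table hits."""
    counts, plain, hits = Counter(), Counter(), {}
    for line in dump.splitlines():
        user, _, h = line.partition(":")
        scheme = classify(h)
        counts[scheme] += 1
        if scheme == "plain-md5":
            plain[h] += 1
            if h in COMMON_DIGESTS:
                hits[user] = COMMON_DIGESTS[h]
    shared = {h: n for h, n in plain.items() if n > 1}
    return counts, shared, hits

def brute_force_centuries(length, alphabet=95, rate=1e6):
    """Time to exhaust random passwords of `length` symbols drawn from an
    `alphabet` (95 printable ASCII) at `rate` guesses/second, in centuries."""
    return alphabet ** length / rate / (100 * 365.25 * 86400)

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
    print("log2(centuries) for 15 chars:", round(math.log2(brute_force_centuries(15))))
```

Salted crypt() entries cannot be grouped or looked up this way, which is the practical difference between the 1765 plain MD5 hashes and the rest of the list.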
June 21, 04:35 UTC: Evidence is building up that there were, in fact, SQL injection vulnerabilities on mtgox.com. MtGox has not commented on this.
05:00 UTC: Mark Karpelès posts yet another update saying "we are still working to get the claim site up". Before re-opening MtGox, he wants to ensure that the process to claim ownership of one's account is secure, despite the password hashes having been leaked.
15:55 UTC: MtGox announces that "you can now file requests to recover your Mt.Gox account" through the special claim.mtgox.com website. A claim request consists of submitting the account name, email address, the old password, and a new password; then verifying the email address; and optionally submitting more evidence such as the last known MtGox balance of the account, the Liberty Reserve account typically used for withdrawals, a copy of a government ID, etc. Claim requests appear to be verified manually by MtGox staff.
June 23, 06:50 UTC: the large transfer of 432k BTC mentioned above has a main input address associated with exactly 432109.87654321 BTC (output of another transaction made on June 12) which was noted to have a peculiar mathematical property (it reads from right to left: one, two, three, ..., nine, wraps to zero, one, two, three, four). This has led to speculation that it was a stunt by an attacker wanting to draw attention to the fact that he truly had manual control of this amount (presumably stolen from MtGox). In order to dispel this speculation, Mark Karpelès made another notable transfer of 424242.42424242 BTC, taking most of its inputs from the original 432k BTC, and announced it on the #bitcoin-otc IRC channel.
June 26, 17:16 UTC: after multiple broken promises of re-opening earlier in the week, MtGox finally re-opens for trading exactly 1 week after having been shut down. The fraudulent trades have indeed been rolled back. The first one is executed at 17:16 at 17.51001 USD/BTC. In the next few hours, the exchange rate stabilized at around 16.50 USD. No panic selling. However, I noticed that my open orders that were executed during the MtGox sell-off have not been reinstated. I recommend that MtGox users check their order book.
What to think about this whole saga?
The Bitcoin community users were able to brute-force (as of June 20, 06:00 UTC) about 900 of the password hashes out of the 61016 leaked MtGox accounts. Assuming the attacker was also able to brute-force about the same amount, it is possible to imagine that this number of accounts happened to collectively hold the hundreds of thousands of Bitcoins that were used in this massive sell-off.
But it is unclear what exactly the attacker had in mind when selling off. Did he think he would then be able to withdraw the USD? Did he not know that MtGox implements daily USD withdrawal limits (by default $1000 per day per account)? Had he compromised MtGox deeply enough to be able to bypass these limits? Perhaps he was trying to bypass the daily BTC withdrawal limit, which is also the equivalent of $1000 per day per account (computed using the current exchange rate; selling off is one way to bring it closer to zero and artificially inflate the withdrawal limit).
Or perhaps, as is sometimes the case, the attacker's purpose was simply to cause mayhem for fun (think of a script kiddie doing random things). Not all attackers are like the well-prepared robbers in Ocean's 11, with a precise plan of action. This is probably the simplest explanation.