Bitcoin thieves have struck again, working like bandits in the middle of the night.
Three prominent people in the community, including Gavin Andresen, Bitcoin's lead developer, announced yesterday that they had lost a significant sum of the cryptocurrency in attacks aimed at the virtual private server hosting company Linode. While Andresen lost only 5 Bitcoins, the two others are reporting losses that add up to over 46,000 Bitcoins, which means that somewhere, someone is sitting on roughly $200,000 worth of stolen Bitcoins at today's price.
Linode is a service that lets customers set up and run virtual machines on remote servers. Andresen was using Linode to operate his "Bitcoin Faucet", a website that doles out small amounts of new coins to users as a way to stimulate interest in the currency. Marek Palatinus was using Linode to run a mining pool, in which participants communally mint new Bitcoins. Zhou Tong was using Linode to operate a Bitcoin trading site called Bitcoinica. Each kept a wallet with enough Bitcoins on the server's file system to cover day-to-day transactions.
The thief, it seems, was able to obtain customer support privileges, which let him find out which customers were holding Bitcoin wallets. He was then able to get into those accounts through a weakness in the Linode Manager, the web interface customers use to configure their virtual machines, reboot the machines and change their root passwords. Whoever controls the hosting provider's console controls everything on the guest's disk, so with root on each box the wallet file was there for the taking: copy it off, sign transactions with its keys, and run.
Linode has acknowledged the breach and confirmed that, in all, 8 customer accounts were broken into. However, it has not yet said what it is willing to do about it. Palatinus and Tong seem hopeful that the company will admit fault and reimburse them for the lost funds. For now, they are covering the losses themselves so that their own customers are made whole.
Interestingly, the price of Bitcoin, which usually tumbles on this sort of news, has stayed right around $4.60 all day. In fact, that is where it has been for over a month now, with occasional spikes above $5. While the hack is clearly the latest setback for Bitcoin, the mellow reaction from the market could indicate that the currency is becoming more resilient as businesses prove their willingness to absorb losses.
And there is no doubt that people get smarter with each attack. Andresen has taken the Bitcoin Faucet down while he creates a new wallet and decides whether to keep doing business with Linode. He has also responded by proposing multisignature transactions: coins would be locked so that spending them requires signatures from two private keys, which can be kept on separate machines and monitored independently. An attacker who roots one host, as happened here, would walk away with one key and nothing he could spend with it. Here's what he has to say about it.
For now, the victims are in triage mode. Bitcoinica is asking customers not to send funds to any of its old deposit addresses. And anyone who wants to donate to the Bitcoin Faucet should hold off until Andresen has set up a new wallet.