Thousands of Bitcoins stolen in a hack on Linode

Bitcoiners wake up to find $200,000 gone in an overnight heist.


Bitcoin thieves have struck again, working like bandits in the middle of the night.

Three prominent people in the community, including Gavin Andresen, Bitcoin's lead programmer, announced yesterday that they had lost a significant sum of the cryptocurrency in attacks aimed at the virtual private server hosting company, Linode. While Andresen only lost 5 Bitcoins, the two others are reporting losses that add up to over 46,000 Bitcoins, which means that somewhere, someone is sitting on $200,000 worth of stolen Bitcoins.

Linode is a service that allows customers to set up and run virtual machines on remote servers. Andresen was using Linode to operate his "Bitcoin Faucet"—a website that doles out small amounts of new coins to users as a way to stimulate interest in the currency. Marek Palatinus was using Linode to communally mint new Bitcoins in a mining pool. Zhou Tong was using Linode to operate a Bitcoin trading site called Bitcoinica. Each also had enough Bitcoins stored on the file system to facilitate daily transactions.

The thief, it seems, was able to obtain customer support privileges which allowed him to find out which customers were holding Bitcoin wallets. The thief was then able to log in to the accounts through a weakness in the Linode manager—which customers use to configure their virtual machines—reboot the machines and change the root passwords. After that, it's take the money and run.

Linode has acknowledged the breach and confirmed that, in all, 8 customer accounts were broken into. However, they have not yet explained what they're willing to do about it. Palatinus and Tong seem hopeful that the company will admit fault and reimburse them for the lost funds. But for now, they are nobly swallowing the losses for their own customers.

Interestingly, the price of Bitcoin, which usually tumbles on this sort of news, has stayed right around $4.6 all day. In fact, that's where it's been for over a month now, with occasional spikes up over $5. While the hack is clearly the latest setback for Bitcoin, the mellow reaction from the market could indicate that the currency is becoming more resilient as businesses prove their willingness to absorb losses.

And there's no doubt that people get smarter with each attack. Andresen has taken down the Bitcoin Faucet while he creates a new wallet and tries to decide whether to keep doing business with Linode. But he has also responded by proposing a system for a multisignature transaction. This would assign two private keys to a wallet, which could then be separated and monitored individually—a capability that could beef up security for some operations. Here's what he has to say about it.

For now, the victims are in triage mode. Bitcoinica is requesting that customers do not use any old deposit addresses. And anyone who wants to donate to the Bitcoin Faucet should hold off until Andresen has set up a new wallet.
