George Clooney roils the Bitcoin market | FT Alphaville

George Clooney roils the Bitcoin market

Alright, alright — someone calling themselves George Clooney appears to have roiled the Bitcoin market.

Bitcoin — the virtual currency — has had a tough time of it lately. Having recently gained some mainstream prominence and become the world’s fastest appreciating currency, Bitcoin has also had to contend with political scrutiny, a Black Friday and now — a hacker-induced flash crash, of sorts.

You can see the crash in the below chart, via the Daily Tech:

It happened over the weekend when one of the most prominent Bitcoin exchanges — and one of the few to convert bitcoins into US dollars — came under cyber fire. The attack on the MT.Gox exchange sent the virtual currency plunging from about $17.50 in worth to just pennies in a few hours, with an estimated $40m worth of bitcoins and more than 60,000 (MD5-encrypted) accounts involved.

Zorinaq has a fantastic blow-by-blow account of the weekend’s events:

On Saturday, June 18, the owner of MtGox, Mark “MagicalTux” Karpeles, reported an increase of theft cases. Some pointed out the pastebin message as a possible connection.

On Sunday, June 19, 17:15:36 UTC, suspicious trading activity suddenly started on MtGox. At this exact second, a person placed one or more orders to sell hundreds of thousands of Bitcoins, causing its exchange rate to crash from 17 USD down to 0.01 USD. It took half an hour for the trading platform to execute the order(s). The MtGox site was very unresponsive during this time. Whoever did that ended up trading the digital currency for a total of more than 1.5M USD (the volume for the day, after the sell-off, was 1.8M USD). Then, further trades occurred, either from confused MtGox users or from this same person. The largest trade seen, for 261383.7630 BTC, was executed at 0.01 USD at 17:51:16.

Around 18:00 UTC, the now thin MtGox market saw the exchange rate swiftly oscillate between $1 and $20. It is possible that this person re-bought large amounts of Bitcoins. During the same time, other Bitcoin exchanges experienced severe volatility.

A few minutes later, at 18:17 UTC, a very large transaction of 432109.87654321 BTC was recorded in the public Bitcoin block chain (not an MtGox trade!). This represents 6.6% of the amount currently in circulation (about 6.5M), and 2% of the total theoretical amount of Bitcoins that will ever exist once they will have been mined (exactly 21M). At first it was unclear who initiated this transaction. If it had been the person who sold and possibly re-bought Bitcoins, then transferring them out of MtGox to his private Bitcoin wallet, it would have made these coins unrecoverable and the largest Bitcoin heist ever. Fortunately I received personal confirmation from Mark Karpeles himself that it was just MtGox transferring the coins to another wallet, as a security precaution. An MtGox employee known as “Adam” also confirmed the purpose of this transfer in a live video broadcasting at OnlyOneTV.

At 18:18 UTC, the owner of MtGox, Mark “MagicalTux” Karpeles, living in Japan, was woken up and showed up on the IRC channel #bitcoin-otc, evidently surprised by the massive sell-off. After a quick investigation, he determined an attacker used a stolen MtGox account with a lot of Bitcoins in it, sold them, and caused the crash. Mark Karpeles announced the attacker was stopped and that he would roll back all these trades. He shut the MtGox site down, and posted a message explaining so.

Around 19:15 UTC, another event shed more light on the amplitude of the attack: someone, presumably the attacker, posted on the Bitcoin forums a complete list of MtGox user names, email addresses, and password hashes: MtGOX Account Database LEAKED (this thread has since been blocked, but the list has been re-leaked and posted in other threads, on Rapidshare, etc). The list contains 61016 accounts. Most of the passwords are hashed with Unix MD5-based crypt(), except 1765 of them which are plain MD5 hashes (unsalted, non-iterated).

Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing when googling for them. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox (since he knew about the hashes beforey they were publicly released).

Unfortunately, many of the hashes are weak and were brute-forced easily according to these same websites. Some users discovering the leak have run password brute-forcers themselves against the hash list and easily broke hundreds of them. Contrary to previous claims from the MtGox owner, this indicates that many accounts had been compromised for at least days, if not weeks, before today’s attack.

Indeed. And unfortunately the data involved — accounts, e-mails and encrypted passwords — are still widely available (and indeed, have been offered up to FT Alphaville). Mt.Gox, meanwhile, has somewhat controversially agreed to roll back all of the weekend’s Bitcoin trades to $17.50.

As of pixel time this Tuesday morning, it has yet to to get its site back up.

The identity of the hacker, meanwhile, is unknown. Mt.Gox still says it wasn’t actually the exchange that was compromised. The database, they say, came from a Hong Kong-based IP address, possibly belonging to one of the exchange’s auditors whose own computer system was attacked.

As for the hacker’s motives (stealing bitcoins and driving down their value to oblivion hardly seems a worthwhile strategy for your average thief) they too remain a mystery. Some bitcoin participants figure the hacker may have been trying to bypass the daily withdrawal limit put into place by Mt.Gox ($1000 per day, per account) by driving the exchange rate of the virtual currency as far down as possible.

Meanwhile, of course, bitcoin nay-sayers cite the incident as evidence of Bitcoin’s limited future.

Bitcoin proponents, meanwhile, say it just highlights the need for regulated exchanges.

(Even if it means — shock, horror — some government involvement.)

Related links:
Bitcoin hack attack discussion thread – Via Y combinator
An insecure economy built on a super secure currency – MIT Technology Review
The Bitcoiners strike back – John Carney
Virtual money, from real central bank mistrust – FT Alphaville