White Hat Hacker Returns Missing Bitcoins to Blockchain.info

On December 8, Blockchain.info—a Bitcoin web wallet provider and block explorer—announced that they’d misfired a software update. The faulty update resulted in insecure private key generation for “less than 0.0002%” of their users for a few hours, and about 250 bitcoins were consequently reported stolen.
On December 8, Blockchain.info—a Bitcoin web wallet provider and block explorer—announced that they’d misfired a software update. The faulty update resulted in insecure private key generation for “less than 0.0002%” of their users for a few hours, and about 250 bitcoins were consequently reported stolen.

On December 8, Blockchain.info—a Bitcoin web wallet provider and block explorer—announced that they’d misfired a software update. The faulty update resulted in insecure private key generation for “less than 0.0002%” of their users for a few hours, and about 250 bitcoins were consequently reported stolen.

An anonymous white hat (meaning well-intentioned) hacker going by “johoe” noticed the security problem and began sweeping coins from vulnerable addresses. Two days later on December 10, the white hat hacker emailed Blockchain.info and offered to return the 255 bitcoins to them, worth about US$90,000 at time of writing.

Johoe apparently uses a Trezor hardware wallet to secure his bitcoins, and sent this picture in his email to Blockchain.info to demonstrate the transaction he was about to send:

Refunds Were Already Promised

Blockchain.info was already offering to reimburse the affected users before johoe’s act of honesty, but now they won’t have to—as they say—“eat it” on this one.

Users who believe their bitcoins were taken during the breach are instructed to send an email to [email protected] to start the refund process. Additionally, if you opened a new Blockchain.info wallet or generated a new address with them between the hours of 12:00am and 2:30am GMT on December 8, you should start a new wallet and transfer your bitcoins to it.

Amid Other Slipups

The security breach came during an already rocky time for Blockchain.info (Bc.i). Within the weeks leading up to it, two different reports of systemic problems with the wallet were reported in the Bitcoin subreddit.

First, a redditor reported that Bc.i’s application programming interface (API) is flawed for services that allow zero-confirmation transactions (like casinos or mixing services). The redditor showed that Bc.i provided a faulty validation, which lead to a mistaken double-spend.

A week later, another user generated a new address, but the Bc.i software did not save the private keys for it. The user sent 15 bitcoins to the address, but because the private keys had not “synced” with Bc.i’s servers, the user has lost them forever.

Blockchain.info logo

Blockchain.info Stepping Up Security in Response

Blockchain.info has responded to both of the reports listed above (tipping the first user US$5 in BTC via ChangeTip), and says that they plan to implement several security upgrades, including two-factor authentication from unrecognized browsers, SSL and HSTS redirect issues, Tor vulnerabilities, API fixes, and more.

The (Unrelated) Reasons I No Longer Use Blockchain.info

The reasons I don’t use a Blockchain.info wallet anymore are simple: it’s because (1) they don’t support hierarchical deterministic addresses (though said they plan to in the future), and (2) they don’t automatically generate new change addresses for Bitcoin hygiene.

Hierarchical deterministic (BIP32) wallets are those which can generate an infinite number of public addresses from a single private key. This means you only need to make one backup, and your bitcoins are backed up forever. But because Bc.i doesn’t support this, every time you generate a new address, you have to back up all over again with new data.

For someone who uses Bitcoin as often as I do, that’s a lot of time wasted making new backups and manually generating new change addresses.

A Respectable Track Record Nonetheless

Though it has been a bad couple of weeks in public relations, the following statement by Bc.i’s main developer (included with the security update announcement) is quite true:

“Tens of thousands of users login everyday without issue and do tens of thousands of transactions - the issues you see from users on reddit are a tiny minority. We track trends in customer operations closely on our support desk and over the last year have made improvements across common issues.”

If you’re thinking of switching wallets anyway, there are many other tested options. As a general rule, large amounts of Bitcoin should be kept in what’s called “cold storage,” which is like a savings account. Web wallets like Blockchain.info should only hold the kind of cash you’d keep in your back pocket for spending.


Did you enjoy this article? You may also be interested in reading these ones: