Just over eight years ago, MyBitcoin, a popular Bitcoin purchasing platform and web wallet, was hacked for millions of dollars’ worth of Bitcoin – almost £2 billion worth by today’s valuation. We look back at the case and see what happened and what lessons have been learnt.
The “Unfortunate Incident”
In 2011, MyBitcoin was one of the most popular Bitcoin wallets around, with huge numbers of first-time buyers purchasing and holding their tokens through the platform due to its simplicity, which back in 2011 was a huge bonus. The April-July bull market had grabbed the attention of the mainstream media and propelled the price from $1.25 to $15.40, making it a top target for scammers and hackers. At the end of July, MyBitcoin suddenly went offline, resurfacing after a week with a message posted on the site to say that due to “an unfortunate incident” the platform would have to be shut down after someone had breached the shopping cart interface and made off with “a large amount of Bitcoin”.
Later posts revealed how the team had “screwed up”, blaming the loss on “human error combined with a misunderstanding of how Bitcoin secures transactions into the next block.” They also revealed how they “got shitfaced for many days” as a way of trying to deal with the loss as the community tried to work out what exactly had happened.
Hack or Inside Job?
The first theory that sprang up in the days between the site going offline and the announcement of the loss was that MyBitcoin had been an exit scam from the start. Proponents of this idea pointed to the fact that Bruce Wagner, early cryptocurrency evangelist and the largest holder of BTC on the platform to the tune of ₿25,000, had started urging people off the platform due to growing reports of individuals losing BTC, so the runners of the operation exit scammed before he could move his off too. This theory dissipated as the team started to communicate about the hack, and a group of amateur Bitcoin sleuths calling themselves the ‘Bitcoin police’ began to do some digging instead. They found links to at least a trio of Canada-based hackers, one of which was alleged to have been Tom Williams, ‘operator’ of MyBitcoin and author of the announcement post. The team denied any involvement in the hack, and no credible evidence has linked them to it, although they remain the chief culprits. It was soon revealed that the mechanics of the hack revolved MyBitcoin’s 1-block confirmation time – a single block transaction can be tricked by an individual creating a bad transaction and confirming it themselves, tricking the system into thinking a legitimate transaction had taken place, allowing them to siphon away coins at will. This explains the small losses suffered by individuals followed by either larger ones or one huge one.
What Have We Learnt?
Thankfully, MyBitcoin kept around half its deposits in cold storage, which shows some level of forethought, meaning that victims were able to claim back 49% of their lost tokens. For people like Wagner however, this still meant the loss of ₿12,500 – worth in the region of $150 million today. No one has even been conclusively identified as the hacker or hackers, and the case remains another example of unsolved Bitcoin theft. The MyBitcoin hack remains one of the largest crypto crimes in terms of a contemporary valuation, with the stolen coins worth some $1.8 billion today. It also serves as a lesson against storing your coins on third party wallets, especially web wallets, and that, even eight years later, nothing is 100$ secure.