OzCoin, one of the larger Bitcoin mining pools, has reported that an unknown attacker managed to break into their server, defacing their website and database and stealing 923 BTC ($135,000) from their Bitcoin wallet. However, in less than a day over half of the money was seized as it passed through the web wallet StrongCoin, and promptly returned to OzCoin. 354.06 BTC are still missing, and will likely never be found, but this nevertheless leaves OzCoin with a much softer blow than anyone expected.
It should be noted that the other major hybrid web wallet provider, Blockchain.info, has taken steps to protect their users against such an attack. Their web wallet is also offered in the form of a Chrome and Firefox extension, which is essentially equivalent to any other piece of desktop software with the sole difference being that it relies on the user’s browser to interpret its source code. Safari users also have a Wallet Verifier plugin, although its scope is much weaker.
The other issue is privacy. Explaining how they discovered that the thief was using their service, StrongCoin wrote that “Every time you make a payment from StrongCoin the fee goes to 1STRonGxnFTeJiA7pgyneKknR29AwBM77 so any payments from strongcoin held accounts are easily traced back to the site.” Presumably, bitcoins from the theft were traced through the blockchain until one of the transactions made its way to StrongCoin, at which point a direct link was established between a StrongCoin account and the thief. This marks the first time that a significant amount of money has been successfully recovered with the help of blockchain analysis. Although blockchain analyses by various researchers have been able to draw intricate graphs mapping Bitcoin transactions to a few high-profile users, until now the public transaction log in the Bitcoin blockchain had not been used to track down or stop a single large-scale theft, casting doubt on claims that Bitcoin is not anonymous. This incident does not imply that Bitcoin now has no privacy at all: StrongCoin’s counter-hack was only possible because the transaction came very soon after the original theft and the thief had not yet made any serious attempt at obfuscation, and StrongCoin’s wallet in particular is weak in terms of privacy because all transaction fees are sent to one particular address (1STRonGxnFTeJiA7pgyneKknR29AwBM77). However, it is still a worthy incident to point to when confronted with concerns that Bitcoin facilitates untraceable theft.
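The tracing described above, as an added example that is not from the article or from StrongCoin: a minimal taint tracer that walks a constructed transaction graph forward from the theft address and reports the first transaction that pays a known service address. The transaction ids and every address except the quoted StrongCoin fee address are constructed placeholders.

```python
"""Added example: forward taint tracing over a tiny, constructed Bitcoin-style
transaction graph. It shows why a fixed fee address links a spender to the
service, and why the link only appears while the thief has not obfuscated."""
from collections import deque

# The fee address quoted in the article; every StrongCoin payment pays it.
STRONGCOIN_FEE_ADDR = "1STRonGxnFTeJiA7pgyneKknR29AwBM77"

# Constructed sample graph: txid -> (input addresses, [(output address, BTC)]).
# A real tracer would pull this from a node or block explorer.
TXS = {
    "tx_theft": (["ozcoin_hot_wallet"], [("thief_a", 923.0)]),
    "tx_split": (["thief_a"], [("thief_b", 500.0), ("thief_c", 423.0)]),
    "tx_spend": (["thief_b"], [("merchant_x", 499.5),
                               (STRONGCOIN_FEE_ADDR, 0.0005),
                               ("thief_b_change", 0.4995)]),
    "tx_unrelated": (["alice"], [("bob", 1.0), (STRONGCOIN_FEE_ADDR, 0.0005)]),
}


def trace_taint(txs, start_addr, watch_addr):
    """Breadth-first walk from start_addr through every transaction that
    spends a tainted address. Every output of such a transaction is treated
    as tainted ("poison" taint, an over-approximation). Returns the set of
    tainted addresses and the first (txid, hops) that paid watch_addr, or
    None if the coins never touched that service in this graph."""
    tainted = {start_addr}
    queue = deque([(start_addr, 0)])
    hit = None
    while queue:
        addr, hops = queue.popleft()
        for txid, (inputs, outputs) in txs.items():
            if addr not in inputs:
                continue
            for out_addr, _amount in outputs:
                if out_addr == watch_addr:
                    if hit is None:        # link: tainted coins paid the service
                        hit = (txid, hops + 1)
                elif out_addr not in tainted:
                    tainted.add(out_addr)
                    queue.append((out_addr, hops + 1))
    return tainted, hit


if __name__ == "__main__":
    print(trace_taint(TXS, "ozcoin_hot_wallet", STRONGCOIN_FEE_ADDR))
```

In the sample graph the stolen coins reach the fee address three hops after the theft, while the unrelated transaction that also pays the fee is never tainted; a mixing step between `thief_a` and `thief_b` would break the walk and is exactly the obfuscation the article says the thief had not yet attempted.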
Those using StrongCoin should decide for themselves whether staying with StrongCoin is worth it. Those who enjoy StrongCoin for the user interface features should probably stay; StrongCoin has been in the Bitcoin community for a long time, and if users are willing to outright entrust their funds to exchanges it is not a leap to trust StrongCoin to do the right thing as well. Those who like the cryptographic client-side security aspect, on the other hand, should consider switching to Blockchain.info – or, better yet, a client-side wallet like Electrum. As for StrongCoin themselves, if they wish to maintain their status as a secure hybrid web wallet, they should quickly get to work on catching up with Blockchain.info and implement a Firefox and Chrome extension.