Skip to main content

The Strange Antics of the Bitcoinica Thief

Op-ed - The Strange Antics of the Bitcoinica Thief

The internet and the blockchain that power Bitcoin are unique in that they make any significant events in the Bitcoin ecosystem public, even if the identities carrying out the acts may sometimes be pseudonymous. Anomalies like the so-called “mystery miner”, large buys and sells on MtGox and SatoshiDice causing the Bitcoin network to exceed its all-time transaction record are available for all to see and comment on. The recent Bitcoinica theft, however, takes this form of publicity to a whole new level.

The Bitcoinica theft, like all others in the Bitcoin world, is visible on the public blockchain, but this time the thief has decided to exploit this functionality for a novel purpose: to send us a message. The idea of using the blockchain for this purpose is not new; a proof of concept has been demonstrated by one individual putting up one of Shakespeare’s sonnets, and block chain message services appearing online since 2011, but this is the first time this technique has found a use in practice. The message comes in the form of a transaction using the decimal places of the value spent to encode the text in binary:

The decimal places give binary ASCII codes for the individual letters of the message, which spell the cryptic “expect mass leak soon”.

Also of interest is the thief’s generosity. The last 21 bitcoin transaction was sent to the address of the Bitcoin faucet, which gives every Bitcoin user 0.005 bitcoins, and the faucet has distributed these coins to over a thousand people since then. The thief also generously gave out bitcoins on the Bitcoin IRC chat, handing out over thirty in total.

There are many possible motives for these actions. Clearly they were in part motivated by a simple desire to have fun, but the generosity may also have ulterior motives behind it. After the previous 43000 BTC Bitcoinica Linode theft, MtGox responded by freezing any accounts which contained coins that came from the original 43000 BTC transaction, reopening the accounts only in exchange for identification documents. It’s likely that the same will happen as a result of this theft. Thus, by distributing the coins so widely what the thief is trying to do is get as many people flagged as being connected to the theft as possible. While a Joker-like desire to wreak havoc for its own sake could be the end of the thief’s motives, and it fits perfectly well with the “expect mass leak soon” message, there is another reason why the thief would want to do this. By flagging so many people as potential thieves, the thief is diluting the value of the blockchain as a forensics tool in the first place. When he himself gets around to cashing out on his remaining 17200 bitcoins, if he gets caught at any point he can simply claim to be one of his lucky recipients.

The long-term strategy of the thief seems to be to hold on to most of his loot. While the perpetrator of the 25000 BTC theft in June 2011 quickly spread the wealth, mixing it in with large, active pools of money that likely represent major services and exchanges, both the Linode thief and this thief instead spread the coins out slightly, but were then content to keep their loot untouched. There are many reasons why the thieves would want to do this; one is the much stricter policy now compared to last June on the part of MtGox, leading the thieves to embark upon a more slow and steady strategy of cashing out by mixing coins a few at a time with various laundry services and accounts. Another is that the thieves are Bitcoin users just like everyone else, and optimistically believe that Bitcoin will have a higher value in the future. Unfortunately, at this point it’s impossible to know. While the more recent thief may be eager to hand out bitcoins and send messages, he has not yet released any kind of manifesto, and unless he does such a thing we have no information to go on; the blockchain may tell us what is happening, but it says nothing as to who or why.