Crime  •  News  •  Wallets

Early Bitcoin Adopter Calls for Multi-Sig Solutions After 750 BTC Theft

(@southtopia) | Published on September 30, 2014 at 00:25 BST

An early bitcoin adopter has made a plea for bitcoin consumers to migrate to more secure bitcoin storage systems after having 750 BTC (about $280,000 at press time) stolen from him while on vacation.

Bitcoin entrepreneur Leo Treasure told CoinDesk his misfortune should serve as a cautionary tale for everyone. Whether they store bitcoins online, on hard drives or in cold storage, he implored users to switch to more secure multi-signature ('multi-sig') wallets as soon as possible.

Though he holds little hope of ever recovering his bitcoins and isn't expecting the authorities to help, he is following the lead of others who have suffered bitcoin-related crimes and promising 50% of the stolen amount as a reward to anyone who can help recover it.

Mysterious transaction

Treasure, a former computer science student and bitcoin entrepreneur from Perth, Australia, told CoinDesk he was traveling in Bali and didn't think connecting to public Wi-Fi could be a security issue as his bitcoins were stored locally.

Bitcoin early adopter and theft victim Leo Treasure
Bitcoin early adopter and theft victim Leo Treasure

Upon reading about the 'Bash Bug', he checked one of his bitcoin addresses on the block chain and noticed an unfamiliar transaction.

Once he synchronized the Bitcoin-Qt client on his MacBook, the 'sent' records confirmed the worst. A series of transactions leading to unfamiliar addresses had occurred from his wallet.

It was no small hack – the amount stolen represented the majority of Treasure's bitcoin holdings, leaving him with only small amounts stored elsewhere.

Treasure admitted that keeping such a large stash on his hard drive wasn't a good idea, but confessed to having the "could never happen to me" feeling of false comfort that precedes many a disaster, saying:

"I feel like an idiot being so blasé about computer security and thinking I'd be alright [...] I'd just given a talk at the Perth bitcoin meetup saying how I was going to move all my coins over to multi-sig, but I didn't act quick enough."

The year of multi-sig

Treasure pointed to an article on Medium.com, which quoted Gavin Andresen's comments in his State of Bitcoin Address in Amsterdam last May.

In the article, CEO and co-founder of multi-sig wallet provider BitGo Will O'Brien wrote that despite Andresen's call over 99% of all bitcoins are still stored in single-signature addresses. Multi-sig addresses, he wrote are "the only viable solution for securing bitcoins".

Multi-sig bitcoin addresses are the result of Bitcoin Improvement Proposal (BIP) 16, which was created in 2012 and implements something called 'pay to script hash' (P2SH) technology.

Bitcoin addresses generated using P2SH begin with a '3' instead of the usual '1', and require multiple keys for their balances to be spent.

The standard model is to require two out of three keys to spend from a balance – of those keys, one goes to the user, one to the service (exchange or wallet) provider and another to a trusted third party. A user may choose to keep the third key in a safe place instead.

Therefore, the owner of the coins may access the balance even if the service provider is shut down or goes out of business (or is run by a malicious operator) and, just as importantly, a single device stolen or compromised by a hacker is not enough to steal the coins.

Options available

BitGo published a white paper on the topic of P2SH in 2013 and open-sourced its own code to build trust.

Developer Ben Smith, who created multi-sig bitcoin wallet and social payment system Ninki, agreed this technology would solve a lot of problems. He said:

"Multi-signature wallets combined with strong passwords and two-factor authentication massively reduce the attack surface, making these simple exploits a thing of the past."

Unfortunately, security is often something people don't consider until after suffering an attack, and popular services are moving slowly to implement multi-sig.

Besides, BitGo, Treasure cited FrozenBit (still in invite-only beta) and GreenAddress as examples of multi-sig wallet solutions. Another service, QuickWallet, was recently acquired by major Chinese exchange Huobi.

The local-storage wallet Armory, often favored by more tech-savvy and security conscious bitcoin users, has a form of multi-sig called 'Lockboxes'.

Next moves

Treasure's involvement in bitcoin included importing 15 Lamassu ATMs to Australia, and his father Bret is a board member with the Bitcoin Association of Australia and chairman of the Australian Web Industry Association.

He was featured in the following Australian TV news report on bitcoin:

 

Treasure's trip to Bali involved discussions with Bitcoin Indonesia founder Oscar Darmawan and other participants in the BitIslands project, which aims to turn Bali into a digital currency haven.

He had obtained the majority of his bitcoins by taking out a AUD$20,000 loan. According to a Perth newspaper article, his own stash was in the 1,000 BTC realm.

Treasure's remaining coins are in multi-sig wallets and Casascius physical coins. Treasure said he plans to move all of them to multi-sig alternatives once home again and on a machine he trusts:

"I don't know if the hacker was only able to remotely get read access to my home directory (which had numerous unencrypted backups) or whether there's a customised root kit avoiding detection and logging my every keystroke. I'm buying a new computer and cloning my hard drive for evidence purposes."

"Don't ever sweep cold wallets 'til you're absolutely sure there's no keylogger on your machine."

He said he "still believes in bitcoin" despite feeling initially despondent after the setback, and considers it much more viable than the current banking system. His work in future, he added, is now more likely to focus on developing and promoting security.

Treasure will be speaking about his experience at Perth's 'Bitcoin Australasia' conference on 8th November.

Theft image via Shutterstock

ArmoryAustraliaBaliBitGoGreenAddressHackingIndonesia

Don't miss a single story

There is 1 comment. Press to view.