UPDATE (15th December 11:15 GMT): Hacker johoe’s transaction history indicates he has received a further 244.2 BTC from compromised Blockchain wallets since 8.23pm yesterday evening (GMT).
When contacted by CoinDesk, Blockchain president Peter Smith confirmed that johoe’s funds had been taken from the same wallet addresses as before. This indicates that certain users are unaware of the hack or have continued to use their compromised wallets despite the company’s warnings, he said.
Johoe has been contacted for further comment on the issue.
The ‘Good Samaritan’ hacker who recently returned 267 BTC he took from compromised Blockchain wallets has revealed how he was able to collect the funds and given advice to bitcoin holders wanting to secure their money.
The computer scientist and researcher, who goes by the handle ‘johoe’ on Bitcoin Talk, told CoinDesk that each day he runs a script he has written that scans recently added data from the bitcoin blockchain and looks for repeated ‘R values’.
“Every bitcoin transaction is signed by two values – ‘R’ and ‘S’ – which prove that the sender knows the private key. If the same R value is used twice, the private key can be easily computed from the signatures alone.”
Johoe has been posting examples of such ‘broken’ addresses on Bitcoin Talk for over a year.
Spate of broken keys
Upon running the script last Monday morning, he said he recognized immediately that it had found something. The script, which had discovered only about 500 such ‘broken’ keys in the bitcoin blockchain’s five-year history, had suddenly unveiled 500 more in a single day.
A second script he wrote scanned the public ledger to see if any funds had been sent to those addresses, and was startled to see the amount.
“I had prepared some scripts to assist finding and spending the money from the broken addresses, but I hadn’t prepared it for this scale.”
He sorted the transactions, starting with the most valuable ones and sweeping the funds from the broken addresses into one he controlled.
The scripts prepared and signed the transactions, double-checking for correctness and transaction fees, about one every two or three minutes. Some, such as freshly mined bitcoins that can only be spent after 100 confirmations, took longer.
Collecting insecure balances
After nearly an hour, johoe had accumulated the first 150 BTC. He ran his scripts again on the entire 30GB+ blockchain, which took longer, but eventually netted a further 60 BTC.
Once all the transactions had been confirmed, johoe posted on Bitcoin Talk that he had the bitcoins and intended to return them to their rightful owners once the problem was fixed.
Why, when he could easily have kept the money all for himself, did he decide to do a good deed?
“I decided this beforehand. I make enough money with my day job that I can live on it. Also this way I don’t have to worry that someday someone will find it out. In hindsight, this was a very good decision.”
Running the scripts once more on the entire ledge swept a further 38 BTC into johoe’s wallet.
After seeing Blockchain‘s public post announcing the security issue, he connected the dots and realized these accounts must be the source of all the compromised addresses he had found.
The company contacted him after he posted his message to Bitcoin Talk. He then provided Blockchain with copies of his scripts so they would be able to notify the affected users.
Blockchain safe ‘in principle’
“In principle, it should be safe to use Blockchain.info again, but I still see some bad transactions”, he wrote on yesterday. The continuing problems could be due to browser cache issues, he added, advising any users to clear their cache and visit their Blockchain account again.
Any users who sent money, or created a new wallet address on 7th-8th December should consider their addresses broken, he said. Even if it was not published on his list of 1,019 known addresses, he could not pinpoint exactly at what time the problem ended.
As an added caution, johoe said that anyone who visited their online Blockchain wallet during that period may have picked up the buggy script in their browser cache, which could potentially affect future address creation or transactions.
Users of Blockchain’s mobile apps on iOS and Android, and the Chrome browser extension, were not affected.
For the past few days, Blockchain’s team has been working hard to process claims and return funds – once the claims have been verified as being genuine.
Johoe said Blockchain had presented him with a “reasonable reward” for his efforts.
Hardware wallet security
“It made me feel a lot safer than having the private key for 267 BTC on my computer,” he said.
A hardware solution like the Trezor’s isolates the private key from the Internet, meaning in principle it is impossible for a remote party to steal it. His only worry was that the device might somehow malfunction, but in the end it “managed everything gracefully”, despite taking around one and a half minutes to sign the transaction returning the bitcoins.
The only disadvantage with the Trezor device, johoe said, is the only current end-user backup support is the myTrezor Web Wallet, which does not work on mobile devices.
Mobile and spending solutions
These wallets generate key pairs (private and public) from an original seed phrase that needs only be saved somewhere safe once, and can recover balances from that seed even if a physical device is lost, stolen, or damaged.
Even so, portable solutions are best for spending money only, with larger amounts kept ‘cold’ or completely offline.
“For larger funds, I would not recommend to keep the private key on a computer. There are too many trojans around that specializes on stealing bitcoin wallets.”
Even protecting keys with a strong password might not be enough, johoe concluded, if malware has installed a key logger on a user’s computer that could grab the password and transmit it to a bad actor.
Cryptography image via Shutterstock
UPDATE: A previous version of this article stated that johoe had returned 255 BTC. He has since confirmed that this figure has risen to 267 BTC, attributing the additional 12 BTC to addresses that were only compromised later, due to a browser cache issue.