Defcon hackers crack physical bitcoin Casascius coins

The Casascius coin was shown to be vulnerable to physical attack at this year's Defcon conference.

AccessTimeIconAug 13, 2013 at 10:53 a.m. UTC
Updated Sep 10, 2021 at 11:28 a.m. UTC

The Casascius coin was shown to be vulnerable to physical attack at this year's Defcon conference, one of the world's largest hacker conventions. Casascius coins are one form of physical bitcoin, being supplied in denominations of 0.5, 1 and 25 BTC. The coins each have a private key printed on them, concealed by a holographic sticker. The Defcon hackers were able to reveal the key and replace the stick with virtually no sign of tampering.

The private key on each Casascius coin relates to the bitcoin address that holds the value of the coin. The implication of having access to this coin is that the balance of the coin's address could be altered. This could either be to increase the value so as to smuggle money – or more likely to remove the BTC value from the coin before passing the coin along to anyone who accepts it as currency.

According to the Coding in my Sleep blog, the "physical attack" was performed by using a hypodermic needle to inject what was described as a "non-polar solvent" between the coin's holographic sticker and brass surface. The solvent had the effect of neutralising the adhesive, thus allowing the sticker to be non-destructively removed.

The private key could then be easily read, and the sticker replaced with new adhesive. The only sign of tampering was a small deformation where the needle had stretched the sticker during insertion – a mark which could be mistaken for normal wearing.

Information security expert Vladimir Marchenko, told us: "From the very beginning, when Casascius coins were announced I was rather skeptical about this project due to information security concerns. It was clear that if one hides a private key in a physical object there might be a cost-effective non-destructive method to discover the key or otherwise 'counterfeit' the coin.

"Moreover, there is no secret service to go after 'attackers' unlike a case with floating rate notes. With only purely technical measures there will always be a shield-and-sword kind of antagonism, but in this case even temporary advantage of attackers is unacceptable. Today it is chemicals, tomorrow it might be some kind of X-ray analysis detecting traces of metals in the ink used etc. There will inevitably be more and more successful attacks on physical representations of bitcoin that hide the private key inside some physical medium."

Marchenko went on to outline general concerns with physical representations of digital currencies: "What is even more worrying with such types of 'physical bitcoins' is the unknown 'chain of custody' of a private key before it gets embedded in the coin. We might as well all assume that the manufacturer of the coin is an upstanding gentleman with no intent to keep a database of private keys, but there are no guarantees. The first rule of information security is to not take unknown risks. These coins definitely have lots of novelty value and might be an interesting artefact and have some numismatic value. However, I would strongly advise against using such physical coins as a long term storage medium of any non-trivial amount of bitcoins."

Marchenko made the case to us that bitcoin should not be made into physical representations as doing so removes many of the benefits of a digital currency. "Bitcoin is designed as an electronic currency and the safest way to use it is to use it electronically and keep bitcoin transactions on the block chain. Private keys are meant to remain private and never be revealed to any third parties. The moment one starts trading private keys, one is voluntarily forfeiting most of the benefits modern cryptography like bitcoin provides. Those Defcon hackers have clearly demonstrated this concept by picking easy targets, like removing a sticker from a piece of plastic. I would be much more impressed if they had successfully attacked SHA256, RIPEMD or ECDSA."

Image credit: Coding In My Sleep


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.