Wait a Second. I Thought Bitcoins Were Unstealable?


I don’t really care about Bitcoin—really I don’t—but I guess I’m curious about something. How is it that cyber thieves were able to steal a million bitcoins from Mt. Gox? I understand that Mt. Gox had inadequate security, but I thought the whole point of bitcoin was that it was protected by its very nature: every transaction is stored in a block chain; the block chains are mirrored by thousands of bitcoin miners; and you can’t screw with the block chains unless you apply galactic amounts of computing power. So even if you managed to steal some bitcoins, you couldn’t get anyone else to accept them unless you could demonstrate proper chain of custody, so to speak. Since this is more or less impossible, all the stolen bitcoins are of no use to anyone.

Obviously I’m missing something fundamental here, since I assume thieves don’t bother taking stuff they can never use. And yes, this is just academic interest in the deep geekery behind bitcoin. But can anyone point me to an explainer that tells me exactly how a theft like this could be successfully pulled off?

UPDATE: Judging from some links in comments, apparently the problem is that Mt. Gox had a bug in their software that allowed thieves to create seemingly legitimate transaction changes which were propagated throughout the block chains. There is a known problem with the bitcoin protocol that allows this, and Mt. Gox didn’t properly protect against it:

Many exchanges use the Transaction ID to uniquely identify transactions, but as it turns out, an attacker can change the Transaction ID without changing the actual transaction, rebroadcast the changed transaction (effectively creating a double-spend) and if his altered transaction gets accepted into a block instead of the legit transaction, the attacker receives his coins and can complain with the exchange that he didn’t. The exchange will then check their database, fetch the Transaction ID from it, look it up in the blockchain and not find it. So they could conclude that the transaction indeed failed and credit the account with the coins. … A simple workaround is to not use the Transaction ID to identify transactions on the exchange side, but the (amount, address, timestamp) instead.

I don’t know that I actually understand this, but then again, I’m not sure I want to. In any case, apparently it’s a known bug that Mt. Gox should have handled in its internal software. But they didn’t.
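For readers who want to see the mechanics of the quoted explanation, here is an added example (not part of the original post, and not Mt. Gox's or Bitcoin's actual code). It is a simplified model with constructed values: the transaction ID is a hash over the whole transaction, signature bytes included, so a re-encoded signature yields a new ID for the same payment, and a reconciliation check keyed on what the payment does (input spent, address, amount) still finds it. The `Tx` fields, `payment_key` and `reconcile` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, replace


def dsha256(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    """Toy transaction: one input, one output (not real Bitcoin serialization)."""
    spent_outpoint: str  # "previous_txid:index" of the coins being spent
    address: str         # destination address
    amount: int          # satoshis
    sig_script: bytes    # signature encoding; hashed into the txid

    def _payment_bytes(self) -> bytes:
        return f"{self.spent_outpoint}|{self.address}|{self.amount}".encode()

    def txid(self) -> str:
        # Covers the signature bytes, so re-encoding them changes the ID.
        return dsha256(self._payment_bytes() + b"|" + self.sig_script)

    def payment_key(self) -> str:
        # Covers only what the payment does, so it survives re-encoding.
        return dsha256(self._payment_bytes())


def reconcile(recorded: Tx, chain: list) -> str:
    """Classify a recorded withdrawal against confirmed transactions."""
    if recorded.txid() in {t.txid() for t in chain}:
        return "confirmed"
    if recorded.payment_key() in {t.payment_key() for t in chain}:
        # Same coins, same recipient, same amount: already paid, do not re-credit.
        return "confirmed-under-different-txid"
    return "not-found"


# Constructed sample data: the withdrawal as the exchange recorded it, and the
# same payment as it was confirmed, with a differently encoded signature.
RECORDED = Tx("ab" * 32 + ":0", "1ExampleCustomerAddress", 50_000_000, b"sig-encoding-A")
CONFIRMED = replace(RECORDED, sig_script=b"sig-encoding-B")

if __name__ == "__main__":
    print("txid lookup finds it:", RECORDED.txid() == CONFIRMED.txid())
    print("reconcile says:", reconcile(RECORDED, [CONFIRMED]))
```
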

UPDATE 2: Emin Gün Sirer, who sure sounds like he knows what he’s talking about, says that the problem above, known as “transaction malleability,” is almost certainly not behind the Mt. Gox theft. Nor was it lost keys, hackers, web server problems, or US spooks.

So what was it? He doesn’t know. He concludes with this: “Chances are that this is a simple case of theft, involving at least one insider.” So I guess we still have to wait and see.
