Wait a Second. I Thought Bitcoins Were Unstealable?

Facts matter: Sign up for the free Mother Jones Daily newsletter. Support our nonprofit reporting. Subscribe to our print magazine.


I don’t really care about Bitcoin—really I don’t—but I guess I’m curious about something. How is that cyber thieves were able to steal a million bitcoins from Mt. Gox? I understand that Mt. Gox had inadequate security, but I thought the whole point of bitcoin was that it was protected by its very nature: every transaction is stored in a block chain; the block chains are mirrored by thousands of bitcoin miners; and you can’t screw with the block chains unless you apply galactic amounts of computing power. So even if you managed to steal some bitcoins, you couldn’t get anyone else to accept them unless you could demonstrate proper chain of custody, so to speak. Since this is more or less impossible, all the stolen bitcoins are of no use to anyone.

Obviously I’m missing something fundamental here, since I assume thieves don’t bother taking stuff they can never use. And yes, this is just academic interest in the deep geekery behind bitcoin. But can anyone point me to an explainer that tells me exactly how a theft like this could be successfully pulled off?

UPDATE: Judging from some links in comments, apparently the problem is that Mt. Gox had a bug in their software that allowed thieves to create seemingly legitimate transaction changes which were propagated throughout the block chains. There is a known problem with the bitcoin protocol that allows this, and Mt. Gox didn’t properly protect against it:

Many exchanges use the Transaction ID to uniquely identify transactions, but as it turns out, an attacker can change the Transaction ID without changing the actual transaction, rebroadcast the changed transaction (effectively creating a double-spend) and if his altered transaction gets accepted into a block instead of the legit transaction, the attacker receives his coins and can complain with the exchange that he didn’t. The exchange will then check their database, fetch the Transaction ID from it, look it up in the blockchain and not find it. So they could conclude that the transaction indeed failed and credit the account with the coins. … A simple workaround is to not use the Transaction ID to identify transactions on the exchange side, but the (amount, address, timestamp) instead.

I don’t know that I actually understand this, but then again, I’m not sure I want to. In any case, apparently it’s a known bug that Mt. Gox should have handled in its internal software. But they didn’t.

UPDATE 2: Emin Gün Sirer, who sure sounds like he knows what he’s talking about, says that the problem above, known as “transaction malleability,” is almost certainly not behind the Mt. Gox theft. Nor was it lost keys, hackers, web server problems, or US spooks.

So what was it? He doesn’t know. He concludes with this: “Chances are that this is a simple case of theft, involving at least one insider.” So I guess we still have to wait and see.

REAL QUICK, REAL URGENT

Minority rule, corruption, disinformation, attacks on those who dare tell the truth: There is a direct line from what's happening in Russia and Ukraine to what's happening here at home. And that's what MoJo's Monika Bauerlein writes about in "Their Fight Is Our Fight" to unpack the information war we find ourselves in and share a few examples to show why the power of independent, reader-supported journalism is such a threat to authoritarians.

Corrupt leaders the world over can (and will) try to shut down the truth, but when the truth has millions of people on its side, you can't keep it down for good. And there's no more powerful or urgent argument for your support of Mother Jones' journalism right now than that. We need to raise about $450,000 to hit our online fundraising budget in these next few months, so please read more from Monika and pitch in if you can.

payment methods

REAL QUICK, REAL URGENT

Minority rule, corruption, disinformation, attacks on those who dare tell the truth: There is a direct line from what's happening in Russia and Ukraine to what's happening here at home. And that's what MoJo's Monika Bauerlein writes about in "Their Fight Is Our Fight" to unpack the information war we find ourselves in and share a few examples to show why the power of independent, reader-supported journalism is such a threat to authoritarians.

Corrupt leaders the world over can (and will) try to shut down the truth, but when the truth has millions of people on its side, you can't keep it down for good. And there's no more powerful or urgent argument for your support of Mother Jones' journalism right now than that. We need to raise about $450,000 to hit our online fundraising budget in these next few months, so please read more from Monika and pitch in if you can.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate