$1.75 million hack raises prospect of hard fork: a price not worth paying

Just over a month ago, BTer – one of the largest exchanges for Bitcoin and altcoin trading – suffered a hack of cataclysmic proportions. Over 50 million NXT, with a market value of around $1.75 million, was stolen from its hot wallet. How could this have happened – and how would they ever address the problem?

by Brandon Hurst

The theft of 50 million NXT from BTer was due to little more than lax security. The hacker was able to gain some personal details and access the system. The real issue, though, was that BTer kept its NXT in a hot wallet, connected to the web all the time. Although the administrators used 2-factor authentication everywhere else, the NXT wallet had not been secured that way. If it had, the hacker would have stood no chance. As the most popular destination for trading NXT, BTer held over 5 percent of the entire money supply. The amount is roughly analogous to the 650,000 bitcoins ‘lost’ from Mt Gox – except instead of being siphoned off over months or years, and very likely sold through the same exchange it was taken from, in this case it was moved in one vast chunk to a new address.

The money left the account with the irreversibility that is one of cryptocurrency’s greatest strengths – and causes of anguish. Once a transaction has been made, it cannot be unmade. Cryptocurrency works on the principle of decentralisation. There is no central authority, no bank or payment processor, that has the ability to reverse a transfer.

Rollback

This is not to say that a transaction cannot be reversed, only that it must be the decision of the majority. This is the genius of Satoshi Nakamoto’s mining principle: one that is used or adapted in some form by every cryptocurrency. NXT uses the proof-of-stake, not proof-of-work approach, but the overall result is the same: unless a majority of the network wants it, a transaction is permanent.

BTer had no means of covering the loss, and would have gone out of business overnight. Moreover, the loss of 50 million NXT threatened to hamstring the cryptocurrency’s efforts to break into the mainstream. That amount hanging over the market, risking crashing the price at any time on the whim of a hacker, could have led to a catastrophic loss of confidence. The answer? According to some in the community, the only viable solution was a rollback.

A rollback simply means restoring the blockchain to an earlier state – one before the hack took place. To achieve this, the majority of network participants would need to run a modified version of the client (broadly analogous to a benign ‘51 percent attack’ for bitcoin).

The problem is that a rollback does exactly what cryptocurrency is supposed to avoid: it allows tampering with transactions. If a rollback, or ‘hard fork’ could be allowed for 5% of the money supply, what about a smaller hack? What about 5 million NXT? 1 million? Any business case for using cryptocurrency of any kind will be based on its advantages over fiat, especially as used by the banks and payment processors. Irreversibility is a big deal to merchants, who constantly have to deal with chargebacks. Remove that advantage, and suddenly crypto doesn’t look so attractive after all.

Community response

Many of those who had kept NXT on BTer clamoured for a rollback, and began running the modified software that would enable a hard fork. In the event, though, they turned out to be a small fraction of the overall community – around 8 percent, at most. The vast majority were against the rollback, albeit at the expense of having 50 million NXT hanging over their heads, ready to drop into an exchange at any point. (Although the major exchanges had been notified, the decentralised Multigateway could not block the hacker’s account.)

The true effect of a rollback cannot be known. Some time ago Vericoin hard forked in order to reclaim 8 million coins hacked from MintPal – 30 percent of the supply. It’s a reputation that has stuck, and it certainly hasn’t helped advance what is otherwise an innovative and well-presented coin. Bitcoin itself was rolled back in March 2013, after a glitch in a new version of the core bitcoin software inadvertently forked the blockchain; an emergency decision ensued, and miners were called upon to revert to the old software and chain – which every client would accept. But that was a somewhat different situation; a faulty code update, meaning that the network couldn’t operate properly, is a world apart from a theft, where there is nothing wrong with the network or blockchain. Still, forks and rollbacks are disruptive at best – on that occasion, the price of bitcoin plunged 23 percent due to the uncertainty surrounding the problem.

Negotiations

Meanwhile, direct negotiations were proceeding with the hacker, who went by the name ‘TheSir’. He initially turned up on the NXT forum, demanding bitcoins in exchange for the stolen NXT. This made perfect sense: bitcoin is a far more liquid currency, and it’s easier to hide by mixing or sending through exchanges. 50 million NXT would be impossible to sell without destroying the price of the currency you were trying to profit from.

Initial attempts went badly. Contact was established via arbitrary messages on the blockchain, and later outside channels. A price of 100 bitcoins was agreed in principle, with tranches of NXT and BTC being exchanged in turn. But the process was slow, and TheSir became impatient. When he threatened to leave for good and went quiet, BTer panicked. They sent the balance of the full amount, losing their bargaining position in the process. TheSir disappeared with both the NXT and BTC.

This was the point at which the demand for a rollback became loudest. It was clear who was calling the shots, and who had the upper hand in negotiations. To many, the only option left was the nuclear one: restore an earlier version of the blockchain, and go on like the hack had never happened.

Fortunately, away from the eyes of forum members and large holders with a conflict of interests, efforts were continuing. Contact was re-established via an anonymous website and then Skype, with a third-party negotiator from NXT – not one from BTer, and therefore someone who was able to maintain some detachment from a highly stressful situation. ‘Dom P’, a well-known member of the NXT community and co-founded of Crypto Finance Analysis Consulting (CFA Consulting) collaborated with a psychologist to build up a profile of TheSir, in order to gain maximum insight into how he thought – and how they would need to talk to him to regain the stolen NXT.

Dom P started by allowing and encouraging the hacker to boast about his exploit and praising him for this historic hack, allowing them to establish common ground. But he also managed TheSir’s expectations, telling him that the amounts he was demanding for the return of the NXT were simply not possible. Ultimately, after a full night of Skype discussion, a deal was established: 400 bitcoins for the remaining NXT. Again, the transfers were to be made incrementally.

This time, both sides stuck to the agreement. Small amounts were exchanged at first, then larger as the pattern was established. Perhaps not surprisingly, the final transactions were never made: the hacker kept 8 million NXT, and the final 70 BTC were never sent. That 8 million currently has a value of $240,000, and the hacker obviously thought it worthwhile to retain a stake rather than cash everything out for BTC.

Conclusion

So ended a situation that could have destroyed BTer and severely damaged NXT. BTer has since overhauled their security policy and are adamant that this could not happen again. TheSir is still at large, though there are ongoing efforts to find him and bring him to justice.

The real message is that, ingenious though hackers may be, poor security practices account for the vast majority of thefts. Bitcoin (and NXT) cryptography is rock-solid. It is impossible to brute force a properly created bitcoin cold wallet with a truly random private key, and there are no known exploits. But a chain is only as strong as its weakest link. Reused passwords, weak passwords, an identity gained or assumed by a confidence trick, coins left in a hot wallet instead of kept in cold storage: these are how scams and hacks are perpetrated. The cost of BTer’s mistake was immense, though only a fraction of the $1.75 million for which they would have been liable, had the situation not been resolved. The cost of a rollback? It’s impossible to say. But BTer’s 400 BTC was a small price to pay to avoid one.