Bitcoin service StrongCoin hacks their users to recover stolen funds

The following was imported from my old blog.

Earlier this week, Ozcoin, a popular Bitcoin pool, had their payout script hacked, leaving them roughly 900 Bitcoins (~$132,000 USD) in the negative. Today, the operator of StrongCoin, an online Bitcoin wallet, notified the Bitcoin community that he had intercepted the pool's coins from the attacker, who was using their service, and sent them back to Graet [1].

Public Disclosure.

On Saturday afternoon I was notified that Strongcoin was holding 568 BTC believed to be from the Ozcoin theft. Every time you make a payment from StrongCoin the fee goes to 1STRonGxnFTeJiA7pgyneKknR29AwBM77, so any payments from strongcoin held accounts are easily traced back to the site.

I was asked by 2 separate people on this forum if I could hold the funds (Sorry to the people I didn't reply to). The evidence that these funds came from the heist seemed plausible to me.

At 8am yesterday morning the funds were intercepted when the user made a payment. 

https://blockchain.info/address/1DsFCAZaxhJ9YGw5X8NCW9VkSMDZMyXzMF

I've spoken to the user in question over email. The user says he sold a car for BTC but can't reveal who to due to an NDA agreement. 

Graeme and I had a conversation over the phone and some evidence came to light that, to me, made it very likely the user I have contact with was connected to the heist. I'm not going to reveal any details of the user except to legal authorities if asked. I believe we should abide by due process.

I have sent a link to this post to the user so he/she can comment. Otherwise in the next few hours I will return the funds to Graeme, he can then decide what happens to those funds.

While this may appear to be a nice gesture, there is all sorts of wrong in this incident. Let's look a bit closer at what StrongCoin is.

The WTF

StrongCoin boasts that their service "only hold[s] encrypted private keys", and that "neither [they] nor anyone else can spend your Bitcoins". Not only that, they also claim that Bitcoin private keys are "encrypted in your browser before it reaches [their] servers". If both claims were true, how were they able to intercept the coins?

This leads to two inconvenient possibilities, neither of which makes StrongCoin appealing:
  1. Private keys were not actually encrypted on the client side, and were stored in plain text on their servers.
  2. They served malicious Javascript to the attacker's session, and used it to steal the private keys of the attacker's wallet.

Whichever it was, neither makes StrongCoin's decision right. They hacked their own service to take funds from a user, and probably for personal gain too. They have shown that they could, and would, take from their users at their discretion. None of their advertised security features protected anyone in this case. They lied to all current and potential customers.

Even if the operator of StrongCoin has a heart for the Bitcoin community, who is to say that the owner of StrongCoin would not take advantage of his position in a personal emergency? Or that StrongCoin would not decide to serve "justice" to someone who has been wrongly accused by the community? It's apparent that StrongCoin really should not have been involved in this incident, nor treated any of their customers' transactions as their business. They voluntarily revealed that their service is just as useless as a shared wallet.

MyWallet, the online wallet run by Blockchain.info, had a similar case in 2012. Late last year, Roger Ver abused his "admin" privileges at MyWallet to expose personal information about a customer he had a business dispute with, a dispute completely unrelated to Blockchain.info. He had originally been granted these admin privileges by Ben Reeves, Blockchain.info's owner, to provide additional customer support to MyWallet's users; however, he used them for something they were never intended for. Roger Ver was able to look up accounts by the addresses associated with them, and from there, more information could be gathered by looking up the individual accounts.

Unlike StrongCoin, little damage was done in the aftermath. Ben Reeves decided that it was best he did not intervene in a dispute that was none of his business, and, unlike StrongCoin's string of wrong decisions, he also revoked Ver's administrative privileges. Better yet, MyWallet no longer has the ability to directly link addresses to accounts. There was no indication that Blockchain.info was even remotely interested in playing Bitcoin judge, as StrongCoin did in this incident.

It seems StrongCoin is more interested in playing world cop in the Bitcoin community than in providing a secure service to the best of their abilities. Use StrongCoin at your own peril.

The bigger problem

Beyond these two incidents, there's a bigger problem that comes with the use of web wallets: they require arbitrary code to be executed from a potentially untrusted source. For a typical end user, there's no telling what the wallet is doing, or how it is "encrypting" your private keys.

This is also the argument against web applications implementing client-side Javascript encryption. While client-side encryption may appear to remove the need to trust the provider with your data, the code that provides this added security is delivered by that same provider on every page load. Malicious Javascript can be served after a server compromise or under forced government intervention, rendering the extra security useless.

An interesting way Blockchain.info mitigates the risk is by providing browser extensions which verify the code being served against their open-source GitHub repository, which houses MyWallet's core client code. Attackers who compromise the web server don't have access to the repository, which provides a line of defence. Another alternative they provide is the full-featured Chrome application: the app's client code can't update without the user manually taking action. This is all great, that is, if you trust the people behind Blockchain.info.

This incident, while grave, also serves as a beneficial lesson to the community. Bitcoin, by design, removes the requirement of trust. When you do trust someone, and rely on them for convenience or for whatever other reason, incidents such as this can and will happen.

Thanks to gmaxwell for digging up the following quote:
Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what.

- Satoshi

[1]: Ozcoin's pool operator
