Bitcoin service StrongCoin hacks their users to recover stolen funds

The following was imported from my old blog.

Earlier this week, Ozcoin, a popular Bitcoin pool, had their payout script hacked, leaving them roughly 900 Bitcoins (~$132,000 USD) in the negative. Today, the operator of StrongCoin, an online Bitcoin wallet, notified the Bitcoin community that he had intercepted the pool's coins from the attacker, who was using StrongCoin's service, and sent them back to Graet [1].

Public Disclosure.

On Saturday afternoon I was notified that StrongCoin was holding 568 BTC believed to be from the Ozcoin theft. Every time you make a payment from StrongCoin the fee goes to 1STRonGxnFTeJiA7pgyneKknR29AwBM77, so any payments from StrongCoin-held accounts are easily traced back to the site.

I was asked by 2 separate people on this forum if I could hold the funds (Sorry to the people I didn't reply to). The evidence that these funds came from the heist seemed plausible to me.

At 8am yesterday morning the funds were intercepted when the user made a payment.

I've spoken to the user in question over email. The user says he sold a car for BTC but can't reveal who to due to an NDA agreement. 

Graeme and I had a conversation over the phone and some evidence came to light that, to me, made it very likely the user I have contact with was connected to the heist. I'm not going to reveal any details of the user except to legal authorities if asked. I believe we should abide by due process.

I have sent a link to this post to the user so he/she can comment. Otherwise in the next few hours I will return the funds to Graeme, he can then decide what happens to those funds.
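The disclosure rests on two pieces of chain analysis: a payment that includes an output to StrongCoin's fixed fee address can be attributed to a StrongCoin account, and funds can be followed forward from the theft transaction to see which later payments descend from it. The following is an added example, not code from StrongCoin, Ozcoin or anyone involved, that implements both steps over a constructed transaction graph. The transaction identifiers, addresses and amounts are made up for illustration; inputs are simplified to name only the transaction being spent, not the outpoint index.

```javascript
// Added example (not StrongCoin's or Ozcoin's code): attribute payments to a wallet
// provider by its fee address, and follow theft proceeds forward through spends.
const FEE_ADDRESS = '1STRonGxnFTeJiA7pgyneKknR29AwBM77'; // fee address named in the disclosure

// Constructed transaction graph (not real Ozcoin/StrongCoin data). Each "inputs"
// entry names the earlier transaction whose output is being spent; outpoint indexes
// and exact amounts are simplified to keep the graph readable.
const SAMPLE_TXS = [
  { txid: 'theft',     inputs: ['pool_payout'], outputs: [{ addr: 'thiefA',      value: 900   }] },
  { txid: 'split',     inputs: ['theft'],       outputs: [{ addr: 'thiefB',      value: 568   },
                                                          { addr: 'thiefC',      value: 332   }] },
  { txid: 'car_sale',  inputs: ['split'],       outputs: [{ addr: 'seller',      value: 567.9 },
                                                          { addr: FEE_ADDRESS,   value: 0.1   }] },
  { txid: 'cold_move', inputs: ['split'],       outputs: [{ addr: 'thiefD',      value: 332   }] },
  { txid: 'unrelated', inputs: ['salary'],      outputs: [{ addr: 'shop',        value: 1     },
                                                          { addr: FEE_ADDRESS,   value: 0.01  }] },
];

// A transaction "went through the provider" if one of its outputs pays the fee address.
function paysFeeAddress(tx, feeAddress = FEE_ADDRESS) {
  return tx.outputs.some(o => o.addr === feeAddress);
}

// Breadth-first walk forward from a starting txid. Every transaction that spends an
// output of a tainted transaction is itself marked tainted (the simplest "poison" rule).
function taintedDescendants(startTxid, txs) {
  const spenders = new Map(); // txid -> transactions that spend one of its outputs
  for (const tx of txs) {
    for (const prev of tx.inputs) {
      if (!spenders.has(prev)) spenders.set(prev, []);
      spenders.get(prev).push(tx);
    }
  }
  const tainted = new Set();
  const queue = [startTxid];
  while (queue.length) {
    const cur = queue.shift();
    for (const tx of spenders.get(cur) || []) {
      if (!tainted.has(tx.txid)) {
        tainted.add(tx.txid);
        queue.push(tx.txid);
      }
    }
  }
  return tainted;
}

// Transactions that both descend from the theft and pay the provider's fee address:
// these are the ones the provider can tie to one of its own accounts and, as the
// disclosure describes, intercept at spend time.
function interceptableTxids(theftTxid, txs, feeAddress = FEE_ADDRESS) {
  const tainted = taintedDescendants(theftTxid, txs);
  return txs
    .filter(tx => tainted.has(tx.txid) && paysFeeAddress(tx, feeAddress))
    .map(tx => tx.txid)
    .sort();
}

console.log(interceptableTxids('theft', SAMPLE_TXS)); // [ 'car_sale' ]
```

Note that the poison rule marks a transaction tainted in full as soon as any input traces back to the theft, so a coin-join, a merchant's batched payment or a wallet that merged stolen and clean inputs would all be flagged. The attribution is a heuristic about flows, not proof about who controls the keys, which is exactly why the account holder's explanation still had to be weighed separately.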

While this may appear to be a nice gesture, there is all sorts of wrong in this incident. Let's look a bit closer at what StrongCoin is.


StrongCoin boasts that their service "only hold encrypted private keys", and that "neither [they] nor anyone else can spend your Bitcoins". Not only that, they also claim that Bitcoin private keys are "encrypted in your browser before it reaches [their] servers". How were they able to intercept the coins?

This leads to two inconvenient possibilities, neither of which makes StrongCoin appealing.
  1. Private keys were never actually encrypted on the client side, and were stored in plain text on their servers.
  2. They served malicious JavaScript to the attacker's session and stole the private keys of the attacker's wallet.

Whichever it was, neither makes StrongCoin's decision right. They hacked their own service to steal from a user, and probably for personal gain too. They have shown that they could, and would, steal from their users at their discretion. None of their advertised security features protected anyone in this case. They lied to all current and potential customers.

Even if the operator of StrongCoin has a heart for the Bitcoin community, who is to say that the owner of StrongCoin would not take advantage of his position in a personal emergency? Or that StrongCoin would not decide to serve "justice" to someone who has been wrongly tagged by the community? StrongCoin really should not have been involved in this incident, nor should any of their customers' transactions be any of their business. They have voluntarily revealed that their service is just as useless as a shared wallet.

MyWallet, also an online wallet, had a similar case in 2012. Late last year, Roger Ver abused his "admin" privileges at MyWallet to expose personal information about a customer with whom he had a dispute arising from his own business, which was completely unassociated with the wallet service. He had originally been given these admin privileges by Ben Reeves, the service's owner, to provide additional customer support to MyWallet's users; he used them for something they were never intended for. Ver was able to look up accounts by the addresses associated with them, and from there gather more information by looking up the individual accounts.

Unlike with StrongCoin, little damage was done in the aftermath. Ben Reeves decided it was best not to intervene in a dispute that was none of his business, and, unlike StrongCoin's string of wrong decisions, he also revoked Ver's administrative privileges. Better yet, MyWallet no longer has the ability to directly link addresses to accounts. There was no indication that the service was even remotely interested in playing Bitcoin judge, as StrongCoin did in this incident.

It seems StrongCoin is more interested in playing world cop in the Bitcoin community than in providing a secure service to the best of their abilities. Use StrongCoin at your own peril.

The bigger problem

Beyond these two incidents, there is a bigger problem that comes with the use of web wallets: they require arbitrary code to be executed from a potentially untrusted source. For a typical end user, there is no telling what the wallet is doing, or how it is "encrypting" your private keys.

This is also the argument against web applications implementing client-side JavaScript encryption. While client-side encryption may appear to remove the need to trust the provider with your data, the code that provides this added security is delivered by that same provider, and the browser fetches it afresh on every visit. Malicious JavaScript can be served after a compromise or under forced government intervention, and a single such response is enough to render the extra security useless.

One interesting way MyWallet's operator mitigates this risk is by providing browser extensions which verify the code being served against the open-source GitHub repository that houses MyWallet's core client code. Attackers don't have access to the repository, which provides a second line of defence. Another alternative offered is a full-featured Chrome application, whose client code cannot update without the user manually taking action. This is all great, that is, if you trust the people behind the service.

This incident, while grave, also serves as a useful lesson to the community. Bitcoin, by design, removes the requirement of trust. When you do trust, and rely on someone for convenience or whatever other reason, incidents such as this can and will happen.

Thanks to gmaxwell for digging up the following quote:
Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what.

- Satoshi

[1]: Ozcoin's pool operator
