Topic: Here we go again: BTCServ hacked, BTC gone - page 2. (Read 6909 times)

legendary
Activity: 2940
Merit: 1333
February 05, 2012, 05:34:14 PM
#27
Is this what your 10% sacrifice is meant for?

No.  I have 10,000 stolen BTC.  I divide it up into 1,000 lumps of 10 BTC.  I send 100 of those lumps to 100 different donation addresses I collect from the forum, and the other 900 to 900 different new addresses I create for myself.

When I later spend one of those 10 BTC lumps and someone questions me about it, I say "I don't know who sent it to me - it just turned up one day", and checking the blockchain they can see that the same amount "just turned up" in lots of other well known addresses at the same time, lending evidence to my story that the thief just randomly distributed his ill-gotten gains to strangers.
donator
Activity: 919
Merit: 1000
February 05, 2012, 04:21:28 PM
#26
[...]
Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.
Be careful with that. There's only one thing that's worse than getting hacked and getting your coins stolen, and that's punishing an innocent Bitcoin user.

If the thief uses one of those Bitcoin scramblers (where he sends his coins to a service that charges a fee, and sends back someone else's money to the thief) then we could be unjustly accusing some Silk Road user (or whoever might use such a service) for being a thief.

I remember watching a talk (guess it was http://www.youtube.com/watch?v=hlWyTqL1hFA) that proved that there is basically no anonymity with Bitcoins for the simple fact that the blockchain keeps track of any single transaction - forever. Remaining anonymous requires a very precautious and continuous line of action, otherwise with the described methods one's addresses can be easily identified.

Those Bitcoin laundry services seem to be the only reliable method to cover the tracks to some degree. And like in real life, it is of questionable use -- the majority of their users might turn out not to be the typical Joe who wants to conceal his payments to porn sites.

Bitcoin does not claim to be anonymous at all, and like http://en.bitcoin.it/wiki/Anonymity#Legality suspects, Bitcoin laundry services are potentially illegal. Not all existing laws are bad, and in this case the community should consider avoiding such services. I even suppose that we need to accept transaction traceability by design, since irreversibility combined with anonymity won't work for too long.

Quote
Also, if someone were to steal 10,000 BTC, he could just create 900 Bitcoin addresses for himself, send 10 BTC to each of these addresses and send the remaining 1000 BTC to publicly available Bitcoin addresses. We would then have no way of knowing which addresses belonged to the thief, and which were legitimate Bitcoin users who have published their address. Sacrificing 10% of the loot in order to avoid not being able to spend the coins seems like it would be worth it for a thief.

Here I don't see the point. If one did those 900 transactions to new addresses, they are still visible and traceable from the blockchain. One could even set up some ping-pong or loop transaction scheme to move the BTCs between new addresses many times, but in the very end the BTCs need to be spent and as soon as the thief does a payment to someone checking the black-list, bad guy is bust.

This requires the black-list to be updated with each block and might turn out difficult to handle (DoS by spreading 100 stolen coins to 1 million addresses). Is this what your 10% sacrifice is meant for?
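The blacklist trade-off debated in the posts above, as an added example that is not part of any post: it applies a receive-time blacklist to a constructed payment history and counts how many listed addresses belong to uninvolved recipients. It assumes address-level taint (any address paid by a listed address is listed too); every address name is invented sample data.

```python
# Constructed model: one address per entity, address-level taint.
# All names are sample data, not taken from the blockchain.

def build_sample_blocks():
    """Return (blocks, innocents). A block is a list of (sender, [receivers])."""
    thief_new = [f"thief-{i}" for i in range(900)]
    donation = [f"donation-{i}" for i in range(100)]
    block1 = [("stolen-origin", thief_new + donation)]  # 1,000 lumps of 10 BTC
    block2 = [
        ("donation-0", ["merchant-a"]),  # uninvolved recipient spends its lump
        ("thief-0", ["merchant-b"]),     # thief spends one of his lumps
        ("bystander", ["merchant-a"]),   # unrelated payment, never tainted
    ]
    innocents = set(donation) | {"merchant-a", "merchant-b", "bystander"}
    return [block1, block2], innocents


def update_blacklist(blacklist, block):
    """List every address paid in this block by an already-listed address."""
    updated = set(blacklist)
    for sender, receivers in block:
        if sender in blacklist:
            updated.update(receivers)
    return updated


def flagged_at_receive(blacklist, sender):
    """The receive-time check proposed in the thread: is the sender listed?"""
    return sender in blacklist


def simulate():
    """Return the final blacklist and per-block (list size, innocents listed)."""
    blocks, innocents = build_sample_blocks()
    blacklist = {"stolen-origin"}
    history = []
    for block in blocks:
        blacklist = update_blacklist(blacklist, block)
        history.append((len(blacklist), len(blacklist & innocents)))
    return blacklist, history


if __name__ == "__main__":
    final, history = simulate()
    for height, (size, wrong) in enumerate(history, start=1):
        print(f"block {height}: {size} listed, {wrong} of them uninvolved")
    print("donation-0 flagged:", flagged_at_receive(final, "donation-0"))
    print("thief-0 flagged:   ", flagged_at_receive(final, "thief-0"))
```

The check returns the same answer for the thief's address and for a donation address, and the list has to be recomputed for every block, which is the maintenance cost raised in the post.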
legendary
Activity: 2940
Merit: 1333
February 05, 2012, 03:23:19 AM
#25
That said, I'll for sure switch to P2Pool as soon as I have a better understanding.
It's actually quite simple. [...] miners who have submitted shares for this block are paid in the generation transaction of this block, proportionally to how many shares they have found since the last Bitcoin block was found.

Not quite.  It's like this:

Each share contains a generation transaction that pays to the previous n shares, where n is the number of shares whose total work is equal to 3 times the average work required to solve a block, or 8640, whichever is smaller. Payouts are weighted based on the amount of work each share took to solve, which is proportional to the p2pool difficulty at that time.
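The payout rule described in the post above, worked through as an added example that is not P2Pool's own code and not part of the post: it follows only the wording given there (window of 3 times the block work or 8640 shares, payouts weighted by share work). The share chain, payee names and work units are constructed sample data, and details the post does not mention, such as fees, are left out.

```python
from collections import defaultdict

MAX_WINDOW = 8640   # share-count cap quoted in the post
WORK_MULTIPLE = 3   # window covers 3x the average work needed to solve a block

# Constructed share chain, oldest first: (payee, work). The work per share
# doubles part-way through, as if the share difficulty had been raised.
SAMPLE_CHAIN = (
    [("old", 200)] * 5
    + [("alice", 200), ("bob", 200), ("alice", 200)]
    + [("carol", 400), ("bob", 400), ("alice", 400)] * 2
)


def payout_window(share_chain, block_work):
    """Return the most recent shares that the next generation tx pays.

    Walk back from the tip until the accumulated work reaches
    WORK_MULTIPLE * block_work or MAX_WINDOW shares, whichever comes first.
    """
    target = WORK_MULTIPLE * block_work
    window, total = [], 0
    for payee, work in reversed(share_chain):
        if total >= target or len(window) >= MAX_WINDOW:
            break
        window.append((payee, work))
        total += work
    return window


def payouts(share_chain, block_work, reward):
    """Split `reward` (in satoshi) across the window, weighted by share work."""
    window = payout_window(share_chain, block_work)
    total_work = sum(work for _, work in window)
    weights = defaultdict(int)
    for payee, work in window:
        weights[payee] += work
    # Integer satoshi amounts; rounding dust is left unassigned in this sketch.
    return {payee: reward * w // total_work for payee, w in weights.items()}


if __name__ == "__main__":
    # 50 BTC block reward expressed in satoshi, block work of 1000 units.
    for payee, amount in sorted(payouts(SAMPLE_CHAIN, 1000, 5_000_000_000).items()):
        print(f"{payee}: {amount / 1e8:.8f} BTC")
```

Shares older than the window ("old" in the sample) receive nothing, and every payee is paid directly by the generation transaction, so no balance accumulates at an operator.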
full member
Activity: 209
Merit: 100
February 04, 2012, 10:58:21 PM
#24
blockchain.info says the transaction was sent by 68.58.218.245

http://www.dnsstuff.com/tools/ipall/?tool_id=67&ip=68.58.218.245

this may or may not be the actual sender or it could just be a node that relayed the tx
they could be behind a proxy....

the IP leads to Charleston, SC
traceroute:

Code:
68.58.218.245 is from United States(US) in region North America


TraceRoute to 68.58.218.245 [c-68-58-218-245.hsd1.sc.comcast.net]

Hop (ms) (ms) (ms)      IP Address Host name
1   0   0   0      206.123.64.154 jbdr2.0.dal.colo4.com 

2   0   0   0      64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net 
3   0   0   0      64.125.29.121 xe-3-0-0.er1.dfw2.us.above.net 
4   1   3   3      64.125.13.186 above-comcast.dfw2.us.above.net 
5   0   0   0      68.86.85.25 pos-2-5-0-0-cr01.dallas.tx.ibone.comcast.net 
6   21   21   21      68.86.86.130 pos-0-10-0-0-cr01.atlanta.ga.ibone.comcast.net 
7   25   25   25      68.86.85.226 pos-1-5-0-0-cr01.charlotte.nc.ibone.comcast.net 
8   45   35   35      68.86.93.174 te-0-3-0-1-ar02.westside.fl.jacksvil.comcast.net 
9   40   40   40      68.86.168.210 te-7-3-ar02.savannah.ga.savannah.comcast.net 
10   42   42   42      68.86.250.98 te-2-3-ar02.charleston.sc.chrlstn.comcast.net 
11   43   43   43      68.86.144.18 te-9-3-ur02.charleston.sc.chrlstn.comcast.net 
12   54   59   59      68.85.123.26   - 
13   Timed out   Timed out   Timed out         - 
14   Timed out   Timed out   Timed out         - 
15   Timed out   Timed out   Timed out         - 
16   Timed out   Timed out   Timed out         - 

Trace aborted.
full member
Activity: 196
Merit: 100
February 04, 2012, 02:09:52 PM
#23
Thank you very much!
Now I found the thread too.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
February 04, 2012, 01:50:24 PM
#22
Can't find it :(
It was an irc conversation with MagicalTux pasted here on forums, if anyone recalls it, please confirm.
Here you go: http://pastebin.com/Enm7Qr78

See the discussion with "deego" and MagicalTux.
legendary
Activity: 980
Merit: 1008
February 04, 2012, 09:52:01 AM
#21
That said, I'll for sure switch to P2Pool as soon as I have a better understanding.
It's actually quite simple. P2Pool creates a new block chain in which the difficulty is adjusted so a new block is found every 10 seconds. So the blocks that get into the P2Pool block chain (called the "share chain") are the same blocks that would get into the Bitcoin block chain, only they have a lower difficulty target (currently around 200 vs. Bitcoin's ~1.4M). Whenever a peer announces a new share found (new block in the P2Pool block chain) it sends it around to the other peers, and the other peers verify that this block contains payouts for all the previous miners who found a share (and announced it) that made it into the P2Pool share chain. This continues until some peer finds a block that has a difficulty that meets the Bitcoin network's difficulty target. This peer announces this block to the Bitcoin network and miners who have submitted shares for this block are paid in the generation transaction of this block, proportionally to how many shares they have found since the last Bitcoin block was found.

can't we just sit wait for the coins to move and follow them everywhere they go?

if they go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something
Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.
Be careful with that. There's only one thing that's worse than getting hacked and getting your coins stolen, and that's punishing an innocent Bitcoin user.

If the thief uses one of those Bitcoin scramblers (where he sends his coins to a service that charges a fee, and sends back someone else's money to the thief) then we could be unjustly accusing some Silk Road user (or whoever might use such a service) for being a thief.

Also, if someone were to steal 10,000 BTC, he could just create 900 Bitcoin addresses for himself, send 10 BTC to each of these addresses and send the remaining 1000 BTC to publicly available Bitcoin addresses. We would then have no way of knowing which addresses belonged to the thief, and which were legitimate Bitcoin users who have published their address. Sacrificing 10% of the loot in order to avoid not being able to spend the coins seems like it would be worth it for a thief.
full member
Activity: 196
Merit: 100
February 04, 2012, 09:11:15 AM
#20
Can't find it :(
It was an irc conversation with MagicalTux pasted here on forums, if anyone recalls it, please confirm.
donator
Activity: 980
Merit: 1000
February 04, 2012, 08:02:02 AM
#19
Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.

I believe MtGox already does that. MtGox followed the stolen funds and locked an account (about a month ago), when it looked like bitcoins came from allinvain's stolen bitcoins. But it was a false alarm, account holder proved he got the money from Tradehill.


This is really interesting. Where can I read more about this?

Another interesting front is law enforcement. Bitcoins are not legal tender, here in the UK I sincerely doubt it would even be a prosecutable crime to transfer to yourself somebody else's bitcoins, even ownership would be challengeable as in virtual game's pretend money, anyone who has the key can claim legitimate ownership.

In short, f*cking protect your private keys, lads! there is no other real protection for bitcoins at the moment. Less so internationally.
full member
Activity: 196
Merit: 100
February 04, 2012, 05:38:02 AM
#18
Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.

I believe MtGox already does that. MtGox followed the stolen funds and locked an account (about a month ago), when it looked like bitcoins came from allinvain's stolen bitcoins. But it was a false alarm, account holder proved he got the money from Tradehill.
donator
Activity: 919
Merit: 1000
February 04, 2012, 04:23:21 AM
#17

can't we just sit wait for the coins to move and follow them everywhere they go?

if they go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something

How would you know an address was a merchant's if they used unique addresses?

If you knew that it was a specific merchant, how would you know the ship to was not a diversion like a public member of the community?
Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.
donator
Activity: 919
Merit: 1000
February 04, 2012, 04:06:59 AM
#16
whoever says this was a scam should think about if he maybe have the least reason to do this. it's easy to blame the pool operators, but those who made such comments probably have never had to do with us, so just shut the fuck up.

i understand doubts but amateur sherlocks that make that stretch from an expiring domain name in 6 months to a scam just make me wanna puke.
wtfman, I'm sorry if I sounded like accusing you of being a scammer. Pretty sure you are not, since losing credibility for less than 2.5k$ is a bad deal. But no matter what, miners lost their BTC, and this adds up to the line of bad things that periodically happen to Bitcoin. Just because some idiots don't see that (in the long run) they can make more money using it for what it was designated instead of misusing it.

That said, I assume operating a pool needs a very long time horizon to get profitable. Even operating deepbit hardly can make [Tycho]'s a living, if my math is not fully wrong: currently it generates 100 BTC per hour; with ~3% fees that's less than 13k$ per month. Minus operational expenses, still a good salary - but for the price of carrying responsibility for a third of miners worldwide? No, thanks.

I'm not expecting you will get the lost BTC back or reimburse them from your pocket. I'll take it and wish the best if you decide to try again.
legendary
Activity: 1386
Merit: 1004
February 03, 2012, 11:46:11 PM
#15
How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.

can't we just sit wait for the coins to move and follow them everywhere they go?

if they go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something

How would you know an address was a merchant's if they used unique addresses?

If you knew that it was a specific merchant, how would you know the ship to was not a diversion like a public member of the community?
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
February 03, 2012, 11:01:15 PM
#14
How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.

can't we just sit wait for the coins to move and follow them everywhere they go?

if they go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something
member
Activity: 118
Merit: 10
BTCServ Operator
February 03, 2012, 07:33:13 PM
#13
whoever says this was a scam should think about if he maybe have the least reason to do this. it's easy to blame the pool operators, but those who made such comments probably have never had to do with us, so just shut the fuck up.

i understand doubts but amateur sherlocks that make that stretch from an expiring domain name in 6 months to a scam just make me wanna puke.
donator
Activity: 919
Merit: 1000
February 03, 2012, 04:24:38 PM
#12
How secure does the pool have to be? You are paid out as generation when a block is found by the pool, so as long as your bitcoin address is secure, you won't be in a situation where your coins can be stolen. The address doesn't even need to be in the wallet of the bitcoin client that is running on your computer to mine with P2Pool. It can be an address in an offline wallet! You can check the balance via block explorer.

I'm no coder, so I have to trust coders, but reading the old P2Pool thread shows the software has been audited by several people who I consider trustworthy (it's been around for a while now). I don't need to know how it works just to mine, although I do have a general idea. Besides, you were content to mine with a traditional pool where you have to trust the operator. Did you read the code for poolserverj (or whatever the pool was using)? How do you know the operator didn't modify it in some way? Wouldn't it be better to need to place less trust in others?
Valid points, indeed. I always mine PPS to have some means to check the shares submitted against accepted ones. But honestly, after switching to a pool I usually checked for only the first days to get some confidence. I am credulous (spell: naive) enough to trust the operators for one reason: with the fees they are making, in the long run it does not pay off to cheat, since credibility is their most important stake (and reliability of course).

After reading a little bit more about P2Pool, I understand that the maximum loss one can take is the rewards mined since the last found block (which as of today is at ~26h). That is far less risky than what I lost to BTCServ.

Quote
Yes, it's still being improved, and there was a share chain split. It was patched and fixed. I've been mining for close to a year now, and since switching to P2Pool I am very happy with the stability. The only time I've needed to stop mining was to restart the software to update to the newest version. About one minute downtime total in the past month. That's stable enough for me considering the other advantages of P2Pool.

I'm interested and confident enough in the idea to jump in. I'll soon put some GH into P2Pool, as soon as my BitForces arrive (no kidding).
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
February 03, 2012, 04:11:35 PM
#11
Oh I missed the question about security of p2pool

Excuse me but where is the problem about p2pool? Every time a block is found, you receive the payment on your address, everything is p2p and it's opensource...
full member
Activity: 200
Merit: 100
|Quantum|World's First Cloud Management Platform
February 03, 2012, 04:07:30 PM
#10
At this point I'd be surprised if the miners get their earnings back. This is why I always withdraw from manual payout pools on a regular basis, though lately this pool was a backup one for me, so I wasn't checking it as often, and lost about half a BTC (which still isn't too bad).
donator
Activity: 919
Merit: 1000
February 03, 2012, 01:29:46 PM
#9
Another week's mining reward gone :'(

I followed the recent discussion on why mining at the major pools is bad and clearly agree on the ideological issues. But as a miner, one kind of is constrained to, as they seem to be more secure. No idea how vulnerable P2Pool is, but for sure people will try as soon as it grows and becomes a valuable prey. Sad.

P2Pool is as vulnerable as your computer is. There is no central point of failure. It's a peer to peer pool.

Ummm, a p2p-overlay network over another p2p-overlay network - sounds easy.

I understand that p2p has no single point of failure and is therefore DoS resistant, but is the P2Pool protocol itself secure? Realistically speaking, we all hope that the Bitcoin protocol is simple enough to be invulnerable - but we do not know for sure (and never will). And now after one just starts to scratch the surface on how the blockchain works, he must start learning about 'sharechain' to just mine...

I like the idea of P2Pool and therefore tried to get some insight on how it works, but to have a clear idea on how reliable it might be, one needs to read the code. Sadly, I'm otherwise busy this weekend, but alone from reading the official P2Pool thread it appears that it is far from being stable (split chains, etc.).

That said, I'll for sure switch to P2Pool as soon as I have a better understanding.
donator
Activity: 980
Merit: 1000
February 03, 2012, 11:53:38 AM
#8
How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.