Topic: Question about hacking and private keys - Coinbase as example (Read 233 times)

Thanks everyone for taking so much time in helping me! It was very much appreciated. I had a lot of thinking to do

You are missing some of the basics and completely misunderstanding how bitcoin even works at all.

As a result, everything everyone is trying to explain is passing through your filter of misunderstanding before you try to follow along with their description.  This is leading to even more misunderstanding and confusion on your part.

It does appear that you are finally noticing a few things (such as the fact that bitcoins don't have keys), but it is also clear that you are still struggling with the underlying concepts.

To get a grasp on the general concepts, I suggest pretending that you don't know anything about bitcoin (or at least assuming that everything you know is wrong) and then watching this video as if it is about something completely different than your current understandings:

https://www.youtube.com/watch?v=bBC-nXj3Ng4

Some of the specific details are generalized or simplified in that video, so it won't give you an exact understanding of every technical detail, but it is a good introduction to the more basic concepts.

Then once you've watched it, let me know if you still have some questions.

As has already explained, it isn't the bitcoins that have the keys.  Each bitcoin address is associated with it's own key.  So, when Coinbase sends bitcoins to a wallet on your computer, the bitcoins don't "become keyless" and Coinbase doesn't "send you the key".  Instead, Coinbase uses the key that is associated with the address where they previously received the bitcoins. With a special mathematical function they can compute a signature of the transaction with the private key.  Then they broadcast the transaction (with the signature) to the network.  ALL the software on the network can use the address where Coinbase had previously received the bitcoins to verify the signature.

Note, it is impossible for software to generate a signature if all it has is the address or public key. Generating the signature REQUIRES the private key. However, it is simple for software to verify a signature if all it has is the address or public key.  So, ONLY someone that has access to the private key can create a valid signature, but EVERYBODY can check to make sure that the signature is valid.

The transaction that they broadcast assigns some Bitcoin value to YOUR address (an address for which YOU ALREADY have the private key).  Now, only you will be able to generate the necessary signature to spend those bitcoins since ONLY YOU have the necessary private key. When you DO choose to send those bitcoins somewhere, your software will use YOUR private key (which is associated with your address) to sign the transaction (proving that you are allowed to transfer that value).  The entire network will be able to use your bitcoin address to verify your signature, and then the value will be assigned to whatever address you send it to (requiring a signature from the private key associated with THAT address if the recipient wants to send the bitcoin value somewhere else.

 So yes you did understand perfectly what I was asking   but the last sentence kind of confused me. So are you saying keeping it on an exchange is a good thing or a bad thing?

“Perhaps you believe that each bitcoin has a private key. That is not how it works. In simplest terms, an address holds bitcoins and an address has a private key.”

 Absolutely I thought that each BTC, LTC, ETH, etc,et, had a key???  That’s just kind of blew me away!!!

There are no "my keys". The keys are Coinbase's keys. You have an account at Coinbase with a balance.

Keys are not sent, but are used to send.

However, moving bitcoins between Coinbase accounts consists solely of changing the balances of the accounts. Nothing is actually moved or sent.

Perhaps you believe that each bitcoin has a private key. That is not how it works. In simplest terms, an address holds bitcoins and an address has a private key.

You have just explained how the process works which is not only peculiar to coinbase but all of the exchange site operating in the market. What Op is asking is that what is the usefulness of the private key if its possible for someone to convert bitcoin to cash without the need to submit it somewhere or verify it.

The simple and straightforward truth is that private keys are to establish ownership. When one wants to bid for a project and you are required to have certain amount of money in your account, there only way to verify that is to show a verifiable bank statements not your flashy cars, wristwatches, clothes or chains. The same thing here in the case of bitcoin while bank statements can be forged, bitcoin messages cannot ( to a large extent) and keeping funds on exchange sites does not give room for that.

If you buy something, you can have Coinbase send the seller bitcoins on your behalf, and Coinbase will effectuate the payment with some UTXOs and private keys of theirs. Your choice boils down to whether you trust Coinbase. By keeping your bitcoins in a wallet of your own, you’re in control, but you also take a risk of losing your bitcoins e.g. due to malware.

Here’s how private keys work. Bitcoin exists in the form of unspent transaction units (UTXOs). Whatever balance of bitcoins anyone has in their wallet is made up of UTXOs. Each UTXO can have any denomination, as most will have been created as change from previous transactions. Each UTXO also has a corresponding private key. Anyone who knows the private key to a UTXO can spend it. That’s why Coinbase doesn’t give you any private keys. If they did, you could spend the bitcoins, which would defeat the purpose of having them deposited with Coinbase. Instead, when you withdraw bitcoins from Coinbase, they send some of their UTXOs to the address you specify. Those wouldn’t be the same UTXOs you sent them, just as a bank isn’t going to give you back the exact same banknotes you deposited.

Kind of...  but I understood your explanation the best   I guess maybe since I don’t actually use them for anything other than investing then none of this really applies to me is what you’re saying? But if I buy things or do other things with them, then the keys are essential??

I mean I’m sitting here thinking, reading all of this research about how coinbase is almost virtually unhackable, because they store the keys in an underground vault that’s inaccessible and has never touched or will touch the internet.  But if what they are storing is not needed to cash...

OK so after reading everyone’s replies this is what I get out. At the point where I buy and keep them at Coinbase  or send them to another Coinbase account the keys are never involved. But if I decide to send the coins to another exchange, then the actual keys are in fact sent at that point? So that means if somebody were to hack into my account and transfer the coins to their account, then at that point the keys ARE sent along with it?

So my understanding is not correct and my “keyless” concept ONLY applies to me keeping it all local on the Coinbase exchange, correct?

Then if that is all correct, the only question is why does Coinbase tell me I cannot get my keys?  That can’t be true then and that’s what made me think the coin‘s were not sent with the keys because they say they’re not available to me?  But they are available to absolutely anyone else when they are sent?

When you have bitcoins on a Coinbase or similar account, you don’t actually hold bitcoins in a technical sense. It’s like having a tech-savvy friend hold your bitcoins. Coinbase, or your friend, has the private keys to the bitcoins (actually to the UTXOs) you have deposited, and you trust them to eventually give you back your bitcoins by sending an equal amount of bitcoins (but probably not the same original UTXOs) to whichever address you specify.

Keeping your UTXOs in a wallet of your own is another thing entirely. You hold your own private keys and are responsible for keeping them secure.

Coinbase has several wallets and private keys. The private keys are required to send the coins between their wallets and to wallets they don't control.

When you buy bitcoins, Coinbase credits your account when the money is received from your bank. No bitcoins are moved.

When you deposit bitcoins in your Coinbase account, you are sending to a deposit address in Coinbase's wallet. When Coinbase receives the bitcoins, they credit your account. They know which account to credit because only your account uses that deposit address.

When you send bitcoins from your Coinbase account to a friend that has their own wallet, Coinbase debits your account and then uses their private keys to send the bitcoins from their wallet to your friend's wallet.

When you send bitcoins from your Coinbase account to your friend's Coinbase account, Coinbase simply debits your account and credits your friends account. No bitcoins are moved.

When you sell bitcoins in your Coinbase account, Coinbase simply debits your account and transfers the money to your bank account. No bitcoins are moved.

I hope that makes everything clear.

Coinbase have the private keys but they control them. An exchange have most (and not all) of the funds in cold storage for security reasons. If they get hacked, the cold storage cannot be touched so they basically limit their losses. They still have a hot wallet where they process withdrawal automatically.


Again, Coinbase have the private keys of the addresses you have in their site. If a hacker gain access to your account, he will withdraw to "his address" that he have the private keys of and coinbase will authorize this withdrawal transactions since the hacker have the email, password, 2FA or whatever.


A private key is what allow you to spend bitcoins from an address or sign a message (proof ownership) from an address, It has nothing to do with converting bitcoin back to cash. There is no keyless address, coinbase just choose to not show them to their users (just like any other exchange) while wallets like Electrum give you total access to your funds.

Private keys are not useless, without it you can't sign a message and prove that it's you who owns the address. For example if coinbase gave you a private key containing your address then the next day they went down because of other issues like DDoS you can easily use that private key to gain access to your bitcoins. Hackers target exchanges because they can't brute force their way on people's private key.

Don’t really have a good understanding on all this stuff as far as the actual mechanics behind it. But something just really doesn’t make sense to me and it seems very amiss.

Let’s take Coinbase as an example. If coinbase is only a hosted exchange and doesn’t actually have the keys available, as they are held in cold storage, then what good are those keys to begin with if they are not required to convert to cash?

If someone was to hack into my computer and take control of my account and transfer my coins out, they don’t have the actual keys, they just have the coins that are keyless, yet they can trade those coins without the keys and cash them in.

So what the heck good are keys if I don’t need them to convert to cash? They seem to be totally useless if somebody can just steal your keyless coins, put them in another account and then convert them to cash without even NEEDING the keys. That seems like a major flaw to me??