Ejezie Sunday, CEO of the Nigerian Bitcoin exchange Naira4Dollar, has allegedly had $15,000 worth of Bitcoins stolen from his company’s wallet on blockchain.info.
Hackers are getting more sophisticated, and recovering stolen funds is a complicated procedure.
Trading for Perfect Money
“We ran out of stock on Tuesday March 15, 2016, and had to buy $15,000 worth of Bitcoins, valued at N4,575,000”, Sunday told Cointelegraph.
“We actually needed Perfect Money, but since we couldn’t get that at that time, we bought Bitcoins, with the hope of trading for Perfect Money. On getting to the office, I logged into the company’s wallet but didn’t find any Bitcoin (I had received and confirmed the $15,000 earlier). It was a huge shock as I yelled out, we’ve been hacked!
Immediately, I noticed that the transaction was yet to be confirmed, so I tried by every means I could to contact blockchain.info. Unfortunately I didn’t get any reply, neither did I have any idea on how to stop the transaction. I painfully watched as the transaction was confirmed and all funds moved into the hacker’s wallet.”
According to Sunday, a reply from blockchain.info was received after the Bitcoins had long been moved and split between different addresses. The reply read:
“I am sorry to hear of this trouble, but the Bitcoin network is designed to make chargebacks impossible. Blockchain.info never has access or control of a user’s bitcoins in any way, which means only the end user has 100% control over his own bitcoins. This means we have no power to stop or reverse a transaction for you.”
Sunday listed the addresses involved in the entire transaction as follows:
Sunday says that normal business operations have continued at Naira4Dollar and the company has moved to improve the security of their wallets, by enabling 2FA and a second password, and increasing password stretching (PBKDF2).
Recovery not so easy
Immaculate Dadiso Motsi-Omoijiade is a PhD/Doctoral Researcher in Law focusing on the regulation of cryptocurrencies. When asked about a victim’s options when their wallet is hacked, she said:
“There has been precedent for people combining (class action) to sue the wallet provider/exchange after they've lost their BTCs to hackers. Cases in point are Mt.Gox and Bitcoinica. I am sure there are a few more.
If the victim can argue that there was neglect on the part of blockchain.info, rather than the hackers getting access to the victim’s wallet through their own (the victim’s) system, then they'll have a case. The reason why people group together is to make a stronger case that the wallet provider was negligent.
If blockchain.info is US-based they should by law be registered with FINCEN and also in the state they're based in, and they have consumer protection standards they're required by law to meet.
However, in all practicality, the first port of call for a victim should be blockchain.info's customer service. The victim has to report the hack and ask if recovery is an option and how. There must be some fine print when setting up a wallet that explains the level of liability for loss or theft the wallet provider bears. By agreeing to those terms when the wallet is set up, the only recourse would be to prove a breach in these terms through gross neglect.”
More security offline
“Unfortunately, the computers and systems we use are vulnerable and in many cases, not even 2-factor authentication helped to protect the user accounts. Hackers are sophisticated and highly focused. Ways to remotely obtain passwords from our computers are fairly trivial today.
The only way to protect our bitcoins is to keep the private keys away from our computers, phones or online services. That doesn't mean we should give up on the comfort of our favorite bitcoin wallets. With TREZOR in the hands of the user and the TREZOR Connect API implemented in services such as Blockchain.info, we can have both ultimate end-user security and great user experience.
The Trezor Connect API allows the user to create a TREZOR account embedded into any bitcoin service and effectively prevent a hacker from moving the bitcoins away from the service. The TREZOR Connect API also introduces the passwordless "Login with TREZOR", replacing the login credentials by a cryptographic signature derived from Trezor, again making the user account safe from intruders.”