Wait a Second. I Thought Bitcoins Were Unstealable?

For indispensable reporting on the coronavirus crisis and more, subscribe to Mother Jones' newsletters.


I don’t really care about Bitcoin—really I don’t—but I guess I’m curious about something. How is that cyber thieves were able to steal a million bitcoins from Mt. Gox? I understand that Mt. Gox had inadequate security, but I thought the whole point of bitcoin was that it was protected by its very nature: every transaction is stored in a block chain; the block chains are mirrored by thousands of bitcoin miners; and you can’t screw with the block chains unless you apply galactic amounts of computing power. So even if you managed to steal some bitcoins, you couldn’t get anyone else to accept them unless you could demonstrate proper chain of custody, so to speak. Since this is more or less impossible, all the stolen bitcoins are of no use to anyone.

Obviously I’m missing something fundamental here, since I assume thieves don’t bother taking stuff they can never use. And yes, this is just academic interest in the deep geekery behind bitcoin. But can anyone point me to an explainer that tells me exactly how a theft like this could be successfully pulled off?

UPDATE: Judging from some links in comments, apparently the problem is that Mt. Gox had a bug in their software that allowed thieves to create seemingly legitimate transaction changes which were propagated throughout the block chains. There is a known problem with the bitcoin protocol that allows this, and Mt. Gox didn’t properly protect against it:

Many exchanges use the Transaction ID to uniquely identify transactions, but as it turns out, an attacker can change the Transaction ID without changing the actual transaction, rebroadcast the changed transaction (effectively creating a double-spend) and if his altered transaction gets accepted into a block instead of the legit transaction, the attacker receives his coins and can complain with the exchange that he didn’t. The exchange will then check their database, fetch the Transaction ID from it, look it up in the blockchain and not find it. So they could conclude that the transaction indeed failed and credit the account with the coins. … A simple workaround is to not use the Transaction ID to identify transactions on the exchange side, but the (amount, address, timestamp) instead.

I don’t know that I actually understand this, but then again, I’m not sure I want to. In any case, apparently it’s a known bug that Mt. Gox should have handled in its internal software. But they didn’t.

UPDATE 2: Emin Gün Sirer, who sure sounds like he knows what he’s talking about, says that the problem above, known as “transaction malleability,” is almost certainly not behind the Mt. Gox theft. Nor was it lost keys, hackers, web server problems, or US spooks.

So what was it? He doesn’t know. He concludes with this: “Chances are that this is a simple case of theft, involving at least one insider.” So I guess we still have to wait and see.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate

We have a new comment system! We are now using Coral, from Vox Media, for comments on all new articles. We'd love your feedback.