World's largest crypto exchange targeted in security breach:
Hackers have stolen around $570 million in tokens from Binance, in a rare blow to the world's biggest crypto exchange and another dent to the troubled digital assets industry struggling to regain trust after a collapse in prices.
[...] However, the exchange later disclosed that the hacker had taken around 2 million of the cryptocurrency BNB, Binance's own digital token, with a value of around $284 each. The hack targeted BSC Token Hub, a bridge between two Binance systems.
[...] Cyber criminals had taken nearly $2 billion this year to the end of July, nearly double the total in the first seven months of last year, according to data from Chainalysis. High-profile thefts included $600 million from the blockchain behind popular crypto-gaming platform Axie Infinity. Many hacks have been traced to state-sponsored actors in North Korea.
Binance's position as the world's largest crypto exchange means Friday's exploit represents a significant blow to the digital assets industry.
[...] Many of the world's most widely used blockchains, such as Binance Smart Chain and Ethereum, run on separate technologies or use different tokens. That means investors and developers cannot easily move their tokens to a different blockchain to use or trade them elsewhere.
[...] Binance Smart Chain allows the world's largest crypto exchange to open its doors to let developers build applications that use smart contracts, based on Binance's own token. Binance launched the new chain in September 2020, at a time when the crypto industry was seeing widespread interest in decentralized finance projects.
Naïve question: if you can have a public ledger that establishes ownership, why can't you tag stolen crypto similar to how you can revoke an SSL cert? [hubie]
(Score: 5, Interesting) by isostatic on Tuesday October 11 2022, @07:02PM (16 children)
How do you prove it's stolen if you were to tag it?
How do you prove the person claiming it's stolen is right in their claim?
I buy something off you for 50 coins, you are happy, I'm happy
I then claim that I was hacked and that you stole the 50 coins.
If you want that sort of protection (protection ultimately backed by the might of a country's economy and military) use real currency in a real bank account
(Score: 0) by Anonymous Coward on Tuesday October 11 2022, @07:16PM (11 children)
But if I buy something from you and we exchange the coins, isn't that recorded in the ledger?
(Score: 5, Informative) by sea on Tuesday October 11 2022, @07:51PM (10 children)
Only the coin exchange is recorded, and it is identical to a theft.
The recording simply says: "Coins transferred from account A to account B" (where 'account x' is 'account associated with public key x')
It doesn't record anything about whether you transferred real money for it, or goods and services, or even if someone held a gun to you and asked you to transfer the coins or else.
(Score: 4, Informative) by JoeMerchant on Tuesday October 11 2022, @08:16PM (9 children)
The difference (as I see it) is:
With a Credit Card, you present your "wallet ID" to a merchant with an understanding that they will charge only a certain amount to it - there's a tremendous amount of trust involved, but 99.999% of the time these transactions actually go according to the understandings of both parties. The merchant presents you with some lame ass slip of paper with disappearing ink on it which "proves" that you paid for the items listed thereon, usually time and date of transaction, etc. Things go wrong, the CC company acts as arbiter between the parties and generally sucks up the loss one way or another out of the 1.5% average transaction fees they charge. Remember that 0.001%+ of transactions go without trouble? Yeah, I bought stock in Visa as soon as it was offered. The CC companies trade info about their customers and merchants with credit ratings bureaus, blacklist bad players, charge variable rates depending on risk, have standing in the legal system to pursue collections in court, etc. And, at least in the U.S.A. - anybody can sue anybody else over anything, for the cost of a filing fee plus whatever legal counsel they may or may not retain... It's insanely easy to steal a CC #, but difficult to get much value out of it before it gets deactivated.
With crypto-ledgers, the proof is in the keys. If you have a secret key corresponding to some "value store" (wallet or otherwise [mangocats.com]) recorded on some blockchain (aka crypto-ledger), then any number of transaction processors can validate a proposed transaction signed by that key as proof of ownership of whatever it corresponds to - usually a quantity of "cryptocurrency." Presentation of a proposed transaction signed by a valid key by the "legitimate" owner is indistinguishable from presentation of the key by a cyber-hacker-thief-terror-criminal-boogeyman, and so the transaction processors (being something less than 0.1% as developed in the real world as Credit Card processing organizations) simply accept the key, record the transaction and voilà, fait accompli. Instead of a scrap of paper or lame e-mail sent to you privately, your (or your cyber-mugger's) transaction is "on the chain" for basically the whole world to see, if they care to. Transaction processors really haven't developed anything to ID parties beyond the secret keys, they make no risk assessments, have no arbitration departments, mostly they are "in it" for some slice of the transaction - strangely similar to CC companies. While you can take a cyber-transaction gone bad to the courts, they are unlikely to understand or care (unless you happen to own the judge) and the chances of your chosen legal venue having jurisdiction over the party which stole your imaginary money are vanishingly small anyway. If you exercise due care, it _should_ be hard to steal your crypto-keys, but people have very little experience in keeping these kinds of secrets safe- yet not lost forever...
In today's geo-political situation, it's more than slightly conceivable that cryptocurrency which has allegedly been stolen was, in fact, intentionally transferred but called stolen in an attempt to mask the intentional transfer of value to parties not currently accepted by the world's banking community.
Ukraine is still not a part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 5, Insightful) by Thexalon on Tuesday October 11 2022, @09:02PM (5 children)
Something that's definitely an aspect of all this is that the conventional banking system has a bunch of corporate bureaucracies and government bureaucracies looking after it, while crypto doesn't. And that means that when there's stuff that happens that shouldn't happen, there are a large group of people who, if they're remotely doing their jobs, are ready and able to do something about it, and are backed by the laws of their country and by extension people with guns to enforce those laws if needed.
Crypto, being a new, entirely unregulated, highly speculative business, doesn't have any of that infrastructure of trained humans to deal with problems.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by RS3 on Tuesday October 11 2022, @09:25PM (4 children)
I'll add: in many ways governments see crypto as possibly being at least somewhat subversive. They want their taxes, and now they have to learn how to know about, and then keep track of crypto transactions (to then tax them). So they have incentive to learn and track it, but until then, they have no incentive to protect it.
(Score: 4, Interesting) by JoeMerchant on Tuesday October 11 2022, @09:35PM (2 children)
If governments would get educated about how Blockchain works they should be very jazzed about the "irrefutable proof" of timestamped transactions openly recorded, which are ultimately traceable to whoever holds the secret keys.
(Score: 2) by RS3 on Tuesday October 11 2022, @11:25PM (1 child)
Thanks. I'm not up on crypto, Blockchain, etc., so this might be a very naive question:
Does Blockchain point to that person? IE, can you definitively know who a particular person is from the transaction? If so, how do you prove it? Would they have to fork over the secret keys to unlock the entire record, and thereby prove they are that person? And even then, the secret keys could be stolen, I presume...
(Score: 3, Informative) by JoeMerchant on Wednesday October 12 2022, @12:53AM
>IE, can you definitively know who a particular person is from the transaction?
No, unless they tip you off somehow. Conversely, anyone who holds the secret keys for a crypto-asset can prove that they hold those secret keys (without divulging them) - so, even people who try to hide their identity sooner or later may end up unintentionally proving that some transaction(s) were owned by them.
If crypto goes regulated, tying personal identities to transactions would be relatively simple to do - as easy as issuing an ID card.
(Score: 3, Touché) by Thexalon on Wednesday October 12 2022, @02:20AM
This probably is at least somewhat related to the cryptobros portraying themselves as at least somewhat subversive: "Use the currency the government can't control!" "Use this to buy illegal drugs on SilkRoad!" "This is tax-free!" etc.
(Score: 4, Insightful) by Reziac on Wednesday October 12 2022, @02:46AM (2 children)
My Cynical Little Voice opines that more'n likely some of the crypto/blockchain stuff was developed explicitly to use for theft.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 3, Insightful) by JoeMerchant on Wednesday October 12 2022, @10:05AM (1 child)
Taken as a whole, most of the money in crypto is in there with the hope of being one of the "got rich quick club." I doubt that most of them care how that happens.
In the early days it certainly was used to buy more drugs than pizza, and saying that out loud, I wonder if the pizza parlor that was one of the first (legit) places to accept BTC as payment was doing so because they knew people were buying weed with BTC and then getting the munchies.
(Score: 2) by Reziac on Wednesday October 12 2022, @01:47PM
Good points.
(Score: 4, Insightful) by Rosco P. Coltrane on Tuesday October 11 2022, @09:21PM (1 child)
You don't. Once your wallet's private key is stolen, it's as good to the thief as it is to you.
Just like when someone makes a copy of your key and opens your car door with it: when you complain about your car being broken into, the insurance company usually replies that there's no visible trace of effraction so there is no effraction, and therefore likely no burglary.
Also...
To whom? There's no central authority or "bitcoin police".
At least on the EMC network, Visa or Mastercard will take your claim, reverse the charge and suck up the loss if approved. That's the only thing those two giant monopolies are actually good for in the world of CC payment in fact.
In the world of crypto, you do away with the hateful monopolies, but also with the only desirable service they provide,
(Score: 2) by FatPhil on Wednesday October 12 2022, @05:07PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by legont on Tuesday October 11 2022, @11:43PM
Well, the victim could go to court which could rule them stolen. After that the government could go after the coins, including using police, letter agencies, and military.
I do realize it does not happen today, but could in the future. Therefore I want to know if coins I buy are on the suspicion list or not. I do realize the info is not provided (unless I search the blockchain myself) and are likely mixed (or whatever the term is) therefore mint - uncirculated - coins should have higher value similar to gold coins.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by Tokolosh on Wednesday October 12 2022, @02:31PM
Ownership is not the same as possession. I might own a nice TV set, but the burglar who has it in his possession gets beneficial use.
If you don't have the key, you don't have the crypto.
(Score: 4, Insightful) by Thexalon on Tuesday October 11 2022, @07:40PM
It's almost like all those banking regulations and the like might actually have come out of people getting things stolen from them through no fault of their own and not wanting that to be a regular part of the financial system anymore.
But I know, we can't have that in crypto-land, because that's big government, and the private industry will always take care of all problems whether or not it's short-term profitable to do so.
(Score: 3, Insightful) by Anonymous Coward on Tuesday October 11 2022, @08:13PM (1 child)
The system is designed to facilitate fraud and theft, to make fast, easy money and evade the tax on it. Why is everybody so upset? Why should we care what happens to speculators and scammers? It's just one group of thieves stealing from another... Let them rot.
(Score: 3, Insightful) by RS3 on Tuesday October 11 2022, @11:37PM
It reminds me of illegal gambling: if someone cheats, who are you going to complain to?
I can see this engendering an underworld of unsanctioned powers, retribution, and who knows what's next.
(Score: 2) by Sjolfr on Tuesday October 11 2022, @11:30PM (4 children)
The coins should be traceable as the tech sits right now. If the thief uses them then they can be tracked back to the wallet s/he put them in. Then they can be traced in an old-school triangulation.
However, it does bring up (again) something that crypto-currencies have been avoiding; regulations for control and prevention of dishonesty.
What percentage of crypto-currencies are in an unusable state right now? Lost wallets, stolen, etc.
(Score: 2) by RS3 on Wednesday October 12 2022, @01:18AM (3 children)
As above, please forgive my naivety, but are you saying there's a database (or many) that keeps track of transactions and owners? Seems like there must be, and that would be super vulnerable to the most clever of hackers.
I'm still not even sure what a "wallet" is. I'd guess it's an encrypted file on a hard drive somewhere? If so, can it be copied (backed up)?
(Score: 4, Interesting) by Sjolfr on Wednesday October 12 2022, @01:49AM (2 children)
Owners aren't tracked in the traditional sense of ID and social security numbers. Wallet addresses are traced and kept forever in what they like to call the blockchain.
So if person A steals some coins and those coin hashes/identification are marked as stolen, then the next time person A transfers those coins all of the wallet addresses can easily be tagged. It would take some old-school transaction triangulation to get to the bottom of who is using those stolen coins, but it can be done. Doesn't matter how many times person A moves the coins from one wallet to another. All of those transactions, including their details, are saved forever. People can not use the coins without touching the block chain.
In fact, it would be trivial to introduce a mechanism into the block chain that would refuse coins that are marked as stolen. That would never happen because it would kill the cryptocurrency economy. There would need to be regulation and control measures put into place to prevent this kind of theft ... but those measures would also likely kill the crypto-economy.
Cash is still king for un-traceability.
(Score: 2) by FatPhil on Wednesday October 12 2022, @05:34PM (1 child)
And taint can't follow transfers, else you could deliberately taint good guys' wallets by transferring tainted value to them. If a self-identifying good guy claims that he's not noticed that he's received some tainted coin, and then spends some, there's no way of telling if he was spending clean value or tainted value, so, again, taint definitely can't follow transfers unless it taints all value it ever shares a wallet with, in which case the whole ecosystem can be poisoned very easily.
(There are non-scalable theoretical solutions to all these problems, but even ones without such solutions don't scale well, make that worse, and you've got an impractical disaster.)
(Score: 3, Informative) by Sjolfr on Wednesday October 12 2022, @08:36PM
The process through which "coins" are identified is actually one of the best ways to identify uniqueness. All of the "coins" are 100% unique hashes. That is the one thing that crypto-coins have brought to the table; clear unique identification. So, yes, there are no physical coins involved but they are all 100% unique from each other and very identifiable. Thusly, traceable.
We should be using this technology in voter ID machines.
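The disagreement in the comments above (marking stolen coins and following them through every transfer, versus the objection that taint would spread to every wallet it touches) can be worked through on a small ledger. This is an added example, not part of any poster's comment: the wallet names, the ledger and the account-style balances are constructed for illustration, and "poison" and "haircut" are the names used here for the two tracing policies compared.

```python
from fractions import Fraction

# Constructed ledger of (sender, receiver, amount); all wallet names are
# hypothetical. "mint" creates clean coins. Account-style balances are a
# simplification used for this illustration.
LEDGER = [
    ("mint", "victim", 100),
    ("mint", "merchant", 1000),
    ("mint", "bystander", 50),
    ("victim", "thief", 100),     # index 3: recorded like any other payment
    ("thief", "mule", 99),
    ("thief", "merchant", 1),     # tainted coin lands in an uninvolved wallet
    ("merchant", "supplier", 500),
]
THEFT_INDEX = 3  # the transfer a (hypothetical) list maintainer marks stolen


def trace(ledger, theft_index, policy):
    """Replay the ledger and return {wallet: tainted amount still held}.

    policy "poison":  any tainted receipt taints the receiver's whole balance.
    policy "haircut": taint leaves a wallet in proportion to its tainted share.
    """
    if policy not in ("poison", "haircut"):
        raise ValueError("unknown policy")
    balance, tainted = {}, {}
    for i, (src, dst, amount) in enumerate(ledger):
        amount = Fraction(amount)
        moved = Fraction(0)                      # tainted part of this transfer
        if src != "mint":
            if amount <= 0 or balance.get(src, 0) < amount:
                raise ValueError(f"invalid transfer at index {i}")
            moved = amount * tainted[src] / balance[src]
            balance[src] -= amount
            tainted[src] -= moved
        if i == theft_index:
            moved = amount                       # everything stolen is tainted
        balance[dst] = balance.get(dst, 0) + amount
        tainted[dst] = tainted.get(dst, 0) + moved
        if policy == "poison" and tainted[dst] > 0:
            tainted[dst] = balance[dst]
    return {w: t for w, t in tainted.items() if t > 0}


def flagged_total(result):
    """Total value a blacklist built from this trace would freeze."""
    return sum(result.values())


if __name__ == "__main__":
    for policy in ("haircut", "poison"):
        result = trace(LEDGER, THEFT_INDEX, policy)
        print(policy, {w: float(t) for w, t in result.items()},
              "frozen:", float(flagged_total(result)))
```

Under the haircut policy the flagged value stays equal to the 100 coins taken, spread thinly across the merchant and supplier; under the poison policy a single 1-coin transfer leaves 1,100 coins flagged, most of them in wallets that had nothing to do with the theft.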
(Score: 2) by ElizabethGreene on Wednesday October 12 2022, @08:53PM
You could do this, but then you've created a mechanism that can be (ab)used to create chargebacks and government or NGO currency controls. One of the key advantages (and disadvantages) of bitcoin is that unlike PayPal or EFT, once the money is sent, there are no takebacks. Embargoing funds transfers is also extremely difficult; that's a feature.
It would be trivial to implement a database on blockchain to identify specific addresses as receiving stolen funds. The hard part would be getting clients and/or miners to do something with that information. Miners choosing not to include transactions from addresses on the list would be an effective way to prevent stolen funds from being used, but the mining fees from those transactions (and the extra work to filter them out) would be an effective disincentive to implementing those checks.
The excruciatingly hard part, the big ticket that breaks it, would be figuring out who to trust to put addresses on the naughty list, who can remove them, and how long they stay tainted. I can't think of a single entity I'd trust in this role.
(Score: 2) by SomeRandomGeek on Wednesday October 12 2022, @10:26PM
You: I was trying to get rich quick by speculating on a system designed to allow criminals to transfer funds untraceably, but the criminals took all my money.
Me: HA HA HA HA HA HA HA!!!!!!!!!!