NiceHash, a multi-algorithm mining pool and marketplace that lets users mine any hashing algorithm and sell their hashpower to buyers of mining contracts, has allegedly been hacked out of 4,449 bitcoin, currently worth about $75 million.
“There has been a security breach… We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours,” NiceHash said.
The exact nature of the breach is unclear but Andrej P Škraba, NiceHash’s head of marketing, said it was “a highly professional attack with sophisticated social engineering.”
“Our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen,” NiceHash said. The precise amount remains unclear, but at least 4,449 bitcoins have been drained from the address.
“The incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency,” the Slovenia-based mining pool and marketplace says, without providing further detail and without naming the authorities.
Questions are being raised as to how this hack could have happened. Usually, such huge sums of bitcoin are kept in offline cold wallets, locked under metaphorical, and sometimes literal, keys or vaults.
How a hacker could have accessed them therefore remains unanswered, with some going so far as to speculate that there may not have been a hack at all and that the NiceHash operators may have run away with the money.
That is complete speculation, but the stupendous increase in bitcoin’s price might lead to strains for exchanges or service providers who may be operating as fractional reserves.
There is no evidence-based indication that this was the case here. Mt. Gox, however, managed to operate fine while bitcoin’s price was low, yet buckled in February 2014, when its fractional-reserve operations were revealed after the price had increased by some 10x.
A constant refrain since then has been to advise everyone to ensure they have full control of their private keys. In some instances, however, that isn’t easy or even possible.
Due to the nature of bitcoin mining, pools are now very much a requirement. Small miners who contribute their hash therefore cannot control the private keys to their unpaid earnings, and must rely on trust that pool operators will not mismanage or even abuse their position.
Likewise, traders have no option but to trust that exchanges are not operating as a fractional reserve, or worse, that they won’t suddenly close shop and run away.
Even where operators act in full good faith, these hubs constantly receive and make bitcoin payments, so the keys that sign those payments must sit on internet-connected systems, where hackers can tap into them and run away with the money.
Which is why in most instances service operators differentiate between hot wallets – around 10% of their total holdings, kept online to constantly make and receive payments, and therefore reachable by anyone who compromises the payment system – and cold wallets, whose keys are locked offline and rarely accessed.
That duality may minimize losses and protect against a targeted and sophisticated operation, but another option might be bitcoin vaults.
They, in effect, create a savings account of sorts by making bitcoins in that savings account charge-backable, that is, reversible: withdrawals from the vault are subject to a delay, and if someone steals those coins, a separate recovery key used within that delay simply takes them back.
It is unclear whether that idea has been developed or even put into practice, as following its suggestion the scalability debate consumed everything, but with that now settled, attention might turn once more towards increasing usability and security.
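To make the two custody controls described above concrete, here is an added toy model in Python, serving both the hot/cold split paragraph and the vault paragraph. It is not NiceHash’s code and not the actual script logic of the Bitcoin vault proposal: keys are plain strings, time is a block-height counter, and the 10% hot-wallet cap, the 144-block delay and the 4,449 BTC figure are assumed inputs chosen to match the article. It compares what an attacker holding the online signing key can take under each arrangement.

```python
"""Toy model of two custody controls: a capped hot wallet beside a cold wallet,
and a vault whose withdrawals are delayed so a separate recovery key can undo a
theft. Added illustration only; keys are strings and time is a block height.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Treasury:
    """Operator funds: an online hot wallet capped at a fraction of the total,
    and a cold wallet whose key never touches the payment servers."""
    hot: float
    cold: float
    hot_fraction: float = 0.10  # assumed cap, matching the ~10% in the text

    def rebalance(self) -> None:
        """Sweep anything above the cap to cold, or top the hot wallet back up."""
        target = (self.hot + self.cold) * self.hot_fraction
        delta = self.hot - target
        self.hot -= delta
        self.cold += delta

    def drain_hot(self) -> float:
        """What an attacker with the hot-wallet key (a compromised payment
        system) can take: the whole hot wallet, nothing from cold."""
        stolen, self.hot = self.hot, 0.0
        return stolen


@dataclass
class Withdrawal:
    amount: float
    destination: str
    requested_at: int  # block height at which the unvault was broadcast


class Vault:
    def __init__(self, balance: float, delay_blocks: int,
                 vault_key: str, recovery_key: str) -> None:
        self.balance = balance
        self.delay = delay_blocks
        self.vault_key = vault_key        # online key used for normal withdrawals
        self.recovery_key = recovery_key  # kept offline; only needed to claw back
        self.pending: List[Withdrawal] = []

    def request_withdrawal(self, amount: float, destination: str,
                           key: str, height: int) -> Withdrawal:
        if key != self.vault_key:
            raise PermissionError("vault key required")
        if amount > self.balance:
            raise ValueError("insufficient vault balance")
        self.balance -= amount
        w = Withdrawal(amount, destination, height)
        self.pending.append(w)
        return w

    def finalize(self, w: Withdrawal, height: int) -> Tuple[str, float]:
        """Once the delay has elapsed the coins leave the vault irreversibly."""
        if height < w.requested_at + self.delay:
            raise RuntimeError("withdrawal still inside the delay window")
        self.pending.remove(w)
        return w.destination, w.amount

    def recover(self, w: Withdrawal, key: str, height: int) -> float:
        """Inside the delay window the recovery key pulls the coins back."""
        if key != self.recovery_key:
            raise PermissionError("recovery key required")
        if height >= w.requested_at + self.delay:
            raise RuntimeError("delay expired; the withdrawal is final")
        self.pending.remove(w)
        self.balance += w.amount
        return w.amount


def simulate(total_btc: float = 4449.0, delay: int = 144) -> Dict[str, float]:
    """Pit an attacker holding the online key against each control and
    return the loss under each arrangement (assumed figures)."""
    # Hot/cold only: a compromised payment system empties the hot wallet.
    t = Treasury(hot=total_btc, cold=0.0)
    t.rebalance()
    loss_hot_cold = t.drain_hot()

    # Vault, operator alert: attacker has the vault key, not the recovery key.
    v = Vault(total_btc, delay, "vault-k", "recover-k")
    theft = v.request_withdrawal(total_btc, "attacker-addr", "vault-k", 500_000)
    recovered = v.recover(theft, "recover-k", 500_024)  # noticed 24 blocks later
    loss_vault_caught = total_btc - v.balance

    # Vault, operator asleep: the delay passes and the theft becomes final.
    v2 = Vault(total_btc, delay, "vault-k", "recover-k")
    theft2 = v2.request_withdrawal(total_btc, "attacker-addr", "vault-k", 500_000)
    _, loss_vault_missed = v2.finalize(theft2, 500_000 + delay)

    return {"hot_cold_loss": loss_hot_cold, "vault_recovered": recovered,
            "vault_loss_if_caught": loss_vault_caught,
            "vault_loss_if_missed": loss_vault_missed}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value:.1f} BTC")
```

The point of the comparison is the failure mode each control leaves open: the hot/cold split bounds the loss at the hot balance no matter how fast the operator reacts, whereas the vault bounds it at zero only if the recovery key is used before the delay elapses, and at everything otherwise. A real deployment would therefore need monitoring of pending withdrawals, and the recovery key has to stay off the same systems the attacker already controls.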