Hacker Stole $3B of Bitcoin — Because ‘Crypto’ is Garbage

James Zhong admitted to stealing 50,000 bitcoins from the former dark web market, Silk Road. The U.S. Department of Justice recently opened up and gleefully told the seizure story.

It’s yet another example of how the ecosystem around cryptocurrency is incredibly weak. Zhong was able to easily confuse Silk Road’s website and make multiple withdrawals of the same deposit.

To call him a “hacker” is frankly insulting to hackers. In today’s SB Blogwatch, we roll our eyes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jayme told an AI to make his music video.

In Fiat We Trust

What’s the craic? Bill Toulas reports—“U.S. unmasks hacker who stole 50,000 bitcoins from Silk Road”:

Under blankets in a popcorn tin inside a bathroom closet
James Zhong, a mysterious hacker who stole 50,000 bitcoins from the ‘Silk Road’ dark net marketplace … pled guilty to money laundering crimes. … In September 2012, he stole 50,000 bitcoin from Silk Road by … exploiting a “withdrawal processing flaw” that allowed him to withdraw many times more Bitcoin than he deposited.

Zhong funded nine different accounts with an initial deposit of 200 to 2,000 bitcoin and then triggered 140 withdrawal transactions in rapid succession. The hacker exploited a lag in the market’s transaction system allowing someone to withdraw their own escrow multiple times. This way, Zhong tricked the system into releasing 50,000 bitcoin.

The seizure occurred on November 9, 2021, when law enforcement authorities holding a search warrant located … 50,491 Bitcoin hidden in an underground floor safe and on a single-board computer submerged under blankets in a popcorn tin inside a bathroom closet. … Zhong is scheduled to hear his sentence on February 22, 2023, with the maximum potential penalty for wire fraud being 20 years in prison.

Sounds like a lot of money. Jacquelyn Melinek is unnecessarily precise—“DOJ announces seizure of $3.36B in cryptocurrency”:

A mystery for almost 10 years
Law enforcement seized 50,676.17851897 bitcoin, then valued at more than $3.36 billion, from Zhong’s home. [They] also recovered $661,900 in cash, 25 Casascius coins of bitcoin (valued at about 174 bitcoin), an additional 11.116 bitcoin and a handful of silver- and gold-colored bars.

The whereabouts of this massive amount of bitcoin was a mystery for almost 10 years, U.S. Attorney Damian Williams said. … It was the largest cryptocurrency seizure in the history of the U.S. DOJ at the time.

Although there’s been something of a crash since then. closewith does the math:

At the spot price at this time, 51,680.32473733 Bitcoin is worth $1,066,821,439.46 (~$1.06B) USD. Some difference from the ~$3.36B on November 9th, 2021.

And nothing of value was lost. ROOT1803 says it with bigger words:

The rampant speculation surrounding cryptocurrencies (i.e., being used as a speculative investment rather than as a currency) has more or less destroyed their ability to grow organically into their relevant use cases. … Cryptocurrencies are frivolous in most use cases in developed countries with more secure and less energy intensive alternatives (i.e., regular money).

Of course, it was worth a lot less at the time of the offense. bazza ponders procrastination:

Interesting that the FBI took their own sweet time in following the money, to the extent that it had ballooned in value. Had they got him in 2012, it’d have been a fairly small deal, barely in the public interest. But because they waited 8 [or] 9 years, it’s become a $billions fraud.

Not quite sure how big a crime has actually been committed? For example, if he’s done for a multi $billion crime, and bitcoin then crashes in value, will he get a corresponding reduction in sentence?

Wait. Pause. I thought cryptocurrency was anonymous? ggm just laughs:

A forensic accountant I know … said bitcoin had transformed their job in a good way: The evidentiary chain of intent behind people’s money moving (mixers aside) was so much simpler with a self-documenting sequence.

Pseudonymity in a distributed ledger isn’t anonymity. It’s a lovely loose thread on the jersey which un-knits the whole thing back to a set of simple sequences.

And CRHill agrees:

So much for the anonymity of cryptocurrencies. Ten years and he couldn’t unload it even when he had billions of theoretical dollars to pay for the most elaborate means possible.

So how was it traced? gregarican fills in the blanks:

Once Silk Road’s servers were seized and dug into, the trail became easier to follow for sure. … The withdrawal bug in their code was definitely a hole big enough to drive a Brinks truck through.

Oh yeah, tell me more about this bug? miohtama says it was a classic race condition:

The original hack was caused by the fact that Silk Road was running PHP on MySQL without transaction isolation. Many early crypto exchanges had similar withdrawal bugs as they were running on LAMP stacks — MySQL has been notoriously famous for having lax transaction isolation. Sometimes you could overwithdraw just by hitting refresh fast enough in a web browser.
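The withdrawal race that the DOJ account (many withdrawals against one deposit) and miohtama’s comment (no transaction isolation between check and debit) both describe, modelled as an added example; this is not Silk Road’s code or any commenter’s, and the ledger, account and amounts are constructed. SQLite stands in for MySQL, and the vulnerable function replays the racy interleaving deterministically rather than relying on real threads:

```python
import sqlite3

def make_ledger(initial_balance: int) -> sqlite3.Connection:
    """Constructed sample ledger: a single escrow account, balance in whole units."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE escrow (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO escrow (id, balance) VALUES (1, ?)", (initial_balance,))
    conn.commit()
    return conn

def get_balance(conn: sqlite3.Connection, account_id: int) -> int:
    return conn.execute("SELECT balance FROM escrow WHERE id = ?", (account_id,)).fetchone()[0]

def withdraw_check_then_act(conn, account_id, amounts):
    """Vulnerable pattern: SELECT the balance, compare in application code, then UPDATE.
    Nothing locks the row between read and write, so requests fired in rapid succession
    all see the untouched balance; the loop replays that interleaving (all reads, then all writes)."""
    approved = []
    for amount in amounts:
        approved.append(get_balance(conn, account_id) >= amount)
    paid = 0
    for ok, amount in zip(approved, amounts):
        if ok:
            conn.execute("UPDATE escrow SET balance = balance - ? WHERE id = ?", (amount, account_id))
            paid += amount
    conn.commit()
    return paid

def withdraw_atomic(conn, account_id, amounts):
    """Hardened pattern: the sufficiency check lives in the UPDATE's WHERE clause, so check
    and debit are one statement the database applies atomically; rowcount reports whether
    the row qualified, and a second request for the same funds matches zero rows."""
    paid = 0
    for amount in amounts:
        cur = conn.execute(
            "UPDATE escrow SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, account_id, amount),
        )
        if cur.rowcount == 1:
            paid += amount
    conn.commit()
    return paid

if __name__ == "__main__":
    leaky = make_ledger(2000)  # five back-to-back withdrawals of one 2,000-unit deposit
    print("check-then-act paid", withdraw_check_then_act(leaky, 1, [2000] * 5), "left", get_balance(leaky, 1))
    safe = make_ledger(2000)
    print("atomic paid", withdraw_atomic(safe, 1, [2000] * 5), "left", get_balance(safe, 1))
```

On MySQL/InnoDB the same guarantee can also be obtained with SELECT … FOR UPDATE inside an explicit transaction, which is the isolation the comment says was missing.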

Meanwhile, rsilvergun calls it like he sees it:

[They’re] a bunch of amateurs in a hurry to make a fast buck. … There’s bound to be security holes because security is hard and these are “go fast, break things” companies.

And Finally:

Disco Diffusion in da Haus


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Viacheslav Bublyk (via Unsplash; leveled and cropped)
