LulzSec rogue suspected of Bitcoin hack
More than $9m of online currency was stolen in weekend attack on Bitcoin currency exchange that could cost members of Anonymous and LulzSec thousands of dollars each
A rogue member of hacker group LulzSec is suspected to have been responsible for a hack last weekend which resulted in the theft of $9m worth of online currency.
The hack focused on a "currency exchange" called MtGox, which provides a method for swapping Bitcoins – an untraceable, cryptographically-created online-only currency favored by online activists and hackers – for real US dollars.
The attack – which could cost members of Anonymous and LulzSec thousands of dollars each – suggests other, more profit-focused hacking groups may be stepping up activity in response to the more high-profile politicized groups.
LulzSec has denied any involvement in the Bitcoin hack. The group has also denied any link to attacks on the websites of games company Sega and the UK Office for National Statistics.
Late on Sunday evening, MtGox was compromised when a hacker tried to sell more than 400,000 Bitcoins – 6% of all the virtual currency presently in circulation – for an initial price of $17.50 each, which would have netted $7m at a constant price.
But the attempt to sell such a large volume of coins at once drove the value of the currency down almost to zero, before trading on the site was suspended.
More than 60,000 users' details were compromised in the attack and have since been posted publicly in dozens of places across the internet. Trading on the MtGox site has still not been reinstated since the attack, leaving the future of the fledgling currency in doubt.
Bitcoins are produced without the involvement of any governments or banks; instead, they are generated by using software (also called Bitcoin). The idea was created in 2009 by a Japanese programmer.
Bitcoins are not issued by a central authority, but instead generated by a mathematical algorithm after computers complete a certain number of complex calculations.
Some of the most experienced members of the Anonymous and LulzSec hacker collectives are believed to have botnets of more than 100,000 compromised computers.
If that many machines were set to work generating Bitcoins, they could create up to $7,500 worth a day for as long as Bitcoins trade at current levels – meaning members of the hacker collectives could be among the biggest losers if Bitcoins' value does not recover as and when MtGox reopens. In the hours before the hack, the total value of the currency in circulation was more than $150m.
Anonymity and security are the central propositions of the currency, which has attracted controversy after being used in sites selling drugs and pornography.
High-profile organizations accepting the coins include WikiLeaks and the US lobby group Electronic Frontier Foundation, who have suspended their acceptance of Bitcoins in the wake of the hack.
MtGox says access to its site was gained after a financial auditor's computer was hacked, and insists its site was not compromised.
However, Amir Taaki, who runs the rival Bitcoin exchange Britcoin.co.uk, disputes this chain of events. Developers working on his site, which runs on much of the same software as MtGox, found a security hole several days before the hack was carried out. He says MtGox was notified publicly and privately of the issue.
"Due to the recent events at MTGox.com, we at Britcoin have decided to move our servers to a new location," read a Britcoin statement. "MTGox suffered an SQL injection [a form of hacking attack that creates direct access to databases and files] which means access to the site's funds were in the hands of the malicious hacker. As such, until we see evidence to the contrary, for security reasons we are assuming that MTGox has none of its clients' bitcoins."
Other senior coders in the Bitcoin community claim to have been offered the full database of MtGox users days before the hack was carried out. Though they had not verified whether the database was genuine, it came from the same intermediary who has been testing interest in selling or distributing details from the Sega Pass hack.
Members of LulzSec, the hacker group whose alleged member Ryan Cleary was arrested in Essex on Tuesday, denied responsibility for the Sega Pass hack, as did several members of Anonymous.
The recent spate of hacks denied by both groups – neither of which usually seeks to hide from the limelight – raises the possibility of a third, as yet unnamed, group of hackers carrying out the attacks.
LulzSec and Anonymous members stand to lose a significant amount of money if Bitcoins fail. Several members of both groups – speaking directly and through intermediaries – claim to know of others using thousands of hacked computers to generate Bitcoins.