@daily_btc_lore | Daily Bitcoin History Threads
July 13, 2012 | 14 years ago today
Bitcoinica's Third Hack Drains the Victim Recovery FundBitcoinica's Third Hack Drains the Victim Recovery Fund
By the summer of 2012, Bitcoinica had already been robbed twice and shut down for good. All that remained of Bitcoin's first leveraged trading platform was a recovery fund sitting in a MtGox account, the only realistic hope of repayment for hundreds of customers who were owed money. What almost nobody had considered was that the key to that account had been sitting in publicly leaked source code for months, in plaintext, waiting for someone to use it. On July 12, 2012, someone did.
A teenager builds Bitcoin's first margin platformA teenager builds Bitcoin's first margin platform
In September 2011, a 17-year-old programmer in Singapore named Zhou Tong launched Bitcoinica. It was the first platform where users could trade Bitcoin with leverage, betting on BTC's price with borrowed money. Nothing like it existed at the time, and the appetite turned out to be enormous. Within months, Bitcoinica was handling more trading volume than most of the exchanges it competed with.
Growth like that would strain any operation. For a platform built by a teenager and run with the loose operational practices typical of early Bitcoin businesses, it was a disaster waiting for a trigger. The trigger arrived in the spring of 2012, twice.
Two hacks and a key nobody rotatedTwo hacks and a key nobody rotated
On March 1, 2012, attackers compromised Linode, Bitcoinica's hosting provider, and drained 43,554 BTC from the platform's wallets. It was one of the largest thefts in Bitcoin's young history, and it came with a second, quieter consequence: in the fallout, Bitcoinica's source code leaked. Buried in that code, in plaintext, sat the API key to Bitcoinica's account at MtGox.
On May 11, a second attack took another 18,547 BTC, and Bitcoinica shut down for good. Co-founder Tihan opened a MtGox account to hold what remained. This was the recovery fund, the pool of assets that was supposed to make the victims whole.
Here is the detail that decided everything. The API key exposed in the leaked source code was never rotated. Not after the first hack. Not after the second. Not when the remaining funds were consolidated into the account that key controlled. For months, anyone who had read the leaked code held a working key to the victims' money.
And real people were counting on that money. One Bitcointalk user, DarkEmi, had deposited 5,000 BTC, most of his savings. Another customer had wired $38,626 saved over two years, verified his claim three times, and received nothing. They checked the forum every day for news of repayment.
The third theftThe third theft
On July 12, someone finally used the key. Within hours, roughly 40,000 BTC and $40,000 in cash drained out of the MtGox account. The funds flowed through AurumXchange into Liberty Reserve, a digital currency service the US government would later shut down for money laundering in 2013.
The next morning, July 13, developer Amir Taaki, posting as genjix, broke the news on Bitcointalk: Bitcoinica had been robbed a third time, and this time it was the victims' recovery fund. The original thread is still readable today at https://bitcointalk.org/index.php?topic=93074.0, a raw record of hundreds of creditors realizing their last hope of repayment had just walked out the door.
The trail leads somewhere uncomfortableThe trail leads somewhere uncomfortable
Two weeks later, AurumXchange published its findings, and the story turned. The account used to launder the stolen funds traced back to the email address stevejobs807@gmail.com. Erik Voorhees recognized it immediately. He had corresponded with that address for months. It belonged to Zhou Tong.
MtGox delivered the second blow: the laundering account had been opened from a Microsoft Singapore IP address, and Zhou Tong worked at Microsoft Singapore. Zhou posted a response that same day. He denied everything, named a former associate, Chen Jianhai, as the real thief, and offered 5,000 BTC in compensation to creditors.
Forum veterans were openly skeptical of the story, but nothing was ever proven in court. In August 2012, the Wendon Group was appointed receiver under New Zealand law, where Bitcoinica's holding company was registered. The receivership ground on for years. By 2014, fewer than 2% of Bitcoinica's customers had received any compensation at all. The platform that pioneered leveraged Bitcoin trading ended as a case study in everything early Bitcoin got wrong about custody, and the simplest lesson of all went unlearned three times in a row: rotate your keys.
Part of an ongoing series on Bitcoin history. Follow @daily_btc_lore on X for daily threads.
And here I thought CZ was a one of one! At least CZ didn’t lose customer funds like this guy