The Surprisingly Simple Way To Steal Cryptocurrency – Hackaday
In the news a few days ago, the revelation that Luke Dashjr, a core Bitcoin developer, had his wallet compromised, and lost 200 BTC. A small fortune, and something of a shock. I’m guessing that someone with that expertise would not have left his private key lying around, so as a cryptocurrency non-enthusiast I’m left curious as to how the attackers might have done it. So I phoned a few friends who do walk those paths for an explanation, and the result was a fascinating conversation or two. The most probable answer is still that someone broke into his computer and copied the keys — straight-up computer theft. But there’s another possible avenue that doesn’t involve stealing anything, and is surprisingly simple.
Are You A Gambler, Or An Engineer?
For some reason while writing this I have a Kenny Rogers earworm. Jason Lam (CC BY-SA 2.0)
I’m guessing that most Hackaday readers will know something about how a blockchain works, and also how public-key cryptography works. Public-key cryptography is key to the security of a cryptocurrency like Bitcoin, with the key that unlocks all your wealth for you being your private key and the key which allows transactions to be made with you by other people being your public key.
If you want to send some cryptocurrency to someone else, you encrypt the transaction using their public key which is as its name suggests, public, and your private key which is known only to you. Thus it’s important that your private key is kept really private, because if someone finds it they control your stash of cryptocurrency. So to steal all those bitcoins someone had his private key, an eventuality that should never have happened. We can safely assume that his protection of the key was as good as it gets, so further assuming that nobody physically stole his hardware wallet or whatever he kept it on, his key was compromised by other means.
The true security of public-key cryptography lies in it being extremely difficult to guess an individual’s private key. A brute-force algorithm to guess Luke Dashjr’s private key would require unimaginable computing power over a geological-level timespan, thus it’s also safe to assume that nobody set their computer to guessing his key alone. At this point, it’s helpful to stop thinking like an engineer, and start thinking like a gambler. An engineer calculates the time required to brute force Luke Dashjr’s private key, but a gambler throws the dice and sees if the throw generates any money.
Thinking from a gambler’s perspective, what are the dice, and …….