BTC-e hacked, losing around 4,500 BTC

Summary

In July 2012, BTC-e, a cryptocurrency exchange, experienced a security breach that resulted in the loss of around 4,500 BTC. The hack was enabled by a combination of weak security practices and system vulnerabilities, which allowed the attackers to obtain Liberty Reserve API keys and exploit the deposit algorithm. BTC-e claimed to have compensated affected customers and improved security measures following the attack, resuming normal operations within a few days.

Attackers

The attackers behind the BTC-e hack remain unidentified. Given the level of sophistication and knowledge required to exploit the system vulnerabilities and obtain 3rd-party API keys, it is suspected that the attackers might have been a highly skilled group of hackers. Alternative theories suggest that the attackers could have been an insider or even a state-sponsored actor.

Losses

BTC-e lost around 4,500 BTC during, worth 55,020 USD during the attack ($72,093 in 2023, adjusted for inflation). BTC-e claimed they compensated affected customers and improved their security measures.

Timeline

  • July 31, 2012: BTC-e announces the hack on their platform and the extent of the losses, with around 4,500 BTC stolen. They revealed that their Liberty Reserve API key was compromised, leading to the falsification of funds on the exchange. Approximately 4,500 bitcoins were actually withdrawn and stolen by the attacker. The exchange promised to cover the stolen funds, remain open, and revert all affected transactions.
  • August 2, 2012: BTC-e resumes normal operations.

Security Failure Causes

The main reasons for the BTC-e attack can be attributed to a combination of weak security practices and system vulnerabilities. The attackers were able to exploit these weaknesses to obtain Liberty Reserve API key and take advantage of the deposit algorithm that credited user accounts.