The Search for the Owners of MyBitcoin

It appears that we are no closer to finding the true operators of the MyBitcoin.com exchange, which was hacked earlier this month. The website shut down, and now hosts a web page stating that half of the bitcoins stored at the site were stolen (i.e., spent) by unknown hackers.

Someone going by the name of “Tom Williams” claims to be the operator of MyBitcoin.com. Numerous users have received a 49% refund of their bitcoins, but there are those who doubt that the site was really hacked. Some suspect that it was a scheme to steal about $800,000 worth of bitcoins, and just blame it on unknown hackers.

The site is registered in Nevis, in the Caribbean West Indies. Nevis is known for its dormant volcano, which has the potential to become active again, as there are active fumaroles and hot springs on the island. There is a nice Four Seasons resort on the island, which caters primarily to tourists. The small island is home to about 12,000 inhabitants.

Perhaps Tom Williams lives on the island, perhaps not. Nevis is well known as a tax haven, and it’s quite possible that the MyBitcoin people merely registered their domain there, and live somewhere completely different.

I visited the nearby island of Anguilla some years ago, and flew in a small plane by the island of Nevis. I was attending the Financial Cryptography conference. Naturally this conference is usually held in small tax haven islands. Of note when I visited is that the post office of Anguilla (an island about 7 miles long and only 1 mile wide), consists primarily of P.O. Boxes for “companies” supposedly headquartered on the island. Nevis has similar operations.

While speculation rages that the site was not really hacked, I am not so sure. I’ve been deeply involved in tracking online crime and fraud since 2003. I know the sophistication of Eastern European hackers, and the types of malware and mule operations that they run. Given that the Bitcoin economy is worth over $60M, and many of the servers and services are operated by very small teams, it seems a ripe target for cyber criminals. Most sites do not employ 2-factor authentication, and I am sure they are not running a highly layered network security infrastructure. The attack as described at MyBitcoin.com though is one that actually relies on an intimate understanding of how bitcoin transactions are verified to prevent double-spending of electronic coins. It is general practice to confirm a transaction after it’s been included in 3 blocks and no duplicate spends have been found. It’s thought to be very safe after 6 transaction blocks are found, as this indicates that most servers on the network have seen the transactions, and there is no double spending.

MyBitcoin.com apparently confirmed transactions after they were included in just one block (presumably to ensure fast transaction settlement in under 10 minutes). Apparently attackers were double-spending coins based on this incorrect assumption by MyBitcoin.com. Only time, and an FBI investigation, will tell! We will see if U.S. customers complain to the FBI or Secret Service and get an investigation going. We will also see if there is any way for these law enforcement agencies to be effective with a virtual electronic currency, supposedly operated out of a foreign tax haven by unknown people.

Here are the DNS records of MyBitcoin.com

Domain: mybitcoin.com – Whois History
Cache Date: 2010-04-27
Registrar: TUCOWS INC.
Server: whois.tucows.com
Created: 2010-04-25
Updated: 2010-04-25
Expires: 2011-04-25

Registrant:
Privacy Shark, LLC
Main Street
PO Box 556
Charlestown, Nevis
KN

Domain name: MYBITCOIN.COM

Administrative Contact:
Privacy Protected Domain, Privacy Shark Domain Trust cHJpdmFjeXNoYXJrLmNvbQ==@privacyshark.com
Main Street
PO Box 556
Charlestown, Nevis
KN
(202) 558-2876
Technical Contact:
Privacy Protected Domain, Privacy Shark Domain Trust cHJpdmFjeXNoYXJrLmNvbQ==@privacyshark.com
Main Street
PO Box 556
Charlestown, Nevis
KN
(202) 558-2876

Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2010.
Record expires on 25-Apr-2011.
Record created on 25-Apr-2010.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
ANONYMOUS-DNS1.PRIVACYSHARK.COM
ANONYMOUS-DNS2.PRIVACYSHARK.COM

Domain status: clientTransferProhibited
clientUpdateProhibited


About Dave

I have been into financial cryptography and alternative electronic currencies since the mid 1990s. I have attended the Financial Cryptography conference, and have invented patents in the fields of cryptography and security. I've built systems for Visa, the US Federal Reserve, NASD, and hundreds of banks around the world.

Posted on August 19, 2011, in Uncategorized. 2 Comments.

  1. Hi Dave,
    I am sure it has just slipped under your scope but the Bitcoin community has made SOME progress in locating the mybitcoin offenders.

    I sincerely suggest you join the freenode IRC channel #bitcoin-police and also review the content available at http://bitcoin.crimeunit.net/wiki/index.php/MyBitcoin and http://bitcoin.crimeunit.net/wiki/index.php/MyBitcoin_Summary.

    You may well see that Nevis is a long way from Edmonton Canada.

    Regards

    MrTiggr

    • MrTiggr,

      Thanks for your links to more investigative information regarding Mr. Tom Williams. On the live chat today at the BitCoin conference in NYC, people are saying that he is in attendance.

      Thanks for posting the links to the bitcoin-police IRC. I didn’t post this since it’s been quiet recently. But good call on that.

      I’ve been to Nevis, and yes it’s a long way from Edmonton. You have to go through Chicago, and that sucks (as an airport). Thankfully I’ve never lived in Edmonton!
