When the Canary Stops: New Bitcoin Mining Hack a Wake-Up Call?
Another day, another bitcoin mining hack. According to Threatpost, a group of unknown attackers was able to take control of servers owned by Norwegian mining service Cloudminr.io, harvest its entire database and take over its website. This isn’t the first problem encountered by the virtual currency and won’t be the last, but the mining disaster points to a canary that’s kicked the bucket and a market that may not be ready for nonstandard funds. Is it time to close the tunnels, shut down the exchanges and take a break from bitcoin?
What’s Yours Is Mine
As noted by The Hacker News, the home page of Cloudminr.io stood as mute testament to the attackers’ triumph, at least for a few days. While it’s now offline, the compromised version offered to sell Cloudminr’s entire database of 80,000 accounts — including usernames and passwords — for just one bitcoin, or around $240. As proof of their misdeeds, the cybercriminals also modified the homepage to show a partial list of compromised accounts, including plain text passwords.
The low price for this kind of valuable information suggests that profit isn’t the motivator here. As Threatpost pointed out, users had already expressed concern about the site’s legitimacy, and the fact that passwords safeguarding bitcoin accounts were stored unencrypted seems to confirm their worst fears.
The Underground Bitcoin Industry
Bitcoin mining collectives aren’t new, and while many engender the same kind of suspicion as Cloudminr, there’s continuing interest here: Why not leverage the power of someone else’s technology to mine virtual currency and generate free money? But bitcoins make tempting targets for malicious actors since, just like cash, it’s impossible to trace the real owner of any single coin.
In January, for example, the Bitstamp exchange was hacked, and $5 million worth of bitcoins was stolen, ZDNet reported. Back in 2013, Wired noted that inputs.io lost $1.2 million, and every BTC user remembers Mt. Gox.
So where does this leave users? On the horns of a dilemma: The allure of virtual currency is real — under ideal conditions, bitcoin mining provides virtually endless income — but the lack of traceable ownership for individual coins, combined with the large volume of personal details that must be provided to mining companies, makes for a perfect storm, with users underground too busy digging deep to notice that their canary is deathly silent.
Mine after mine claims its particular version of the bitcoin dream is perfectly safe. Here’s the thing: Any time currency and credentials mix online, there’s potential for attack. The fluctuating, unregulated nature of bitcoin makes it the ideal attack surface since users are always looking for a new way to store, mine or invest their bitcoins. With a little social engineering, brute force and good luck, cybercriminals can effectively reach in, scoop out the gold and leave worthless metal scraps in their wake.
Bitcoin remains a burgeoning industry, but users keep falling for the trap of sites that talk big and skimp on security. Someone will come along and get this right eventually, but for now, this is mining without a canary — dig at your own risk.