Gone With The Cloud - Bitcoinica Made No DB Backups
Revealed today was something that many traders had begun to suspect — Bitcoinica kept no “off-site backups”. Not only did Bitcoinica’s hacker steal 18K BTC of funds (worth about $80K USD) but that individual had also deleted the Rackspace Cloud Server instances which held the service’s customer account and transaction history databases.
The financial service’s USD funds remain intact and 80% of their bitcoin funds were kept in an offline wallet, so the only gap left to cover to make customers whole was the remaining bitcoin funds (about $80K USD worth). Without the customer and transaction databases, though, the service will have a hard time verifying customer claims. The claims form asks customers to provide their USD and BTC balances and to choose the qualifier “Exact”, “Approximate” or “Guess”.
At the time of the hack, many accounts still had open positions in the service’s BTC/USD contract-for-difference market (being either long or short the BTC/USD), so those account balances will be affected by gains or losses when those positions are closed out. Presumably this will be at the level, just under $5, where the BTC/USD stood when the service was hacked. The claim form asks for the net position and the cost basis for those open positions. Most individual traders do not keep the kind of records needed to provide an accurate claim.
The service’s founder, teenage college student Zhou Tong, is no longer a part of the organization but is providing information as to what records the service might have available to help administer account recovery. The service reportedly still has the e-mail messages it sent out as verifications for deposits, withdrawals and transaction executions, as well as in/out transaction information with financial partners, which includes bank transactions as well as redeemable code transactions that transfer funds to and from Bitcoin exchanges.
Organizations that handle customers’ funds don’t often trust cloud computing for their customer financial transaction data. This was the second security incident that Bitcoinica had where root access to cloud infrastructure was achieved using attack vectors that wouldn’t normally be available for self-managed systems. As for recovery, even those organizations that do use cloud infrastructure are advised to keep sufficient archives, along with a plan to recover should the cloud provider have technical issues or should some other service problem arise.
It is possible that the hacker still holds a copy of the database. No public leak has occurred, even though the hacker has communicated in a unique way the message “expect mass leak soon”. Nearly all the stolen bitcoin funds appear to remain unspent by the hacker, though some amount of the funds were given away Robin Hood-style recently.
The service reported that it had about 5,000 accounts though some of those accounts would have low or no USD and BTC balances (e.g., under 1 BTC and/or under $5 USD). Additionally, some accounts still hold negative balances. That can occur for accounts that use the highest leverage levels but see forced margin call trading occur during periods when there is great exchange rate volatility.
Many of these accounts were opened with no more information than an e-mail address. To claim funds, more complete information is required, and in many instances where the claim amounts to any funds of significance it is likely a photo ID will be required.
There will be a few accounts where a lot of money is involved. A few months ago the service had begun offering interest on USD and BTC balances to attract a wider level of liquidity that would be used for providing leverage to Bitcoinica’s customers.
Earlier this week a forum user “tseale” (possibly Tihan Seale, who is already known for his investment in Bitcoin startup CoinLab) posted information that has yet to be confirmed. The statement asserts that Bitcoin Consultancy is a General Partner in Bitcoinica LP. Bitcoinica LP was registered as a Financial Services Provider in March.
The Bitcoinica service had been wildly popular and it had days where nearly a million dollars’ worth of positions were traded. For a period of time, those volumes were second only to Mt. Gox, Bitcoin’s largest exchange. There had been plans for Bitcoinica to reopen, but that will depend on a few factors. Servicing customer claims is the organization’s first priority, and the amount of time it will take to implement proper security measures before reopening is unknown. As the details emerge of what security and processes had been employed, the organization may find it difficult to regain customers’ trust.
A competing “forex-like” service, Kronos.io, is likely to end up with a head start over a re-opened Bitcoinica, though there is likely sufficient demand for leveraged trading that more than one service could operate profitably. Having multiple, separate providers may even bring stability, as leverage extended to Bitcoinica’s customers came from the organization’s own reserves, which were often insufficient for the level of demand. Traders frustrated by insufficient reserves at Bitcoinica previously had few options elsewhere.
Little did they know at the time that insufficient reserves were about to become the least of their problems.
[Update: A later reply by Zhou Tong in that forum thread does reference “all kinds of records” and specifically describes a set of older records being available which can help in the account reconstruction process. The as-of date for that set of records is purposely not being shared for obvious reasons.]