It appears that at least 100,000 USD were recently stolen from Blockchain.info wallets.
Then a lot more was stolen again as reported on 15 Dec.
Let us try to make sure that we understand these events properly.
Historical Background
Bad random events in the blockchain have been known since January 2013. We have written on this topic amply, monitored these events for 18+ months, see also here, and more generally we have studied this topic for many years. A certain anonymous hacker johoe has also been monitoring these for 1 year and posted about these in forums in April 2014.
We have also already warned the public about poor security practice at blockchain.info wallets in recent weeks here.
The December 2014 Incident at Blockchain.info
There was a bug in the source code which was around for a few hours and remained active afterwards wherever the code stayed in a browser’s cache. The source code can be studied here.
The white-hat hacker johoe has programmed a script which allows him to steal these bitcoins as soon as they appear on the blockchain, in order, as he claims, to prevent other people from swiping them. He has pledged to return these bitcoins to the rightful owners. He has apparently already returned 267 BTC (225 BTC + some more) to blockchain.info, which will then handle customer complaints and return the money.
Then a lot more, at least 300 BTC, was stolen again by the same hacker, as reported on 15 Dec.
Possibly no harm was done, except that what johoe did is not quite legal; yet possibly it is ethical to do, rather than leave these bitcoins to be stolen by others.
Be Warned
The sad reality is that the problem is wider than it seems and it is wider than the current commentators are willing to tell the public.
As has frequently happened before in the bitcoin community, journalists have NOT done a good job of educating and warning the public about potential thefts, and as such they share some responsibility for potential thefts. On the contrary, bitcoin owners have been exposed to a lot of reassuring technology push in recent days, while at the same time the thefts were going on and the public has NOT been sufficiently warned about the risks. It is almost as if the public is only ever warned about thefts after bitcoins are stolen. Too bad.
What about warning the public BEFORE the thefts happen, not after?
More Advanced Attacks
We risk repeating ourselves, but this business is NOT only about bad random attacks: there are many more advanced attacks which are likely to bite in the near future.
We recommend reading this paper to get a glimpse of further, more advanced threats and attacks.
Dodgy Security Advice by a Thief
Now very interestingly, the thief recommends “a client that employs HD (hierarchical deterministic) wallets, such as Bread Wallet on iOS and Armory, Electrum or Wallet32 on Android”, cf. here.
Is he not aware that these solutions can lead to thefts at a much larger scale? Again, please read the paper.