The popular Bitcoin discussion forum, Bitcointalk.org, was hacked and defaced on Wednesday. The site continues to be unavailable following a decision by administrators to take it down to investigate the full extent of the hack.
Before the site went offline it displayed animations of bombs exploding and various photos of classical music conductors. Tying those two themes together was Tchaikovsky’s 1812 overture.
Here’s the animation played out on a video from YouTube user fluttershy77x:
When the animation ended visitors saw a banner saying,
Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye.
In another message, seen at the end of the video above, a group calling themselves “The Hole Seekers” claimed responsibility for the attack and helpfully pointed out that the music is also the soundtrack from the explosion scene in the movie “V for Vendetta.” Coincidentally, perhaps, that movie is known to have inspired the hacktivism collective known as Anonymous.
Theymos, the administrator for the Bitcoin Talk site, told Cryptolife that the attack was worse than first imagined,
It's unfortunately worse than I thought. There’s a good chance that the attacker(s) could have executed arbitrary PHP code and therefore could have accessed the database, but I'm not sure yet how difficult this would be. I'm sending out a mass mailing to all Forum users about this.
The attack on Bitcointalk came just hours after the FBI had seized $3.6 million of the currency following the arrest of the alleged operator of Silk Road, an online market known primarily for selling illicit items.
Ross William Ulbricht, allegedly the mastermind of Silk Road, was himself a Bitcoin Talk user and, in one of his posts, he sought out an IT pro in the Bitcoin community. This, according to Federal prosecutors, is evidence that he is also the same individual who used the moniker “Dread Pirate Roberts” and so, by definition, is the operator of Silk Road.
Theymos believes that the forum may now be down for some time, though he doesn’t believe that passwords have been compromised, saying that,
At this time I feel that password hashes were probably not compromised, but I can't say for sure. If you used the same password on bitcointalk.org as on other sites, you may want to change your passwords. Passwords are hashed using sha256crypt with 7500 rounds (very strong).
He went on to say that whoever was behind the attack had injected some code into $modSettings[‘news’], which is the news found at the top of the forum pages. News updates, he said, are normally logged but these actions weren’t which leads him to believe that the hacker did not compromise an admin account or otherwise make a ‘legitimate’ change.
Instead, he theorises that,
Probably, part of SMF related to news-updating or modSettings is flawed. Possibly, the attacker was somehow able to modify the modSettings cache in /tmp or the database directly.
Theymos also said that the hacker was able to upload a PHP script and other files to the avatar directory though he did admit that his lack of knowledge prevented him from discovering more details of the attack.
If any Naked Security readers have the skills to help Theymos, he is offering 50 Bitcoins, roughly equivalent to around $6,500, to the first person who can explain in detail how the attack was executed.