On Saturday, an attacker and blackmailer “DD4BC” sent a note to the Bitalo Bitcoin exchange threatening distributed denial of service (DDoS).
DD4BC demanded 1 Bitcoin (about £206, $326) as protection money and for “info on how I did it and what you need to do to prevent it”.
Your site is extremely vulnerable to ddos attacks.
I want to offer you info how to properly setup your protection, so that you can't be ddosed! My price is 1 Bitcoin only.
Right now I will start small (very small) attack which will not crash your server, but you should notice it in logs. Just check it.
I want to offer you info on how I did it and what you have to do to prevent it. If interested pay me 1 BTC to [Bitcoin address]
Bitalo CEO Martin Albert eschewed the offer for lessons on avoiding DDoS.
Instead, the exchange slapped a bounty on DD4BC’s head, to the tune of 100x the ransom money.
That price may seem steep, but this is serious business to Albert, who told Motherboard that his company wants to show that it’s serious.
He noted that while its users’ funds were never at risk because of Bitalo’s multi-signature setup, extortionists like DD4BC nonetheless threaten the smaller startups that make up the global Bitcoin community.
These kinds of people can do much more harm to the community than any government by regulation or something like that, in my opinion.
Fear and uncertainty take their toll as well: Bitcoin value plummeted after the fall of Mt. Gox.
DD4BC’s DDoS attack on Bitalo lasted two days.
Albert said that the company soon found out that the same attacker was behind threats to others:
Immediately we figured out it was not an unknown guy; it was this guy who also threatened many other people.
The list of DD4BC’s targets includes exchange CEX.io and Bitcoin sportsbook Nitrogen Sports, Albert said.
Now, the company is offering 100 BTC – about $32,859 or £20,599 at Tuesday’s exchange rates – through the Bitcoin Bounty Hunter site.
This isn’t the first bounty for a Bitcoin burglar, but it’s the biggest by far.
Other bounties include:
- Ƀ37.6875 (approx. $12,331, £7,710) For help in catching whoever broke into the email accounts of Satoshi Nakamoto – the person or people who created the Bitcoin protocol and reference software – and Bitcoin angel investor, evangelist, the founder himself of the Bitcoin Bounty Hunter site, and a man known by some as the “Bitcoin Jesus”, Roger Ver.
- Ƀ2.1249 (approx. $698, £434) For help in catching whoever’s behind the missing 600K BTC from Mt. Gox.
Ver told Motherboard that he started the bounty site in September after somebody got into an old email account and started making threats:
Somebody hacked an old email account of mine and then was claiming they were going to steal my identity. [They also demanded] that I pay them $20,000 worth of bitcoin or they were going to ruin my life and ruin my family’s life, and they made all sorts of nasty threats.
At the time, Ver offered a 37 BTC reward in a Facebook post for “information leading [to] the arrest of the hacker.”
The problem was that he didn’t know what to do with the information people sent him, he said, some of which appeared legitimate but some of which were clearly a joke.
Thus was Bitcoin Bounty Hunter born: a site that allows anyone to offer information and claim a bounty anonymously.
It relies on the site proofofexistence.com, which requires informants to send in details in a manner that proves that they know something without revealing what it is that they know.
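The mechanism described above is a hash commitment: the informant publishes a SHA-256 digest of the tip so that a later reveal can be checked against it, without the digest itself disclosing the tip. The following is an added illustration, not code from the article, Bitcoin Bounty Hunter or proofofexistence.com; it assumes a local dictionary as a stand-in for the timestamped public record (the real service anchors the digest in the Bitcoin blockchain), and the tip text is constructed. It adds a random salt to the commitment, which the article does not mention, because a bare hash of a short tip could be brute-forced by anyone guessing likely wordings.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the public, timestamped record of commitments.
# In the real service this role is played by a blockchain transaction.
PUBLIC_RECORD: Dict[str, int] = {}


def commit(tip: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, salt) where commitment = SHA-256(salt || tip).

    The salt is kept secret by the informant alongside the tip; without it
    an observer cannot confirm a guessed tip against the published digest.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + tip.encode("utf-8")).hexdigest()
    return digest, salt


def publish(commitment: str, timestamp: int) -> int:
    """Record a commitment; the first publication time wins and is returned."""
    PUBLIC_RECORD.setdefault(commitment, timestamp)
    return PUBLIC_RECORD[commitment]


def verify_reveal(commitment: str, tip: str, salt: bytes) -> bool:
    """True only if (tip, salt) reproduces a commitment already on record.

    This proves the informant held exactly this text when the commitment
    was published; it says nothing about whether the tip is true.
    """
    if commitment not in PUBLIC_RECORD:
        return False
    recomputed = hashlib.sha256(salt + tip.encode("utf-8")).hexdigest()
    return hmac.compare_digest(recomputed, commitment)


def demo() -> Tuple[bool, bool, bool]:
    """Walk through commit, publish and reveal with a constructed tip."""
    tip = "constructed sample tip: see attached logs from the incident"  # constructed
    commitment, salt = commit(tip)
    publish(commitment, 1_000)
    genuine = verify_reveal(commitment, tip, salt)          # correct reveal
    altered = verify_reveal(commitment, tip + " (edited)", salt)  # tampered text
    wrong_salt = verify_reveal(commitment, tip, b"\x00" * 16)     # wrong salt
    return genuine, altered, wrong_salt


if __name__ == "__main__":
    print(demo())
```

The informant hands the bounty holder only the digest at first; the tip and salt are revealed after the conviction the site requires, and anyone can recompute the digest to confirm the tip existed at the recorded time.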
In order to claim any of the bounties, the culprit has to be arrested and convicted.
Why not just go to the cops?
Ver told Motherboard that when he’s been targeted by theft in the past, he had to track down the stolen parts himself before the police became interested.
The police in California did absolutely nothing to help, they didn’t even lift a finger. Going to the police, traditionally, they don’t do much of anything to help at all. By providing a bounty I think you can provide an incentive to have anybody - including the police - to actually do the right thing and help victims of crimes.
Albert said there haven’t been any real tips on the Bitalo attacker yet, but the company’s also analysing traffic to try to get at the blackmailer’s identity.