After a tech entrepreneur and investor lost his password for retrieving $100,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more. From a report: On Tuesday, the team is releasing information about how they did it. They hope it’s enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.
Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven’t been told, often because their wallets were created at cryptocurrency websites that have gone out of business. The story of those wallets’ vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee. “Open-source ages like milk. It will eventually go bad,” said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.