The best way to get the Bitcoin community to rally to your cause is to speak to them in the language they know best: by offering up cold, hard (figuratively speaking) bitcoins.
So when Bitcoin service Bitalo found itself the victim of a DDoS attack, it sought help with an offer that would draw in any cryptocurrency fan: It put a 100 BTC bounty on the hacker’s head.
Bitalo CEO Martin Albert told me the attack started last weekend, and lasted two days. The attacker, known only as DD4BC, sent an email to say the Bitalo site was vulnerable to DDoS and that he’d started an attack, but that the company could stop it by paying him bitcoin. Albert forwarded me the company’s email chain discussing the ransom ploy with the hacker, the first of which reads:
“Immediately we figured out it was not an unknown guy; it was this guy who also threatened many other people,” said Albert. He named exchange CEX.io and Bitcoin sportsbook Nitrogen Sports as previous victims to the scheme.
Bitalo refused to pay the extortion money and instead put their bitcoin into a reward for whoever identifies the hacker. The company is offering 100 BTC, equivalent to around $32,000 at today’s rates, through the Bitcoin Bounty Hunter site.
Bitcoin Bounty Hunter was launched in September by cryptocurrency evangelist Roger Ver, known by some as “Bitcoin Jesus,” as a means to incentivize people to catch mischief-makers targeting the Bitcoin community. He is personally offering nearly 40 BTC, now around $12,000, to track down someone who hacked his email, who he thinks is the same person that got into Bitcoin father Satoshi Nakamoto’s email account in September.
“Somebody hacked an old email account of mine and then was claiming they were going to steal my identity," he said in a phone call. "[They also demanded] that I pay them $20,000 worth of bitcoin or they were going to ruin my life and ruin my family’s life, and they made all sorts of nasty threats.” Rather than pay up, he offered a 37 BTC reward in a Facebook post for “information leading [to] the arrest of the hacker.”
“People from all over the world started contacting me and claiming to have information,” said Ver. But he didn’t really know what to do with it, nor how to keep on top of all the tips, some of which seemed legit and some of which were clearly a joke.
So he conceived of Bitcoin Bounty Hunter, which allows anyone to offer information and claim a bounty anonymously. Using the site proofofexistence.com, you send in the details you have via a zero-knowledge proof, which basically proves that you know something without revealing the contents of what you know. You can then point to the information you provided and claim the bounty.
The Bitcoin Bounty Hunter website explains that for the bounty to be paid, the target must be arrested and convicted. I asked Ver why not just go to the police if it’s an arrest you’re after, and he said that when his business was robbed years ago, he found he had to track down the stolen parts himself in order to get authorities interested.
“The police in California did absolutely nothing to help, they didn’t even lift a finger,” he said. “Going to the police, traditionally, they don’t do much of anything to help at all. By providing a bounty I think you can provide an incentive to have anybody—including the police—to actually do the right thing and help victims of crimes." A police officer could anonymously claim the bounty as much as anyone, he added.
Albert told me that in the case of Bitalo, they’re just interested in identifying the hacker, though Ver said that unless they figure out new details, claiming the bounty will be subject to the usual conditions, i.e. an arrest.
Albert suggested that most people who attempt to extort bitcoin in this manner may also be involved with other bitcoin services, and thus unmasking the ransomer would be enough to solve the problem. “The biggest harm to him is also to be revealed, because then he cannot do any business any more," he said.
Bitalo’s bounty is currently being held in escrow, and is recorded on the blockchain. Albert said they haven’t really had any tips yet, but they’re also analysing traffic for a hint of the hacker’s identity.
GOING TO THE POLICE, TRADITIONALLY, THEY DON’T DO MUCH OF ANYTHING TO HELP AT ALL
He thinks a claim is most likely to come from someone in the Bitcoin community who is acquainted with the hacker, but perhaps not a great friend. “This kind of enforcement only works with social engineering,” he said, and noted that the Bitcoin community is very active. “It needs to be someone who knows the guy; it needs to be someone who maybe is like a colleague of the guy," Bitalo added. "Friends in the community talk to each other, ‘Haha, yesterday I threatened this old website and they gave me half a bitcoin to stop the DDoS.’”
The question becomes, is your friendship worth 100 BTC?
It might seem a steep price given the hacker was only asking for one percent of that in the first place, but Albert said the bounty is also a way of showing his company is serious. He added that no one’s funds were ever at risk because of Bitalo’s multi-signature setup, but that extortionists like this presented a broader threat to the Bitcoin community by targeting the small startups that make up the global scene.
“These kind of people can do much more harm to the community than any government by regulation or something like that, in my opinion,” he said. And of course, if the hacker isn’t caught, they don’t have to pay. The bounty has an expiry date of 31 December 2015.
As for Ver, his hacker hasn’t been caught yet, though he told me that “there’s a lot of people all pointing to the same guy.” He thinks an arrest at some point is “pretty likely.”
He said it was too early to see how much attention the Bitalo bounty was getting. “But I should expect 100 bitcoins, which is a little over $30,000, is enough to get a lot of people’s attention," he said.
Meanwhile, whoever DD4BC is doesn’t seem too concerned. Early this morning he emailed Bitalo: