How do you steal bitcoin, when it's on a coin?
Imagine you're a vintage toy collector. You've got an original Princess Leia action figure from the 70s, mint condition, and it's still in the package. It's worth a lot of money now. One day, when you finally decide to sell it. you walk to the shelf only to find that it's gone from its case; disappeared, without a trace, and without even a scratch on the plastic box that might give a clue about where it went.
This is essentially what happened to the owners of what are known as "physical bitcoins" this month, and the losses amount in the tens of thousands of dollars. Now, questions remain about how this could have happened, and how the owner of the company that issued the coins will pay everybody back.
Several years ago, numerous companies issued physical bitcoins. These are basically commemorative coins that represent an amount of bitcoin. One such company, Alitin, emblazoned its coins with a public bitcoin address, pre-loaded with whatever amount of bitcoin you wanted, and engraved the coins with the private key needed to withdraw the funds from the digital wallet.
At the time, Alitin boasted that its coin packaging was designed so that the private key was obfuscated, and so nobody simply viewing the coin could see, and thus steal, the private key.
In late February, the Alitin site states, customer coins were wiped of their value. People who bought Alitin coins—in some cases, years ago—posted angrily on bitcoin forums that they had checked their coin addresses only to find that they'd been cleaned out. The question on everybody's mind now is: How the hell could this have happened? Someone must have gotten their hands on both the coins' public addresses, and the private keys.
Alitin is no longer minting or selling coins, but I reached its co-founder, Richard Forsyth, over the phone. According to Forsyth, he generated the private keys for the coins offline, and personally engraved them into each coin. The only other records of these private keys were the logs that the company kept during the coin engraving process, which Forsyth says he kept under lock and key. Forsyth claims the logs were burned after the engraving.
"The conclusion that leads us to is that it must have been someone close to us," Forsyth said over the phone.
Forsyth said there have been 10 confirmed cases of customers finally opening their physical coins only to find them wiped out. He said that he has contacted the FBI and will work closely with law enforcement.
Now, Forsyth says that he and his brother, with whom he co-founded Alitin, are working to reimburse customers, and are taking on debt to do it. When Alitin sold most of these coins, he said, bitcoin was worth just $80 a pop. Now, one bitcoin is valued at over $1000 USD, meaning that Forsyth will have to reimburse thousands of dollars to people who initially only paid hundreds for their coins.
For this reason, Forsyth said that Alitin will only be giving out refunds for the next month, which is sure to anger any customers left out.
"We have a limited window of time in which we can do this, but we want to do our best," Forsyth said. "We're trying to defend our good name as well."
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.