How my Bitcoin was stolen - how to prevent it


Yep. It happened to me. We all know to be careful with API keys.

I already knew this, and thought I had taken precautions to make sure this wouldn't happen. But, for convenience (not so convenient now), in programming a tool for managing crypto portfolios, I stored my API keys in a file in the project folder. I made sure it would be ignored when I posted my code, but when I created the repository to host the code, it provided its own .gitignore, overwriting the one I made. Then it happened.

I posted the code at 10pm and by 2am a BTC withdrawal was made on my account and by 6am all the ETH was gone too. GitHub helps make it easier for thieves with their Search API. Luckily they left me with $3.70 USD :(. I have my portfolio on my Pebble watch so I knew something was wrong when I woke up. However, it wasn't until manually scraping through all the transaction history that I thought to check my repo, and to my horror, the file with my keys was up. They were scooped up and exploited and within 8 hours they cleaned me out. A new bitcoin wallet was created to transfer the funds and a $200 expedite fee was paid to get the transaction in the block as fast as possible.

I'm posting the stolen transactions (since blockchain makes everything public) for posterity.

Here is a list of the transactions:

Ideas for prevention

Besides the obvious "don't post your API keys":

  • Exchanges could scan for public keys and disable them
  • Use this git hook I wrote: Git Hook API Key
  • Lower permissions on API keys (don't allow withdrawal permissions)
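
A pre-commit hook can catch the failure described above even when .gitignore has been replaced, because it inspects what is actually staged. The following is an added example, not the hook linked in the list: the file names in SECRET_FILES, the credential-name pattern and the entropy threshold are assumptions to adapt to your project. Save it as .git/hooks/pre-commit and make it executable.

```python
#!/usr/bin/env python3
import math
import re
import subprocess
import sys
from collections import Counter

# Assumed names for the local key file; the post does not name its file.
SECRET_FILES = {"api_keys.json", "secrets.json", ".env"}
# Credential-looking name assigned a quoted value of 16+ characters.
ASSIGN = re.compile(
    r"(?i)(api[_-]?key|secret|token|passphrase)\w*[\"']?\s*[:=]\s*"
    r"[\"']([^\"'\s]{16,})[\"']")


def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, reason) findings for a unified diff of staged changes."""
    findings, path, in_hunk = [], None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False              # new file header begins
        elif line.startswith("@@"):
            in_hunk = True               # content lines follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
            if path.rsplit("/", 1)[-1] in SECRET_FILES:
                findings.append((path, "secrets file is staged"))
        elif in_hunk and line.startswith("+"):
            m = ASSIGN.search(line)
            # Low-entropy values (placeholders like "xxxx...") are ignored.
            if m and entropy(m.group(2)) >= min_entropy:
                findings.append((path, "key-like value assigned to " + m.group(1)))
    return findings


def main():
    cmd = ["git", "diff", "--cached", "--unified=0", "--no-color"]
    diff = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, reason in findings:
        print(f"commit blocked: {path}: {reason}", file=sys.stderr)
    return 1 if findings else 0          # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```

Hooks live in .git/hooks and are not pushed with the repository, so each clone needs its own copy.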