Alice deposits 100 bitcoins to Bank.Example.com. The next day, theowners of the site disappear with Alice’s money.

• Bitcoin bank users are vulnerable to direct theft becausethey don’t control their own private keys.

• Lightweight (SPV) wallet users and BitcoinCore users are not vulnerable because they control theirown private keys.

Direct theft is likely the leading cause of stolen bitcoins so far.

Real Example

Bitcoin exchange Mt Gox reportedly had 650,000 bitcoins (worth $347million USD) stolen from their customer deposits and their own operatingfunds. They declared bankruptcy on 28 February 2014.

Even when the bankruptcy proceeding is complete, customers are unlikely torecover more than a small fraction of the bitcoins they had on deposit.

Learn More:Collapse of MtGox

Alice installs Example Wallet, whose open source code has beenaudited. The next day, the authors of Example Wallet push new code toAlice’s device and steal all her bitcoins.

• Bitcoin bank users are vulnerable because they can onlyspend their bitcoins when they use the bank’s approved software.

• Lightweight (SPV) wallet users are vulnerable withmost software because auditors can’t easily verify the software yourun (the executable) is the same as the program source code, called adeterministic build. However, some lightweight wallets are moving todeterministic builds.

• Bitcoin Core is built deterministically. Cryptographicsignatures from build auditors—many of whom are well known to thecommunity—are released publicly.

Real Example

In April 2013, the OzCoin mining pool was hacked. The thief stole 923bitcoins (worth $135,000 USD), but online wallet StrongCoin modifiedtheir wallet code to ‘steal back’ 569 of those bitcoins ($83,000)from one of their users who was suspected of the theft.

Although this attack was done with good intentions, it illustratedthat the operators of StrongCoin could steal bitcoins from their usersat any time even though the users supposedly controlled their ownprivate keys.

Learn More:OzCoin Hacked, Stolen Funds Seized and Returned by StrongCoin

Mallory creates a transaction giving Alice 1,000 bitcoins, so Alicegives Mallory some cash. Later Alice discovers the transaction Mallorycreated was fake.

• Bitcoin bank users depend on the information reported by thebank, so they can easily be fooled into accepting fabricatedtransactions.

• Lightweight (SPV) wallet users depend on full nodes andminers to validate transactions for them. It costs nothing fordishonest full nodes to send unconfirmed fabricated transactions to anSPV wallet. Getting one or more confirmations of those fabricatedtransactions is also possible with help from a dishonest miner.

• Bitcoin Core users don’t have to worry about fabricatedtransactions because Bitcoin Core validates every transaction beforedisplaying it.

Real Example

On 4 August 2015, web wallet BlockChain.info began indicating that atransaction had spent the earliest mined 250 bitcoins, coins that somepeople believed were owned by Bitcoin creator Satoshi Nakamoto.

It was soon discovered that the transaction was invalid. BlockChain.infowas not validating transactions with Bitcoin Core and that transactionhad been created by a security researcher.

Learn more:BitcoinJ documentation about pending transactionsafety

Alice believes that there should never be more than 21 millionbitcoins—but one day she’s tricked into buying “bitcoins” thatare only valid on a block chain with permanent 10% inflation.

• Bitcoin bank users have to use whatever block chain thebank uses. Banks can even profit from switching their users to a newchain and selling their users’ bitcoins from the old chain.

• Lightweight (SPV) wallet users accept the block chainthey know about with the most proof of work. This lets the hash ratemajority of miners force SPV wallet users off of Bitcoin.

• Bitcoin Core users don’t have to worry about chainhijacking because Bitcoin Core validates every block using all ofBitcoin’s consensus rules.

Real Example

In July 2015, several large Bitcoin miners accidentally produced aninvalid block chain several blocks longer than the correct block chain.Some bank wallets and many SPV wallets accepted this longer chain,putting their users’ bitcoins at risk.

Recent versions of Bitcoin Core never accepted any of the blocks fromthe invalid chain and never put any bitcoins at risk.

It is believed that the miners at fault controlled more than 50% of thenetwork hash rate, so they could have continued to fool SPV walletsindefinitely. It was only their desire to remain compatible withBitcoin Core users that forced them to abandon over $37,500 USD worth ofmining income.

Learn more:July 2015 chain forks

Mallory shows Alice $1,000 USD that he will pay her if she sends him somebitcoins. Alice sends the bitcoins but the transaction never seems toconfirm. After waiting a long time, Alice returns Mallory’s cash. Itturns out the transaction did confirm, so Alice gave away her bitcoinsfor nothing.

• Bitcoin bank users only see the transactions the bankchoose to show them.

• Lightweight (SPV) wallets users only see thetransactions their full node peers choose to send them, even if thosetransactions were included in a block the SPV wallet knows about.

• Bitcoin Core users see all transactions included inreceived blocks. If Bitcoin Core hasn’t received a block for too long,it displays a catching-up progress bar in the graphical userinterface or a warning message in the CLI/API userinterface.

Real Example

In March 2015, spy nodes run by the company Chainalysis accidentallyprevented some users of the lightweight BreadWallet from connecting tohonest nodes. Since the spy nodes didn’t relay transactions, BreadWalletusers stopped receiving notification of new transactions.

Learn more:Chainalysis CEO Denies ‘Sybil Attack’ on Bitcoin’s Network

Mallory gives Alice 1,000 bitcoins. When Alice’s wallet says thetransaction is confirmed, Alice gives Mallory some cash. Later Alicediscovers that Mallory has managed to steal back the bitcoins.

This attack applies to all Bitcoin wallets.

The attack works because powerful miners have the ability to rewrite theblock chain and replace their own transactions, allowing them to takeback previous payments.

The cost of this attack depends on the percentage of total network hashrate the attacking miner controls. The more centralized mining becomes,the less expensive the attack for a powerful miner.

Real Example

In September 2013, someone used centralized mining pool GHash.io tosteal an estimated 1,000 bitcoins (worth $124,000 USD) from the gamblingsite BetCoin.

The attacker would spend bitcoins to make a bet. If he won, he wouldconfirm the transaction. If he lost, he would create a transactionreturning the bitcoins to himself and confirm that, invalidating thetransaction that lost the bet.

By doing so, he gained bitcoins from his winning bets without losingbitcoins on his losing bets.

Although this attack was performed on unconfirmed transactions, theattacker had enough hash rate (about 30%) to have profited fromattacking transactions with one, two, or even more confirmations.

Learn more:GHash.IO and double-spending against BetCoinDice