An ongoing investigation has revealed multiple allegations that hot wallets from users of popular subreddit r/btc were hacked through Tippr, resulting in thousands of dollars worth of bitcoin cash (BCH) stolen. Early theories assumed this to be a new low in the so-called Civil War between supporters of bitcoin core and BCH.
Bitcoin Civil War Might’ve Gotten Uglier
Using a previously unknown third-party vulnerability, users of Reddit’s increasingly popular subreddit forum, /r/btc, a discussion board which often features positive comments by bitcoin cash supporters, were hacked for thousands of BCH.
Reddit is a news aggregator fueled by subreddit discussion boards which fill every kind of topic niche. It is owned by media conglomerate Advance Publications, and is routinely in the top ten most visited websites.
The attacks seemed so base that early thinking pointed toward an inside job. Perhaps a rogue Reddit admin had snatched the bitcoin cash, went one initial theory. In the final month of last year, /r/btc’s moderator and a user who happened to work in the malware field were both hacked. For about half an hour, the subreddit itself was redirected to r/bitcoin. Then a half dozen other bitcoin cash-favoring forum users were compromised, especially those tipped through Tippr.
The conspiracy theories began. Obviously, the thinking went, irate bitcoin core supporters had sunk to a new low. They might hate bitcoin cash, but no one turns down free money.
50,000 USD of BCH Flowed Through Tippr in December
Tippr is a bot used on Reddit for tipping users in BCH. Tippers send the bot a deposit and then post a comment noting they’re using u/tippr. An example might be: “Great point u/tippr $3.” The bot chimes in, confirming the tip. The recipient must have a BCH wallet and then messages the bot in return, listing the BCH wallet address and the amount. The bot dutifully answers in confirmation, and the recipient can then access the funds. An estimated upwards of 50,000 USD worth of BCH flowed through the bot in December of last year. The culprit was evidently tracking such public posts, and Tippr went dark, pending results, as the developer learned of the investigation.
The attack arrived as a password reset email from Reddit. Immediately afterward, another email confirmed the password change, even though the first email hadn’t been opened, for whatever reason. “My email provider is a very large provider with a name we all know,” a hacked user explained. “Logging is provided and there was no suspicious activity on my email account. My email account also has 2FA. The emails sent by reddit (first one ‘click here to change your password’, second one ‘your password has been changed’) were unopened in my inbox.”
Whatever the case, this does appear to be a new kind of attack allowing access to Reddit accounts, through a vulnerability hitherto unknown. It is now at least plausible that neither a Reddit employee on the make nor a dastardly bitcoin core jihadist was involved.
It turns out one or the other might’ve been a sufficient but not a necessary condition for launching the attacks. Tippr is the common denominator, and where there is money to be taken, no other motive need be ascribed. Tippr is used not only on Reddit forums but also on Twitter.
Conspiracy Sufficient But Not Necessary
The bot’s creator, Rob Danielson, mused it was probably “someone [who] realized they had an opportunity to make a quick buck.” Through private messaging via Reddit, accounts gave up as much as $4,000 total worth of bitcoin cash. Once the incidents were discovered, Mr. Danielson disabled the bot for Reddit.
For its part, Reddit is pointing fingers at its automated email subcontractor, Mailgun. Though the number of users impacted was roughly a dozen, someone could gain access to password reset emails through Mailgun, a potentially huge problem for Reddit going forward. The hacker could not access Reddit proper or a user’s email account, they claim. Reddit has since dropped Mailgun in favor of its own server. Mailgun believes “less than 1% of our customer base was potentially affected.” Tippr is now available again on Reddit.
A Reddit engineer did finally respond to multiple requests by users for public comment. “Thanks for reporting – we’re not ignoring. This was reported privately via security at [Reddit] and we’ve been investigating.”
Moderator of /r/btc, Bitcoinxio, noted Reddit maybe “needed a kick in the butt after all this publicity about the hacks in the past couple days, but we’ve been telling them about the hacks now for some time,” he wrote. “I wouldn’t be surprised if the other hacks are related in some way or there are other exploits which they haven’t even investigated because they are ignoring our concerns and just shrugging them off.”