New Internet toothache: unstoppable bitcoin thieves

The Dell computer corporation’s SecureWorks Counter Threat Unit recently discovered an unknown hacker quietly “hijacking networks belonging to Amazon, Digital Ocean, OVH, and other large hosting companies between February and May 2014.”  During that period of time, the hijacker used a complicated but time-tested “redirection” technique to steal $83,000 of profits from the currency miners.  (“Cryptocurrency” refers to virtual online currency, the most famous example being Bitcoin.  The miners were basically using automated programs to engage in sophisticated high-speed currency speculation.)

As noted in an article by MIT cyber-security student Josephine Wolff at Slate, what’s alarming about this little heist is that the redirection tools used by the hacker have been around for nearly two decades, and security professionals have no idea how to stop them, because they’re perverting one of the core features of the Internet:

When we go online we take for granted that we’ll be able to reach content and communicate with people regardless of the Internet service provider they use. My home Internet connection comes via Comcast, but I can use that connection to email friends with Verizon or Time Warner, or any other service provider. Eventually, that email will have to make its way from my provider, where it originated, to the recipient’s. This is what the Border Gateway Protocol, or BGP, is for–to help autonomous networks like Comcast and Verizon connect and direct traffic between each other.

Using BGP routers, service providers announce which IP addresses they can easily deliver traffic to, so that other providers know which traffic to send them. If multiple providers advertise that they can deliver traffic to the same IP address, then whichever one serves a smaller set of addresses will receive traffic intended for that address. So networks are constantly updating and broadcasting these announcements to one another via BGP routers, letting their peers know which addresses they can deliver traffic to, and allowing the rest of us to ignore the question of which service providers everyone else is using.

Without BGP, there is no Internet as we know it. But that doesn’t mean it can’t cause problems–our reliance on the accuracy of the information provided by BGP routers means that anyone who can gain access to one can redirect some portion of online traffic by advertising a sufficiently small set of addresses whose traffic it wants to target. In other words, if you want access to some piece of online traffic directed to someone else, you can use BGP to announce that you will deliver it to its intended recipients–in the same way that Comcast announces it can deliver traffic to me–and the rest of the Internet will believe you. So this is probably what happened in the bitcoin theft incidents investigated by SecureWorks–the thief used the credentials of someone who worked at a Canadian ISP to send out false routing announcements. Using those announcements, the thief redirected the traffic of groups dedicated to bitcoin mining and was able to retain the bitcoins harvested by those groups’ machines rather than paying them out to the owners of the mining computers.
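The longest-prefix rule the excerpt above describes, as an added example that is not code from the original article, from Slate or from SecureWorks: a constructed route table in which a more-specific announcement captures traffic, beside the origin check (modelled loosely on RPKI route origin validation) that lets a router discard it. The prefixes and AS numbers are invented from documentation ranges, and the ROA table is assumed data, not real registry content.

```python
import ipaddress

# Constructed sample announcements (documentation prefixes and private ASNs,
# not real routing data): (prefix, origin ASN). AS 64500 is the legitimate
# origin of 203.0.113.0/24; a second announcement covers half of it from AS 64666.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.128/25", 64666),
]

# Authorised origins, modelled loosely on RPKI ROAs: prefix -> (ASN, max length).
# Assumed data for the example, not a real ROA.
ROA = {"203.0.113.0/24": (64500, 24)}


def validate_origin(prefix, asn, roa):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' against ROA data."""
    net = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), a, m) for p, (a, m) in roa.items()]
    covering = [c for c in covering if net.subnet_of(c[0])]
    if not covering:
        return "unknown"          # no ROA covers this prefix: cannot judge
    if any(asn == a and net.prefixlen <= m for _, a, m in covering):
        return "valid"
    return "invalid"              # wrong origin AS, or more specific than allowed


def select_route(announcements, destination, roa=None):
    """Pick the route for destination: the longest matching prefix wins.

    With roa given, announcements that validate as 'invalid' are dropped first,
    which is the policy that blunts a more-specific hijack."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, asn in announcements:
        if roa is not None and validate_origin(prefix, asn, roa) == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    # Without origin checks the /25 from AS 64666 captures half the address block.
    print(select_route(ANNOUNCEMENTS, "203.0.113.200"))
    # With origin checks the /25 is discarded and traffic stays with AS 64500.
    print(select_route(ANNOUNCEMENTS, "203.0.113.200", ROA))
    for p, a in ANNOUNCEMENTS:
        print(p, a, validate_origin(p, a, ROA))
```

The "unknown" result is the realistic gap: an operator only gets protection for prefixes that actually have ROA coverage, so the check is a detection and filtering aid, not a guarantee.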

It’s sort of like dressing up as a mailman, helping yourself to sacks of mail at the post office, and stealing every letter that contains money.  The thieves can operate from nearly anywhere in the world – a previous redirection scare from a couple of years back was caused by a Russian gang that had quietly insinuated a bit of viral code into millions of web browsers, routing Internet address requests to servers under their control.  They originally did this to hijack the in-line ad spaces on web pages, a relatively subtle and innocuous crime in which they would quietly replace, say, an ad for with ads provided by their illicit clients.  The big problem is that once the gang got busted, infected web browsers around the world would keep hitting those sleazy Russian servers to get Internet addresses… and if the servers were abruptly yanked offline, a sizable portion of the Internet would crash.  The solution involved keeping the gang’s servers up and running until the virus could be thoroughly purged from the planet’s computer systems.  It went off quite well, but cybersecurity experts were very nervous for a while there.

As Wolff notes, these redirection shenanigans are extremely difficult to detect and nearly impossible to prevent, because the fluid nature of the Internet is one of its great strengths.  You didn’t have to type in a long string of 16-digit numbers to read this article; you just pointed your computer at, and a fairly long string of computers located hundreds or thousands of miles apart swiftly resolved that request.  Virtual real estate moves around, but the process is wonderfully transparent to end users.  It’s as though your home or business can hoist itself onto wheels and roll to a less expensive or more convenient location at the drop of a hat, but everyone can still effortlessly find you just by using your name.

There have been many other examples of the Internet’s strength being turned against it by miscreants – spam email, for instance, which grew into such a menace during the mid-2000s that companies were taking themselves offline to escape the tidal wave of Canadian pharmacy ads and requests for assistance from deposed Nigerian princes, which threatened to bring corporate mail networks to their knees.  Spam exploits the astonishing ease of sending mail across the Internet.  The early spam kings were using beat-up old computers from spare rooms in their houses, pumping out thousands of emails per hour.

And look at all the Obama Administration scandals in which inconvenient emails have been made to disappear, with muttered excuses about freak hard-drive crashes and bouts of amnesia concerning federal record-keeping requirements.  It didn’t take our political class long to figure out how it could use the ease and power of online communication to digitally enhance its cover-ups, did it?

In many ways, the swift growth of the Internet has served as an unprecedented sociological experiment, hurling people into a new world where there weren’t many rules at first.  Parts of that virtual frontier will never be tamed.  In a state of online anarchy, some people saw wondrous opportunities for communication and collaboration… while others set to work figuring out how they could pillage the high-speed traffic, or ruin the hard work of others for their amusement.  It’s a tough lesson for those who believe human nature can be perfected.