BitcoinTalk Compromised Through Social Engineering

On May 22th the BitcoinTalk forums suffered an attack caused by social engineering on their ISP, the intrusion was quickly noticed by forum administrator Theymos who took the server down. The service was restored on the 23th, however another suspicious irregularity was spotted on the 24th, causing yet another day of downtime for security purposes until it was finally restored yesterday.

According to Theymos, although the attack was quickly stopped, the intruder likely managed to gain access to personal data such as email addresses, password hashes, IP addresses (last used and registration), secret questions and hashes of secret answers. It’s believed that private messages weren’t accessed and registered users are being urged to change their passwords and secret question/answers on the forums, as well as the passwords of other sites associated with their registered e-mails, in case a repeated one was used.

On the same day of the attack, Theymos explained the cause on a r/Bitcoin related topic.

The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised. The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.

On May 25th the following e-mail was sent out to registered forum users (some parts were emphasized by us):


You are receiving this message because your email address is associated

with an account on I regret to have to inform you that

some information about your account was obtained by an attacker who

successfully compromised the server. The following

information about your account was likely leaked:

– Email address

– Password hash

– Last-used IP address and registration IP address

– Secret question and a basic (not brute-force-resistant) hash of your

secret answer

– Various settings

You should immediately change your forum password and delete or change

your secret question. To do this, log into the forum, click “profile”,

and then go to “account related settings”.

If you used the same password on as on other sites, then

you should also immediately change your password on those other sites.

Also, if you had a secret question set, then you should assume that the

attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.

This will slow down anyone trying to recover your password, but it will

not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do

not believe that the attacker was able to collect any forum personal


I apologize for the inconvenience and for any trouble that this may cause.







The community was quick to react to the attack, in some cases criticizing Theymos himself for alleged lack of security and constant downtimes. We’ve included some related comments from BitcoinTalk and r/Bitcoin users below, with their usernames redacted:

“It is a matter of setting up security with the hosting provider BEFORE a security incident happens. These things have been explained to Theymos several times but he is not competent in these areas. Many Bitcoin companies are operated by people who understand little outside of the Bitcoin technology and they generally have an attitude that they are smarter than everyone else because they discovered Bitcoin first. It doesn’t matter what the data center security is in cases like that. Bitcointalk is becoming irrelevant anyway due to mismanagement.”

“The problem is fundamentally attackers are rare and irate customers who have locked themselves out and have inadequate identification are common. In order for customer support to turn down these requests it needs to be actually difficult (or impossible) for them to comply. Requests and notes on accounts are demonstratively not sufficient.”

“Looks like scammy profiteers are already putting up supposed dumps of the database as well – of course without any proof and you only get access after you pay in BTC.”

A bounty of approximately 75BTC (1 XAU = approximately $1,200) was also placed on the attacker by Theymos on the 24th:

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker’s real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I’ve already acquired, but if for example you’re the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate — just sending me someone’s name is useless.

The attacker used the following IPs/email: