How to make money with Bitcoin in 10 easy steps

This is a guest post from security researcher Nicholas Weaver. Nicholas is a part of Berkeley’s ICSI program and he’s here to tell you a bit about how broken bitcoin is and how you too can profit!

OK, now I may just be a simple country Hyper-Chicken, err Ph.D. security researcher, but I think by now I get something very important about Bitcoin: How to make money with Bitcoin. Now I’m also a lazy security researcher, so heck, let’s reveal my super secret 10 step plan on how you too can make lots of money with Bitcoin.

Step 0:

You gotta move to Sochi. Now the Bitlievers like to claim that their digital Quatloos free them from the oppressive yoke of government imperialism, but at the same time they go screaming like little girls to the government to help them out if you steal too many of their Dunning-Krugerrands. So you gotta go to some country where the local language defines MLAT as “Tell the FBI to go fuck itself”. And although most of Russia is a frozen hellscape dominated by a shirtless, humorless tyrant, Sochi is, after enough billions of corruption, a nice place to live. Hey, they even have an F1 race.

Step 1:

Break into and all the other “web wallet” services. Oh, but wait, aren’t these companies run securely, with lots of venture capital money? Well, if you consider the VC funded RNG Improvments [sic] to their code, do you think the rest of their security is much better? And breach Coinbase too while you’re at it…

Step 2:

Download all the saved web wallets. Now these wallets are all encrypted by the suckers users’ passwords but that just means most are protected with passwords only slightly more sophisticated than “123456”. So start throwing it at your password cracker. As a bonus, get everyone’s email addresses and download all the other password information. And get crackin…

Step 3:

In the meantime, it’s time to provide another “improvment” [sic] to’s JavaScript. Just tweak things to leak passwords out to you. Something subtle, or blunt, or whatever. Just as long as it works. For some presumably humorous reason, the Bitcoin community somehow thinks that downloading JavaScript from a server to access your wallet is more “secure” than just having all your digital Latinum stored by someone else. So be sure to laugh manically as each password rolls in.

Step 4:

Wait. Patience is a virtue, young padawan. Until your improvments [sic] are noticed, they will continue to work, snagging all the suckers who somehow, despite believing in a decentralized digital Clams, insist on trusting centralized companies because “the market will eliminate bad actors” or some such Randite fantasy. I mean, the market eliminated bad exchange actor Mt. Gox pretty quick and they in turn eliminated over $500 million of bad bitcoin actors from bad customer actors too!

Step 5:

Once you are discovered, only then do you transfer all those virtual Cubits into your own accounts. Conveniently, the wallet service will tell you when you are discovered and should move the loot because well, they’re going to have to post a big announcement and remove your improvments [sic].

Step 6:

Join the throng on /r/bitcoin who mock those who lost their binary Ankh-Morpork Dollars to your attack, because everyone knows you should only store your Bitcoins on your own computer. This computer must run a self-burned live Linux distro and never be connected to the internet. In fact, make sure to glue the ethernet ports shut. Don’t forget to include posts noting how the thief is performing a public service in this objectivist paradise by educating the victims on how computer security works.

Now this is all fine and good, but why stop there?

Step 7:

Start writing your malcode module that looks for Bitcoin wallets. This pretty little malicious program should copy both unencrypted and encrypted wallets. It should also add an improvment [sic] to any Bitcoin client it finds to once again tell you the password. Don’t want to actually write the infection routines? Well, there are services you can use, just find your friendly PPI service.

Step 8:

For each stolen wallet, if you crack it, don’t rob it. Well, not right away. After all, probably the best host based IDS is an unsecured Bitcoin wallet, and you don’t want word to get out too soon. Wait a little while. Meditate on the fragility of all things. And then, get impatient and rob em blind.

Step 9:

Join the throng on /r/bitcoin who mock those who lost their binary Ankh-Morpork Dollars to your malcode, because everyone knows that you should only store your Bitcoins using a paper wallet. Once again, be sure to include posts noting how the thief is performing a public service in this objectivist paradise by educating the victims on how computer security works.

Step 10:

Enjoy life!


So there you have it, a 10, well, 11 step program to make lots of money in Bitcoin. Whatever, off by one error, who cares? It’s not like such errors exist in the core protocol of Bitcoin (*cough* OP_CHECKMULTISIG *cough*).

You can thank me by contributing to 1BitcoinEaterAddressDontSendf59kuE.

You can also follow me on Twitter: @ncweaver