The leading Bitcoin Vanity address site, known as Bitcoin Vanity, has just admitted to being hacked. Of course, that hack was on December 31, 2013, but they aren’t sure what the hack was, just that all your Bitcoins are belong to me now. This has caused many to suspect Bitcoin fraud (the first post has a link to the hacked site – I’m not posting it here for obvious reasons). Honestly, after explaining the problem with Mt Gox, and then following that up with the truth about the Mt Gox scam, my report on this latest drama is largely satire. This is because reporting on a village idiot doing something stupid isn’t really news, unless idiots populate your entire village, in which case Fox News already has that covered for you. It’s also because, in comparison to MtGox, this is just a drop in the ocean. That said, on with the story!
If you’re not sure what a Bitcoin Vanity address is, we’ll explain before diving into the details. If you already know, then you can skip this intro, and miss all this interesting and life changing commentary, provided by none other than The Great and Knowledgeable Icculus (warning – audible video link). However, as you’ll no doubt discover, I absolutely don’t think that vanity addresses are ever a good decision. That said, great journalist that I strive to be, I’ve endured my very own vanity address to bring you this riveting story.
Basically, vanity addresses are obtained by identifying a pattern from randomly generated Bitcoin addresses. They include numbers or letters, and typically make up a word, abbreviation, or other term that at least has meaning to the person requesting the address. As the title implies, they’re purely vanity, although they also of course function as Bitcoin addresses. The reason I say they’re purely for vanity purposes is because they really aren’t unique, no matter what anyone who just fell off the wagon might think.
They are not unique, because a Bitcoin address is a string of 27 to 34 characters. While not all of these characters are free to vary (the leading digit, for example, is not), most of them are. In other words, if that guy just had to have a vanity name, say, something along the lines of ‘idiot’, there are potentially endless other idiots who could also have that name in their address. In fact, there are so many that everyone who has ever lived on Earth could have the exact same vanity name as that guy. In other words, you wouldn’t want to be that guy, because they’d all be idiots. To demonstrate, here’s a number you’re familiar with, followed by a number with 27 zeros.
- 7,000,000,000 (Seven Billion people living on the earth – that’s 9 little 0’s)
- 1,000,000,000,000,000,000,000,000,000,000,000 (One Decillion – that’s 33 little 0’s)
For those of you who are more traditional, One Decillion is also known as One Thousand Quintillion, or a Quintilliard. Not even Dr. Evil has that much money.
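To put a number on the "not unique" argument, here is an added example (not from the original post or from any vanity-address tool) that estimates how many distinct addresses start with a given vanity pattern, and how many random keys a generator tries on average before hitting one. The function names and the sample patterns are hypothetical; it assumes classic `1...` pay-to-pubkey-hash addresses and treats checksums as uniformly distributed.

```python
# Added example: estimates how many Bitcoin addresses share a vanity prefix.
# Function names and sample prefixes are hypothetical, chosen for illustration.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58_value(text):
    """Integer value of a Base58 string; ValueError on 0, O, I or l."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    return n

def addresses_sharing_prefix(prefix):
    """Estimated number of distinct P2PKH addresses that start with prefix."""
    if not 2 <= len(prefix) <= 32 or prefix[0] != "1" or prefix[1] == "1":
        raise ValueError("expected '1' followed by a pattern not starting with '1'")
    body = prefix[1:]
    v = b58_value(body)
    # Payload = version byte 0x00 + 20-byte hash160 + 4-byte checksum.
    # A single leading '1' means exactly one zero byte, so as an integer the
    # payload lies in [2^184, 2^192) and encodes to 32 or 33 Base58 digits.
    floor, ceil = 1 << 184, 1 << 192
    total = 0
    for digits in (32, 33):
        scale = 58 ** (digits - len(body))
        lo = max(v * scale, floor)
        hi = min((v + 1) * scale, ceil)
        if hi > lo:
            # Only one checksum in 2^32 is valid for each hash160.
            total += (hi - lo) >> 32
    return total

def expected_keys_to_search(prefix):
    """Average number of random keys generated before one matches prefix."""
    return (1 << 160) // addresses_sharing_prefix(prefix)

if __name__ == "__main__":
    for sample in ("1idiot", "1Boat"):  # constructed sample patterns
        print(sample, addresses_sharing_prefix(sample),
              expected_keys_to_search(sample))
```

For the pattern `1idiot` the estimate is far larger than both numbers in the list above, while finding a single match still takes on the order of ten billion key generations.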
Put another way, vanity addresses are just like the person who goes out and buys the exact same pair of shoes that every other person on the planet has, and then personalizes it by the way they put the laces in. If they’re a famous sports persona or a rock star, then an endless horde of adoring fans will copy that exact same style (remember the ‘idiot’ example?). This makes vanity Bitcoin addresses absolutely meaningless to anyone other than the person who has them, and perhaps the handful of others who are ‘one with the message’ as interstellar gynecologist and marketing guru OB-GYN Kenobi once told me.
As if that weren’t enough, to further expand on just how meaningless vanity Bitcoin addresses are, anyone serious about accepting Bitcoin payments for their business will only accept payment to unique addresses. This is because each individual payment is then tracked according to the payment address of the customer who made it. There is no need for additional accounting practices, other invoice numbers, or anything else. The Bitcoin protocol takes care of all that, and you can view it all online.
That makes vanity addresses even less useful from a practical perspective. Still, small businesses will likely want to have their own vanity addresses, as will hipsters and everyone else who learned their personal hygiene from a Wookiee. Something about beards just screams vanity address, but maybe I’ve crossed into the dark side. Of course, reading the names of all these poor souls who had their Bitcoins stolen by this vanity address hack is unfortunate.
What is even more unfortunate is that further reading indicates that people have lost upwards of 20 to 40 Bitcoins, and according to some reports, even more as a result of vanity Bitcoin address hacks. That said, here’s the message that was sent out to users registered with the system (yep, good journalism baby, and I had my very own vanity address so that I could test the system too):
We have just discovered that the site was hacked on the 31st Dec 2013. They put some code in the page calckey that sent them the key if you used that page to calculate your private key rather than using bitaddress.org.
Please move any coins you have at addresses that were generated using this page. Please see forum page for updates. The site will now be shut down, as we only ran it for fun, and it is now not fun.
Any addresses bought since 31st Dec 2013 will be refunded on request via forum. This may take a while as we will do all in one go (and all our coins you paid us were taken so we need to get some!). https://bitcointalk.org/index.php?topic=118968.0
Honestly, it comes as no surprise, but it is a bit sad. Particularly the fact that they indicated it was something they’d been doing for fun, but that now it was no longer fun. Less fun, I imagine, for those who lost their Bitcoins. Unfortunately they’ve also indicated that, other than paying back the four people who paid 0.1 BTC each for their vanity addresses, they won’t be paying anyone for their vanity Bitcoin address purchases.
Instead, in an in-your-face sort of move, they’ll be donating that money to the Bitcoin Foundation to better educate Bitcoin users on security, because they know so much about security that their site would never be hacked, and their users would never be compromised. Except, I wouldn’t be writing this article if they knew web security.
Sadly this is yet another chapter in the growth and adoption of Bitcoins. It’s not much different than a con artist in London tricking a visitor from a village out of his or her cash. The only difference here is that those of us who are more technically savvy than our cash wielding peers often assume that we’re above being tricked.
In reality, the Internet is a global village, and unfortunate or difficult as some lessons may be, anyone willing to trust their money to a stranger isn’t easily going to avoid being labeled an idiot.
As ever, thanks for reading. If you need advice on Bitcoins, feel free to look us up, and we’ll get you pointed in the right direction (which, if you’re having a go at it on your own, would be away from MtGox and Vanity Bitcoin addresses).