I Broke Bitcoin
A lesson in the virtues of specificity.
Alister Maclin can break Bitcoin on command. In an email, Maclin said he's been the one spamming the Bitcoin network over the last several days with enough force to compel a Bitcoin exchange to notify its customers that the attack was causing withdrawal issues. Of course, he added, "Alister Maclin" is an alias.
In retrospect, I should have been more specific when I asked Maclin if there was a way for me to verify his claims.
Normally, confirmation of this kind might come in the form of a cryptographic fingerprint, but when I contacted Maclin over email, he replied in broken English: "I will switch the stress-test on once again for a short period (~10 min) at 17:30 of your local time (there is 00:22 now in Moscow - I wanna sleep). You will see."
Slightly taken aback, I asked if Maclin meant 5:30 PM tomorrow. "Today! Now! I've already started it ten minutes ago :)" he replied. Sure enough, the number of transactions rejected by the Bitcoin network skyrocketed at 5:30 PM on Tuesday afternoon.
At 5:54 PM, Maclin emailed me again. "Switched off," he wrote. "Now red lines on the third chart will return back to green." And as it was written, so it was done. Things calmed down, the number of rejected transactions dropped back to normal levels, and the chart's red spike settled back to green after an hour.
Maclin isn't the first person to try and break the Bitcoin network. An exchange called Coinwallet.eu previously threw $48,000 USD in Bitcoin to the winds in an attempt to fill the network with tiny spam transactions and slow things down for everyone. By comparison, however, Maclin's attack was extremely cheap, simple, and effective.
Maclin used what's known as a "malleability attack," which takes advantage of the time delay between when bitcoins are sent and when the transaction record is included in a block and uploaded to the blockchain for posterity. A script written by Maclin, running on a virtual machine, captures transactions and re-broadcasts them to the Bitcoin network with a slightly different ID, thus creating a duplicate transaction, only one of which can be added to a block. Everybody's bitcoins still get where they need to go, but it could take hours for the transaction to be confirmed instead of the usual 10 minutes.
The attack has cost him nothing, Maclin claimed, and he told me it only took him a couple of hours to write the 100 or so lines of code for the script. It's a devious and effective tactic, and it's not the first time someone has exploited it. But why do this at all? After asking if I'd read Jack London's 1904 novel about a brutal and amoral sea captain, The Sea-Wolf, Maclin wrote, "We do everything for living. For feeding our wifes and children." He assured me he's not in it for profit, though—this time.
Watch more from Motherboard: Life Inside a Chinese Bitcoin Mine
Instead, Maclin wrote that he has serious gripes with Bitcoin, centering around well-documented concerns over the ridiculous amount of energy the Bitcoin network consumes. "The main thing is that bitcoin network spends much more resources (electricity, hardware, human efforts) per transaction than current centralized systems," Maclin wrote. "Bitcoin exists now, because of bubble-ponzi scheme."
Maclin also took issue with the role of core developers, a relatively small group of programmers who actually contribute to the open source BItcoin project. Whatever everybody else thinks about things like the recent debate over a code change that divided the Bitcoin community, it's the core devs who ultimately do the work. It's "strange," Maclin wrote, that Bitcoin users expect the devs to do everything for them.
Whatever Maclin's true motivations, he told me that the attack is concluded for now. But, he added, he can always turn it back on. "Yes, I definitely switch it on in nearest future," Maclin wrote. "May be next week. May be later. I have to check some things."
But Maclin's window may be closing. A Bitcoin update designed to fix the malleability issue has been in the works for over a year, and the latest attack could be just the spark to light a fire under it.