Sunday, February 5, 2023

‘The Bomber’ Fires Back Over BitGrail Hack

In the developing public spat between Francesco “The Bomber” Firano and the Nano (XRB) development team over the recent BitGrail hack, Firano has fired back, accusing them of libel and asking them to cease making any contact with him. It’s estimated the previously little-known exchange lost over $170 million USD worth of Nano (formerly RaiBlocks) tokens.

Firano expressed his displeasure in the following tweet:

That February 12th tweet was preceded two days earlier with Firano informing the Nano team he would be approaching law enforcement:

The “unfounded accusations” Firano referred to on February 10th were those made by the Nano development team in a February 8th post on Medium, in which the team claimed:

“We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time.”

Firano, the owner of the BitGrail exchange allegedly hacked last week, followed his “libel” tweet with a warning that he was intending on pressing charges against the Nano team due to “irresponsible behavior”:

It is unclear whether an Italian court would be able to find in favor of a plaintiff claiming “irresponsible behavior” or what particular law proscribes such conduct.

Who’s to Blame?

The hack of 17 million XRB coins — actually valued around $195 million USD at the time — was reportedly discovered last week by BitGrail. The now-possibly insolvent exchange’s owner argued, in a text conversation leaked by the Nano team, that technical flaws in Nano’s design caused the theft, as they allowed for double-spending:

“Due to an xrb bug that caused the node to crash, the attackers forced the system to get double payments for which we have no trace of time due to another bug in xrb official explorer.”

Firano asked the team to execute a hard fork of the blockchain at a point prior to the apparent theft, enabling his customers to retrieve the funds:

“Is there any possibility to fork the chain and get xrb from burned address? Seems the only solution for me right now.”

A precedent for this was set in 2016 when TheDAO was hacked. Ethereum developers executed a hard fork to “turn back time”, retrieve the stolen funds and prevent further attacks.

The difference in the case of BitGrail and XRB is that the Ethereum community accepted that flaws in their code contributed to a vulnerability, which was then exploited. The Nano Core Team steadfastly denied similar problems in their protocol:

“From our own preliminary investigation, no double spending was detected on the ledger and we have no reason to believe the loss was due to an issue in the Nano protocol. The problems appear to be related to BitGrail’s software.”

Confusion Reigns in a Timeline of Chaos

To complicate matters, due to a January 19th server migration, transactions with missing dates were timestamped with that date by default. That made the job of discovering which transactions were unauthorized, and when they occurred, more onerous than it otherwise would have been.

In an update posted February 11th, however, the Nano development team claimed to have studied a number of suspicious XRB transactions and concluded that unauthorized transactions can be dated back to late October last year. The team were only notified of the hack February 8th, a day before it was publicly announced. Nano also asserts that many of the stolen funds made their way back to BitGrail or Mercatox (two of the few exchanges XRB could be traded on).

Curiously, as Bitsonline first reported, BitGrail users were suddenly hit with KYC (Know-Your-Customer) requirements on January 24th — roughly two weeks before the hack was announced. Those rules were particularly aimed at non-EU customers. Without providing the exchange with identification, non-EU users would not be able to withdraw their Nano coins without a prior conversion to Bitcoin (BTC). BitGrail accounted for some thirty percent of Nano coins — which rebranded from RaiBlocks on January 31st — in circulation worldwide.

During the unforeseen KYC implementation, the exchange’s interface — as shown by screenshots in that article and revealed in evidence submitted by users who wished to remain anonymous due to the sensitive nature of the subject — changed. It went from allowing users to select their country of origin in order to submit identification, to not allowing users to select their country of origin if they were not European (which Francesco argued was not a mandatory field), then back again to enabling users to select their country, after the article appeared.

Along with other forms of verbal abuse to which his customers have become accustomed, Firano demonstrated enthusiasm for threatening legal action for defamation, as his response to the Bitsonline story suggested:

Indeed, a translation from Italian of his more formal version of his February 12th tweet claimed:

“we have filed a further complaint for aggravated defamation … against the developers of NANO.”

BitGrail Hack Mishandled

But the funds were allegedly stolen from BitGrail’s cold wallet — the supposedly safe area of an exchange’s infrastructure — and the chaotic sequence of events surrounding the theft makes separating truth from fiction confusing, to say the least. It is difficult to believe that BitGrail’s failings did not play at least some part in exacerbating customer losses.

Firano’s bungled and hasty imposition of onerous Terms of Use changes, and concurrent lack of resources to manage those changes, possibly contributed to thousands of customers losing their money.

If time was of the essence, as Firano appears to argue to the Nano team in the leaked communiqué, freezing XRB withdrawals just before his exchange was hacked looks even more ill-timed now than it did then.

Do you have any thoughts on the BitGrail hack or exchange security in general? Please share your thoughts in the comments.
