Poor Bitcoin Security

The article you are about to read highlights the security of Bitcoin infrastructure and provides its in-depth analysis as compared to commonplace fiat currencies.

The general perception of Bitcoin is that it is a highly secure decentralized type of currency bolstered by strong, military-grade cryptographic algorithms. Furthermore, the holder of “digital cash” doesn’t have to disclose any personally identifiable information when transacting, as opposed to providing a credit card number and security code in a regular payment scenario.

It is also generally believed that although Bitcoin-related services have been breached a few times, threat actors never compromised the underlying protocol.

But is it all so black and white?


It reasonable to split the discussion of Bitcoin security into the following two levels:

  • The safety of the protocol and blockchain technology.
  • The safety of wallets, online exchanges, and other payment systems.

This separation makes sense because many things reside beyond the blockchain. The objective of the core system is to simply issue coins and register transactions after issuance. It doesn’t even perform the function of registering ownership. structure, or even both of these layers.


The integrity and security of the blockchain, the distributed ledger system behind Bitcoin, is reliably protected by cryptography. In addition to safeguarding cryptocurrency transactions, it is intended to thwart double spending and other issues. Based on these hallmarks of the blockchain, there are two main security challenges to tackle:

  • Verifying the validity of transactions. This challenge boils down to ascertaining that the amounts spent correlate with unspent outputs preceding them within the previous blockchain. One of the ways to do this is to look for transaction signatures generated with valid private encryption keys.
  • Vetting the authenticity of the blockchain being mined. For the authenticity requirement to be satisfied, miners should mine the longest available blockchain. It takes a lot of computational resources to extend the blockchain, so the longest valid one is tried and true because miners have, obviously, worked with it the most.

If the above challenges are met, there is almost no room for doubt regarding the validity of transactions being registered in the blockchain. That is because the transactions cohere with unspent outputs, reside on the longest blockchain and were signed properly.

Is it within the realms of possibility to compromise this type of security?

In fact, there are plenty of applicable attack vectors. For instance, a perpetrator can guess private keys and sign fraudulent transactions where Bitcoin theft takes place. Another trick is to initiate transactions that appear to be valid and confirmed, but where the sender of cryptocurrency is duped into thinking these transactions were invalid and coins were not spent. One more technique is to try and overwhelm the network with substantial computing power. High-profile attackers may also discover yet unknown vulnerabilities and leverage them to compromise the blockchain infrastructure.


In fact, threat actors have had some success using some of the above methods. The scenarios below might pose serious risks to Bitcoin security:

  • Using brute force attacks to guess private keys for a specific address. This technique is extremely difficult to implement due to the big size of the key space. From a computational perspective, this incursion appears to be hardly viable at this point. However, simply traversing the blockchain may reveal unspent outputs. With enough computational power on their hands via things like quantum computers, though, perpetrators may be able to pull off brute force attacks of that sort. In this case, the adversary may be able to circumvent the defenses of the Bitcoin protocol, including those of cold storage.
  • Obtaining a private key via a dictionary attack. Attackers can use a plethora of common passwords to try and guess a private key for an arbitrary address with unspent outputs. This type of compromise has already been implemented multiple times. Once a private key is calculated, cybercrooks employ bots to check whether cryptocurrency is transferred to a vulnerable address. If so, they steal the Bitcoin in no time.
  • Double spending within a small timeframe. Bitcoin transactions take time to complete – confirmation blocks are generated within 10 minutes on average. This time window may allow for double or even triple spending. Such a technique is applicable if a merchant is unwilling to wait for a transaction to be confirmed and assumes it is completed instantly.
  • Overwhelming the network. This attack is extremely difficult to carry out because a rogue player needs enormous computing resources to cause a network outage. During these crashes, most miners will temporarily discontinue their work, while perpetrators may harness computing power to benefit from other people’s transactions.
  • Exploiting protocol imperfections. An uncatalogued vulnerability in the network protocol per se or the way it is implemented might become a godsend to thieves. For example, the notorious transaction malleability flaw reportedly allowed attackers to pilfer about 7% of the whole Bitcoin volume via the Japan-based Mt. Gox cryptocurrency exchange during the 2011-2014-time span.
  • Taking advantage of flaws in crypto implementation. Ideally, cryptography is an uncrackable means for safeguarding digital communication and other types of online interaction. This holds true as long as it is implemented the right way. A recent large-scale attack has exploited a gaping hole in a code library to calculate private keys, impersonate key owners and steal Bitcoin, compromise digital IDs, etc.


Users rarely interact with the blockchain directly. Instead, they deal with payment services residing on top of it. These include wallets, exchange services, and other systems.

Wallets are applications that keep private keys for your cryptocurrency. Their security boils down to using commonplace authentication through pass-codes, biometric features, hardware tokens and the like.

Bitcoin exchanges often hold funds (both crypto and fiat). They may leverage exchange wallets of their own in order to facilitate Bitcoin buying and selling. Another noteworthy hallmark of exchanges is that they have regular bank accounts propping their business.

Payment systems allow customers to purchase goods and services with cryptocurrency. These systems resemble widespread non-Bitcoin payment services like PayPal. They hold coins in the form of tokens residing in internal wallets. These tokens are exchanged for currency when a customer purchases something.

Unfortunately, none of the above systems is secure. In fact, they are all just as safe as services processing regular digital payments, such as banks and platforms like PayPal. They use the blockchain to simply keep track of transactions and are therefore susceptible to the exact same security risks as a garden-variety financial organization.


Yes, and no. On the one hand, associated third-party payment systems make it equally vulnerable. On the other hand, a fusion of properties intrinsic to Bitcoin makes it safer. These include the following characteristics:

  • It is impossible to reverse transactions. As soon as a Bitcoin transaction has been validated, the cryptocurrency will not be sent back unless the recipient opts for it.
  • Transactions are secure against censorship. A Bitcoin transaction signed with a valid private key and containing an amount that has not been previously spent will be validated by the network no matter what.
  • There is no connection between ownership and Bitcoin addresses. Well, in theory, there is such a link. However, any person who has the private key to a Bitcoin address gets unrestricted access to the cryptocurrency in it.

This combo puts the average Bitcoin user in a paradigm with the following causality:

  • If you lose your private keys, you lose the Bitcoin. Indeed, there is no mechanism to claim the lost keys, therefore Bitcoin simply vanishes for good.
  • If you make a mistake typing a destination Bitcoin address, you lose the Bitcoin. The blockchain system perceives such a transaction as valid because your private key is valid, plus the mistyped address is very likely to exist, given the enormous address space. In the upshot, consider the Bitcoin gone irreversibly. As opposed to this, a banking transaction where funds were sent to a wrong account number can be reversed.
  • If you get hacked, you might lose your Bitcoin. A cyber perpetrator who infected your PC with ransomware or other malware may get control over your wallet or exchange account and transfer or spend your Bitcoin as he or she pleases. These transactions cannot be reversed, remember? Things are different when you are dealing with a bank. If someone hacks your bank account and steals funds from it, it is usually possible to reverse the fraudulent transactions so that you get your money back. Alternatively, you can get the losses compensated by your insurance company. This scenario does not work for Bitcoin.
  • If your wallet gets hacked, you lose the Bitcoin. A threat actor will not find it hard to pilfer your digital cash in this case, and you will never see it again. This does not hold true for traditional financial services such as banks or PayPal – if they get hacked, you will most likely get the money back.
  • If your Bitcoin exchange gets compromised, you lose your Bitcoin. For the average Bitcoin exchange service out there, being hacked might be a road to bankruptcy. If your cryptocurrency vanishes along the way, there is no insurance option to return it. Hopefully, the exchange turns out robust enough to recover from a hacker onslaught, in which case you may get your funds back.
  • Bitcoin theft is inconspicuous. The blockchain system will not raise any red flags on transferring your Bitcoin away. You will not receive any email or text message on your phone if your private keys are stolen.

All in all, Bitcoin is not nearly as safe as most people think it is. Regular digital currency bodes much better in terms of security.


As the number of miners and generated transactions increases, the system may respond with a larger block size limit. Technically, this will create a fork of the Bitcoin network, such as the Bitcoin Cash that appeared in early August 2017. As a result, users who held Bitcoin at the time of this split automatically got an equal amount of Bitcoin Cash. However, people who purchased Bitcoin afterwards only got Bitcoin proper.

The security challenge here is that the newly forked blockchain may be declared not genuine over time. This predicament can be compared to discovering someday that some of your hard-earned fiat money is counterfeit.


Based on the facts provided above, it does not take a genius to understand that Bitcoin is a questionably secure form of digital currency. The biggest risks regarding it lie in the architectural characteristics of the blockchain. In particular, there is no option to stop, reverse or censor transactions. To top it off, no insurance scheme is in place.

The takeaway is that proper security and Bitcoin use simply do not work in tandem. Some people will probably disagree with such a conclusion, arguing that a paper Bitcoin wallet and the use of dubious sites instead of known-vulnerable exchange services will do the security trick. Well, that is like reinventing the wheel in the era of Tesla vehicles.


Photo via Getty Images

Source: Themerkle