Bitcoin bank Flexcoin has shut down after
it was unable to cover losses from a hacker attack in which 896 bitcoins
were lost – valued at $570,000 according to The Guardian’s report.
The attackers were able to steal all the bitcoins stored in
the bank’s “hot wallet” – the portion of its funds on computers
accessible via the internet – due to a transaction flaw in its code.
Much of the bank’s assets was in “cold storage” – i.e. on devices not
accessible via the web, but the bank was unable to cover the losses from
the theft.
The closure comes just days after Mt Gox lost a reported $500m in a
theft which the exchange claims was due to hackers exploiting flaws in
the site code, as reported by We Live Security here. Flexcoin said in a statement, “We have failed the Bitcoin community.”
PC Pro reports that the attack on Flexcoin began with an attacker creating a username for the site, then depositing a number of bitcoins.
Flexcoin
said in a statement, “On March 2nd 2014 Flexcoin was attacked and
robbed of all coins in the hot wallet. The attacker made off with 896
BTC. As Flexcoin does not have the resources, assets, or otherwise to
come back from this loss, we are closing our doors immediately.
“Users who put their coins into cold storage will be
contacted by Flexcoin and asked to verify their identity. Once
identified, cold storage coins will be transferred out free of charge.
Cold storage coins were held offline and not within reach of the
attacker.
“The attacker then successfully exploited a flaw in the
code which allows transfers between flexcoin users. By sending thousands
of simultaneous requests, the attacker was able to “move” coins from
one user account to another until the sending account was overdrawn,
before balances were updated. This was then repeated through multiple
accounts, snowballing the amount, until the attacker withdrew the
coins.”
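The flaw Flexcoin describes is a balance check that is not atomic with the debit, so simultaneous requests all pass the check against the same funds. The sketch below is an added illustration, not Flexcoin's code: the `Ledger` class, account names and amounts are hypothetical, and a lock stands in for the database transaction or conditional update a real service would use.

```python
import threading
import time

class Ledger:
    """Toy in-memory ledger; all names here are hypothetical."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer_racy(self, src, dst, amount, window):
        # Check and update are separate steps: every request that reads
        # the balance before the first write lands sees the same funds.
        if self.balances[src] < amount:
            return False
        window()  # stands in for latency between the read and the write
        with self._lock:  # the write itself is safe; the check is stale
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True

    def transfer_atomic(self, src, dst, amount, window):
        # Check and debit happen under one lock, so a concurrent request
        # cannot act on a balance that is about to change.
        with self._lock:
            if self.balances[src] < amount:
                return False
            window()
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True

def burst(method, n=8, amount=10):
    """Fire n simultaneous transfers of `amount` from an account holding `amount`."""
    ledger = Ledger({"alice": amount, "bob": 0})  # constructed sample data
    barrier = threading.Barrier(n)
    # Racy path: hold all n requests in the window until each has passed the check.
    window = barrier.wait if method == "transfer_racy" else (lambda: time.sleep(0.001))
    results = []
    def request():
        results.append(getattr(ledger, method)("alice", "bob", amount, window))
    threads = [threading.Thread(target=request) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balances["alice"], ledger.balances["bob"]

if __name__ == "__main__":
    print("racy  :", burst("transfer_racy"))    # all 8 accepted, sender overdrawn
    print("atomic:", burst("transfer_atomic"))  # 1 accepted, sender at zero
```

Each function returns the number of accepted transfers and the final sender and receiver balances; a negative sender balance is the invariant violation a reconciliation job or database constraint should flag.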
Another bitcoin exchange, Poloniex, admitted that it had lost 12.3%
of its reserves to hackers exploiting a security flaw, according to the Guardian’s report. Poloniex’s
owner said in a statement, “I take full responsibility; I will be
donating some of my own money, and I will not be taking profit before
the debt is paid.” The Guardian commented that the recent spate of
large-scale thefts highlighted a broader problem with security.
Flexcoin said in a statement, “Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.”
This week, bitcoin exchange Mt Gox admitted that nearly
$500 million in bitcoin had “disappeared” in a new statement posted online –
as computer code posted on Pastebin appeared to be part of the backend
for the exchange, which would tally with CEO Mark Karpeles’ claims that
the site was hacked, as reported by We Live Security here.
Ars Technica reports that a chunk of PHP code posted to the website
Pastebin appears to originate from Mt Gox, and tally with CEO Mark
Karpeles’ claims that the site was hacked. “The block of PHP code
appears to be part of the backend for MtGox’s Bitcoin exchange site, and
it includes references to IP addresses registered to Karpeles’ Web
hosting and consulting company, Tibanne,” Ars Technica’s Sean Gallagher writes.
The site’s statement says, “At the start of February 2014,
illegal access through the abuse of a bug in the bitcoin system resulted
in an increase in incomplete bitcoin transfer transactions and we
discovered that there was a possibility that bitcoins had been illicitly
moved through the abuse of this bug. We believe that there is a high
probability that these bitcoins were stolen as a result of an abuse of
this bug and we have asked an expert to look at the possibility of a
criminal complaint and undertake proper procedures.”
Wired
claimed that many of the company’s troubles could be traced to its CEO,
Mark Karpeles, quoting unnamed “insiders” who described Karpeles as
more of a computer coder than a CEO. One company insider, speaking to
Wired on condition of anonymity, said, “Mark liked the idea of being
CEO, but the day-to-day reality bored him.”
The company’s website was taken offline last week, shortly after a
statement was published online by digital wallet company Coinbase,
denouncing Mt Gox, and endorsed by other leading Bitcoin exchanges,
saying, “As with any new industry, there are certain bad actors that
need to be weeded out, and that is what we are seeing today. Mtgox has
confirmed its issues in private discussions with other members of the
bitcoin community.”
Rumours had circulated that the company faced insolvency
after it halted withdrawals earlier this year, according to Bloomberg
Businessweek. The company had halted withdrawals after what it described
as ‘unusual activity’.