drag2share: Here's How A 'Bitcoin Bank' Was Robbed Of Every Single Coin It Held Online

Source: http://www.businessinsider.com/flexcoin-robbery-2014-3

Yesterday we wrote about Flexcoin, the latest Bitcoin site that had to shut down after a massive theft that wiped it clean of every single Bitcoin it held online.

The company has now posted an explanation of how it happened:

During the investigation into stolen funds we have determined that the extent of the theft was enabled by a flaw within the front-end.

The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy

The coins were then left to sit until they had reached 6 confirmations.

The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.

This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins. (Here and Here)

Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough.

Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent. We've failed our customers, our business, and ultimately the Bitcoin community.

Please direct any and all questions to admin(at)flexcoin(dot)com and we will reply to you as soon as possible.

Join the conversation about this story »

---
drag2share - drag and drop RSS news items on your email contacts to share (click SEE DEMO)