How the “world’s first Bitcoin bank” was robbed blind

Flexcoin, the self-proclaimed "world's first Bitcoin bank," was robbed by attackers who took advantage of a flaw in the bank's code for transferring bitcoins.

As reported yesterday, Flexcoin shut down after an attacker made off with 896 bitcoins, the equivalent of about $600,000. The company has since posted a more thorough explanation of just how it was robbed on its home page:

The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy

The coins were then left to sit until they had reached 6 confirmations.

The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.

This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.
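The flaw the notice describes is a classic check-then-act race: the transfer code read the sender's balance, compared it with the amount, and only then wrote the debit, so thousands of requests arriving in the window between the read and the write all passed the check against the same stale balance. Below is an added example (not Flexcoin's code, which the page does not show, and not from this article) that models the bug and its fix. The account names, amounts, the `Ledger` class and the `accounts` table are all constructed for the demonstration; a `threading.Barrier` stands in for the attacker's simultaneous requests so the race reproduces deterministically rather than by luck.

```python
import sqlite3
import threading


class Ledger:
    """Toy in-memory account store standing in for the exchange's database.

    Each method holds the lock for exactly one operation, modelling a database
    in which every single statement is atomic but two statements are not.
    """

    def __init__(self, balances):
        self._balances = dict(balances)
        self._lock = threading.Lock()

    def read(self, account):                      # SELECT balance FROM accounts ...
        with self._lock:
            return self._balances[account]

    def adjust(self, account, delta):             # UPDATE accounts SET balance = balance + ?
        with self._lock:
            self._balances[account] = self._balances.get(account, 0) + delta

    def transfer_if_sufficient(self, src, dst, amount):
        """Hardened form: the check and both writes happen under one lock."""
        if amount <= 0:                           # reject zero/negative "transfers"
            return False
        with self._lock:
            if self._balances[src] < amount:
                return False
            self._balances[src] -= amount
            self._balances[dst] = self._balances.get(dst, 0) + amount
            return True


def vulnerable_transfer(ledger, src, dst, amount, barrier):
    """Check-then-act across separate operations: the Flexcoin-style bug."""
    available = ledger.read(src)   # every request reads the same stale balance ...
    barrier.wait()                 # ... and all pass the check before any write lands
    if available < amount:
        return False
    ledger.adjust(src, -amount)    # each debit is atomic, but the check was not tied to it
    ledger.adjust(dst, amount)
    return True


def safe_transfer(ledger, src, dst, amount, barrier):
    """Same burst of simultaneous requests; check and write are one atomic step."""
    barrier.wait()
    return ledger.transfer_if_sufficient(src, dst, amount)


def run_burst(transfer, requests=20, amount=30, start=100):
    """Fire `requests` simultaneous transfers of `amount` from an account holding
    `start`. Returns (successful_transfers, src_balance, dst_balance)."""
    ledger = Ledger({"victim": start, "attacker": 0})
    barrier = threading.Barrier(requests)
    results = [None] * requests

    def worker(i):
        results[i] = transfer(ledger, "victim", "attacker", amount, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.read("victim"), ledger.read("attacker")


def make_db():
    """Constructed sample database: one funded victim, one empty attacker account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("victim", 100), ("attacker", 0)])
    conn.commit()
    return conn


def sql_transfer(conn, src, dst, amount):
    """The same fix in SQL: the sufficiency check is a predicate on the debit
    itself, so the database evaluates check and write atomically per row."""
    if amount <= 0:
        return False
    with conn:  # one transaction: commits on normal exit, rolls back on exception
        debited = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount)).rowcount
        if debited != 1:
            return False          # nothing changed, so no credit is issued
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?",
            (amount, dst)).rowcount
        if credited != 1:
            raise LookupError(f"unknown destination account {dst!r}")  # rolls back the debit
    return True


def balance(conn, account):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]
```

With twenty concurrent 30-unit transfers from a 100-unit account, `run_burst(vulnerable_transfer)` lets all twenty through and leaves the sender at -500 while the receiver holds 600, which is exactly the "overdrawn before balances were updated" outcome in the notice; `run_burst(safe_transfer)` lets three through and stops at 10. The `sql_transfer` form is the one to reach for in a real deployment: a conditional `UPDATE ... WHERE balance >= ?` with a rowcount check (or an equivalent `SELECT ... FOR UPDATE` inside a transaction) makes the database serialize the check with the write, whereas a separate `SELECT` followed by an `UPDATE` reintroduces the window no matter how fast the application code is.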

The stolen coins were in Flexcoin's "hot wallet," the account used to instantly pay out withdrawals. The bitcoins that Flexcoin customers had deposited were stored separately on computers that weren't connected to the Internet, according to Flexcoin. The company said it will attempt to give users their coins back, presuming it can verify users' identities.
