It’s not just MtGox! Two more Bitcoin companies hit hard by hackers

Graham Cluley

In the wake of the MtGox debacle, two more Bitcoin companies have been struck hard by hackers – forcing one of them to go out of business entirely.

First up is Flexcoin, “the Bitcoin bank”, which has closed its doors after hackers breached its systems and stole Bitcoins worth the equivalent of $600,000.

Flexcoin statement

Of course, $600,000 is chicken feed compared to the half a billion dollars apparently stolen from MtGox. But still, it’s a nice day’s work for whichever criminals managed to trick Flexcoin into allowing them to withdraw the digital currency without authorisation.

Meanwhile, hackers are also said to have exploited a vulnerability in another Bitcoin exchange – Poloniex.

As Softpedia reports, Poloniex’s owner posted a message on a Bitcoin forum detailing how hackers had managed to exploit an embarrassing weakness in the site’s systems.

Poloniex statement

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.
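The race and the blind audit described in the Poloniex statement above, as an added example written for this page (it is not Poloniex's code): a toy ledger whose racy withdrawal checks the balance and then debits it in two separate steps, beside a serialised version that holds one lock across both, plus the sum-based audit that accepts -8 and the non-negative check it lacked. The `threading.Barrier` is an assumption of the simulation, used only to line every request up between check and debit so the race reproduces deterministically.

```python
import threading

class Ledger:
    # Toy account ledger, constructed for this example (not Poloniex's code).
    def __init__(self, opening_balance, parties):
        self.balance = opening_balance
        self.deposits = [opening_balance]
        self.withdrawals = []            # rows the withdrawal daemon would pick up
        self.lock = threading.Lock()
        # Holds every racy request between its check and its update so the
        # race reproduces deterministically instead of depending on timing.
        self.gate = threading.Barrier(parties, timeout=5)

    def withdraw_racy(self, amount):
        # Check-then-act with no serialisation: every concurrent request reads
        # the same balance, passes the check, and every one gets inserted.
        if self.balance < amount:
            return False
        self.gate.wait()                 # all requests have passed the check
        with self.lock:                  # the debit itself is atomic (like a DB
            self.balance -= amount       # UPDATE); the flaw is the check outside it
            self.withdrawals.append(amount)
        return True

    def withdraw_serial(self, amount):
        # One lock held across check AND update: requests are processed one
        # after another, so the second request sees the first one's debit.
        with self.lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            self.withdrawals.append(amount)
            return True

def audit_by_sums(ledger):
    # The audit the statement describes: deposits minus withdrawals must equal
    # the stored balance. -8 passes, because -8 is "exactly what it should be".
    return ledger.balance == sum(ledger.deposits) - sum(ledger.withdrawals)

def audit_non_negative(ledger):
    # The missing check: a ledger that sums correctly can still be overdrawn.
    return audit_by_sums(ledger) and ledger.balance >= 0

def simulate(racy, opening_balance=10, amount=6, requests=3):
    # Fire `requests` withdrawals of `amount` at one account in the same instant
    # and return the ledger (10 BTC, three 6 BTC withdrawals: -8 when racy).
    ledger = Ledger(opening_balance, requests)
    fn = ledger.withdraw_racy if racy else ledger.withdraw_serial
    threads = [threading.Thread(target=fn, args=(amount,)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger
```

Running `simulate(True)` leaves the account at -8 with three queued withdrawals and a passing sum audit; `simulate(False)` leaves it at 4 with one withdrawal.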

The total loss from Poloniex is thought to be approximately $50,000.

Will this be the last Bitcoin firm to suffer at the hands of hackers? Somehow I doubt it.

Criminals are always attracted to where the money can be found – and sites created quickly during the Bitcoin gold rush may not have the right security in place to properly protect their customers’ money.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.