It’s not just MtGox! Two more Bitcoin companies hit hard by hackers

In the wake of the MtGox debacle, two more Bitcoin companies have been struck hard by hackers – forcing one of them to go out of business entirely.

First up is Flexcoin, “the Bitcoin bank”, which has closed its doors after hackers breached its systems and stole Bitcoins worth the equivalent of $600,000.

Flexcoin statement

Of course, $600,000 is chicken feed compared to the half a billion dollars apparently stolen from MtGox. But still, it’s a nice day’s work for whichever criminals managed to trick Flexcoin into allowing them to withdraw the digital currency without authorisation.


Meanwhile, hackers are also said to have exploited a vulnerability in another Bitcoin exchange – Poloniex.

As Softpedia reports, Poloniex’s owner posted a message on a Bitcoin forum detailing how hackers had managed to exploit an embarrassing weakness in the site’s systems.

Poloniex statement

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.
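The race and the audit gap that the Poloniex statement describes, modelled as an added example that is not Poloniex's code (the sqlite schema, the single account and the 2 BTC figures are constructed): a check-then-act withdrawal beside a guarded one, and the deposits-minus-withdrawals audit beside the negative-balance check it lacked.

```python
import sqlite3

def new_db(start_balance):
    """Constructed one-account ledger; schema and figures are sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance REAL)")
    db.execute("CREATE TABLE withdrawals (account INTEGER, amount REAL)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (start_balance,))
    return db

def get_balance(db, account):
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]

def withdraw_racy(db, account, amounts):
    """Check-then-act: simultaneous requests all read the balance before any
    has written, so each passes the funds check against the same stale figure."""
    snapshots = [get_balance(db, account) for _ in amounts]
    for seen, amt in zip(snapshots, amounts):
        if seen >= amt:
            db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amt, account))
            db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amt))

def withdraw_atomic(db, account, amounts):
    """Guarded debit: the funds check is inside the UPDATE, so the database
    evaluates it against the current row no matter how requests interleave."""
    for amt in amounts:
        cur = db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
                         (amt, account, amt))
        if cur.rowcount == 1:  # 0 rows updated means the row no longer covered it
            db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amt))

def ledger_consistent(db, account, total_deposited):
    """The audit in the statement: deposits minus withdrawals must equal the
    balance. 2 - 10 == -8 passes, so an overdraft is never flagged."""
    (withdrawn,) = db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals WHERE account = ?",
                              (account,)).fetchone()
    return total_deposited - withdrawn == get_balance(db, account)

def overdrawn_accounts(db):
    """The missing check: a negative balance is an invariant violation, full stop."""
    return [row[0] for row in db.execute("SELECT id FROM accounts WHERE balance < 0 ORDER BY id")]

if __name__ == "__main__":
    for handler in (withdraw_racy, withdraw_atomic):
        db = new_db(2.0)
        handler(db, 1, [2.0] * 5)  # five 2 BTC withdrawals against a 2 BTC balance
        print(handler.__name__, get_balance(db, 1), ledger_consistent(db, 1, 2.0), overdrawn_accounts(db))
```

With the racy handler the account ends at -8 BTC and the arithmetic audit still reports it consistent; only the negative-balance query catches it, while the guarded UPDATE accepts one withdrawal and rejects the other four.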

The total loss from Poloniex is thought to be approximately $50,000.

Will this be the last Bitcoin firm to suffer at the hands of hackers? Somehow I doubt it.

Criminals are always attracted to where the money can be found – and sites created quickly during the Bitcoin gold rush may not have the right security in place to properly protect their customers’ money.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
