Bitcoin Magazine


Bitfloor Hacked, $250,000 Missing

Bitfloor, the fourth largest exchange dealing in US dollars, has just announced[1] that it has been hacked, and the service has taken a loss of 24,000 BTC, worth about $250,000 at the time of the theft. As Roman Shtylman, the founder of Bitfloor, describes it, “last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand.” As a result, BitFloor has paused all exchange operations and, depending on the effect that this will have on BitFloor’s finances, BitFloor may take one of two options. They may either take the loss and continue running in an attempt to eventually earn the money back or, in the worst case, shut down entirely and begin a partial refund of accounts out of the available funds.

The unencrypted backup that allowed the thief to carry out the attack was made when Shtylman made a manual upgrade earlier and put the data into an unencrypted partition on his disk; Shtylman has so far declined to comment further on the details of the attack, saying that “my current focus is on the future and not the past.” As Bitcoin security experts point out, Bitfloor made not one but two errors that were both necessary to lead to such a severe loss; the first, leaving data stored unencrypted, was an honest and perhaps unavoidable mistake, but it would not have had nearly as much of an effect if there had not also been the second error of leaving so much money in an online-accessible “hot wallet”. Since the Bitcoinica Linode theft, in which an unknown attacker made off with $222,000 worth of bitcoins from Bitcoinica’s hot wallet in March, it has been generally understood that any Bitcoin-holding service should keep the vast majority of its funds in “cold storage”, a term referring to a setup where the private keys never touch any computer that is accessible from the internet.

ThomasV, the lead developer behind the Electrum client, lists some security recommendations for Bitcoin exchanges here; his seven key points are:

  1. Don’t store more bitcoins outside of cold storage than you can afford to lose and remain solvent. This ensures that your business will be able to financially survive a hack.
  2. Deposits should be sent to cold storage addresses directly.
  3. Transfer from cold storage to hot storage should be manual only.
  4. An attacker should not be able to disguise a theft as a series of withdrawals from customers.
  5. If a withdrawal request exceeds the amount available on the hot wallet, the customer should have to wait. Receiving coins 24 hours later is better than not receiving one’s coins at all.
  6. Clone your database to a place where an attacker cannot irreversibly modify or delete it from the server.
  7. Send digitally signed account statements to customers regularly, using a key that is not on the public server.
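The following Python model is an added example, not code from Bitfloor, Electrum or ThomasV. It shows how points 1 through 6 above fit together as a single hot/cold wallet policy: deposits credit cold storage only, the hot wallet is capped at what the business can afford to lose, cold-to-hot transfers require an operator outside the server, withdrawals that exceed the hot balance or a daily outflow cap are queued rather than refused, and every event goes to an append-only ledger meant to be mirrored off the server. The class, method names and the amounts in the scenario are all hypothetical; amounts are integer satoshis.

```python
"""Hypothetical hot/cold wallet policy for a Bitcoin exchange (added example)."""
from collections import deque
from dataclasses import dataclass, field

SATOSHI = 100_000_000  # 1 BTC in satoshis


@dataclass
class Exchange:
    hot_balance: int = 0                     # coins whose keys sit on the internet-facing server
    cold_balance: int = 0                    # coins whose keys never touch that server
    hot_cap: int = 50 * SATOSHI              # point 1: the most the business can lose and stay solvent
    daily_outflow_cap: int = 40 * SATOSHI    # point 4: bounds what a "series of withdrawals" can move
    outflow_today: int = 0
    pending: deque = field(default_factory=deque)  # point 5: withdrawals waiting for a refill
    ledger: list = field(default_factory=list)     # point 6: append-only record to mirror off-server

    def _log(self, *event):
        self.ledger.append(event)

    def deposit(self, customer: str, amount: int) -> None:
        # point 2: customer deposits land in cold storage; the hot wallet is never credited automatically
        self.cold_balance += amount
        self._log("deposit", customer, amount)

    def _can_pay(self, amount: int) -> bool:
        return amount <= self.hot_balance and self.outflow_today + amount <= self.daily_outflow_cap

    def request_withdrawal(self, customer: str, amount: int) -> str:
        # point 5: if the hot wallet cannot cover it today, the customer waits instead of losing coins
        if self.pending or not self._can_pay(amount):
            self.pending.append((customer, amount))
            self._log("queued", customer, amount)
            return "queued"
        self.hot_balance -= amount
        self.outflow_today += amount
        self._log("withdraw", customer, amount)
        return "sent"

    def refill_from_cold(self, amount: int, operator_approved: bool = False) -> int:
        # point 3: only a human acting outside the server moves coins from cold to hot,
        # and never past hot_cap (point 1)
        if not operator_approved:
            raise PermissionError("cold -> hot transfers are manual only")
        amount = min(amount, self.cold_balance, self.hot_cap - self.hot_balance)
        self.cold_balance -= amount
        self.hot_balance += amount
        self._log("refill", amount)
        return amount

    def drain_queue(self) -> list:
        # pay queued withdrawals in order for as long as the hot wallet and daily cap allow
        paid = []
        while self.pending and self._can_pay(self.pending[0][1]):
            customer, amount = self.pending.popleft()
            self.hot_balance -= amount
            self.outflow_today += amount
            self._log("withdraw", customer, amount)
            paid.append((customer, amount))
        return paid

    def simulate_hot_key_theft(self) -> int:
        # An attacker who obtains the hot wallet's keys bypasses every server-side check;
        # the loss is the hot balance, which points 1 and 3 keep at or below hot_cap.
        stolen, self.hot_balance = self.hot_balance, 0
        self._log("THEFT", stolen)
        return stolen


def scenario():
    """Constructed walk-through: deposits, a refill, a queued withdrawal, then a key theft."""
    ex = Exchange()
    ex.deposit("alice", 30 * SATOSHI)
    ex.deposit("bob", 40 * SATOSHI)                      # cold 70, hot 0
    ex.refill_from_cold(20 * SATOSHI, operator_approved=True)  # cold 50, hot 20
    first = ex.request_withdrawal("alice", 15 * SATOSHI)       # sent: hot 5, outflow 15
    second = ex.request_withdrawal("bob", 10 * SATOSHI)        # queued: hot 5 < 10
    ex.refill_from_cold(30 * SATOSHI, operator_approved=True)  # cold 20, hot 35
    paid = ex.drain_queue()                                    # bob paid: hot 25, outflow 25
    loss = ex.simulate_hot_key_theft()                         # attacker empties the hot wallet
    return ex, first, second, paid, loss


if __name__ == "__main__":
    ex, first, second, paid, loss = scenario()
    print(first, second, paid, loss / SATOSHI, "BTC lost;", ex.cold_balance / SATOSHI, "BTC safe in cold")
```

The theft in the scenario costs 25 BTC out of 70 held, because the policy never let more than `hot_cap` onto the server and the operator refilled only as withdrawals required. Without points 1 and 3 the same compromise takes everything, which is the Bitfloor outcome described above. The daily outflow cap only constrains withdrawals made through the application; it is a detection and damage-limiting control for a compromised web tier, not a defense against stolen keys.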

Taking greater care to protect one’s server from being hacked in the first place is of course the best defense. However, any single layer of defense will invariably make mistakes, and sound Bitcoin service security requires a strong and detailed strategy for mitigating losses based on a defense in depth. Not following proper security procedures may mean seeing your prospering Bitcoin business meet a sudden and untimely end. Given the amount of information and experience available on such matters, not taking the most trivial standard precautions may even open one up to liability due to gross negligence. No matter how big, small, young or established your Bitcoin business may be, it is better to be prepared earlier rather than later.


  • Asdf

    .wallet was unencrypted lol

  • Adblaze Marketing

    These idiots were that careless with that much money?

  • Ada Foster

    nice post

  • Andrew Pennebaker

    Why are Bitcoin banks being successfully hacked and not regular banks? What is it about Bitcoin that makes hacking it so easy? Is it because anyone can rapidly setup a Bitcoin bank without having much security knowledge?

    • vm_bm

Perhaps because banks were around for a little longer than 4 years, like Bitcoin. Perhaps banks spend a little more resources on both physical and information security. Perhaps banks are not really telling everyone when they were robbed. Perhaps even if banks get robbed it does not always get in the news unless it is 1 trillion USD that got vaporised. And yes, perhaps most banks are not being run by 17yo kids out of their mom’s basements.

  • user1234

“Real” banks get hacked as well. They have a lot more money for self-defence though.
