Bitcoin Payment Processor BIPS Attacked, Over $1 Million Stolen

Payment processor and free online wallet service BIPS suffered a major attack that saw 1,295 BTC (over $1m) stolen.

AccessTimeIconNov 25, 2013 at 9:59 a.m. UTC
Updated Sep 14, 2021 at 2:10 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Europe’s primary bitcoin payment processor for merchants and free online wallet service, BIPS, was the target of a major DDoS attack and subsequent theft in the past few days that saw 1,295 BTC (just over $1m on CoinDesk’s BPI) stolen.

Kris Henriksen, BIPS’ CEO, said most of the missing funds were “from the company’s own holdings”. BIPS uses an algorithm, based on supply and demand, to work out the amount of bitcoins it needs to keep it in a ‘hot wallet’. The heist, however, was apparently not due to any vulnerability in the code itself.

He also said merchants who had chosen to instantly convert their bitcoin to fiat currency bank accounts were not affected.

Theft

The Copenhagen, Denmark-based company was targeted on 15th November by a massive DDoS attack. Then on 17th November, it was followed up by a subsequent attack that disabled the site and “overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers”.

“Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets," the company said in a written statement.

BIPS believes the two attacks were connected, and at least the initial DDoS attack was “found to originate from Russia and neighboring countries”. The company moved fast to restore full merchant payment and transfer services by 19th November, but disabled all wallet functions in order to complete a full forensic analysis. Its help desk also went down for a few days, but was restored on 22nd November.

Investigation

Under BIPS’ privacy policy, it is not allowed to disclose users’ information to anyone, even the authorities. They will now set up a system for affected wallet users to voluntarily sign the required permission documents, to engage in a more thorough investigation with law enforcement to track down the culprits.

Henriksen stressed that merchant processing “was restored very quickly, and if you had auto-convert on, there is nothing to worry about”.

BIPS’ official statement on its site read:

To protect the successful merchant processing business, BIPS has decided to temporarily close down its consumer wallet initiative.

BIPS has been a target of a coordinated attack and subsequent security breached. Several consumer wallets have been compromised and BIPS will be contacting the affected users.

As a consequence BIPS will temporarily close down the wallet initiative to focus on real-time merchant processing business which does not include storing of bitcoins. Subsequently BIPS will consider to reintroduce the wallet initiative with a re-architected security model.

The consumer wallet initiative has not been BIPS' core business and, as such, regrettably affecting several users has not affected BIPS merchant acquiring.

All existing users will be asked to transfer bitcoins to other wallet solutions, and users affected by the security breach will be contacted.

Restoration of merchant services did little to comfort individual wallet owners, though. On the Bitcoin Talk forum, several users voiced anger at the prospect of losing their funds, and what they saw as unclear statements from BIPS about exactly what had been stolen, from whom, and how much.

One member even created a ‘bips.me potential lawsuit signup form’ for users to input their contact details and number of bitcoins missing, in an effort to prompt a negotiated solution.

Though the attack and theft highlights problems that some online wallet services have faced with security, it is significant given BIPS’ comparatively large user base and prominence in the market. As well as online accounts, BIPS had also offered a paper wallet function for those wishing for a safer long-term storage solution.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.