Hackers steal $1.2 Million of bitcoins from Inputs.io, a supposedly secure wallet service
Published on November 7, 2013 at 14:22 GMT
UPDATE (8th November, 13:06 GMT):
In a phone interview with Australia's AM radio show, Tradefortress responded to claims that the theft was 'an inside job', though he insisted that he wouldn't be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit.
When asked about his age, Tradefortress told the publication: "I'm over 18 but not much over."
Tradefortress's public identity still remains unknown; however, his reputation on Bitcointalk seems to be questionable, with at least two members claiming he scammed them by failing to deliver on coding projects he had already been paid for. He has said that he wishes to retain his anonymity as he now fears for his safety in light of this recent heist.
Tradefortress also runs coinchat.com as well as coinlenders.com.
Tradefortress, the developer behind bitcoin web wallet Inputs.io, released a statement on his website today, after being forced to close it down in the aftermath of a major hacking incident, saying:
"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."
Inputs.io, which was intended to be a high-security bitcoin web wallet, was apparently hacked on the 23rd of October, when thieves stole bitcoins worth over $1.2m at current BPI prices. The statement, published this morning, continues:
“Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.
"Database access was also obtained, however passwords are securely stored and are hashed on the client.
"If you stored more than 1 BTC, send an email to [email protected] with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store bitcoins on an internet connected device, regardless if it is your own or a service's.
"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.”
According to Hacker News, just as in the Bitfloor theft, in which 24,000 BTC were stolen, the bitcoins were stolen from the website's 'hot wallet' - an online wallet which has to stay operational to process live withdrawals. However, it seems as if Inputs.io was keeping most if not all of its coins online, whereas other services often keep as much as 80% offline in cold storage.
Inputs.io says that although the hack took place on October 23rd, even users who deposited after that date are not safe, because other users were able to make withdrawals from the shared wallet.
In contrast to a service like Blockchain.info (which, although generally thought of as safe, still suffered a security issue back in August), Inputs.io is a shared wallet that manages its users' balances and holds their private keys, giving the service full access to all the bitcoins stored with it.
Blockchain.info account access is secured by an identifier/alias, password combination and two-factor authentication and is generally thought of as secure. However, as with any technology, nothing is foolproof. According to Bitcoin Talk forum user ‘masteroflove’:
Questions are now being asked publicly about Inputs.io's main developer Tradefortress, who, whilst still not widely known in public, claims to have a deep understanding of the complexities of security procedures for bitcoin wallets.
When CoinDesk approached Tradefortress for comment, he informed us that "the attacker was able to compromise older email accounts which were easily reset as they didn't have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtain shell access after bypassing two-factor authentication on the host's side."
He continued: "We don't use client-side encryption; that's hardly foolproof and gives people a false sense of security."
When queried over how much Inputs.io will be able to reimburse users he responded somewhat obscurely: "[We'll be able to refund] as much as 100%. For Inputs it is solely based on the amount. 1 BTC at the current sliding scale would be 74%, 2 BTC 65%... This figure is not final, and if we have leftover coins we'll be able to refund more."
In other words: if you had less than 1 BTC on Inputs you should get it back, otherwise, be prepared to take a haircut.
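The chain described in the statement and the interview (an old mailbox with no recovery phone resetting a newer one, which in turn resets the hosting account) is a dependency a defender can audit before an attacker walks it. The following is an added example, not Inputs.io's code or anything from the original report: it models a constructed account inventory and walks each critical account's recovery path to find the entry points that lack a second recovery factor. The account names, the `phone` flag and the inventory itself are assumptions.

```python
# Constructed inventory (assumption): each account lists which accounts can
# reset its password, whether a phone/second factor guards that reset, and
# whether it is critical (here, the hosting account that holds the hot wallet).
ACCOUNTS = {
    "hosting":      {"recovers_via": ["mail-new"],     "phone": True,  "critical": True},
    "mail-new":     {"recovers_via": ["mail-old"],     "phone": True,  "critical": False},
    "mail-old":     {"recovers_via": ["mail-ancient"], "phone": False, "critical": False},
    "mail-ancient": {"recovers_via": [],               "phone": False, "critical": False},
    "github":       {"recovers_via": ["mail-new"],     "phone": True,  "critical": False},
}


def recovery_paths(accounts, target):
    """Every chain [root, ..., target] in which each account can reset the next one.

    Follows the recovers_via edges backwards from the target until an account
    with no further recovery option is reached; cycles are skipped.
    """
    paths = []

    def walk(name, chain):
        parents = accounts[name]["recovers_via"]
        if not parents:
            paths.append(list(reversed(chain)))
        for parent in parents:
            if parent in chain:  # guard against cyclic recovery setups
                continue
            walk(parent, chain + [parent])

    walk(target, [target])
    return paths


def unguarded_links(accounts, path):
    """Accounts on the path whose reset is not protected by a second factor."""
    return [name for name in path if not accounts[name]["phone"]]


def audit(accounts):
    """Map each critical account to its recovery paths that contain an unguarded link.

    A finding means: resetting the first listed weak account is enough to start
    a chain of resets that ends at the critical account.
    """
    findings = {}
    for name, acct in accounts.items():
        if not acct["critical"]:
            continue
        for path in recovery_paths(accounts, name):
            weak = unguarded_links(accounts, path)
            if weak:
                findings.setdefault(name, []).append((path, weak))
    return findings
```

Adding a phone or hardware factor to every account on the path, or cutting the old mailbox out of the chain entirely, empties the findings; that is the mitigation the audit points at.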