Europe's primary bitcoin payment processor for merchants and free online wallet service, BIPS, was the target of a major DDoS attack and subsequent theft in the past few days that saw 1,295 BTC (just over $1m on CoinDesk's BPI) stolen.
Kris Henriksen, BIPS' CEO, said most of the missing funds were "from the company's own holdings". BIPS uses an algorithm, based on supply and demand, to work out the amount of bitcoins it needs to keep it in a 'hot wallet'. The heist, however, was apparently not due to any vulnerability in the code itself.
He also said merchants who had chosen to instantly convert their bitcoin to fiat currency bank accounts were not affected.
The Copenhagen, Denmark-based company was targeted on 15th November by a massive DDoS attack. Then on 17th November, it was followed up by a subsequent attack that disabled the site and "overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers".
"Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets," the company said in a written statement.
BIPS believes the two attacks were connected, and at least the initial DDoS attack was "found to originate from Russia and neighboring countries". The company moved fast to restore full merchant payment and transfer services by 19th November, but disabled all wallet functions in order to complete a full forensic analysis. Its help desk also went down for a few days, but was restored on 22nd November.
Henriksen stressed that merchant processing "was restored very quickly, and if you had auto-convert on, there is nothing to worry about".
BIPS' official statement on its site read:
To protect the successful merchant processing business, BIPS has decided to temporarily close down its consumer wallet initiative.
BIPS has been a target of a coordinated attack and subsequent security breached. Several consumer wallets have been compromised and BIPS will be contacting the affected users.
As a consequence BIPS will temporarily close down the wallet initiative to focus on real-time merchant processing business which does not include storing of bitcoins. Subsequently BIPS will consider to reintroduce the wallet initiative with a re-architected security model.
The consumer wallet initiative has not been BIPS' core business and, as such, regrettably affecting several users has not affected BIPS merchant acquiring.
All existing users will be asked to transfer bitcoins to other wallet solutions, and users affected by the security breach will be contacted.
Restoration of merchant services did little to comfort individual wallet owners, though. On the Bitcoin Talk forum, several users voiced anger at the prospect of losing their funds, and what they saw as unclear statements from BIPS about exactly what had been stolen, from whom, and how much.
One member even created a 'bips.me potential lawsuit signup form' for users to input their contact details and number of bitcoins missing, in an effort to prompt a negotiated solution.
Though the attack and theft highlights problems that some online wallet services have faced with security, it is significant given BIPS' comparatively large user base and prominence in the market. As well as online accounts, BIPS had also offered a paper wallet function for those wishing for a safer long-term storage solution.