Hackers steal $1.2 Million of bitcoins from Inputs.io, a supposedly secure wallet service
Approximately $1.2m worth of bitcoin have been stolen from a wallet service intended to be high-security.
UPDATE (8th November, 13:06 GMT):
In a phone interview with Australia's AM radio show Tradefortress responded to challenges that the theft was 'an inside job', though he insisted that he wouldn't be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit.
When asked about his age, Tradefortress told the publication: "I'm over 18 but not much over."
Tradefortress's public identity remains unknown; however, his reputation on Bitcointalk appears questionable, with at least two members claiming he scammed them by failing to deliver on coding projects for which he had already been paid. He has said that he wishes to retain his anonymity, as he now fears for his safety in light of this recent heist.
Tradefortress also runs coinchat.com as well as coinlenders.com.
Tradefortress, the developer behind bitcoin web wallet Inputs.io, released a statement on his website today, after being forced to close it down in the aftermath of a major hacking incident, saying:
"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."
Inputs.io, which was intended to be a high-security bitcoin web wallet, was apparently hacked on the 23rd of October, when thieves stole bitcoins worth over $1.2m at current BPI prices. The statement, published this morning, continues:
"Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.
"Database access was also obtained; however, passwords are securely stored and are hashed on the client. If you stored more than 1 BTC, send an email to email@example.com with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store bitcoins on an internet connected device, regardless if it is your own or a service's.
"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."
According to Hacker News, just as in the Bitfloor theft, in which 24,000 BTC were stolen, the bitcoins were taken from the website's 'hot wallet', an online wallet that has to stay connected in order to process live withdrawals. However, it seems as if Inputs.io was keeping most, if not all, of its coins online, whereas other services often keep as much as 80% offline.
Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet.
In contrast to a service like Blockchain.info (which, although generally thought of as safe, still suffered a security issue back in August), Inputs.io is a shared wallet that manages its users' balances and holds their private keys, giving the service full access to all the bitcoins stored with it.
Blockchain.info account access is secured by an identifier/alias, password combination and two-factor authentication and is generally thought of as secure. However, as with any technology, nothing is foolproof. According to Bitcoin Talk forum user ‘masteroflove’:
Questions are now being asked publicly about Inputs.io's main developer Tradefortress, who, while still not widely known in public, claims to have a deep understanding of the complexities of security procedures for bitcoin wallets.
When CoinDesk approached Tradefortress for comment he informed us that "the attacker was able to compromise older email accounts which were easily reset as they didn't have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host's side."
He continued: "We don't use client-side encryption; that's hardly foolproof and gives people a false sense of security."
When queried over how much Inputs.io will be able to reimburse users he responded somewhat obscurely: "[We'll be able to refund] as much as 100%. For Inputs it is solely based on the amount. 1 BTC at the current sliding scale would be 74%, 2 BTC 65%... This figure is not final, and if we have leftover coins we'll be able to refund more."
In other words: if you had less than 1 BTC on Inputs you should get it back, otherwise, be prepared to take a haircut.