
Flexcoin hacked, Mt. Gox code leaks, but Bitcoin demand still grows

Following a strong rise to prominence in recent months, weaknesses in the anonymous and fairly unregulated virtual currency market are beginning to show.

On the same day that an attacker stole 896 bitcoins from Bitcoin bank Flexcoin, an individual allegedly posted on Pastebin code belonging to Mt. Gox, a Bitcoin exchange that recently filed for bankruptcy in Japan after hacker thieves stole hundreds of thousands of bitcoins from the Tokyo-based company.

“On [Sunday,] Flexcoin was attacked and robbed of all coins in the hot wallet,” according to a notification on the Flexcoin website. “As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.”

It was not a total loss; users who put their coins in cold storage will be relieved to learn that Flexcoin maintained that depository offline and, thus, out of the reach of attackers, according to the notification. The company will transfer those users' coins for free following identity verification.

As of Tuesday, 896 bitcoins were worth just under $600,000; but that may seem like chump change when compared to the 850,000 bitcoins – more than half a billion dollars – that were stolen from Mt. Gox after attackers took advantage of weaknesses in the exchange's computer systems.

Mt. Gox filed for bankruptcy protection in Japan on Friday, and on Sunday, what appears to be roughly 1,700 lines of Mt. Gox code was discovered on Pastebin.

In a Tuesday email correspondence, Frode Nilsen, a developer with five years of experience working on banking applications with money transactions, told SCMagazine.com that there is a good chance this is the authentic Mt. Gox code, or older code no longer in use, because there would be little motivation at this point for someone to fabricate 1,700 lines of code.

Although he only glanced at the code, Nilsen said that the most glaring offense is its vulnerability to a SQL injection attack.

“If this code was exposed directly on the web to the end user, this is a grave and elementary offense,” Nilsen said, pointing to OWASP as a good source for reading up on security principles that should be common for professional developers.

The Mt. Gox incident is a big blow to the reputation of Bitcoin and other similar virtual currencies, but it is not the end, Nilsen said, explaining that there will continue to be demand because of the simplicity, effectiveness and low cost, as well as the anonymity, of the transactions.

“I'm not so sure that the lack of regulations will survive though – and maybe that's a good thing,” Nilsen said.
