SecurityWeek

Malware & Threats

Bitcoin Exchanges Hit By Hackers

It has been a rough year so far for the world of cryptocurrency.

First it was the collapse of Mt. Gox; now two more bitcoin exchanges say they have been hit by hackers.

According to officials at Poloniex and Flexcoin, attackers recently hit the exchanges and made off with a substantial amount of Bitcoins. As a result of the theft, Flexcoin announced it was shutting down, while Poloniex vowed to recover from the incident and take steps to improve security.

At Flexcoin, officials said that on March 2, hackers stole 896 bitcoins valued at more than $600,000 from its “hot wallet.” To pull off the heist, the attacker created a Flexcoin account. After depositing some bitcoins into it, the attacker exploited a vulnerability in the code that allows transfers between users.

“By sending thousands of simultaneous requests, the attacker was able to ‘move’ coins from one user account to another until the sending account was overdrawn, before balances were updated,” according to the company. “This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.”

“[The hack of] Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago,” Amichai Shulman, Imperva’s CTO, said in a statement. “I think that the story here is not the individual incident or the individual vulnerability but the fact that this has been a repetitive pattern over the past few months.”

“I think that what Bitcoin users are learning now, the hard way, is that there are some benefits to the existing ‘centralized’, regulated financial infrastructure (like supervision and insurance for example),” he said.

Over at Poloniex, the company said an attack March 4 cost users 12.3 percent of their bitcoins. In this case, the attacker took advantage of a vulnerability in the code that takes withdrawals.

“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time,” the company explained in a post on a Bitcoin forum. “This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”

“The major problem here is that the auditing and security features were not explicitly looking for negative balances,” according to the company. “They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8. Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.”

Still, the company noted that it discovered the activity because an existing security feature noticed unusual withdrawal activity and stopped it.

Poloniex said it is committed to repaying the stolen money, and added that the withdrawal daemon now checks for negative balances before processing withdrawals and will freeze any account with a negative balance.

“The next thing that will be done–before markets are unfrozen–is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance,” according to the company. “After that, markets can be unfrozen and withdrawals resumed. Immediately following that, a daemon that will run automated audits on every account will be created, which will alert me of any strange activity and freeze any account with an overage of a balance.”
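The check-then-act flaw and the audit blind spot described above can be reproduced in a few lines. This is an added example, not code from Poloniex or Flexcoin: the SQLite schema, the function names and the whole-unit amounts are assumptions, and the race is simulated deterministically by validating a batch of requests against a single stale balance read.

```python
import sqlite3

def new_ledger():
    """In-memory ledger (constructed sample): 'alice' deposits 2 units."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE txlog (user TEXT, kind TEXT, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('alice', 0)")
    deposit(db, "alice", 2)
    return db

def deposit(db, user, amount):
    db.execute("UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, user))
    db.execute("INSERT INTO txlog VALUES (?, 'deposit', ?)", (user, amount))

def balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

def racy_withdraw_batch(db, user, amounts):
    """Check-then-act: every request is validated against the same stale
    balance before any debit is applied, as with simultaneous requests."""
    seen = balance(db, user)
    approved = [a for a in amounts if a <= seen]
    for a in approved:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (a, user))
        db.execute("INSERT INTO txlog VALUES (?, 'withdrawal', ?)", (user, a))
    return len(approved)

def safe_withdraw(db, user, amount):
    """Check and debit in one atomic statement; debits only if funds suffice."""
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (amount, user, amount))
    if cur.rowcount == 1:
        db.execute("INSERT INTO txlog VALUES (?, 'withdrawal', ?)", (user, amount))
    return cur.rowcount == 1

def sum_audit(db, user):
    """Audit that only checks deposits - withdrawals == balance."""
    net = db.execute(
        "SELECT COALESCE(SUM(CASE kind WHEN 'deposit' THEN amount ELSE -amount END), 0) "
        "FROM txlog WHERE user = ?", (user,)).fetchone()[0]
    return net == balance(db, user)

def negative_balance_audit(db):
    """Accounts a monitoring daemon should freeze."""
    return [r[0] for r in db.execute("SELECT user FROM accounts WHERE balance < 0")]
```

Five simultaneous 2-unit requests against the racy path leave the account at -8 while `sum_audit` still passes; the conditional `UPDATE` lets only the first request through, and `negative_balance_audit` is the check the sum-based audit was missing.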

John Miller, security research manager at Trustwave, told SecurityWeek that attacks against exchanges and other commercial users of cryptocoins such as Bitcoin are expected to rise. 

“Since most of the exchanges and other third party services underlying the crypto currency economy do not function as financial institutions, there is little recourse for users of defunct services,” he said. “Any organization that deals with crypto currency needs to implement security controls on par with other payment methods and take care to address specific concerns brought about by their use of alternative currency. Penetration testing and application assessments are standard testing procedures for companies dealing with payment card information. Companies accepting Bitcoin should be under no less scrutiny.”
