The company confirmed on Tuesday that hackers had stolen 896 Bitcoins, the equivalent of approximately £365,000.
“On 2 March Flexcoin was attacked and robbed of all coins in the hot wallet,” the company wrote on its website. “The attacker made off with 896 BTC, dividing them into these two addresses: 1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu [and] 1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6.”
“As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately. Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge.”
Interestingly, the firm added that cold storage coins were held offline and were “not within reach of the attacker”. It is currently looking to work with law enforcement agencies to trace the source of the hack.
This news comes just six days after Flexcoin was boasting about the closure of MtGox, another Bitcoin exchange which had to close after hackers stole 750,000 bitcoins by exploiting a bug known as “transaction malleability”.
“We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything,” the firm tweeted on 25th February.
Other Bitcoin services such as Bitcoinica, Inputs.io and MyBitcoin have all been hacked and lost currency in recent times, while Poloniex confessed on Tuesday that 12.3 percent of its reserves had been stolen by hackers.
“I sincerely apologise for this,” said the company owner in a statement, “and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.”
In response to the news, Dell SecureWorks CTU director of malware analysis Joe Stewart told SCMagazineUK.com that the trend of attackers stealing from Bitcoin merchants is likely to continue, but could subside as the ecosystem wises up to security measures.
“This has definitely been happening for a while; web wallet services like Flexcoin - and plenty of others - have been hacked,” said Stewart, who recommends that users keep control of private Bitcoin keys on other computing devices, and away from web and desktop wallets that can be susceptible to malware attacks.
“The attacks will increase…it's a way to make money. People are not familiar with the best practices yet, and that's unlikely to happen before mainstream adoption.”
Neohapsis researcher Joe Schumacher said that this is further proof that cryptography is “notoriously difficult” to get right and told SCMagazineUK.com that “transaction malleability” – a technique recently used for the MtGox attack – is increasingly the method of choice for attackers to exfiltrate Bitcoins.
“The attack requires technical savviness as well as a social engineering component. In simple terms - the attacker captures and modifies a bitcoin transaction in a manner that confuses the exchange/bank. The attacker then contacts the exchange to state the transaction did not process and get the exchange to issue another transaction”, he told SCMagazineUK.com.
“It is doubtful that this vulnerability/gap caused big players to fail. It is an attack that takes time and should be caught by the exchanges. It would take a long time to milk 100+ thousand bitcoins as large transactions would catch the eye of the exchange. Also most exchanges should be well aware of this attack and recognise social engineering attempts to finalise the exploit.”
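The check Schumacher says exchanges should be making can be sketched in code. This is an added example, not from the article or any exchange's code base. A Bitcoin transaction ID is a double SHA-256 over the whole transaction, signature bytes included, so the same payment can confirm under an ID the sender never recorded. The transaction encoding is a simplified stand-in, and all names, addresses and byte values are constructed for illustration.

```python
import hashlib

def dsha(data: bytes) -> str:
    """Double SHA-256, hex encoded (the hash Bitcoin uses for transaction IDs)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    """ID over the full transaction, signature bytes included (simplified encoding)."""
    parts = [f"{prev}:{n}:{sig.hex()}" for prev, n, sig in tx["inputs"]]
    parts += [f"{addr}={amount}" for addr, amount in tx["outputs"]]
    return dsha("|".join(parts).encode())

def payment_key(tx: dict) -> str:
    """ID over which coins were spent and who was paid, ignoring signature bytes."""
    parts = [f"{prev}:{n}" for prev, n, _sig in tx["inputs"]]
    parts += [f"{addr}={amount}" for addr, amount in tx["outputs"]]
    return dsha("|".join(parts).encode())

def seen_by_txid(sent: dict, confirmed: list) -> bool:
    """Naive reconciliation: look for the exact ID that was broadcast."""
    return txid(sent) in {txid(c) for c in confirmed}

def safe_to_reissue(sent: dict, confirmed: list) -> bool:
    """Refuse a re-send if the same payment confirmed under any ID."""
    return not any(payment_key(c) == payment_key(sent) for c in confirmed)

# Constructed sample data: the withdrawal the exchange broadcast ...
SENT = {
    "inputs": [("aa" * 32, 0, bytes.fromhex("3044aa"))],
    "outputs": [("customer-address-placeholder", 150_000_000)],
}
# ... the same payment as it confirmed, with different signature bytes ...
ON_CHAIN = {
    "inputs": [("aa" * 32, 0, bytes.fromhex("3045bb"))],
    "outputs": [("customer-address-placeholder", 150_000_000)],
}
# ... and an unrelated confirmed transaction.
UNRELATED = {
    "inputs": [("cc" * 32, 1, bytes.fromhex("3044dd"))],
    "outputs": [("other-address-placeholder", 20_000_000)],
}

if __name__ == "__main__":
    chain = [UNRELATED, ON_CHAIN]
    print("found by txid:   ", seen_by_txid(SENT, chain))
    print("safe to re-issue:", safe_to_reissue(SENT, chain))
```

A support workflow built on `seen_by_txid` alone would treat the withdrawal as failed; keying on spent inputs and paid outputs shows the customer was already paid.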
Schumacher added that Bitcoin suffers as a result of having no regulatory requirements.
“There are no regulatory requirements for bitcoin and exchanges can operate by the seat of their pants,” he told SCMagazineUK.com. While this is not a good business practice, an exchange could open with no sound security controls or processes around the business. People storing their coins in an online wallet have no guarantee for security as there is no way to see/audit the storage business.
“In simplest of terms, this would be similar to opening a bank with millions in deposits but have no locks on the front door and everyone using the same credential.”