Coinapult, the service which allows users to secure the value of their bitcoins in fiat, has been hacked to the tune of 150 bitcoins, roughly $43,000 USD. Access to the site was disabled on Tuesday while staff investigated the breach, which they believe may have roots in an outage at their data center last Friday.
The site disabled withdrawals and posted the following notice around noon CST on St. Patrick's Day.
The Panama-based service has never been available to US users, so CCN was unable to verify whether users were still able to log in and view balances or not. As the notice states, withdrawals were currently disabled. No details were released on how the company, founded by SatoshiDice veteran Erik Vorhees and Ira Miller in 2012, plans to reimburse whomever's coins have been lost. Being that it is a relatively small amount of money for a company of this size, this is probably the least of the problems.
The biggest problem is determining how and potentially who conducted the successful hack. The coins were transferred several hours prior to the service halt on Tuesday morning.
Funds Have Yet to Move
The funds were transferred to 12LszeXACdj9bdETzv8BkXyWeabZ1151aA and had yet to move from that address. According to a document made public by the firm, the hack may have been in progress for as long as two weeks, and the outage that took place over the weekend and subsequent plans to move data services elsewhere may have been incentive for the attacker to act quickly.
GP [Coinapult CTO] created and emailed Justin, Ira, and Zach a plan to transition all IT services to different servers outside of the data center. This may have been a last chance notice for the attacker, as their penetration work would be undone in the transfer.
The coins still sitting in the initial destination address is interesting. In the Bter hack, for instance, the stolen coins were immediately forwarded on to other addresses. It could be indicative of a well-intentioned hacker who intends to return the coins. It could be indicative of a hacker who intends to blackmail the site for the return of the coins, in exchange for something else. Or it could just be the hacker hasn't decided where to send them or what to do with them yet. Little is known in this department, other than the public address.
Possibility of a Physical Hack Being Investigated
When Mt. Gox went down, Mark Karpeles claimed that physical breaches of the data center where they hosted their services had also happened. While the scope of the Coinapult hack is nothing like the still-unresolved large-scale theft of Mt. Gox holdings, the team is nevertheless looking into the possibility of a physical hack having taken place. From the information sheet:
While we are moving the hardware out of the data center, we will ask for access logs and/or surveillance footage relevant to our situation. In addition, we will gather more information about the March 13th outage they experienced.
CCN will keep you updated with any relevant details as they become available, such as how the 150 missing BTC ends up being replaced and what measures are taken to ensure that such a hack is not repeated in the future.
As time goes on, it seems that every major player in the Bitcoin space either has been hacked or will be hacked, and while the result is smarter security practices and more aware Bitcoin users, the hacks have a serious effect on consumer confidence. Imagine stealing a million dollars in gift cards in such a way that the gift card issuer had to close its doors, and you get the picture as to why these hacks actually provide no real benefit for anyone.
Last modified (UTC): March 18, 2015 9:31 AM