Flexcoin Hot Wallet Hack: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/flexcoinhotwallethack.php}} Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin. While hackers of course got into the hot wallets, all customers who had utilized the available cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assis...") |
(Prevention) |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}}[[File:Flexcoin.jpg|thumb|Flexcoin Logo/Homepage]]Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin. The platform had an issue where submitting multiple withdrawal requests close together could allow the user to withdraw more funds than they had. On March 2nd, 2014, a hacker exploited this bug to steal all of the wallet funds. Only customers who had utilized the available cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assist the hot wallet users, however at least they were quick about it. | ||
<ref name="kylegibson-86" /><ref name="bitcointalklist-87" /><ref name="businessinsider-190" /><ref name="theguardian-191" /><ref name="hackingdistributed-193" /><ref name="reuters-194" /> | |||
== About Flexcoin == | == About Flexcoin == | ||
Flexcoin was a bitcoin storage service based in Alberta, Canada<ref name="coindesk-189" />. Flexcoin presented itself as the solution to a major problem with Bitcoin by offering a centralized platform for managing bitcoins across various devices<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. Traditionally, bitcoins are only accessible from the device they were initially received on, limiting their usability<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. With Flexcoin, users can access their bitcoins from any web-connected device, enabling easy transactions and payments without technical expertise<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. Flexcoin described themselves as the world's first bitcoin bank, allowing users to send and receive bitcoins seamlessly<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. | |||
By centralizing bitcoin storage and offering accessibility from any web-connected device, Flexcoin promised to revolutionize how bitcoins are managed and utilized<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. Additionally, Flexcoin rewarded users with "discount payments" on positive bitcoin balances, further positioning itself as a leader in bitcoin banking<ref name=":0">[https://web.archive.org/web/20140221132733/http://flexcoin.com/ Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST] (Accessed Feb 28th, 2024)</ref>. | |||
Flexcoin had previously emphasized the security of its bitcoin storage practices, asserting that it held zero coins in other companies or exchanges<ref name="coindesk-189" />. This stance aimed to differentiate Flexcoin from other electronic wallet providers, with the company incentivizing users to keep their bitcoin balances on its platform<ref name="coindesk-189" />. | |||
One of Flexcoin's key features was its emphasis on security, implementing a ZERO link policy in emails to prevent phishing attempts<ref name=":0" />. The Flexcoin homepage described Flexcoin as "a leader in bitcoin security"<ref name=":0" />.<blockquote>Flexcoin is also a leader in bitcoin security, for example Flexcoin is the first to implement a ZERO link policy in e-mails. No e-mail sent from Flexcoin contains a link or image. If you receive one that does, it's a phishing attempt.</blockquote>Flexcoin emphasized their independence from third parties<ref name=":3">[https://twitter.com/flexcoin/status/438355933777756160 Flexcoin - "We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything." - Twitter] (Accessed Mar 4, 2024)</ref>.<blockquote>“We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything.”</blockquote>Homepage: <ref name=":0" /> | |||
== The Reality == | |||
Despite branding itself as the "first bitcoin bank," Flexcoin clarified that it was not legally classified as such<ref name="coindesk-189" /><ref name=":0" />. Flexcoin noted on their homepage that they do not accept traditional currencies and are not regulated by government entities like FDIC<ref name=":0" />.<blockquote>Legal Notice: We are not a true bank that accepts USD or any national currency, only bitcoins which by their nature are not regulated, we're not FDIC insured or regulated by any government entity.</blockquote>Flexcoin stored all user funds in the same hot wallet to allow for fast withdrawals. With the exception of users who had specifically opted for a premium version of the service, none of the user funds were stored offline. It is not believed that any funds were protected by a multi-signature wallet. | |||
A bug existed on the Flexcoin platform where transfers between accounts could be conducted multiple times before balances were updated<ref name="reuters-194" />. The sending accounts would have their balance decrease well below zero, while the recipient account balance would increase<ref name="reuters-194" />. A large balance could be built up within the recipient account by repeatedly sending transfer requests to that account<ref name="reuters-194" />. The recipient could then withdraw the extra funds<ref name="reuters-194" />. | |||
Shortly after Mt. Gox, Flexcoin announced that they had "not lost anything". This tweet announced that their hot wallet was still full<ref name=":3" />. | |||
== What Happened == | == What Happened == | ||
The | The Flexcoin wallets were emptied out by a hacker exploiting the account transfer bug with thousands of simultaneous requests that had a total value of 896 bitcoin. | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Flexcoin Hot Wallet Hack | |+Key Event Timeline - Flexcoin Hot Wallet Hack | ||
| Line 44: | Line 27: | ||
!Description | !Description | ||
|- | |- | ||
| | |February 25th, 2014 9:52:00 AM MST | ||
| | |Mt. Gox Unaffected | ||
| | |Flexcoin assured users that it remained unaffected by the closure of Mt. Gox, asserting that it had not incurred any losses due to the latter's shutdown<ref name="reuters-194" /> and emphasizing holding no coins in other companies<ref name=":3" />. "We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything."<ref name=":3" /> | ||
|- | |- | ||
| | |March 2nd, 2014 5:15:12 AM MST | ||
| | |Hacker Withdraws 840 Bitcoin | ||
| | |The three largest blockchain transactions happen within the same bitcoin block, withdrawing 500 bitcoin<ref name=":1">[https://www.blockchain.com/explorer/transactions/btc/a1b887233c06490fbdeb2c8779fd47e1f93a68d16928766d45879dcfc39571e2 Hacker Withdrawal of 500 Bitcoin - Blockchain.com] (Accessed Mar 1, 2024)</ref> and 90 bitcoin<ref>[https://www.blockchain.com/explorer/transactions/btc/e03686a33aacbd462cb0a64345513dfb6c20a442a4cc651e5e2eaeca54bfe0f7 Hacker Withdrawal of 90 BTC - Blockchain.com] (Accessed Mar 4, 2024)</ref> from Flexcoin to the first wallet, and another 250 bitcoin<ref>[https://www.blockchain.com/explorer/transactions/btc/00e2b00fb3c5cf2edb71c8f4a856111e614c3681503c583eab84cd67a2850ef9 Hacker Withdrawal of 250 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref> from Flexcoin to the second wallet. | ||
|- | |- | ||
| | |March 2nd, 2014 5:18:16 AM MST | ||
| | |Hacker Withdraws 50.1 Bitcoin | ||
| | |The hacker withdraws a total of 50.1 bitcoin in 3 more transactions<ref>[https://www.blockchain.com/explorer/transactions/btc/b21e9bee8a9bfe040b8bfde23c6ba26e345b22581cb96f5af8b6fcbf6579a075 Hacker Withdrawal Of 32 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref><ref>[https://www.blockchain.com/explorer/transactions/btc/fde8ae93bb8fe82583dd9bc94528b07eebddf7257d30b7d25a1e4726948fa466 Hacker Withdrawal of 16 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref><ref>[https://www.blockchain.com/explorer/transactions/btc/4811e548e7f2cb3785c30daecafcb4bffa239da7228a13ee48f1226f179f0cec Hacker Withdrawal of 2.1 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref>. | ||
|- | |||
|March 2nd, 2014 5:21:04 AM MST | |||
|Hacker Withdraws 6 Bitcoin | |||
|The hacker withdraws a further 6 bitcoin in 2 more transactions<ref>[https://www.blockchain.com/explorer/transactions/btc/ebc684fd60f537d26fb82e26aeb4e2f00bf570ca1fd2eb2052eb10487be465ee Hacker Withdrawal of 2 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref><ref>[https://www.blockchain.com/explorer/transactions/btc/90908281e8a6039569e83c6b28b3a8ea582c6d9b9bd58f66962bca6918c49e1d Hacker Withdrawal of 4 Bitcoin - Blockchain.com] (Accessed Mar 4, 2024)</ref>. These would be the last known withdrawals of the attacker. | |||
|- | |||
|March 4th, 2014 12:52:00 AM MST | |||
|Flexcoin Shutdown Tweet | |||
|Flexcoin announces on Twitter that they will be shutting their doors<ref>[https://twitter.com/flexcoin/status/440756584386269184 Flexcoin - "Flexcoin will be shutting its doors. Flexcoin.com" - Twitter] (Accessed Mar 4, 2024)</ref>. | |||
|- | |||
|March 4th, 2014 9:07:00 AM MST | |||
|CoinDesk Article Published | |||
|CoinDesk reports on Flexcoin announcing its closure after falling victim to the cyberattack. Losses are mentioned as 896 BTC, valued at roughly $600,000. The company disclosed the theft on its homepage and conceded that it lacked the resources to recover from the significant loss, leading to the immediate cessation of its operations. Flexcoin has already provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities. | |||
|- | |||
|March 5th, 2014 1:33:00 AM MST | |||
|Reuters Article Published | |||
|Reuters reports high level details of the attack method<ref name="reuters-194" />. An update from Flexcoin revealed that the attack exploited a flaw in its code related to transfers between users, involving inundating the system with simultaneous requests to move coins between accounts<ref name="reuters-194" />. Despite the company's efforts to maintain server security, including regular testing and repelling thousands of attacks over the years, these measures proved insufficient in preventing the breach<ref name="reuters-194" />. Flexcoin emphasized its collaboration with law enforcement agencies to trace the source of the hack and announced its intention to return bitcoins stored offline, or in "cold storage," to users<ref name="reuters-194" />. Cold storage, being offline and inaccessible via the internet, offers greater security against hacking attempts. Bitcoin, a digital currency traded on a peer-to-peer network independent of central control, experienced a surge in value the previous year, with the total worth of bitcoins minted reaching approximately $7 billion<ref name="reuters-194" />. According to Bitstamp, a leading bitcoin exchange, the value of a single bitcoin was around $658 at the time of the announcement<ref name="reuters-194" />. | |||
|} | |} | ||
== Technical Details == | |||
The attack on Flexcoin exploited a flaw in its code related to transfers between users, involving a flood of simultaneous requests to transfer coins between accounts. Despite the company's efforts to maintain server security through regular testing and repelling numerous attacks over the years, it proved insufficient in preventing this breach<ref name="reuters-194" />.<blockquote>“The site was itself broken from the ground up. The hackers simply got it to do what it was programmed to do, a lot faster than normal.”</blockquote> | |||
=== Technical Analysis On Flexcoin Homepage === | |||
FlexCoin published an analysis on their homepage of the attacker's activity<ref name=":2">[https://web.archive.org/web/20140309213800/http://flexcoin.com/ Flexcoin Homepage Archive March 9th, 2014 3:38:00 PM MDT] (Accessed Mar 1, 2024)</ref>.<blockquote>The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy | |||
The coins were then left to sit until they had reached 6 confirmations. | |||
The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated. | |||
This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.</blockquote> | |||
=== Blockchain Transactions/Addresses === | |||
“Flexcoin also provided the wallet addresses of the alleged hackers. The largest wallet of which received 592.1 BTC from the breach, while the smaller of the two held at one point 304 BTC supposedly taken from the website.” | |||
Attacker addresses<ref name=":2" />: | |||
1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu | |||
* Total received: 592.1 BTC in 3 transactions. | |||
1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6 | |||
* Total received: 304 BTC in 5 transactions. | |||
Transaction example:<ref name=":1" /> | |||
== Total Amount Lost == | == Total Amount Lost == | ||
Losses are mentioned by CoinDesk as 896 BTC, valued at roughly $600,000<ref name="coindesk-189" />. | |||
The total amount on the blockchain is 896.1 BTC. | |||
“Flexcoin also provided the wallet addresses of the alleged hackers. The largest wallet of which received 592.1 BTC from the breach, while the smaller of the two held at one point 304 BTC supposedly taken from the website.” | |||
The total amount lost has been estimated at $600,000 USD. | |||
== Immediate Reactions == | == Immediate Reactions == | ||
Flexcoin announced its closure following the loss. The company revealed that all 896 bitcoins stored online were stolen, prompting its immediate shutdown<ref name="reuters-194" /><ref name="coindesk-189" />. Flexcoin announced their closure and provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts<ref name="coindesk-189" />. | |||
The incident occurred shortly after the bankruptcy filing of Mt. Gox, once the leading bitcoin exchange globally, which reported the potential loss of around 850,000 bitcoins to hacking<ref name="reuters-194" />. Flexcoin clarified that it remained unaffected by Mt. Gox's closure, asserting that it had not incurred any losses from that incident<ref name="reuters-194" />. Flexcoin cited its lack of resources to recover from the significant loss as the reason for its closure, acknowledging that it could not withstand the financial impact<ref name="reuters-194" /><ref name="coindesk-189" />. | |||
Flexcoin stated its collaboration with law enforcement agencies to trace the origin of the hack and pledged to return bitcoins stored offline, known as "cold storage," to its users. Cold storage coins, held in computers disconnected from the internet, are considered more secure against hacking attempts<ref name="reuters-194" />. | |||
Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities<ref name="coindesk-189" />.<blockquote>“As Flexcoin does not have the resources, assets or otherwise to come back from this loss, we are closing our doors immediately.”</blockquote> | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
<ref name="kylegibson-86" /> | |||
The incident was featured in the Bitcoin Exchange Guide<ref name="bitcoinexchangeguide-218" />. | |||
The cyberattack and subsequent theft served to underscore long-standing concerns within the bitcoin community regarding the security of wallet storage services like Flexcoin<ref name="coindesk-189" />. | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
Only funds held in a special "cold storage" wallet were returned. Users who kept their funds in cold storage were required to pay a 0.5% fee. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities<ref name="coindesk-189" />. | |||
Flexcoin conceded that it lacked the resources to recover the significant amount of funds lost, leading to the immediate cessation of its operations<ref name="coindesk-189" />. | |||
“Flexcoin held some bitcoins in “cold storage”, keeping them on devices not connected to the internet. Those bitcoins are safe, but only users who explicitly requested their bitcoins be held in cold storage (and paid a 0.5% fee) benefit.” “Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. All other users will be directed to Flexcoin's "Terms of service" located at "Flexcoin.com/118.html" a document which was agreed on, upon signing up with Flexcoin.” | |||
== Ongoing Developments == | == Ongoing Developments == | ||
Flexcoin provided the wallet addresses of the alleged hackers. It is not clear what tracing has been done on those funds. | |||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Avoid Third Party Custodians}} | |||
{{Prevention:Individuals:Store Funds Offline}} | |||
{{Prevention:Individuals:End}} | |||
== Prevention Policies == | == Platform Prevention Policies == | ||
Making multiple transfers quickly is a common platform vulnerability, which should have been tested against. The Flexcoin platform could also have significantly reduced the amount which could be taken by storing most funds offline and protecting them with a multi-signature wallet. | |||
{{Prevention:Platforms:Regular Audit Procedures}} | |||
{{Prevention:Platforms:Implement Multi-Signature}} | |||
{{Prevention:Platforms:Establish Industry Insurance Fund}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Platform Security Assessments}} | |||
{{Prevention:Regulators:Establish Industry Insurance Fund}} | |||
{{Prevention:Regulators:End}} | |||
[https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com] (Mar | == References == | ||
<references> | |||
<ref name="kylegibson-86">[https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson] (Jan 25, 2020)</ref> | |||
<ref name="bitcointalklist-87">[https://bitcointalk.org/index.php?topic=576337 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk] (Feb 15, 2020)</ref> | |||
<ref name="coindesk-189">[https://www.coindesk.com/bitcoin-bank-flexcoin-close-600000-bitcoin-theft Bitcoin Bank Flexcoin to Close After $600k Bitcoin Theft - CoinDesk] (Feb 29, 2020)</ref> | |||
<ref name="businessinsider-190">[https://www.businessinsider.com/flexcoin-2014-3 Flexcoin - Business Insider] (Mar 1, 2020)</ref> | |||
<ref name="theguardian-191">[https://www.theguardian.com/technology/2014/mar/04/bitcoin-bank-flexcoin-closes-after-hack-attack Bitcoin bank Flexcoin closes after hack attack - The Guardian] (Mar 1, 2020)</ref> | |||
<ref name="hackingdistributed-193">[https://hackingdistributed.com/2014/04/06/another-one-bites-the-dust-flexcoin/ NoSQL Meets Bitcoin and Brings Down Two Exchanges: The Story of Flexcoin and Poloniex - Hacking Distributed] (Mar 1, 2020)</ref> | |||
<ref name="reuters-194">[https://www.reuters.com/article/us-bitcoin-flexcoin/bitcoin-bank-flexcoin-shuts-down-after-theft-idUSBREA2329B20140304 Bitcoin bank Flexcoin shuts down after theft - Reuters] (Mar 1, 2020)</ref> | |||
<ref name="bitcoinexchangeguide-218">[https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com] (Mar 5, 2020)</ref> | |||
</references> | |||
Latest revision as of 12:27, 4 March 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin. The platform had an issue where submitting multiple withdrawal requests close together could allow the user to withdraw more funds than they had. On March 2nd, 2014, a hacker exploited this bug to steal all of the wallet funds. Only customers who had utilized the available cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assist the hot wallet users, however at least they were quick about it.
About Flexcoin
Flexcoin was a bitcoin storage service based in Alberta, Canada[7]. Flexcoin presented itself as the solution to a major problem with Bitcoin by offering a centralized platform for managing bitcoins across various devices[8]. Traditionally, bitcoins are only accessible from the device they were initially received on, limiting their usability[8]. With Flexcoin, users can access their bitcoins from any web-connected device, enabling easy transactions and payments without technical expertise[8]. Flexcoin described themselves as the world's first bitcoin bank, allowing users to send and receive bitcoins seamlessly[8].
By centralizing bitcoin storage and offering accessibility from any web-connected device, Flexcoin promised to revolutionize how bitcoins are managed and utilized[8]. Additionally, Flexcoin rewarded users with "discount payments" on positive bitcoin balances, further positioning itself as a leader in bitcoin banking[8].
Flexcoin had previously emphasized the security of its bitcoin storage practices, asserting that it held zero coins in other companies or exchanges[7]. This stance aimed to differentiate Flexcoin from other electronic wallet providers, with the company incentivizing users to keep their bitcoin balances on its platform[7].
One of Flexcoin's key features was its emphasis on security, implementing a ZERO link policy in emails to prevent phishing attempts[8]. The Flexcoin homepage described Flexcoin as "a leader in bitcoin security"[8].
Flexcoin is also a leader in bitcoin security, for example Flexcoin is the first to implement a ZERO link policy in e-mails. No e-mail sent from Flexcoin contains a link or image. If you receive one that does, it's a phishing attempt.
Flexcoin emphasized their independence from third parties[9].
“We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything.”
Homepage: [8]
The Reality
Despite branding itself as the "first bitcoin bank," Flexcoin clarified that it was not legally classified as such[7][8]. Flexcoin noted on their homepage that they do not accept traditional currencies and are not regulated by government entities like FDIC[8].
Legal Notice: We are not a true bank that accepts USD or any national currency, only bitcoins which by their nature are not regulated, we're not FDIC insured or regulated by any government entity.
Flexcoin stored all user funds in the same hot wallet to allow for fast withdrawals. With the exception of users who had specifically opted for a premium version of the service, none of the user funds were stored offline. It is not believed that any funds were protected by a multi-signature wallet.
A bug existed on the Flexcoin platform where transfers between accounts could be conducted multiple times before balances were updated[6]. The sending accounts would have their balance decrease well below zero, while the recipient account balance would increase[6]. A large balance could be built up within the recipient account by repeatedly sending transfer requests to that account[6]. The recipient could then withdraw the extra funds[6].
Shortly after Mt. Gox, Flexcoin announced that they had "not lost anything". This tweet announced that their hot wallet was still full[9].
What Happened
The Flexcoin wallets were emptied out by a hacker exploiting the account transfer bug with thousands of simultaneous requests that had a total value of 896 bitcoin.
| Date | Event | Description |
|---|---|---|
| February 25th, 2014 9:52:00 AM MST | Mt. Gox Unaffected | Flexcoin assured users that it remained unaffected by the closure of Mt. Gox, asserting that it had not incurred any losses due to the latter's shutdown[6] and emphasizing holding no coins in other companies[9]. "We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything."[9] |
| March 2nd, 2014 5:15:12 AM MST | Hacker Withdraws 840 Bitcoin | The three largest blockchain transactions happen within the same bitcoin block, withdrawing 500 bitcoin[10] and 90 bitcoin[11] from Flexcoin to the first wallet, and another 250 bitcoin[12] from Flexcoin to the second wallet. |
| March 2nd, 2014 5:18:16 AM MST | Hacker Withdraws 50.1 Bitcoin | The hacker withdraws a total of 50.1 bitcoin in 3 more transactions[13][14][15]. |
| March 2nd, 2014 5:21:04 AM MST | Hacker Withdraws 6 Bitcoin | The hacker withdraws a further 6 bitcoin in 2 more transactions[16][17]. These would be the last known withdrawals of the attacker. |
| March 4th, 2014 12:52:00 AM MST | Flexcoin Shutdown Tweet | Flexcoin announces on Twitter that they will be shutting their doors[18]. |
| March 4th, 2014 9:07:00 AM MST | CoinDesk Article Published | CoinDesk reports on Flexcoin announcing its closure after falling victim to the cyberattack. Losses are mentioned as 896 BTC, valued at roughly $600,000. The company disclosed the theft on its homepage and conceded that it lacked the resources to recover from the significant loss, leading to the immediate cessation of its operations. Flexcoin has already provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities. |
| March 5th, 2014 1:33:00 AM MST | Reuters Article Published | Reuters reports high level details of the attack method[6]. An update from Flexcoin revealed that the attack exploited a flaw in its code related to transfers between users, involving inundating the system with simultaneous requests to move coins between accounts[6]. Despite the company's efforts to maintain server security, including regular testing and repelling thousands of attacks over the years, these measures proved insufficient in preventing the breach[6]. Flexcoin emphasized its collaboration with law enforcement agencies to trace the source of the hack and announced its intention to return bitcoins stored offline, or in "cold storage," to users[6]. Cold storage, being offline and inaccessible via the internet, offers greater security against hacking attempts. Bitcoin, a digital currency traded on a peer-to-peer network independent of central control, experienced a surge in value the previous year, with the total worth of bitcoins minted reaching approximately $7 billion[6]. According to Bitstamp, a leading bitcoin exchange, the value of a single bitcoin was around $658 at the time of the announcement[6]. |
Technical Details
The attack on Flexcoin exploited a flaw in its code related to transfers between users, involving a flood of simultaneous requests to transfer coins between accounts. Despite the company's efforts to maintain server security through regular testing and repelling numerous attacks over the years, it proved insufficient in preventing this breach[6].
“The site was itself broken from the ground up. The hackers simply got it to do what it was programmed to do, a lot faster than normal.”
Technical Analysis On Flexcoin Homepage
FlexCoin published an analysis on their homepage of the attacker's activity[19].
The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy
The coins were then left to sit until they had reached 6 confirmations.
The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.
This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.
Blockchain Transactions/Addresses
“Flexcoin also provided the wallet addresses of the alleged hackers. The largest wallet of which received 592.1 BTC from the breach, while the smaller of the two held at one point 304 BTC supposedly taken from the website.”
Attacker addresses[19]:
1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu
- Total received: 592.1 BTC in 3 transactions.
1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6
- Total received: 304 BTC in 5 transactions.
Transaction example:[10]
Total Amount Lost
Losses are mentioned by CoinDesk as 896 BTC, valued at roughly $600,000[7].
The total amount on the blockchain is 896.1 BTC.
“Flexcoin also provided the wallet addresses of the alleged hackers. The largest wallet of which received 592.1 BTC from the breach, while the smaller of the two held at one point 304 BTC supposedly taken from the website.”
The total amount lost has been estimated at $600,000 USD.
Immediate Reactions
Flexcoin announced its closure following the loss. The company revealed that all 896 bitcoins stored online were stolen, prompting its immediate shutdown[6][7]. Flexcoin announced their closure and provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts[7].
The incident occurred shortly after the bankruptcy filing of Mt. Gox, once the leading bitcoin exchange globally, which reported the potential loss of around 850,000 bitcoins to hacking[6]. Flexcoin clarified that it remained unaffected by Mt. Gox's closure, asserting that it had not incurred any losses from that incident[6]. Flexcoin cited its lack of resources to recover from the significant loss as the reason for its closure, acknowledging that it could not withstand the financial impact[6][7].
Flexcoin stated its collaboration with law enforcement agencies to trace the origin of the hack and pledged to return bitcoins stored offline, known as "cold storage," to its users. Cold storage coins, held in computers disconnected from the internet, are considered more secure against hacking attempts[6].
Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities[7].
“As Flexcoin does not have the resources, assets or otherwise to come back from this loss, we are closing our doors immediately.”
Ultimate Outcome
The incident was featured in the Bitcoin Exchange Guide[20].
The cyberattack and subsequent theft served to underscore long-standing concerns within the bitcoin community regarding the security of wallet storage services like Flexcoin[7].
Total Amount Recovered
Only funds held in a special "cold storage" wallet were returned. Users who kept their funds in cold storage were required to pay a 0.5% fee. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities[7].
Flexcoin conceded that it lacked the resources to recover the significant amount of funds lost, leading to the immediate cessation of its operations[7].
“Flexcoin held some bitcoins in “cold storage”, keeping them on devices not connected to the internet. Those bitcoins are safe, but only users who explicitly requested their bitcoins be held in cold storage (and paid a 0.5% fee) benefit.” “Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. All other users will be directed to Flexcoin's "Terms of service" located at "Flexcoin.com/118.html" a document which was agreed on, upon signing up with Flexcoin.”
Ongoing Developments
Flexcoin provided the wallet addresses of the alleged hackers. It is not clear what tracing has been done on those funds.
Individual Prevention Policies
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Making multiple transfers quickly is a common platform vulnerability, which should have been tested against. The Flexcoin platform could also have significantly reduced the amount which could be taken by storing most funds offline and protecting them with a multi-signature wallet.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
- ↑ List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
- ↑ Flexcoin - Business Insider (Mar 1, 2020)
- ↑ Bitcoin bank Flexcoin closes after hack attack - The Guardian (Mar 1, 2020)
- ↑ NoSQL Meets Bitcoin and Brings Down Two Exchanges: The Story of Flexcoin and Poloniex - Hacking Distributed (Mar 1, 2020)
- ↑ 6.00 6.01 6.02 6.03 6.04 6.05 6.06 6.07 6.08 6.09 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 Bitcoin bank Flexcoin shuts down after theft - Reuters (Mar 1, 2020)
- ↑ 7.00 7.01 7.02 7.03 7.04 7.05 7.06 7.07 7.08 7.09 7.10 7.11 Bitcoin Bank Flexcoin to Close After $600k Bitcoin Theft - CoinDesk (Feb 29, 2020)
- ↑ 8.00 8.01 8.02 8.03 8.04 8.05 8.06 8.07 8.08 8.09 8.10 Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST (Accessed Feb 28th, 2024)
- ↑ 9.0 9.1 9.2 9.3 Flexcoin - "We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything." - Twitter (Accessed Mar 4, 2024)
- ↑ 10.0 10.1 Hacker Withdrawal of 500 Bitcoin - Blockchain.com (Accessed Mar 1, 2024)
- ↑ Hacker Withdrawal of 90 BTC - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal of 250 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal Of 32 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal of 16 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal of 2.1 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal of 2 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Hacker Withdrawal of 4 Bitcoin - Blockchain.com (Accessed Mar 4, 2024)
- ↑ Flexcoin - "Flexcoin will be shutting its doors. Flexcoin.com" - Twitter (Accessed Mar 4, 2024)
- ↑ 19.0 19.1 Flexcoin Homepage Archive March 9th, 2014 3:38:00 PM MDT (Accessed Mar 1, 2024)
- ↑ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)