Flexcoin Hot Wallet Hack: Difference between revisions
(Another 30 minutes complete. About section spread around. Added information from CoinDesk article and CoinFlex homepage.) |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Case Study Under Construction}}{{Unattributed Sources}} | {{Case Study Under Construction}}{{Unattributed Sources}}[[File:Flexcoin.jpg|thumb|Flexcoin Logo/Homepage]]Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin. While hackers of course got into the hot wallets, all customers who had utilized the available cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assist the hot wallet users, however at least they were quick about it. | ||
Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin. While hackers of course got into the hot wallets, all customers who had utilized the available cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assist the hot wallet users, however at least they were quick about it. | |||
This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.<ref name="kylegibson-86" /><ref name="bitcointalklist-87" /><ref name="businessinsider-190" /><ref name="theguardian-191" /><ref name="hackingdistributed-193" /><ref name="reuters-194" /><ref name="bitcoinexchangeguide-218" /> | This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.<ref name="kylegibson-86" /><ref name="bitcointalklist-87" /><ref name="businessinsider-190" /><ref name="theguardian-191" /><ref name="hackingdistributed-193" /><ref name="reuters-194" /><ref name="bitcoinexchangeguide-218" /> | ||
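Review bot: in the new revision's Line 1, the introductory paragraph follows `[[File:Flexcoin.jpg|thumb|Flexcoin Logo/Homepage]]` on the same line as the two notice templates, with no line break between them. Put the templates, the image and the paragraph on separate lines so that a later diff isolates a change to the paragraph instead of flagging the whole line. The paragraph is also carried over with no `<ref>` on any of its claims, while the sentence after it carries seven. Since the page is tagged {{Unattributed Sources}}, this is the place to attach the references that support the hot wallet and cold storage statements.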
Revision as of 12:35, 28 February 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Flexcoin was a service that allowed users to send their bitcoins to other users quickly and more conveniently than through standard bitcoin transactions. While hackers of course got into the hot wallets, all customers who had used the cold storage service (available for an extra charge) were able to retrieve their funds. The company walked away and did nothing to assist the hot wallet users; however, at least they were quick about it.
This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.[1][2][3][4][5][6][7]
About Flexcoin
Flexcoin was a bitcoin storage service based in Alberta, Canada[8]. Flexcoin presented itself as the solution to a major problem with Bitcoin by offering a centralized platform for managing bitcoins across various devices[9]. Traditionally, bitcoins are only accessible from the device they were initially received on, limiting their usability[9]. With Flexcoin, users can access their bitcoins from any web-connected device, enabling easy transactions and payments without technical expertise[9]. Flexcoin described themselves as the world's first bitcoin bank, allowing users to send and receive bitcoins seamlessly[9].
By centralizing bitcoin storage and offering accessibility from any web-connected device, Flexcoin promised to revolutionize how bitcoins are managed and utilized[9]. Additionally, Flexcoin rewarded users with "discount payments" on positive bitcoin balances, further positioning itself as a leader in bitcoin banking[9].
“Alberta-based bitcoin storage specialist”
“Flexcoin aimed to differentiate itself from other electronic wallet providers by incentivizing users for keeping their bitcoin balances on the site.”
Flexcoin had previously emphasized the security of its bitcoin storage practices, asserting that it held zero coins in other companies or exchanges[8]. This stance aimed to differentiate Flexcoin from other electronic wallet providers, with the company incentivizing users to keep their bitcoin balances on its platform[8].
6 days after bragging that “We hold zero coins in other companies, exchanges etc. While the MtGox closure is unfortunate, we at Flexcoin have not lost anything.”, Flexcoin announced its closure after falling victim to a cyberattack resulting in the theft of 896 BTC, valued at roughly $600,000.
One of Flexcoin's key features was its emphasis on security, implementing a ZERO link policy in emails to prevent phishing attempts[9]. The Flexcoin homepage described Flexcoin as "a leader in bitcoin security"[9].
Flexcoin is also a leader in bitcoin security, for example Flexcoin is the first to implement a ZERO link policy in e-mails. No e-mail sent from Flexcoin contains a link or image. If you receive one that does, it's a phishing attempt.
Homepage: [9]
The Reality
Despite branding itself as the "first bitcoin bank," Flexcoin clarified that it was not legally classified as such[8][9]. Flexcoin noted on their homepage that they do not accept traditional currencies and are not regulated by government entities like FDIC[9].
Legal Notice: We are not a true bank that accepts USD or any national currency, only bitcoins which by their nature are not regulated, we're not FDIC insured or regulated by any government entity.
What Happened
| Date | Event | Description |
|---|---|---|
| March 1st, 2014 12:00:29 AM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
| March 4th, 2014 9:07:00 AM MST | CoinDesk Article Published | CoinDesk reports on Flexcoin announcing its closure after falling victim to the cyberattack. Losses are mentioned as 896 BTC, valued at roughly $600,000. The company disclosed the theft on its homepage and conceded that it lacked the resources to recover from the significant loss, leading to the immediate cessation of its operations. Flexcoin has already provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities. |
Technical Details
“The attacker successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.”
“The site was itself broken from the ground up. The hackers simply got it to do what it was programmed to do, a lot faster than normal.”
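The flaw quoted above is a check-then-update race. As an added illustration (not Flexcoin's code, which this page does not show), the toy ledger below compares a transfer that checks the balance and debits in separate steps with one that does both as a single unit. `Ledger`, `flood` and the account names are hypothetical, and a barrier stands in for many simultaneous requests landing between the check and the debit.

```python
import threading

class Ledger:
    """Toy balance store (constructed); each single read or write is atomic."""
    def __init__(self, balances):
        self._bal = dict(balances)
        self._op = threading.Lock()    # guards one read or one write
        self._txn = threading.Lock()   # used only by the hardened path

    def read(self, user):
        with self._op:
            return self._bal[user]

    def add(self, user, delta):
        with self._op:
            self._bal[user] += delta

    def transfer_racy(self, src, dst, amount, gap=lambda: None):
        # Flawed: the balance check and the debit are separate steps.
        if self.read(src) < amount:
            return False
        gap()                          # other requests run in this window
        self.add(src, -amount)
        self.add(dst, amount)
        return True

    def transfer_atomic(self, src, dst, amount):
        # Hardened: the check and both updates form one unit.
        with self._txn:
            if self.read(src) < amount:
                return False
            self.add(src, -amount)
            self.add(dst, amount)
            return True

def flood(racy, requests=20, start=5):
    """Send `requests` one-coin transfers at once; return (accepted, sender, receiver)."""
    ledger = Ledger({"sender": start, "receiver": 0})
    window = threading.Barrier(requests)   # holds every request between check and debit
    results = []
    def worker():
        results.append(ledger.transfer_racy("sender", "receiver", 1, window.wait) if racy
                       else ledger.transfer_atomic("sender", "receiver", 1))
    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.read("sender"), ledger.read("receiver")
```

With 5 coins and 20 simultaneous one-coin requests, the racy path accepts all 20 and leaves the sender at -15, while the atomic path accepts 5 and rejects the rest.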
Total Amount Lost
Losses are mentioned by CoinDesk as 896 BTC, valued at roughly $600,000[8].
“Flexcoin also provided the wallet addresses of the alleged hackers. The largest wallet of which received 592.1 BTC from the breach, while the smaller of the two held at one point 304 BTC supposedly taken from the website.”
The total amount lost has been estimated at $600,000 USD.
Immediate Reactions
In response to the breach, Flexcoin announced their closure and provided the wallet addresses associated with the hackers, revealing that the stolen funds had been transferred out of the compromised accounts[8]. Customers who stored bitcoins in Flexcoin's cold storage were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities[8].
Flexcoin conceded that it lacked the resources to recover the significant amount of funds lost, leading to the immediate cessation of its operations[8].
"Flexcoin has announced that it will shut down following an attack and subsequent robbery that saw cybercriminals abscond with 896 BTC (roughly $600,000 at press time) stored in the company’s hot wallets."
“As Flexcoin does not have the resources, assets or otherwise to come back from this loss, we are closing our doors immediately.”
The cyberattack and subsequent theft underscored long-standing concerns within the bitcoin community regarding the security of wallet storage services like Flexcoin[8].
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
Only funds held in a special "cold storage" wallet were returned. Cold storage was used only for customers who had explicitly requested it and paid a 0.5% fee. Those customers were assured that they would be able to retrieve their funds, with the company facilitating the transfer free of charge upon verification of their identities[8].
“Flexcoin held some bitcoins in “cold storage”, keeping them on devices not connected to the internet. Those bitcoins are safe, but only users who explicitly requested their bitcoins be held in cold storage (and paid a 0.5% fee) benefit.”
“Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. All other users will be directed to Flexcoin's "Terms of service" located at "Flexcoin.com/118.html" a document which was agreed on, upon signing up with Flexcoin.”
Ongoing Developments
Flexcoin provided the wallet addresses of the alleged hackers. It is not clear what tracing has been done on those funds.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
- [2] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
- [3] Flexcoin - Business Insider (Mar 1, 2020)
- [4] Bitcoin bank Flexcoin closes after hack attack - The Guardian (Mar 1, 2020)
- [5] NoSQL Meets Bitcoin and Brings Down Two Exchanges: The Story of Flexcoin and Poloniex - Hacking Distributed (Mar 1, 2020)
- [6] Bitcoin bank Flexcoin shuts down after theft - Reuters (Mar 1, 2020)
- [7] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
- [8] Bitcoin Bank Flexcoin to Close After $600k Bitcoin Theft - CoinDesk (Feb 29, 2020)
- [9] Flexcoin Homepage Archive February 21st, 2014 6:27:33 AM MST (Accessed Feb 28th, 2024)