Here’s your digital-currency lesson of the day, courtesy of a guy who calls himself TradeFortress: “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”
That may sound like a paradox. Bitcoin is the world’s most popular digital currency, and it’s controlled by a vast collection of computers spread across the internet. But TradeFortress knows what he’s talking about. He’s the founder of inputs.io, a company that used to store bitcoins in digital wallets for people across the globe. The site was just hacked, with the bandits making off with more than a million dollars’ worth of bitcoins.
Yes, bitcoins are digital. And, yes, bitcoin transactions necessarily happen on the internet. But you can store bitcoins offline, and that’s what the most careful of investors will do. A collection of bitcoins is essentially a private cryptograph key you can use to send money to someone else, and though you can store that key in an online digital wallet, you can also store it on an offline computer – and even on a physical item here in the real world, writing it on a piece of paper or engraving it on a ring. That’s why your money can’t be hacked.
Until last week, inputs.io seemed like a nifty service for Bitcoin users. The company not only offered bitcoin wallets, it mixed the wallets up in order to anonymize the coins they stored, sped up bitcoin payments, and even spared them from the tiny transaction fees that are typically charged on the bitcoin network.
But there was a catch. You had to trust the company – and its internet-connected computers – with your bitcoins. In retrospect, that was a bad idea. And now, Inputs.io customers are learning just how bad of an idea it was.
The site was compromised on Oct 23, and again on Oct. 26, and hackers made off with 4,100 bitcoins ($1.2 million) stolen in two separate attacks. The company waited until this week to notify customers of the incident, which only affects certain users. A small number of Bitcoins belonging to TradeFortress’s other business, CoinLenders, were also taken, TradeFortress said in an email interview (He didn’t provide his real name).
Inputs.io doesn’t have the funds to pay back everything that was stolen, but TradeFortress says he’s going to issue partial refunds. “I’m repaying with all of my personal Bitcoins, as well as remaining cold storage coins on Inputs, which adds up to 1540 BTC,” he told WIRED.
TradeFortress says that this was a social engineering attack, meaning that the attacker masqueraded as someone he wasn’t in order to get access to the site’s systems on cloud-hosting provider Linode. “The attack was done through compromising a chain of email accounts which eventually allowed the attacker to reset the password for the the Linode server,” he said.
The hacker’s first step was recovering an email address for an account that TradeFortress set up six years ago.
The “attacker rented an Australian server to proxy as close to my geographical location so it won’t raise alarms with email recoveries,” TradeFortress said in a forum post.
“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement,” TradeFortress wrote on the inputs.io website.
UPDATE: 6:25 EST 11/07/13: This story has been updated to include comment from TradeFortress.