Czech bitcoin exchange Bitcash.cz hacked and up to 4,000 user wallets emptied

bitcash-hacked1
12 November 2013

Czech Republic-based bitcoin exchange Bitcash.cz has been hacked and up to 4,000 customers’ wallets have been emptied.

The company’s site is currently down, showing only a message informing of the hack, which took place on 11th November.

bitcash-hacked

According to Czech news site E15.cz, some 4,000 bitcoin wallets had been opened with Bitcash.cz, with a total value of over 2 million Czech koruna (roughly equivalent to $100,000).

A post on the company’s Facebook page reads (roughly translated):

“Unfortunately, as we have already announced on our website Bitcash.cz, our server was attacked and compromised – including the wallets.

We are trying to resolve the situation, but we want to warn our users about fraudulent emails and scams [claiming to be from Bitcash].

We never ask anyone for access to his or her accounts or wallets nor ask for money.

We will inform you of any developments as soon as possible.
Thanks.”

Bitcash, founded in July 2011, has various features in addition to its wallets. It featured an online exchange that filled orders from traders, but also an OTC exchange, similar to LocalBitcoins.com, which enables people to trade with each other directly, using the site as an escrow service.

An online post purports to show an email sent from a bitcash.cz email address. The text in that mail suggests that the site may have been hacked using a phishing attack that used fraudulent emails to fool users. Hackers appear to have sent emails from Bitcash.cz email accounts pretending to be members of staff. The emails claim the company is having to use a US recovery company to get back the bitcoins that have been stolen.

Recipients are then apparently asked to send 2 BTC to a wallet address in order for their bitcoins to be returned. However the bitcoin address listed in the email text hasn’t been used online, and has no transactions.

Aleš Janda, a user of the Bitcash.cz service who claims to have known the administrator “a little”, is skeptical of the fake email claim. “This e-mail is strange,” he said, adding that he knows no one else who received it. “I can’t imagine that anyone who steals 485 BTC would take the risk of disclosure by sending dumb mails begging for 2 BTC.”

Janda arrived at this 485 BTC number via his own blockchain research. He has made several transactions to Bitcash.cz, which he says uses a shared wallet. These transactions enabled him to ascertain some of the addresses in the Bitcash.cz shared wallet, he says. He was then able to analyse transaction inputs and outputs to see where his bitcoins subsequently went. “Bitcash’s wallet was pretty simple,” he said. “So I can trace all transactions [using a wallet subtree] from my transaction to some big transaction in the future. This big transaction perfectly matches the time of the attack and was much bigger than other transactions.”

He then confirmed this by analyzing other bitcoin transactions with Bitcash.cz, which he said led to a large transaction pointing to the same address. Searching for that address brings up a bitcoin charity web site called bitcoin-charity.info – now no longer available – which claims to be a donation address for whistle-blowing organization Wikileaks.

That supposed charity site, registered using a privacy protection service on 8th September, appears to be a fraudulent copy of legitimate bitcoin charity web site Bitcoins for Charity. Bitcoins for Charity cites the correct Wikileaks bitcoin donation address.

Janda suggests that wallets on Bitcash.cz were compromised through the site’s web interface. “Maybe the whole portal was compromised, but the wallets of all users were. It seems to me that wallets were compromised through the web interface – the attacker didn’t have private keys.”

Calls and emails to ‘Carlos’, the owner of the site, who also owns Internet consultancy All High Seeds, went unanswered yesterday. However, a statement on the site suggested that it had filed charges against an “unknown perpetrator”.

Article co-authored by Emily Spaven and Danny Bradbury.