Hackers steal $1.2 Million of bitcoins from Inputs.io, a supposedly secure wallet service

7 November 2013

UPDATE (8th November, 13:06 GMT):

In a phone interview with Australia’s AM radio show Tradefortress responded to challenges that the theft was ‘an inside job’, though he insisted that he wouldn’t be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit.

When asked about his age, Tradefortress told the publication: “I’m over 18 but not much over.”

Tradefortress’s public identity still remains unknown; however, his reputation on Bitcointalk seems to be questionable, with at least two members claiming to have been scammed by him for failing to deliver on coding projects he had already been paid for. He has said that he wishes to retain his anonymity as he now fears for his safety in light of this recent heist.

Tradefortress also runs coinchat.com as well as coinlenders.com.

—————————————-

Tradefortress, the developer behind bitcoin web wallet Inputs.io, released a statement on his website today, after being forced to close it down in the aftermath of a major hacking incident, saying:

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”

Inputs.io, which was intended to be a high-security bitcoin web wallet, was apparently hacked on the 23rd of October, when thieves stole bitcoins worth over $1.2m at current BPI prices. The statement, published this morning, continues:

“Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

“Database access was also obtained, however passwords are securely stored and are hashed on the client.

“If you stored more than 1 BTC, send an email to support@inputs.io with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you’re using on Inputs. Please don’t store bitcoins on an internet connected device, regardless if it is your own or a service’s.

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.”

According to Hacker News, just as in the Bitfloor theft, in which 24,000 BTC were stolen, the bitcoins were stolen from the website’s ‘hot wallet’ – an online wallet which has to operate to process live withdrawals. However, it seems as if Inputs.io was keeping most if not all of their coins online, whereas other services often keep as much as 80% offline.

Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet.


In contrast to a service like Blockchain.info (which, although generally thought of as safe, still suffered a security issue back in August), Inputs.io is a shared wallet that manages its users’ balances and their private keys, giving the service full access to all the bitcoins stored with it.

Blockchain.info account access is secured by an identifier/alias, password combination and two-factor authentication and is generally thought of as secure. However, as with any technology, nothing is foolproof. According to Bitcoin Talk forum user ‘masteroflove’:

“If the blockchain.info domain is compromised, the hacker can serve malicious JavaScript that will record your passwords and can get access to all your bitcoins. That’s why it is recommended to use the Chrome or Firefox blockchain app. But even this isn’t 100% foolproof, as an attacker that gains access to blockchain’s credentials can push a malicious update that will automatically update on your browser apps.”

Questions are now being asked publicly about Inputs.io’s main developer Tradefortress, who, whilst still not widely known in public, claims to have a deep understanding of the complexities of security procedures for bitcoin wallets.

When CoinDesk approached Tradefortress for comment he informed us that “the attacker was able to compromise older email accounts which were easily reset as they didn’t have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host’s side.”

He continued: “We don’t use client-side encryption; that’s hardly foolproof and gives people a false sense of security”.

When queried over how much Inputs.io will be able to reimburse users he responded somewhat obscurely: “[We’ll be able to refund] as much as 100%. For Inputs it is solely based on the amount. 1 BTC at the current sliding scale would be 74%, 2 BTC 65%… This figure is not final, and if we have leftover coins we’ll be able to refund more.”

In other words: if you had less than 1 BTC on Inputs you should get it back, otherwise, be prepared to take a haircut.