Topic: Bitfloor hacked, most bitcoins stolen (Read 5181 times)

legendary
Activity: 1204
Merit: 1015
September 06, 2012, 06:05:57 PM
#3
The past few days have seen much speculation as to what is going on. I have waited to post updates until I had a clearer understanding of how to move forward.

After careful consideration, ACH withdrawals of USD from Bitfloor will soon be re-enabled, with details to be posted on bitfloor.com. You are welcome to continue keeping your USD funds at Bitfloor if you choose to do so. I feel that this is the first step in rebuilding the reputation of Bitfloor and regaining the trust of the community. As I have previously stated, all USD funds are available as no theft of USD occurred.

I have filed reports with the FBI and the IC3 regarding the theft. It was a cybercrime and as such I am following up with the proper agencies to attempt to track down the perpetrator.

Finally, I am pursuing all avenues for keeping Bitfloor operational and serving the needs of the growing bitcoin community. I appreciate the support I have received from many over the past few days and will keep everyone updated as new information is available.

cheers,
~Roman
September 04, 2012, 06:00:59 PM
#2
Please quantify the amount of BTC lost as well as the total BTC owed.
What % of BTC were lost?

From the tx it looks like 30K BTC in outputs (although one involved two large outputs so it is unclear what is going on there).

This was almost all of the BTC.

Was there a loss of any USD funds?

No. All USD bank accounts are secure. And all records for the current status of the exchange (accounts, trades, etc) are all also secure.
unencrypted backup??

Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk. I realize the details of the failure and attack are interesting but I am currently focused on user accounts and exchange status going forward.
So ~30K of ~30K in BTC has been lost?

The amount totals to ~24K BTC.
How long, given average operation, would it take to regain the 25K in fees?

We have seen steady growth over the last few months but our 30 day volume is ~64K BTC (717K USD) and given that we get 0.3% from each trade this means we make roughly 2.1k per month in USD (210 BTC at current rate). So quite a long time if trading did not ramp up. Regardless of the recovery time I felt it important to make this announcement as it impacts many users and the community.
Since neither the USD balances nor account records have been compromised, please process scheduled ACH withdrawals.

We have a pending ACH withdrawal which should be processed today.
Should we send an ACH withdrawal request for the balance by email since the site will be down for the immediate future?

ACH withdrawals placed before the compromise have been processed. New withdrawals are currently on hold while I work through the future of the exchange.
Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public IP).

I don't wish to go into too many details on this thread about it, but this box was not public facing.
Still irrelevant. Maybe try understanding the question. It still won't help though since the question isn't directed to you and you don't know the answer. A system holding an unencrypted copy of the keys was hacked. He claims this system was not public facing, yet he also claims that the attacker connected from a specific IP. If the system was not public facing, how did the attacker connect to it?

The system was connected to from one of our other boxes which was accessed through a virtual console. The wallet box had all public ports blocked but was able to be connected to from a few of the other boxes.
I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.
Please note that I have taken the website offline. I am consulting legal counsel about the current situation and will post once I have more details. I want to make sure the matter is handled appropriately given the financial situation the exchange is currently in.

The website was causing too much confusion in the current form and once I have more details I will post a very clear message for all users.
September 04, 2012, 05:56:48 PM
#1
As much as I regret the post I am about to write I feel that it is only fair and holding to the spirit of BitFloor that I disclose everything that is going on and make the information available. Please read the entirety of the post. As always, if you have any questions please post them here versus contacting support so that other users may benefit from the answer (unless it is private).

Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations. Even though only a small majority of the coins are ever in use at any time, I felt it inappropriate to continue operating not having the capability to cover all account balances for BTC at the time.

Due to the serious nature of what has happened I am currently evaluating options for BitFloor. One of the last things I want to happen is for BitFloor to shut down and cause more panic in the bitcoin community. The platform itself is very valuable and provides an important and friendly service to many users.
BitFloor is very much focused on the end user and creating a reliable and trusted platform for everyone. Through exchange user support, I can continue to operate BitFloor. I believe that posting the exchange source and being even more transparent about operations would be a step in this direction if we were to continue operating. BitFloor is currently the #4 USD exchange and #1 in the US.

As a last resort, I will be forced to fully shut BitFloor down and initiate account repayment using current available funds. I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack.

I realize that saying that I appreciate everyone's understanding is a moot point, however I do wish to re-iterate that my goal is to find the best and most reasonable way forward for BitFloor customers and the exchange and not create more panic that the community has already seen time and time again.

I would like to keep this thread focused on evaluating ideas of BitFloor operation and will create a separate thread for discussion (see below) about the actual transactions and tracing the coin theft. I will not speak in detail about the actual breach at this time as my current focus is on the future and not the past.

In the interest of information for tracking stolen coins:
https://bitcointalksearch.org/topic/bitfloor-coin-theft-details-105819

~Roman
This thread is the sister thread to the "bitfloor needs your help" thread here https://bitcointalksearch.org/topic/bitfloor-needs-your-help-105818

It is meant for the tracking and discussion of the stolen coins from BitFloor.com

The attack came from the following IP:
178.176.218.157

And the coins were withdrawn with the following transactions:
83f3c30dc4fa25afe57b85651b9bbc372e8789d81b08d6966ea81f524e0a02be
d5d23a05858236c379d2aa30886b97600506933bc46c6f2aab2e05da85e61ad2
f9d55dc4b8af65e15f856496335a29e2be40f128a7374c75b75529e864579f93
42ea472060118ee5aee801cdedbc4a3403f3708a87340660f766e2669f0afeb0
358c873892016649ace8e9db4c59f98a6ca8165287ac80e80c52e621f5a26e46

Obviously it is high hopes to have the coins returned, but I do feel that the community can always benefit from more knowledge about high-profile thefts and the aftermath.