Third cryptocurrency exchange becomes hacking victim, loses Bitcoin

Summary: Following Mt. Gox and Flexcoin, Poloniex has admitted to losing over 10 percent of customer funds due to cyberattacks.

Yet another cryptocurrency exchange has come forward and admitted that security and system problems have led to customer funds being pinched by hackers.

Poloniex, a Bitcoin trading post similar to Mt. Gox, has lost 12.3 percent of the Bitcoin stored in hot wallets on the website. However, in stark contrast to how Mt. Gox CEO Mark Karpeles handled his company's Bitcoin losses, the owner of Poloniex, Tristan D'Agosta -- a.k.a. Busoni -- admitted to the loss and asked users how they would like to be compensated.

In a forum post, Busoni said that a hacker took advantage of a processing flaw in the Bitcoin exchange post. When a user submits a withdrawal request, the input is checked against the user's balance, the amount is deducted, and the new balance is recorded in a database. However, it was discovered that placing several withdrawals in practically the same instant meant the requests were processed at more or less the same time, resulting in a negative balance but "valid insertions into the database, which then get picked up by the withdrawal daemon."

According to the Poloniex chief, auditing and security features were not explicitly looking for negative balances, and so the transactions were allowed to proceed. Busoni admitted that another "design flaw" contributed to the theft, as "this could not have happened if withdrawals requests were processed sequentially instead of simultaneously."

Trading was frozen following the discovery of unusual activity, and Busoni says he takes "full responsibility" for the missing 12.3 percent of Bitcoin -- believed to be worth roughly $50,000. 

"If I had the money to cover the entire debt right now, I would cover it in a heartbeat," Busoni admitted. "I simply don't, and I can't just pull it out of thin air."

So, to keep users from withdrawing all their BTC to avoid being left with the debt, Busoni said everyone's wallet on the trading post would "temporarily be deducted by 12.3 percent."

"Please understand that this is an absolute necessity -- if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3 percent," Busoni said. "Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair -- some people would get all of their money right away, and a few would get none right away."

The amounts deducted have been recorded, and the Poloniex chief says that funds will be raised from exchange fees -- and his own pocket -- to try and cover the debt and redistribute funds to users who have had Bitcoin deducted.

In order to prevent further exploits, Poloniex is checking for negative balances and will freeze any accounts that have taken advantage of the processing flaw. In addition, before the trading post is unfrozen, a new daemon will be created to make sure no more accounts with negative balances are running. Withdrawals will also be switched to a queued method.
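The check-then-deduct flaw and the fixes described above, as an added example that is not Poloniex's code: a burst of requests is checked before any is deducted, next to sequential processing with an atomic check and the negative-balance audit. The SQLite schema, the `alice` account and the amounts are constructed, and the single conditional `UPDATE` is an assumption about how to make the check atomic, not something the article says Poloniex used.

```python
import sqlite3

def make_db(start):
    # Constructed sample ledger: one account, balances in integer units.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER)")
    db.execute("CREATE TABLE withdrawals (user TEXT, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (start,))
    return db

def get_balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user=?", (user,)).fetchone()[0]

def check(db, user, amount):
    # Step 1 of the flawed flow: read the balance and compare.
    return get_balance(db, user) >= amount

def deduct_and_record(db, user, amount):
    # Step 2 of the flawed flow: trusts the earlier check, which may be stale.
    db.execute("UPDATE accounts SET balance = balance - ? WHERE user=?", (amount, user))
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))

def racy_burst(db, user, amounts):
    # Models near-simultaneous requests: every check runs before any deduction.
    approved = [a for a in amounts if check(db, user, a)]
    for a in approved:
        deduct_and_record(db, user, a)
    return len(approved)

def withdraw_atomic(db, user, amount):
    # Check and deduction are one statement, so the check cannot go stale.
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user=? AND balance >= ?",
        (amount, user, amount))
    if cur.rowcount != 1:
        return False
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))
    return True

def queued_burst(db, user, amounts):
    # Requests are drained one at a time, as a sequential withdrawal queue would.
    return sum(withdraw_atomic(db, user, a) for a in amounts)

def negative_balances(db):
    # The audit the article says was missing: flag any account below zero.
    return db.execute("SELECT user, balance FROM accounts WHERE balance < 0").fetchall()
```

With a starting balance of 100 and three requests of 80, the racy path approves all three and leaves the account at -140, while the queued path approves one and leaves 20.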

Mt. Gox, once the dominant Bitcoin trading post online, closed its doors last week and filed for bankruptcy protection in Japan following years of undetected infiltration that resulted in the theft of 750,000 customer-owned Bitcoin, as well as Mt. Gox's store of roughly 100,000 coins, in total worth almost $500 million. System design flaws, hackers and poor accountancy practices have been blamed for the massive financial losses.

Flexcoin followed suit and closed after hackers stole 896 Bitcoin -- worth approximately $606,000 -- and the trading exchange did not have the funds or resources to recover.

Talkback

20 comments
  • Get out while you can!

    This is going South in a hurry. Not unexpected by many, but most likely it's riddled with corruption and people who thought they had the best "get rich quick" scheme.
    Now it's looking like a "get poor fast" scheme.
    JohnnyES-25227553276394558534412264934521
  • "a Bitcoin trading post similar to Mt. Gox"

    Not even by a far stretch. Mt. Gox dealt in Bitcoin-fiat trading, while Poloniex is "just" a simple cryptocurrency exchange that lets people trade one cryptocurrency for another, most often Bitcoin. Add to that, the trading volume of Poloniex is diminutive in comparison. Please, Charlie, stop writing FUD like this. Be a journalist and read up on the topic and its details before publishing.
    Apicari
    • hmm

      So they both traded in bitcoin. Just in different versions of bitcoins? So they are similar and both were hacked.
      schultzycom
      • No

        Your ignorance and narrow-mindedness are getting in the way here. Let me try again: MtGox traded in fiat - real dollar, real euro; REAL MONEY - while Poloniex only trades in virtual goods, and at tiny volumes to boot. Do you perhaps now see a difference?
        Apicari
    • Okay

      I have read your clarification and appreciate that I now do know a bit more.

      The precise characterization of Poloniex, though, is quite tangential to the real points for this incident. A problem of concurrency that the banks with ATMs solved in the 80s was overlooked by the folks who put together the trading software for Poloniex.

      Secondarily, the exchange distributed its loss to all its customers and promises to make it good. I am quite sure the promise is made in good faith. It does occur to me, though, that the exchange should have acquired some insurance, but that assumes that someone would underwrite, and that the risks are understandable. Still, while the action does forestall a run, I expect that there will be suits for fraud and negligence, and it may cost the exchange's owners more than the 12.3% shortfall.

      Thirdly, returns are tied to amount of risk. And while there is a core value with regards to disintermediation for transactions, right now almost everyone is all excited about the investment potential, which pushes the value upwards. I'm going to have to think about whether the perception of the instruments as investments in effect incentivizes exchanges, or, more accurately, give the exchanges an upside which allow them to not charge fees. Investments go up and go down and that means an exchange may become insolvent or face liquidity issues.

      But right now the big risk for an investor/user is the existence of exploitable software/protocol bugs. The early and the lucky will win. Many will attribute their win to their smarts for being early when perhaps it was more attributable to luck.
      DannyO_0x98
  • Watch and laugh

    Watch and laugh at the silly bitcoin "emperors" as they parade around in their new clothes.

    Everyone else can see you're all naked and have been taken in.

    Haha. Who will be the last ones standing who still think they are wearing invisible clothes?
    londan
  • Good thing Bitcoin is FDIC insured!

    It is insured, right?
    William.Farrel
    • "It is insured, right?"

      Ahhh...I am fairly sure it is not.

      But that's OK...'cause the folks running these "banks" will still gladly take your money, and assure you that your Bitcoins are perfectly safe.

      How? Simply by telling you so...that's how. Anything wrong with trusting someone you will never be able to talk to in person, let alone meet face to face?
      IT_Fella
  • Confidence Game

    One of the key features to the stability of any currency is confidence. Currencies such as the US dollar, British pound, and Japanese Yen have been reasonably stable for decades due to the confidence in the respective governments' ability to support the currency. There is no large entity to support virtual currencies, so the moment confidence wanes the value will plummet. It would not be at all surprising if the next blip causes the entire Bitcoin concept to collapse in on itself.
    miker@...
  • Money out of thin air

    This is what happens when you try making money out of nothing. Another failed experiment.
    ilovepie
  • Hey, I have a solution!

    I am going to start up a new virtual currency that will be absolutely, positively, 100% safe, and call it Buttcoin.

    So if everyone who currently holds Bitcoins will please send them all to me at www.yourbuttcoinsaresafewithme.ru, I promise you that I will look after them, and you will never have a worry in the world. OK?

    You all can trust me, can't you? I mean after all, I post here occasionally using my real name, and many of you have read my posts so I must be legitimate, so I can be trusted because I say I can, can't I?

    Hey, it's sort of worked out OK for other Bitcoin "banks", so I know my Buttcoins will be just as good an investment.

    Thanks in advance for all of your money. I'll use it wisely, I promise.
    It'sNotMe
  • Q: When will suckers ever learn?

    Here's some general rules for people who haven't figured it out yet:

    When any new investment bubble/Ponzi scheme gathers enough steam to make it into the general consciousness and press, it's already too late to jump in and make a fortune. Also, the people who orchestrated it have already left the building with all of everyone else's money they can carry. You can often recognize these things as scams because they are based on nothing of any real value like Tulips or I don't know what with Bitcoin (bits? really?). The promoters of these things appeal to the fear and greed of potential suckers using the tried and true clichés of things like religion, racism, xenophobia, fear of civil society collapsing, hatred of government (i.e. having to pay their fair share of taxes in order to support the civil society they worry will collapse. Ironic, no?), and the suckers' general belief that they are smarter than everyone else and that the rules that apply to everyone else shouldn't apply to them.

    A: Never. There's new ones born every minute and the old ones don't seem to want to learn. After all, the next scam will be different, right?
    Sir Name
  • Governments. Probably including ours.

    If I understand correctly how BitCoin works, whoever is stealing the BitCoins will never be able to redeem them, because it will be instantly apparent if a BitCoin is among those that were stolen.

    Anyone smart enough to hack exchanges and steal BitCoins is smart enough to know that. So the motive for the thefts must not be material gain, but rather to visit harm on the BitCoin franchise, and virtual currencies in general.

    Gee, who would do such a thing?
    Robert Hahn
    • Robert,

      I must say you look very good in that Tinfoil hat. Cheers.
      It'sNotMe
    • No

      Robert, as it happens you do not understand how the Bitcoin protocol works, and using the term 'BitCoins' definitely sucked all credibility out of your statement. There are numerous ways stolen Bitcoin can be siphoned into cash.
      CT2515
    • And next thing you'll know, someone will

      irradiate all the gold in Fort Knox, thus raising the value of their own stockpile.
      William.Farrel
  • We Laugh At Stupidity

    As a federal bank examiner, it never ceases to amaze me how dumb some smart people can be. I have been watching the rise and fall of Bitcoin for the past year and have stated exactly what's going to happen well before it happens, like the Silk Road being a honeypot for cybercriminals.
    But the one thing I can't wait to see is the day all (or most) of the Bitcoin disappear from accounts suddenly. Mt Gox was small potatoes compared to the bigger heist. Think of it as a test run of what's to come. And before you start pointing fingers, NO the US Gov is not involved in a secret plot to take down cryptocurrencies.
    BankWatcher
  • Want to Keep your Bitcoins?

    Store them in a paper wallet offline. Do not let exchanges or marketplaces hold your coin. Print out a wallet and move your coins into cold storage. Only transfer out what you need at a time and no more. I've had BTC since they were $6 and stopped buying at $100, so despite the volatility, still sitting pretty and holding the paper.
    cryptoyotta
  • Misguided blame.

    Misleading and sensationalistic articles like this lead the reader to believe that cryptocurrencies are fraught with great risk and imminent cataclysm. But if we were talking about a stock exchange, would you blame the stocks for the mistakes made by the exchange? Of course not, because one has nothing to do with the other. Likewise the stability and trust of an online exchange has nothing to do with the cryptocurrencies it trades. Cryptocurrency, like Bitcoin, is the future of free* money. (*free as in freedom)
    SapphireSpire
    • The Disillusioned and Misguided

      Reading the above comment is so funny, yet so sad. For someone to actually believe any currency, be it real or virtual, is FREE!?!?!? There is always a cost. Nevertheless, there are always disillusioned people like SapphireSpire that jump in blindly with both feet and never hesitate to drink the Kool-Aid.

      "......the stability and trust of an online exchange has nothing to do with the cryptocurrencies it trades."

      If people didn't trust the online exchanges, would the cryptocurrencies even have value?!?! How would the price of Bitcoin have gone so high, if it were not for people....much like SapphireSpire, believing in online exchanges?!?! There is a great article relating cult following to Bitcoin Believers. It might shed some light and open a misguided eye or two.
      BankWatcher