Bitcoin exchange Cryptoine hacked

Lax security and poor programming appeared to be at fault, but that's little comfort to the latest swathe of victim virtual currency investors.
Written by Charlie Osborne, Contributing Writer

Cryptoine has been hacked and its hot wallets emptied -- but the exchange blames a programming bug rather than a full-scale cyberattack.

Cryptoine was a Tor-friendly exchange post which traded in 34 different kinds of cryptocurrency. Despite emphasizing a focus on anonymous trading and core security features -- including secure SSL connections, two-step verification and a decentralized environment -- Cryptoine has simply become the next exchange to become the focus of an attack, less than a month after AllCrypt closed its doors.

At 8:36am UTC on Wednesday, the virtual currency exchange posted an update on its website, which at the time of writing is no longer operational. The trading post apologized and said that this week, a cyberattacker spent approximately seven hours plundering the system and draining Cryptoine's hot wallets -- the online storage facilities used for currency including Bitcoin, Litecoin and Dogecoin.

However, the cyberattacker did not have to break into the system in order to steal funds. Instead, Cryptoine admitted a bug in the trading engine allowed the hacker to manipulate balances as they wished.

"The hacker found some race condition bug in our trading engine. Manipulation of orders gave him false balances," the exchange's website states. In other words, a bug disrupted events happening in the order the program expected -- so withdrawals based on time and checks could be altered to compromise wallets. If two or more threads are attempting to access data at the same time, "racing" to access or change the data, the hacker may have exploited the bug to prevent the proper flow of access data and therefore make withdrawals that were not checked or verified as the program intended.

Cryptoine insists that there was no break-in and no personal data was leaked; nor were any private wallet keys compromised. In addition, the trading exchange says the hacker was not able to execute any external code.

While the bug has been located and fixed, Cryptoine users are still victims, and the company says "the losses are irreversible." Bitcoin, Litecoin, Urocoin, Dogecoin, Bitcoinscrypt, Magi and Darkcoin were among the currencies stolen.

All might not be lost for users. The exchange is closed, Cryptoine is saying "goodbye to all crypto-community," but the firm insists the post will only be gone for a few months as a break, and "we will back stronger and more experienced than ever before."

If the trading post does reappear, users may be able to recover some of their lost funds. Cryptoine has promised that all of the coins left will be returned to users -- due to a hot and cold wallet storage ratio of 60 percent to 40 percent -- and those stolen will eventually be returned in "correspondingly smaller quantities." A screenshot of the hacker's activities is below:


While there is no word on how much was stolen, Cryptoine has promised to reveal more details of the security breach soon.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards