Hackers steal $1.2 Million of bitcoins from Inputs.io, a supposedly secure wallet service

Approximately $1.2m worth of bitcoin have been stolen from a wallet service intended to be high-security.

Nov 7, 2013 at 2:22 p.m. UTC
Updated Feb 21, 2023 at 1:14 p.m. UTC

UPDATE (8th November, 13:06 GMT):

In a phone interview with Australia's AM radio show, Tradefortress responded to challenges that the theft was 'an inside job', though he insisted that he wouldn't be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit.

    When asked about his age, Tradefortress told the publication: "I'm over 18 but not much over."

    Tradefortress's public identity remains unknown; however, his reputation on Bitcointalk seems to be questionable, with at least two members claiming to have been scammed by him for failing to deliver on coding projects he had already been paid for. He has said that he wishes to retain his anonymity as he now fears for his safety in light of this recent heist.

    Tradefortress also runs coinchat.com as well as coinlenders.com.

    ----------------------------------------

    Tradefortress, the developer behind bitcoin web wallet Inputs.io, released a statement on his website today, after being forced to close it down in the aftermath of a major hacking incident, saying:

    "I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."

    Inputs.io, which was intended to be a high-security bitcoin web wallet, was apparently hacked on the 23rd of October, when thieves stole bitcoins worth over $1.2m at current BPI prices. The statement, published this morning, continues:

    “Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

    "Database access was also obtained, however passwords are securely stored and are hashed on the client.

    "If you stored more than 1 BTC, send an email to support@inputs.io with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store bitcoins on an internet connected device, regardless if it is your own or a service's.

    "I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.”

    According to Hacker News, just as in the Bitfloor theft, in which 24,000 BTC were stolen, the bitcoins were stolen from the website’s ‘hot wallet’ - an online wallet which has to operate to process live withdrawals. However, it seems as if Inputs.io was keeping most if not all of their coins online, whereas other services often keep as much as 80% offline.

    Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet.

    In contrast to a service like Blockchain.info (which, although generally thought of as safe, still suffered a security issue back in August), Inputs.io is a shared wallet that manages its users' balances and their private keys, which gives the service full access to all the bitcoins stored with it.

    Blockchain.info account access is secured by an identifier/alias and password combination together with two-factor authentication, and is generally thought of as secure. However, as with any technology, nothing is foolproof. According to Bitcoin Talk forum user ‘masteroflove’:

    “If the blockchain.info domain is compromised, the hacker can serve malicious JavaScript that will record your passwords and can get access to all your bitcoins. That's why it is recommended to use the Chrome or Firefox blockchain app. But even this isn't 100% foolproof as an attacker that gains access to blockchain's credentials can push a malicious update that will automatically update on your browser apps.”

    Questions are now being asked publicly about Inputs.io's main developer Tradefortress, who, whilst still not widely known in public, claims to have a deep understanding of the complexities of security procedures for bitcoin wallets.

    When CoinDesk approached Tradefortress for comment, he informed us that "the attacker was able to compromise older email accounts which were easily reset as they didn't have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host's side."

    He continued: “We don’t use client-side encryption; that’s hardly foolproof and gives people a false sense of security.”

    When queried over how much Inputs.io will be able to reimburse users he responded somewhat obscurely: "[We'll be able to refund] as much as 100%. For Inputs it is solely based on the amount. 1 BTC at the current sliding scale would be 74%, 2 BTC 65%... This figure is not final, and if we have leftover coins we'll be able to refund more."

    In other words: if you had less than 1 BTC on Inputs you should get it back, otherwise, be prepared to take a haircut.
