Hackers Pull Off $12,000 Bitcoin Heist

A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency.
Adam Crowe/Flickr

That attack knocked Bitinstant offline over the weekend. The company says that while it lost Bitcoins, no customers were affected by the hack.

The criminals were able to take control of Bitinstant's internet domains by convincing its domain registrar, Site5, to hand over control of the company's Domain Name System, or DNS, records. "Armed with knowledge of my place of birth and mother's maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login," the company said Monday in a blog post detailing the incident.

With control of the DNS, the bad guys also had control over Bitinstant's email, because a domain's DNS records determine where mail for that domain is delivered. They then requested an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant's account. The total haul: $12,480.

The attack worked on the VirWox exchange because Bitinstant's account didn't have two-factor authentication. In other words, the criminals were able to empty out money with just a user name and password. "No other exchanges were affected," Bitinstant wrote, saying that the other exchanges it uses were protected by such security precautions as multi-factor authentication, Yubikeys, and auto lockdowns.
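The chain described above (a new login added at the registrar, DNS pointing somewhere new, password-reset mail landing in the attacker's inbox) is detectable from the outside if a company keeps a baseline of its own registrar contacts and DNS records and diffs it against what it sees. The script below is an added example written for this article, not Bitinstant's, Site5's or VirWox's tooling; every domain, nameserver and address in it is a constructed placeholder.

```python
"""Flag registrar/DNS changes that would let someone divert a domain's
password-reset mail. Added example; all record values are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One observation of a domain's control-plane state."""
    ns: frozenset            # authoritative nameservers
    mx: frozenset            # mail exchangers ("prio host")
    a: frozenset             # A records for the web host
    registrar_contacts: frozenset  # logins/e-mails on the registrar account


@dataclass
class Alert:
    severity: str
    kind: str
    detail: str


# Changes to these give an outsider control of resolution, mail delivery or
# the registrar account itself; any one of them is enough to receive a
# password-reset e-mail sent to the domain.
MAIL_DIVERSION_KINDS = {"ns", "mx", "registrar_contacts"}


def diff_snapshots(baseline: Snapshot, observed: Snapshot) -> list[Alert]:
    """Return one alert per record type whose set of values changed."""
    alerts: list[Alert] = []
    for kind in ("ns", "mx", "a", "registrar_contacts"):
        before = getattr(baseline, kind)
        after = getattr(observed, kind)
        added, removed = after - before, before - after
        if not added and not removed:
            continue
        severity = "high" if kind in MAIL_DIVERSION_KINDS else "medium"
        alerts.append(Alert(severity, kind,
                            f"added={sorted(added)} removed={sorted(removed)}"))
    return alerts


def mail_takeover_possible(alerts: list[Alert]) -> bool:
    """True if any change could redirect the domain's inbound mail."""
    return any(a.kind in MAIL_DIVERSION_KINDS for a in alerts)


# Constructed baseline: what the company recorded when it last audited itself.
BASELINE = Snapshot(
    ns=frozenset({"ns1.example-registrar.invalid", "ns2.example-registrar.invalid"}),
    mx=frozenset({"10 mail.example-company.invalid"}),
    a=frozenset({"192.0.2.10"}),
    registrar_contacts=frozenset({"ops@example-company.invalid"}),
)

# Constructed observation after a registrar takeover: a second login was added
# and nameservers plus MX now point at hosts the company does not own.
OBSERVED = Snapshot(
    ns=frozenset({"ns1.not-ours.invalid", "ns2.not-ours.invalid"}),
    mx=frozenset({"10 mx.not-ours.invalid"}),
    a=frozenset({"192.0.2.10"}),
    registrar_contacts=frozenset({"ops@example-company.invalid", "newlogin@webmail.invalid"}),
)


def run_check(baseline: Snapshot = BASELINE, observed: Snapshot = OBSERVED):
    """Diff the two snapshots and say whether reset mail could be diverted."""
    alerts = diff_snapshots(baseline, observed)
    return alerts, mail_takeover_possible(alerts)


if __name__ == "__main__":
    found, diverted = run_check()
    for alert in found:
        print(f"[{alert.severity.upper()}] {alert.kind}: {alert.detail}")
    print("password-reset mail could be diverted:", diverted)
```

In practice the "observed" snapshot would come from a scheduled DNS query against the public resolvers plus a pull of the registrar account's contact list; the point of the diff is that a registrar-side change shows up as a high-severity alert before anyone notices an exchange account being emptied.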

Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. "Bitinstant was not using it (they learned and do now)," the representative said in an email message.

This isn't the biggest Bitcoin heist. Last year, the Bitcoinica exchange was hacked twice, to the tune of more than 60,000 bitcoins. (A Bitcoin is worth more than $40 today; the Bitcoinica thefts were worth several hundred thousand dollars at the time.) That exchange eventually went out of business.

Bitcoins have been getting a lot of attention lately. The Internet Archive is paying its staff members in Bitcoins. You can use them to shop at Amazon or even buy a pizza. But that has made them a more attractive target to hackers, who have taken to writing malicious software that steals Bitcoins out of digital wallets stored on people's desktop computers.

Gavin Andresen, chief scientist with the Bitcoin Foundation, says he had a digital wallet swiped last year. It had been stored on an internet service provider's computer. But the thieves got away with only about $15. That's because Andresen stores most of his Bitcoins on an encrypted laptop that's not connected to the internet.

"Right now, we're in the Wild West days of Bitcoins," he says. "And some of the smaller exchanges and smaller services just don't have their security up to snuff yet."

Site5 and Bitinstant couldn't immediately be reached for comment.

H/T: Help Net Security.

Update -- This story has been updated to include comment from VirWox.