Bitcoin wallet service Inputs.io hacked by thief who stole 4100 BTC

Maria Santos
Author

‘TradeFortress’, the young Australian developer who manages the Bitcoin web wallet Inputs.io, released a concerning statement on his website this Thursday (7): a major hack forced the shutdown of the service after 4,100 BTC were stolen.

Although Inputs.io was supposed to be a high-security digital wallet for its users’ Bitcoins, the administrator claims the platform was hacked at the end of October and cryptocurrency equivalent to $1.345 million at the current exchange rate was stolen. After two weeks, ‘TradeFortress’ has finally started to warn clients with this message:


Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

Database access was also obtained, however passwords are securely stored and are hashed on the client.

If you stored more than 1 BTC, send an email to [email protected] with a bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you’re using on Inputs. Please don’t store bitcoins on an internet connected device, regardless if it is your own or a service’s.

I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement.

Apparently, not even the clients who made deposits after October 23rd, the alleged date of the hack, are safe, according to Coindesk. ‘TradeFortress’ told the website that “the attacker was able to compromise older email accounts which were easily reset as they didn’t have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host’s side”.

One of the curious facts about the attack is that, as stated by the site Hacker News, the Bitcoins were taken from the website’s ‘hot wallet’, the online storage system which processes the live withdrawals. However, this makes it look like Inputs.io was keeping most of “its” cryptocurrency online, while other services often keep up to 80 percent offline.

In a recent interview with an Aussie radio show, ‘TradeFortress’, who also manages coinchat.com and coinlenders.com, said he wouldn’t be reporting the theft to the police because it would be impossible to track the thief.

In the meantime, the administrator behind Inputs.io gave assurances that the stolen money is going to be refunded, according to RT. ‘TradeFortress’ said he would use 1,000 of his own Bitcoins, as well as the money the hackers didn’t steal: “users are being repaid up to 100 percent depending on the amount (sliding scale), generally 40-75 percent”.
