Europe's primary bitcoin payment processor for merchants and free online wallet service, BIPS, was the target of a major DDoS attack and subsequent theft in the past few days that saw 1,295 BTC (just over $1m on CoinDesk's BPI) stolen.
Kris Henriksen, BIPS' CEO, said most of the missing funds were "from the company's own holdings". BIPS uses an algorithm, based on supply and demand, to work out the amount of bitcoins it needs to keep in a "hot wallet". The heist, however, was apparently not due to any vulnerability in the code itself.
He also said merchants who had chosen to instantly convert their bitcoin to fiat currency bank accounts were not affected.
The Copenhagen, Denmark-based company was targeted on 15th November by a massive DDoS attack. A second attack on 17th November disabled the site and "overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers".
"Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets," the company said in a written statement.
BIPS believes the two attacks were connected, and at least the initial DDoS attack was "found to originate from Russia and neighboring countries". The company moved fast to restore full merchant payment and transfer services by 19th November, but disabled all wallet functions in order to complete a full forensic analysis. Its help desk also went down for a few days, but was restored on 22nd November.
Under BIPS' privacy policy, it is not allowed to disclose users' information to anyone, even the authorities. It will now set up a system for affected wallet users to voluntarily sign the required permission documents, so that a more thorough investigation can be carried out with law enforcement to track down the culprits.
Henriksen stressed that merchant processing "was restored very quickly, and if you had auto-convert on, there is nothing to worry about".
BIPS' official statement on its site read:
To protect the successful merchant processing business, BIPS has decided to temporarily close down its consumer wallet initiative.
BIPS has been a target of a coordinated attack and subsequent security breach. Several consumer wallets have been compromised and BIPS will be contacting the affected users.
As a consequence BIPS will temporarily close down the wallet initiative to focus on real-time merchant processing business which does not include storing of bitcoins. Subsequently BIPS will consider reintroducing the wallet initiative with a re-architected security model.
The consumer wallet initiative has not been BIPS' core business and, as such, while regrettably affecting several users, has not affected BIPS merchant acquiring.
All existing users will be asked to transfer bitcoins to other wallet solutions, and users affected by the security breach will be contacted.
Restoration of merchant services did little to comfort individual wallet owners, though. On the Bitcoin Talk forum, several users voiced anger at the prospect of losing their funds, and what they saw as unclear statements from BIPS about exactly what had been stolen, from whom, and how much.
One member even created a "bips.me potential lawsuit signup form" for users to input their contact details and number of bitcoins missing, in an effort to prompt a negotiated solution.
Online wallet services have run into security problems before, but this attack and theft is significant given BIPS' comparatively large user base and prominence in the market. As well as online accounts, BIPS had also offered a paper wallet function for those wishing for a safer long-term storage solution.