Flexcoin, the self-proclaimed "world's first Bitcoin bank," was robbed by attackers who took advantage of a flaw in the bank's code for transferring bitcoins.
As reported yesterday, Flexcoin shut down after an attacker made off with 896 bitcoins, the equivalent of about $600,000. The company has since posted on its home page a more thorough explanation of just how it was robbed:
The attacker logged into the flexcoin front end from IP address 126.96.36.199 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy
The coins were then left to sit until they had reached 6 confirmations.
The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated.
The stolen coins were in Flexcoin's "hot wallet," the account used to instantly pay out withdrawals. The bitcoins that Flexcoin customers had deposited were stored separately on computers that weren't connected to the Internet, according to Flexcoin. The company said it will attempt to give users their coins back, presuming it can verify users' identities.
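The flaw described in Flexcoin's statement is a check-then-update race: each request checks the balance before any other request has written its debit. The following is an added example, not Flexcoin's code. It replays that interleaving deterministically against an in-memory SQLite ledger and contrasts it with a transfer whose check and debit are a single statement. The table layout, account names and function names are assumptions made for illustration.

```python
import sqlite3

def new_ledger():
    # Constructed sample data: one funded sender, one empty receiver.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 10), ("bob", 0)])
    db.commit()
    return db

def balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

def vulnerable_transfers(db, src, dst, amount, requests):
    # Phase 1: every in-flight request runs its balance check before any
    # request has written. Simultaneous requests produce this interleaving.
    approved = [r for r in range(requests) if balance(db, src) >= amount]
    # Phase 2: each approved request applies its debit and credit.
    for _ in approved:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (amount, src))
        db.execute("UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, dst))
    db.commit()
    return len(approved)

def atomic_transfer(db, src, dst, amount):
    # Check and debit are one statement, so no request can act on a stale balance.
    with db:  # commits on success, rolls back if an exception is raised
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds: nothing was debited
        db.execute("UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, dst))
        return True

def hardened_transfers(db, src, dst, amount, requests):
    # The same burst of requests, each going through the atomic path.
    return sum(atomic_transfer(db, src, dst, amount) for _ in range(requests))

if __name__ == "__main__":
    v, h = new_ledger(), new_ledger()
    print("vulnerable:", vulnerable_transfers(v, "alice", "bob", 10, 5), balance(v, "alice"))
    print("hardened:  ", hardened_transfers(h, "alice", "bob", 10, 5), balance(h, "alice"))
```

In the vulnerable run the ledger total still balances, so only a per-account check for negative balances would flag the overdraft.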