Flexcoin, a Canada-based "Bitcoin Bank", announces that it has been hacked and robbed of all 896 bitcoins held in its hot wallet. The loss is equivalent to $588,000 based on today's bitcoin price.
The company has stated that, "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately."
Coins held in cold storage were not affected. Those with coins held in cold storage will be contacted by the company to verify their identity. It is not known at this time what proportion of the coins were held in cold storage.
Clients keeping their coins in hot storage should not expect to get them back and should understand that they accepted the risk of this happening: "All other users will be directed to Flexcoin's 'Terms of service' located at 'Flexcoin.com/118.html' a document which was agreed on, upon signing up with Flexcoin." On its website, the company disclaims as follows:
"Legal Notice: We are not a true bank that accepts USD or any national currency, only bitcoins which by their nature are not regulated, we're not FDIC insured or regulated by any government entity."
The company has also stated its intention to "work with law enforcement" to investigate the source of the attack. Users should not get their hopes up that this will bear any fruit, as cryptocurrency is entirely unregulated, not on the radar of law enforcement agencies and practically impossible to recover even if it were.
In an update, the company shed some light on what transpired. The hacker logged in and deposited coins with several confirmations. The attacker then exploited a flaw in the code that allows transfers between Flexcoin users. Thousands of simultaneous requests were sent to move coins between accounts until the sending account was "overdrawn". This was repeated, and the attacker then withdrew the coins.
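The flaw described in the update is a check-then-act race: the balance check and the debit are separate steps, so requests arriving together can all pass the check. The sketch below is an added illustration, not Flexcoin's code; the table layout, account names and amounts are constructed, and the simultaneous requests are simulated deterministically by running every balance check before any debit is written. It shows the flawed pattern next to a transfer that checks and debits in one statement.

```python
import sqlite3

def new_ledger():
    """In-memory ledger with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("sender", 10), ("receiver", 0)])
    db.commit()
    return db

def balance(db, user):
    cur = db.execute("SELECT balance FROM accounts WHERE user = ?", (user,))
    return cur.fetchone()[0]

def vulnerable_burst(db, src, dst, amount, n):
    """Check-then-act: the balance check and the debit are separate steps."""
    # Simulated worst case for n simultaneous requests: every request
    # reads the balance before any other request's debit has been written.
    approved = [balance(db, src) >= amount for _ in range(n)]
    for ok in approved:
        if ok:  # decision rests on a stale read
            db.execute("UPDATE accounts SET balance = balance - ? "
                       "WHERE user = ?", (amount, src))
            db.execute("UPDATE accounts SET balance = balance + ? "
                       "WHERE user = ?", (amount, dst))
            db.commit()
    return sum(approved)

def atomic_transfer(db, src, dst, amount):
    """Check and debit in one statement, inside one transaction."""
    with db:  # commits on success, rolls back on exception
        cur = db.execute("UPDATE accounts SET balance = balance - ? "
                         "WHERE user = ? AND balance >= ?",
                         (amount, src, amount))
        if cur.rowcount != 1:  # insufficient funds or unknown sender
            return False
        db.execute("UPDATE accounts SET balance = balance + ? "
                   "WHERE user = ?", (amount, dst))
    return True

def hardened_burst(db, src, dst, amount, n):
    """Same n requests; each re-checks the balance as part of its debit."""
    return sum(atomic_transfer(db, src, dst, amount) for _ in range(n))

if __name__ == "__main__":
    for burst in (vulnerable_burst, hardened_burst):
        db = new_ledger()
        done = burst(db, "sender", "receiver", 10, 5)
        print(burst.__name__, done, balance(db, "sender"), balance(db, "receiver"))
```

With five requests for 10 units against a balance of 10, the first function approves all five and leaves the sender at -40, while the second approves exactly one.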
In the update, the company appears to express some powerful feelings on the development, declaring:
"Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough. Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent. We've failed our customers, our business, and ultimately the Bitcoin community."
Flexcoin's offering paid "discounts" on one's account balance, similar to a bank's interest. These were paid out in bitcoins or "flexcoins". The company states that it does not lend out customer deposits.
The attack comes days after multi-coin exchange Poloniex was hacked, losing 12.3% of bitcoins under its care. In their case, operations will continue but trading will be halted. The 12.3% loss will be evenly distributed among accounts.