Bitcoin Payment Processor Breached – 1,295 Bitcoins (c$1m) Stolen

BIPS' primary service is to allow merchants to accept payment in bitcoins, and exchange them for other currencies. As part of its service it provided free bitcoin wallets to allow people to store their bitcoins free of charge. In this sense it was similar to a bank, holding cash accounts (bitcoin wallets) for customers. The criminals broke into the system and transferred the bitcoins to their own wallet/accounts.

The attack started on 15 November with what is described as a 'massive DDoS attack.' Two days later, reports CoinDesk, it was followed by a subsequent attack "that disabled the site and 'overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers.'"

In a written statement the company added, “Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets.” BIPS believes that the two attacks were related, and that the DDoS attack originated from Russia and neighboring countries.

"Kris Henriksen, BIPS’ CEO," reports CoinDesk, "said most of the missing funds were 'from the company’s own holdings'. BIPS uses an algorithm, based on supply and demand, to work out the amount of bitcoins it needs to keep... in a ‘hot wallet’. The heist, however, was apparently not due to any vulnerability in the code itself."

David Harley, ESET senior research fellow, notes that the attack is symptomatic of the increasing spillage of virtuality into reality. "Bitcoin, and similar operations such as Litecoin, are of particular interest to cybercriminals because they can be used to purchase real assets, not just virtual assets. Rather like," he says, "the way that ‘treasure’ and currency from online games and virtual environments like Second Life have spilled over into real life and real-life cybercrime in recent years."

He suspects that the lack of central regulation may make virtual assets easier to exploit, and notes that virtual currencies are already targeted by malicious code such as Win32/Delf.QCZ, CoinMiner, and MSIL/PSW.LiteCoin.A. He also points out that "while there is a great deal the individual can do to protect him or herself against malicious activity (security software, good systems and application patching and update practice, and being cautious about the sort of social engineering that phishing crews employ), there are some attacks where your defenses are only as good as your service providers’ security allows."

The irony is that the lack of regulation is both a blessing and a curse. "It turns out," notes Amichai Shulman, CTO at Imperva, "that the same characteristics that made this payment system so popular are the ones that now prevent people from getting their stolen money back. A potential deterrent for such events would be to introduce a black-listing mechanism into the Bitcoin protocol which would prevent people from cashing out on stolen wallets (which would take out the incentive for stealing them in the first place – assuming that BCs are not traded into money before the theft is detected)."

But for now, he adds, all the victims can do "is sit back and watch how their stolen Bitcoins are being anonymously traded (since all transactions in Bitcoin are public)."
