September 5, 2012 | BBC News Technology
One of the biggest Bitcoin currency exchanges has been taken offline after 24,000 units ($250,000; £157,800) of the virtual currency were stolen from its computer servers.
Bitcoins can be used for online money transfers and trades, and the currency uses cryptography to protect it.
But Bitfloor’s founder, Roman Shtylman, said he had kept unencrypted “keys”, which the thief accessed and used to take the money.
Bitfloor’s future is now in doubt.
Mr Shtylman said his New York-based service was the biggest of its kind in the US and the fourth largest in the world.
Creating e-cash
Unlike other currencies, Bitcoins are not issued by a central bank or other centralised authority. Instead they are created in a process called “mining”, in which coins are issued to a user when they solve a complicated mathematical problem using their computer.
The complexity of the problems is determined by the number of “miners”, to ensure there is not a flood of new currency.
Most people using Bitcoins do not create cash in this manner, but rather use currency exchanges – such as Bitfloor – to purchase them.
Part of the attraction is they can be used to make transactions that are difficult to trace, offering privacy to their users, and the currency has been adopted by Wikileaks and other sites to receive donations.
Effectively, a Bitcoin is a very long meaningless string of digits that only has value if its owner uses a shorter related number, known as a private key, to spend it.
The key identifies the address the currency is stored at, allowing the currency to be accessed and transferred to a new owner, who then stores it at a new address safeguarded by a different key.
Unencrypted keys
It is therefore critical that a user protects their keys to secure their Bitcoins – and the Bitfloor exchange used encryption to protect its store.
But Mr Shtylman acknowledged on a forum that he had recently carried out an upgrade of his systems and stored an unencrypted copy of the keys during the process, which the thief took advantage of.
“I realise this is a very serious mistake,” he wrote.
He added the thief had taken the vast majority of the currency that he had been holding at the time, meaning he could not cover all his users’ account balances. However, he added that account details had not been compromised.
“As a last resort, I will be forced to fully shut Bitfloor down and initiate account repayment using current available funds,” he wrote.
“I still have all of the logs for accounts, trades, transfers. I know how much each user currently has in their account for both US dollars and Bitcoins. No records were lost in this attack.”
This is not the first attack on a Bitcoin exchange.
UK-based Bitcoinica was hacked twice this year and subsequently sued by several of its users after they alleged it was not able to honour their withdrawal requests. The firm has since ceased operations for what it terms “a transition period”.
Last year another exchange, Japan’s MtGox, suspended operations for several days after one of its accounts was compromised, causing the currency to plummet in value. The service acted to compensate users who had been caught up in the sell-off.