CryptoThrift Suffers Security Breach, 15 BTC Stolen, Escrow Service Suspended
CryptoThrift is a popular eBay-like site that uses Bitcoin and Litecoin. This weekend it suffered an attack that cost it more than 15 BTC.
Art by: Jing Jin
Another popular bitcoin site has been the victim of a hack. CryptoThrift, an “eBay like” site that allows buyers and sellers to conduct their transactions in both Bitcoin and Litecoin, announced today that they lost a “little over” 15 BTC that was being held in escrow in a hot wallet. The attack took place early Sunday morning.
The funds, which the company says it will cover, were being held in escrow for the duration of various sales. CryptoThrift has stated that the majority of the funds in escrow were held in offline storage, safe from the attacker. That security practice is credited with lessening the effect of the attack.
In a statement emailed to the press and posted on their blog, CryptoThrift blames an unnamed third-party plug-in for the leak:
“Whilst we have not yet completed our investigation, we have identified the attack vector as a vulnerability in a third party plugin. This was used to inject SQL queries into our database and manipulate the amounts on transactions being released from escrow.”
The hack has caused the company to “rethink” its escrow and security practices. Escrow will be suspended for an indefinite period of time and a third-party security company will be brought in to audit CryptoThrift's practices. The attacks have reportedly been going on “almost-daily” for “many months[.]” CryptoThrift has alerted the local authorities to the hack and says it is handing over all related data to them.
CryptoThrift is also quick to point out that the company is currently run “by two guys, both with families and full-time jobs[.]” They also state that all profits to this point have been put towards adding features or advertising the site, so the roughly US $5000 needed to cover the loss will come from their personal savings. They have set up a donation account for members of the community who would like to help out: 19bBwiFrAaCLxZZoS4grTDoFFVszxzvPMo
They state that all current escrows will be honored and that sellers who have funds that were affected by the attack will be contacted shortly. The site remains active but buyers will no longer have the option of using escrow services.
Meanwhile, an alternative, based in China, has popped up.