On Reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting funds stolen from their wallets on the website. The user said that he didn’t believe all of the commotion at first, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30-character random password and GAuth, he realized something was really wrong.
Don4of4 mentions that he changed his password after the Heartbleed vulnerability became known. He advises users to disable JavaScript (‘Js’) before withdrawing any funds to safer places in order to prevent XSS attacks. Don4of4 posted a picture of a Bitcoin wallet address that his Bitcoins were sent to without his knowledge.
Other people have also reported stolen funds. A user by the name of ftctrades wrote on the LocalBitcoins forum that,
“Within 20 min of completing a trade, btc was sent from [his] account – this while [he] was logged into [his] account on localbtc.”
Another user, BigStretch3, wrote that twenty minutes after he deposited his Bitcoin on LocalBitcoins, they were transferred to another address without his knowledge. He worries that his coins may be lost forever, and is asking for help.
On its Twitter account, LocalBitcoins had the following to say about the issue:
@klintron Looking into the issue at the moment. Will inform when we have more exact information.
— LocalBitcoins.com (@LocalBitcoins) April 17, 2014
LocalBitcoins Responds to Commotion
A few hours after don4of4 posted a warning, LocalBitcoins responded to the stolen funds mystery. They’ve written that they’ve found
“One systematic and recent attack against LocalBitcoins users, and right now it seems that the amount of users attacked have been under 30, and amount of bitcoins reported has been less than that.”
LocalBitcoins claims that the pattern in all of these cases is that before the transactions, the users were logged into their account and that they didn’t have the 2-step authentication on. LocalBitcoins explains that the attacks must
“have been stolen user credentials through phishing or malware. So far nothing indicates that this have been a security flaw on the website itself, but we are going to continue investigating the case.”
LocalBitcoins does mention that there have been “two or three isolated cases” that don’t fall under the pattern it has drawn out. This means that those two or three cases had two-step authentication enabled. For these isolated cases, LocalBitcoins claims that more research needs to be done before any conclusion can be made.
LocalBitcoins concludes that it will continue to investigate the problem. However, it warns that outgoing transactions might be delayed because it is lessening cold storage movements until everything is back to normal.