Hackers steal $5 million from major bitcoin exchange

January 6, 2015, 2:25 AM UTC

Hackers have stolen more than $5 million in virtual currency from Bitstamp, a major bitcoin exchange, forcing the company to freeze user accounts, suspend trades and block deposits.

The Slovenia-based company said Monday that fraudsters made off with 19,000 bitcoins a day prior. It was not immediately clear who was responsible for the theft or how it happened.

Bitstamp CEO Nejc Kodrič has said that his company will assume liability for all bitcoins lost prior to its warning today about the hacking. In a tweet today, he tried to reassure his customers, saying:

Bitstamp has previously said that it tries to keep up to 90% of its funds on hard drives, known in bitcoin jargon as “cold storage,” that are off the grid and therefore harder to hack into. This attack appears to have targeted the remaining 10-15% of cryptocurrency that is stored on servers in a data center.

Such storage, or what’s called a “hot wallet,” is more convenient because bitcoin owners can make transactions more smoothly and quickly. But, being connected to the internet, it is also more vulnerable to theft.

Last year, Japan-based Mt. Gox, then the most prominent bitcoin exchange, imploded after a hacking in which it lost hundreds of millions of dollars in bitcoins. After the breach the cryptocurrency lost half its value.

Overall, bitcoin has suffered a prolonged slump, sinking to $300 from a high of more than $1,000 at the end of 2013. But its value is still up considerably over the past two years. (At the end of 2012, bitcoin sold for around $10.)

In May, an audit of Bitstamp by Mike Hearn, a bitcoin developer, showed that Bitstamp held more than 180,000 bitcoins in its “cold” reserves, worth just under $100 million at the time. Though those amounts have likely changed since, they provide a rough approximation for the company’s total cryptocurrency assets.

Bitstamp’s situation does not appear as bleak as Mt. Gox’s. Still, it is cause for concern.

“It puts a huge dent in the idea of bitcoin security,” said Jackson Palmer, an Adobe engineer and creator of the alternate cryptocurrency Dogecoin.


Bitstamp has been one of the industry’s stalwarts since Mt. Gox’s collapse, and it should have some of the best security in the field, he said. He noted that the breach could negatively impact companies that rely on Bitstamp’s data as well as deter others from transacting with and investing in the cryptocurrency.

BitPay, the bitcoin payment processing company used by a number of companies including Microsoft (MSFT), relies partly on Bitstamp data to set exchange rates between bitcoin and US dollars. BitPay released a statement today on its blog about the Bitstamp hacking that said, “Our merchants experienced no interruption in service over this episode, and bitcoin customers continued to receive the most favorable price available globally.”

To prevent the incident from affecting the integrity of its operation, BitPay is temporarily omitting Bitstamp data from its exchange rate calculation. Microsoft was unable to provide additional information by press time about whether Bitstamp’s situation impacted its operations.

Bitstamp is now working with law enforcement to investigate what happened. A clue may be that a certain bitcoin address, or destination for payments, appears to have received a bitcoin deposit roughly equal to what thieves stole from Bitstamp on Sunday. A spokesperson with the company provided Fortune with a statement from the CEO:

“Bitstamp customers can rest assured that their bitcoins held with us prior to temporary suspension of services on January 5th (at 9am UTC) are completely safe and will be honored in full.

On January 4th, some of Bitstamp’s operational wallets were compromised, resulting in a loss of less than 19,000 BTC. Upon learning of the breach, we immediately notified all customers that they should no longer make deposits to previously issued bitcoin deposit addresses. As an additional security measure, we suspended our systems while we fully investigate the incident and actively engage with law enforcement officials.

This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems.

We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full.

We appreciate customers’ patience during this disruption of services. We are working to transfer a secure backup of the Bitstamp site onto a new safe environment and will be bringing this online in the coming days. Customers can stay informed via updates on our website, on Twitter (@Bitstamp) and through Bitstamp customer support at support@bitstamp.net.”

(The author of this story owns a small amount of bitcoin)