Bitcoin site Inputs.io loses £1m after hackers strike twice

More than $1m of Bitcoins were stolen when payment processor Inputs.io was hacked, according to the site's owner.

"Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances," the owner wrote in a message headlined ":(".

"The attacker compromised the hosting account through compromising email accounts (some very old and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side."

Known as TradeFortress in the bitcoin community, the developer also runs a bitcoin chatroom called CoinChat and a bitcoin bank called CoinLenders. A small number of bitcoins belonging to the latter were also taken.

TradeFortress ends his message with some advice: "Please don't store Bitcoins on an internet connected device, regardless of [if] it is your own or a service's."

The attacks came in late October, in two separate bursts on 23 and 26 October, but the company waited until this week to notify customers of the incident.

He is attempting to pay back customers who had stored more than 1 BTC (currently worth around $330) from his own personal account, as well as from the coins Inputs.io had in "cold storage" – a wallet not connected to the internet. But that totals slightly more than 1500 BTC, well less than the amount lost.

"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."

TradeFortress, who is Australian, told the Canberra Times that he won't be reporting the incident to the police because of the "extremely limited actions" they could take, given the difficulty of tracing the currency. But that decision has sparked doubt amongst the Bitcoin community.

"This is a good example of why you shouldn't trust online wallet services," said colsatre, a moderator on Reddit's Bitcoin subforum. "Also, don't ever use anything that TradeFortress has made ever again. I don't know why people decided to trust someone who stays completely anonymous to begin with."

"Some people think I have their money," TradeFortres responded. "I don't and I'm using my personal coins to compensate users, yet there's some ugly messages I'm receiving."

Bitcoin users face a trade-off between security and convenience. Storing the coins offline, as TradeFortress now recommends, is technologically more complex – and also makes it harder to spend them in the real world (for example, if attempting to buy a beer in Hackney's Pembury Tavern).

And doing so still doesn't guarantee a user won't lose everything. One of the first major Bitcoin hacks, of 25,000 BTC (at the time worth $500,000, but now worth more than $75m), was taken from a wallet file stored on the hard rive of a windows computer in June 2011.