How a single typo let a hacker steal over £500,000 worth of cryptocurrency

Crypto-anonymising protocol Zcoin reveals more about the internal code bug.


A simple one-digit typo in the source code of a cryptocurrency called Zcoin has allowed a hacker to make a profit of over $400,000 in cryptocurrency.

In a blog post, published on 17 February (Friday), Zcoin's community manager Reuben Yap said: "A typographical error on a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint."

The exploit has been blamed solely on the coding error and the firm has stressed there is no weakness in the cryptography of its virtual money. Essentially, it gave the attacker the ability to siphon Zcoins multiple times out of single transactions for "several weeks."


Zcoin works in a similar fashion to Bitcoin, the decentralised virtual currency which trades without the need for a central bank.

It is based on a protocol called Zerocoin, which is described as a "cryptographic extension that allows fully anonymous currency transactions."

Because of the coding error, the hacker was able to create about 370,000 Zcoins, which is equivalent to £561,000 ($699,000) according to CoinMarketCap. Most of these coins have already been sold on and converted to other cryptocurrencies. As such, the firm believes the majority of the damage has already been "absorbed on the market."

This meant the hacker, whose identity remains a mystery, made a profit of roughly 410 Bitcoin, which is equivalent to roughly £349,000 ($435,000) at the time of writing. As previously reported, cryptocurrency, especially Bitcoin, is vulnerable to rapid price fluctuations.

Zcoin said that from its internal investigation of the incident the hacker – or hackers – are "very sophisticated", taking careful steps to "camouflage their tracks" by using a number of different exchange accounts to spread out deposits and withdrawals.

"We knew we were being attacked when we saw that the total mint transactions did not match up with the total spend transactions," Yap explained. "If our total supply was not verifiable due to hidden amount transactions, we would not have been able to discover this bug.

"Despite the severity of the hack, we will not be forfeiting or blacklisting any coins. Trading will resume once pools and exchanges have had time to update their code.


"We urge all pools and exchanges to update once the release is out. Prior to this announcement we had disclosed the hack to the exchanges for them to assist in our investigations."

Last year, there were numerous large-scale hacks focused on cryptocurrencies. In August, the Hong Kong-based Bitcoin exchange Bitfinex revealed cybercriminals were able to steal over 110,000 Bitcoin, a massive haul that was the equivalent of $65m in cash.
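
The mismatch Yap describes, total mints not matching total spends, can be checked as a running invariant because mint and spend amounts are public. The sketch below is an added example, not Zcoin's code or audit tooling; the ledger tuple layout, the fixed denominations and the function names are assumptions, and the sample ledger is constructed.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data):
# (block_height, kind, denomination), where kind is "mint" or "spend".
SAMPLE_LEDGER = [
    (100, "mint", 25),
    (101, "mint", 25),
    (102, "spend", 25),
    (103, "mint", 100),
    (104, "spend", 25),
    (105, "spend", 25),   # third spend of a denomination minted only twice
    (106, "spend", 100),
    (107, "spend", 100),  # second spend of a denomination minted only once
]


def audit_supply(ledger):
    """Flag every spend that breaks the supply invariant.

    Invariant: for each denomination, cumulative spends never exceed
    cumulative mints. Returns (height, denomination, mints, spends) tuples.
    """
    mints = defaultdict(int)
    spends = defaultdict(int)
    violations = []
    # Sorting by height replays the chain in order; within one height,
    # "mint" sorts before "spend", so same-block mints are counted first.
    for height, kind, denom in sorted(ledger):
        if kind == "mint":
            mints[denom] += 1
        elif kind == "spend":
            spends[denom] += 1
            if spends[denom] > mints[denom]:
                violations.append((height, denom, mints[denom], spends[denom]))
        else:
            raise ValueError(f"unknown transaction kind: {kind!r}")
    return violations


def excess_value(ledger):
    """Total face value of coins spent without a corresponding mint."""
    return sum(denom for _, denom, _, _ in audit_supply(ledger))


if __name__ == "__main__":
    for height, denom, minted, spent in audit_supply(SAMPLE_LEDGER):
        print(f"block {height}: denomination {denom} has {spent} spends, {minted} mints")
    print("unbacked value:", excess_value(SAMPLE_LEDGER))
```

Run per block rather than as an end-of-period total, this check reports the first height at which a spend has no matching mint.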

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.