Hacker steals $250K by exploiting Bitcoin exchange Bisq

A hacker exploited a flaw in the trade protocol of the decentralized Bitcoin exchange Bisq to steal more than $250,000 worth of cryptocurrency from its users.

The exchange, which lets users trade cryptocurrency without identifying themselves, unexpectedly disabled trading late Tuesday night, citing “a critical security vulnerability.” It did not immediately release any information about the nature of the problem or whether user funds were safe. Roughly 18 hours after halting trading, Bisq said it had taken the “unprecedented” step after discovering that an attacker who had found a loophole in the software was stealing cryptocurrency from other users.

According to CoinDesk, Bisq officials stated, “About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far.” At the time, the 3 BTC were worth about $22,000 and the 4,000 XMR about $230,000.

To carry out the thefts, the attacker was able to set other users’ default fallback address (the destination to which funds are sent if a trade fails) to an address he controlled. Posing as a seller, he would open a trade with a buyer and simply let the trade’s time limit run out. When the failed trade was settled, the escrowed funds, including the buyer’s payment and security deposit, were paid out to the attacker instead of being returned to the buyer. The flaw was introduced by a recent update to the trade protocol that was intended to improve decentralization by removing trusted third parties from the platform.
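To make the mechanism concrete, here is an added toy model of a failed-trade payout; it is not Bisq’s code, and the message layout, the `fallback_address` field name and the hardened check are assumptions for illustration only. The vulnerable path lets a field in the counterparty’s trade message overwrite the local user’s own fallback address, which is the behaviour the article describes; the hardened path never lets a peer message touch it and additionally requires any fallback address to belong to the local wallet.

```python
from dataclasses import dataclass


@dataclass
class Wallet:
    """One trader's node-side state (toy model, not Bisq's data structures)."""
    owner: str
    addresses: set          # addresses this trader's wallet controls
    fallback: str           # where this trader's funds go if a trade fails

    def set_fallback(self, addr: str) -> None:
        """Local user changes their own fallback address. Hardened form
        (an assumption for illustration): the address must be one this
        wallet controls, so refunds can never be pointed at a third party."""
        if addr not in self.addresses:
            raise ValueError(f"{self.owner}: {addr} is not a wallet address")
        self.fallback = addr


def handle_trade_message(local: Wallet, peer_msg: dict, hardened: bool) -> None:
    """Process an incoming trade message on the local node.

    Vulnerable model: a 'fallback_address' field in the peer's message is
    trusted and overwrites the local user's own fallback address (the flaw
    described in the article).
    Hardened model: the peer's message can never touch the local fallback,
    so the field is ignored. (Illustrative fix, not Bisq's actual patch.)
    """
    if hardened:
        return
    if "fallback_address" in peer_msg:
        local.fallback = peer_msg["fallback_address"]


def timeout_payout(buyer: Wallet, seller: Wallet, amount: int, deposit: int) -> dict:
    """Settle escrow when the trade timer expires: each side's security
    deposit returns to that side's fallback address, and the buyer's trade
    amount returns to the buyer's fallback address."""
    payouts = {}
    payouts[buyer.fallback] = payouts.get(buyer.fallback, 0) + amount + deposit
    payouts[seller.fallback] = payouts.get(seller.fallback, 0) + deposit
    return payouts


def run_trade(hardened: bool) -> dict:
    """Replay the attack: the attacker poses as seller, smuggles his own
    address into the trade message, then lets the trade time out."""
    buyer = Wallet("buyer", {"buyer-addr-1"}, fallback="buyer-addr-1")
    attacker = Wallet("attacker", {"attacker-addr-1"}, fallback="attacker-addr-1")
    # Constructed sample message; the field name is an assumption.
    offer = {"role": "seller", "amount": 1000, "fallback_address": "attacker-addr-1"}
    handle_trade_message(buyer, offer, hardened)
    # The attacker never completes the trade; the time limit runs out.
    return timeout_payout(buyer, attacker, amount=1000, deposit=100)


if __name__ == "__main__":
    # vulnerable: buyer's payment and deposit plus the attacker's own deposit all go to the attacker
    print("vulnerable:", run_trade(hardened=False))
    # hardened: buyer is refunded, attacker only gets his own deposit back
    print("hardened:  ", run_trade(hardened=True))
```

The lesson is general: any field a counterparty supplies must never be allowed to influence where the local user’s own funds are sent, and a refund destination should be validated against the local wallet before it is accepted.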

Bisq had mitigated the defect by 12:00 UTC Wednesday and told CoinDesk that trading had resumed. Because Bisq runs on a peer-to-peer network in which every user operates a node, the usual remedy after an exchange hack, banning the attacker from the platform for good, is not available. A developer associated with the DEX told CoinDesk that although the flaw was mitigated, no steps were taken to prevent the attacker, whose identity is unknown, from accessing and trading on the platform again.

“Anyone can use Bisq, there is no censorship,” the developer said. “Just like anyone can use bitcoin, there is no way to ban someone from bitcoin.”