Hacker stole $250K from decentralized Bitcoin exchange Bisq

Cryptocurrency exchange Bisq stopped trading activities due to a cyberattack, crooks have stolen $250,000 worth of virtual currency from the company.

The decentralized exchange (DEX) Bisq rang stopped trading activities late Tuesday night after it uncovered a critical security vulnerability that was exploited by a hacker to steal more than $250,000 worth of cryptocurrency from users.

“Bisq developers are currently investigating a critical security vulnerability, and the alert key has been used to temporarily disable trading.” reported the decentralized exchange. “A hotfix release will be published within a few hours.”

The hacker has stolen roughly $22,000 worth of bitcoin (BTC) and $230,000 worth of monero (XMR).

“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far,” Bisq said in a statement to CoinDesk.

The issue was caused by a recent update to the network that introduced a security flaw that allowed attackers to manipulate fallback addresses.

A default fallback address is the address of the walled used as a destination in the transaction in the case of trade fails.

The hacker set other users’ default fallback address, posing as a seller they would start a trade with a buyer and wait for the time limit to run out. In this scenario, the funds are transferred to the attacker address along with the buyer’s payment and security deposit too.

Bisq has solved the issue by 12:00 UTC Wednesday and resumed trading, but some users continue to report the failure of trades and the disappearance of funds.

“In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX’s associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.” concludes CoinDesk.

“Anyone can use Bisq, there is no censorship,” the developer said. “Just like anyone can use bitcoin, there is no way to ban someone from bitcoin.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Bisq exchange, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.