Flexcoin – flexing Bitcoins to their limit

No doubt everyone reading this has heard about the recent scandalous Mt. Gox hack, which is obviously not very good press coverage for Bitcoin. However, the situation has been further aggravated by the fact that another Bitcoin-related site, this time Flexcoin, the “world’s first Bitcoin bank”, has been hacked and forced to shut down. Their homepage now reads:

On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet. The attacker made off with 896 BTC, dividing them into these two addresses:



As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.
Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. All other users will be directed to Flexcoin’s “Terms of service” located at “” a document which was agreed on, upon signing up with Flexcoin.

Flexcoin will attempt to work with law enforcement to trace the source of the hack.

The Bitcoin addresses that had the coins in (1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu and 1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6) have since been drained, and the loot split into tens, if not hundreds, of other addresses. We’ll keep you posted as and when we get further information.

These recent attacks are causing people to worry significantly about the use of Bitcoins. The way Bitcoin works is explained in this video, which shows how Bitcoin works as a peer-to-peer network. Because of this, flaws can be easily exploited, as shown in the case of Mt. Gox, who state on their site:

…illegal access through the abuse of a bug in the bitcoin system resulted in … a possibility that bitcoins had been illicitly moved through the abuse of this bug – MtGox Co.

For anyone who is concerned about usage of Bitcoin, I would recommend moving your BTC funds to a locally hosted wallet; that way, if a Bitcoin wallet provider goes the way of Flexcoin and Instawallet, you will not be affected as severely and your funds will stay safe.


Update (4th March):

During the investigation into stolen funds we have determined that the extent of the theft was enabled by a flaw within the front-end.

The attacker logged into the flexcoin front end from IP address under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy

The coins were then left to sit until they had reached 6 confirmations.

The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to “move” coins from one user account to another until the sending account was overdrawn, before balances were updated.

This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.

Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough.

Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.

Please direct any and all questions to [email protected] and we will reply to you as soon as possible.
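The transfer flaw described in the update above is a check-then-update race. The following is an added example, not Flexcoin's code or part of the original statement, showing the weak pattern beside a hardened one in which the funds check and the debit are a single conditional UPDATE. The schema, account names and function names are hypothetical, the amounts are constructed, and the overlap of requests is simulated deterministically (all checks run before any update) rather than with real threads.

```python
import sqlite3

def new_ledger():
    """In-memory ledger; accounts and amounts are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 0)])
    db.commit()
    return db

def balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

def overdrawn(db):
    """Invariant check a defender can run: no account may go negative."""
    return [r[0] for r in db.execute("SELECT user FROM accounts WHERE balance < 0")]

# Weak pattern: the update trusts a balance check that was made earlier.
def apply_unchecked(db, sender, receiver, amount):
    db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (amount, sender))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, receiver))
    db.commit()

def racy_batch(db, sender, receiver, amount, n):
    """n overlapping requests: every check completes before any update lands."""
    approved = [balance(db, sender) >= amount for _ in range(n)]
    for ok in approved:
        if ok:
            apply_unchecked(db, sender, receiver, amount)

# Hardened pattern: check and debit are a single conditional UPDATE, in one transaction.
def atomic_transfer(db, sender, receiver, amount):
    if amount <= 0:
        return False
    with db:  # commits on normal exit, rolls back if an exception escapes
        debit = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
            (amount, sender, amount))
        if debit.rowcount != 1:
            return False  # insufficient funds or unknown sender; nothing changed
        credit = db.execute(
            "UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, receiver))
        if credit.rowcount != 1:
            raise LookupError("unknown receiver")  # rolls the debit back
    return True

def atomic_batch(db, sender, receiver, amount, n):
    return sum(atomic_transfer(db, sender, receiver, amount) for _ in range(n))
```

Running `overdrawn()` as a periodic reconciliation check gives a detection signal for this class of bug even where the transfer path itself has not yet been fixed.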