The popular peer-to-peer (P2P) bitcoin trading platform LocalBitcoins has confirmed that it was accessed by “an unauthorized source,” an incident caused by a vulnerability in a third-party feature.
LocalBitcoins Forum Disabled
According to a thread which appeared on Reddit earlier today, popular P2P bitcoin trading platform LocalBitcoins has been subjected to a phishing attack.
LocalBitcoins has posted the following announcement:
We would like to inform that today 26.01.2019 at approximately 10:00:00 UTC, LocalBitcoins has detected a security vulnerability – an unauthorised source was able to access and send transactions from a number of affected accounts. Outgoing transactions were temporarily disabled while we investigated the case.
We were able to identify the problem, which was related to a feature powered by a third party software, and stop the attack. At the moment, we are determining the correct number of users affected – so far six cases have been confirmed. For security reasons, the forum feature has been disabled until further notice.
Outgoing transactions have already been re-enabled and we have taken a number of measures to address this issue and secure the limited number of accounts that might have been at risk.
Your LocalBitcoins accounts are currently safe to log in and use – we encourage you to enable Two-factor authentication, if you have not yet.
We sincerely apologise for any inconvenience this might have caused.
Kind Regards, LocalBitcoins
Reddit user u/bitcoinbabeau shared that when users visit the platform’s forum URL, they are prompted to log into their account as if they had been logged out.
Apparently, this only happens if the user is already logged in. According to the user, the URL leads to a phishing site that sends the 2FA codes to the hacker, enabling him to empty their accounts.
According to the thread, withdrawals on the platform have been disabled. Additionally, the platform’s forum is also currently disabled.
At the time of this writing, LocalBitcoins hasn’t come up with an official statement on the matter.
$28,000 Purportedly Gone Already
Commenting on the abovementioned thread, one user said that he is probably the first to fall victim to the hacker. He revealed that 0.14 BTC had been taken from his account and posted the details of the transaction.
The receiving address already holds 7.95 BTC at press time. At the current BTC rate, this is roughly $28,000.
It remains unclear whether this is the actual (or the only) address of the hacker.
Last year, the P2P trading platform disabled multiple accounts because of new EU privacy laws.