The LocalBitcoins website has resumed its normal operations for outgoing transactions after a phishing attack was stopped.
The attack was orchestrated via a link that had been added to the official LocalBitcoins forum, and which had led users to a phishing LocalBitcoins clone.
LocalBitcoins disabled withdrawals, with the community manager posting a Reddit warning to all users about the attack.
According to the Reddit post, a team at the popular over-the-counter (OTC) trading platform detected a security vulnerability on January 26.
An unidentified hacker exploited a vulnerability in the website’s forum to link it to a phishing site from where the attackers managed to access a number of accounts on LocalBitcoins and stole user funds.
A Reddit user had posted on bitcoin’s subreddit, warning of the attack and urging users not to attempt logging in to their accounts. The post, which came before the official LocalBitcoins communication, read:
“When visiting the localbitcoins forum […] users are prompted to log into their account, as if they have been logged out. This only seems to happen if you are already logged in. This is [SIC] a PHISHING SITE and 2FA codes are being used to empty customer accounts. Withdrawals have since been suspended by LocalBitcoins.”
One user who claims to have fallen victim to the attack identified the alleged hacker'(s) wallet address and urged that it (the address is 13WaahhsiGph4ysmQtjVhVTdgQUSL62KJr) should be “blacklisted on exchanges.”
At the time of writing, the address had received 7.95205862 BTC (approximately $28,134).
As per the LocalBitcoins’ community manager’s Reddit post, the vulnerability was related to a feature in a third-party software on the forum.
The entire forum feature has since been disabled and remains so as the platform tries to establish the extent of the attack and the number of those affected.
The attack was stopped, and outgoing transactions (which had been disabled) have resumed. At the moment, LBC has confirmed that six user accounts were affected.
One user, who claims to have been among those to fall to the phishing attack, has commented about the speed at which the hacking happened. According to him, it was pretty fast as he was “cleaned out within like 10 seconds of entering the first 2fa code.”
While LocalBitcoins provides an escrow service for its users, it is advisable for account holders to send bitcoins when executing a trade only and not to have their coins on the exchange when not.
Elsewhere, the attack on LBC follows another phishing scam that saw the international police arrest a 36-year-old man on suspicion of stealing IOTA worth $11 million.
Earlier this month, police in India detained a fourth suspect in cryptocurrency scam that saw investors lose up to 5 billion rupees (or approximately $70.5 million) in investments.
New Taipei police also recently arrested fifteen people in connection with a crypto scam in which up to 30 investors allegedly lost $8 million.
Disclaimer: This is not investment advice. Cryptocurrencies are highly volatile assets and are very risky investments. Do your research and consult an investment professional before investing. Never invest more than you can afford to lose. Never borrow money to invest in cryptocurrencies.