“Be advised that sellers and buyers have been reporting stolen funds from their Localbitcoins wallet all day today,” posted a user on social sharing website Reddit on Thursday.
With a 30-character password and two-factor authentication, the user reported losing his funds on the LocalBitcoins service — a platform that allows bitcoin buyers and sellers to trade coins for cash and vice-versa.
He wasn’t the only one. A number of other users reported the same issue, raising concerns that the LocalBitcoins website/platform had somehow become vulnerable to a malicious attack.
The service took to their official blog to report their findings, and noting that the root cause of the issue may boil down to malware and/or phishing attacks at the end-user level:
“The common pattern between these cases has been that prior the transaction there have been login to the account, and the fact that none of the users affected had 2-factor authentication enabled. Most likely explanation to these attacks have been stolen user credentials through phishing or malware,” the company wrote.
Except some users did have two-factor authentication enabled — complicating the situation.
“There have been claims that users with 2FA have been affected. So far we have received three this kind of reports in total during last month, and some further investigation is required before we can draw too many conclusions about these cases,” the Finnish company said in an update to their original post.
All-told, the company says the amount of users affected has been under 30, and the amount of missing bitcoins has been less than that.
“We will continue investigating these cases during the weekend, and meanwhile outgoing transactions might be delayed, since we try to minimize cold storage movements until everything is sorted out,” they said. “We apologize all inconvenience affected [sic].”