In the early hours of Sunday 5th October, bitify was subject to a well-planned and clinically executed security breach. Our hot wallet was compromised and our attackers managed to steal a little over 15 BTC of funds that were held in escrow. The nature of the attack was such that it was not immediately clear that anything had happened, which is why it has taken us until today to take action.
Fortunately the majority of users' funds being held in escrow were safe in offline storage, so the impact of this attack was lessened. Please be assured that any user who has a payment or refund due will be contacted over the next few days and paid. The owners of bitify are absorbing the cost of this.
Whilst we have not yet completed our investigation, we have identified the attack vector as a vulnerability in a third-party plugin. This was used to inject SQL queries into our database and manipulate the amounts on transactions being released from escrow. What we have not made public until now is that we have seen sustained and almost-daily attack attempts on the site for many months. We have been in contact with the Australian Federal Police regarding this, and will be sharing with them all data that we have on this attack as well as on all previous attempts.
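The attack vector described above, as an added example that is not bitify's code. Nothing is public about the plugin, the schema or the queries involved, so the escrow tables, the `release_vulnerable`/`release_hardened` handlers, the use of `executescript` as a stand-in for a multi-statement query helper, and the satoshi amounts are all constructed for illustration. It shows a release handler that concatenates a request parameter into SQL (so a stacked `UPDATE` can inflate the amount paid out), the same handler with a bound parameter and a check against the deposit record, and a reconciliation query that would flag any escrow paid out above what was deposited for it.

```python
import sqlite3


class ReleaseError(Exception):
    """Raised when a release request fails an integrity check."""


def make_db() -> sqlite3.Connection:
    # Constructed in-memory ledger for this example (hypothetical schema).
    # deposits records what actually arrived on-chain; in this design it is
    # written only by the deposit path, never by the release path.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE escrow   (id INTEGER PRIMARY KEY, seller TEXT,
                               amount_sat INTEGER, status TEXT);
        CREATE TABLE deposits (escrow_id INTEGER PRIMARY KEY, received_sat INTEGER);
        CREATE TABLE payouts  (escrow_id INTEGER, to_account TEXT, amount_sat INTEGER);
        INSERT INTO escrow   VALUES (1, 'bob',  50000000, 'held');
        INSERT INTO escrow   VALUES (2, 'dave', 20000000, 'held');
        INSERT INTO deposits VALUES (1, 50000000);
        INSERT INTO deposits VALUES (2, 20000000);
    """)
    return db


def pay_released(db):
    """Pay every released-but-unpaid escrow at whatever amount its row now holds."""
    rows = db.execute("""
        SELECT id, seller, amount_sat FROM escrow
        WHERE status = 'released'
          AND id NOT IN (SELECT escrow_id FROM payouts)
        ORDER BY id""").fetchall()
    for eid, seller, amount in rows:
        db.execute("INSERT INTO payouts VALUES (?, ?, ?)", (eid, seller, amount))
    return rows


def release_vulnerable(db, escrow_id: str):
    """Release handler that pastes the request parameter into the SQL text.

    executescript() runs every statement in the string, standing in for a
    database helper that permits stacked queries; a ';' in the parameter
    therefore lets the caller append an UPDATE of their own before payout.
    """
    db.executescript("UPDATE escrow SET status = 'released' WHERE id = " + escrow_id + ";")
    return pay_released(db)


def release_hardened(db, escrow_id: str) -> int:
    """Release handler with a typed parameter, bound values and a ledger check."""
    eid = int(escrow_id)  # anything that is not an integer id is rejected here
    row = db.execute("SELECT seller, amount_sat, status FROM escrow WHERE id = ?",
                     (eid,)).fetchone()
    if row is None or row[2] != "held":
        raise ReleaseError(f"escrow {eid} is not held")
    seller, amount, _ = row
    dep = db.execute("SELECT received_sat FROM deposits WHERE escrow_id = ?",
                     (eid,)).fetchone()
    # The escrow row's figure is cross-checked against the deposit record rather
    # than trusted, so a tampered amount_sat cannot increase the payout.
    if dep is None or dep[0] != amount:
        raise ReleaseError(f"escrow {eid}: amount {amount} does not match deposit {dep}")
    db.execute("UPDATE escrow SET status = 'released' WHERE id = ? AND status = 'held'",
               (eid,))
    db.execute("INSERT INTO payouts VALUES (?, ?, ?)", (eid, seller, amount))
    return amount


def overpaid(db):
    """Reconciliation: ids of escrows paid out more than was ever deposited for them."""
    return [r[0] for r in db.execute("""
        SELECT p.escrow_id FROM payouts p
        JOIN deposits d ON d.escrow_id = p.escrow_id
        WHERE p.amount_sat > d.received_sat
        ORDER BY p.escrow_id""").fetchall()]


if __name__ == "__main__":
    evil = "1; UPDATE escrow SET amount_sat = 1500000000 WHERE id = 1"
    db = make_db()
    print(release_vulnerable(db, evil))  # [(1, 'bob', 1500000000)]
    print(overpaid(db))                  # [1]
```

The parameterised query alone stops the injection; the deposit cross-check and the `overpaid` reconciliation are the second layer, there because a bug in some other plugin could still alter the escrow row. Running a query like `overpaid` (or comparing the hot-wallet balance with the sum of held deposits) on a schedule is what turns a silent manipulation of amounts into an alert.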
This attack has prompted us to reflect on our security measures, and we have concluded that we need to make some significant changes to our escrow process and our storage of customers' funds, and have a third party conduct a full security audit. Until this is complete, we feel we have no choice but to suspend our escrow service temporarily, as we simply cannot risk holding users' funds. Effective immediately, buyers will no longer be able to choose to use escrow when purchasing items. All existing transactions that are in escrow will be honored until they are released or refunded.
bitify is owned and operated by two guys, both with families and full-time jobs, who run this site in their evenings and weekends to try and create something new for the crypto community. We have made every effort to provide good customer service and have put 100% of all profits back into development, advertising, and marketing. As such, the cost of this theft is being covered by us personally. If our attackers wish to do the right thing and return our funds to us, they can do so by sending them back to 19bBwiFrAaCLxZZoS4grTDoFFVszxzvPMo. If any of our users wish to help, we would gratefully receive donations of support to the same address.
We must sincerely apologize to our loyal users for this breach and for our decision to temporarily remove our escrow service. It is heartbreaking for us to see our hard work destroyed by cold-hearted, thoughtless hackers.
Thanks for all your support, and we hope that you continue to use our site. If you have any comments, please feel free to share them on our blog post.
Paul & Ahmad