Bitcoin investor Marco Martoccia was going to use his Bitcoins to buy a house with his girlfriend. Tradefortress, a young Sydney man who told ABC News he was over 18, but only just, refused to give his real name to Fairfax Media. He offered the wallet service through a website called Inputs.io. The Inputs.io domain is registered to a person with a landline based at a block of flats in Water Street, Hornsby, NSW, according to Fairfax searches. The site claimed to be "one of the most secure web wallets on the market" and charged customers a small fee to store their coins. As well as utilising two-factor authentication and location-based email confirmation, it claimed it was set up to prevent "the hack of Bitcoins even if the web server was compromised".

It now seems that claim has been proven untrue, with Tradefortress telling users on the site: "I don't recommend storing any Bitcoins accessible on computers connected to the internet." In an email interview with Fairfax, he said he would try to refund some of the hacked money using more than 1000 Bitcoins he personally owned and some not taken by hackers. "Users are being repaid up to 100 per cent depending on the amount (sliding scale), generally 40-75 per cent," Tradefortress said. "I won't have any Bitcoins left after this, except for a small amount of commemorative physical coins."

He said the hackers who made off with his customers' coins were able to bypass the two-factor authentication securing the server hosting them "due to a flaw". "The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset)," Tradefortress said. Because of the hacking incident, he said some users would probably lose trust in Bitcoin. "I think that's likely - we haven't seen any extremely sophisticated Bitcoin malware, however advanced malware that infects the computer you use to send [Bitcoins] can steal [them] from external hard drives [and the] browser." He said he won't be reporting the incident to law enforcement because there were "extremely limited actions" it could undertake considering the currency can't be easily traced.

Many of Inputs.io's users were "quite understanding" of what had happened, Tradefortress said. "I've received a lot of comforting support, but there's also ugly responses. It's quite different from the reactions of non-customers." The ugly responses were from users who accused Tradefortress of making up the hacking story. "Some people think I have their money. I don't and I'm using my personal coins to compensate users, yet there's some ugly messages I'm receiving." A sad face emoticon now sits at the top of the Inputs.io site, with text telling users that the hacking has "left Inputs.io unable to pay all user balances".

"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement," the notice says. A customer wrote on Twitter that they had lost four Bitcoins as part of the heist, worth about $1216 today. "I was the victim of part of a $1.2 million Bitcoin hack of an online wallet, inputs.io. If I'm lucky I'll get my principal back in a refund," wrote Marco Martoccia (@sheet_metal). "I still have one ninth of my Bitcoin. I dunno how to feel," he added. Martoccia told Fairfax he was planning on using the Bitcoins as a deposit for a house.

"I hope to get my Bitcoins back some day," he said. "I was [going to] use [them] to buy a house and start a family with my girlfriend in six years. Four Bitcoins isn't a lot, but it was everything to me." Martoccia said he stored his Bitcoins on Inputs.io because he believed it would be safer than storing them on his own computer. "On the surface it seems safer to keep Bitcoins in a bank [like Inputs.io]. I know people can just hack my computer, so I guess they're still vulnerable, even in that case. And paper wallets can be plain lost!" Ty Miller, director of Australian IT security firm Threat Intelligence, said the underlying problem with online Bitcoin wallets was lack of regulation.

"The users of Inputs.io were trusting a random person with their money rather than in the real world when you're dealing with cash, where you trust banks to look after your money," he said. "They're more likely to become compromised because they're not being audited in the same way that those financial organisations are." The Reserve Bank of Australia declined to comment. Miller said there were ways to secure Bitcoins to try to avoid fraud or theft. "But it's really at this stage a personal effort to do that."

He recommended storing coins with a strong password on a device not connected to the internet, using hard-drive encryption and anti-virus. For extra protection, storing the device in a secure room or safe was also recommended. When it came time to use the Bitcoins online, the amount needed could be transferred to an internet-connected computer, he said. At the time of writing, one Bitcoin was worth $A309 or $US292.9 - up from around $US50 in mid-March. There are 11,925,700 million Bitcoins in circulation. Those who invested early in the virtual currency have recently found themselves far better off. A Norwegian man spent 150 kroner ($A28.44) on 5000 Bitcoins in 2009; they are now worth $A1.5 million.