Local Bitcoins has earned its reputation for being a convenient place where regular folks can buy BTC with their credit cards without dealing with greedy exchanges that ask for a premium. It’s the forum where small miners and early HODLers alike regularly post announcements about selling some of their precious digital gold, while people willing to exchange fiat for some satoshis find the fast service and reputation-based system just perfect for their needs. Until recently, the service was also devoid of any KYC requirements.

In financial terms, the Finnish website enables OTC (or Over-the-Counter) trading. This is the kind of financial exchange that doesn’t influence the market price directly, but affects the circulating supply by potentially producing scarcity. However, using Local Bitcoins isn’t all about economics or political reasons that drive people to avoid big exchanges: it enables bitcoiners to discover fellow enthusiasts around their area, and then meet, connect, and become part of communities. This social component is one big reason why the website has remained popular and relevant, as it removes the alienation associated with trading on big platforms like Coinbase or Binance.

The unfortunate hack

Yet in spite of these advantages, Local Bitcoins doesn’t benefit from the same kind of advanced security that one can find on exchanges. This is one of the reasons why, on January 26th 2019, a user named BitcoinBabeau took to the r/Bitcoin subreddit to announce that a phishing attack had been made on the website domain. As a consequence of this malevolent meddling with the platform, logged-in users were asked once again for their passwords and two-factor authentication data. As soon as the information was provided, the targeted user accounts were liquidated.

This unfortunate turn of events caused the administrators to shut down withdrawals and investigate. Local Bitcoins’ Vera quickly posted an update on Reddit to announce that the hacking was due to third-party software, and that six user accounts had been affected by the malevolent liquidation. As was revealed, the KYC database wasn’t affected, as the attack took place only on the forums page software.

The small scale of the attack and the quick process of identifying the issue and resolving it are proof that the team behind the project is competent and responsive. However, this is still bad news: the hack proved to be a script which took advantage of the 60-second availability of the 2FA code to use it both for login and wallet liquidation (as both actions require a code). It’s a smart workaround that exploits a terrible shortcoming of something that should theoretically generate more security.
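The server-side check that closes this gap, as an added example (not Local Bitcoins' code): a TOTP verifier that records the last accepted time step, so a code already used for login cannot also authorize a withdrawal, as RFC 6238 requires. The 60-second step comes from the article; the 6-digit SHA-1 codes, the class name and the sample secret and timestamp are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds a code stays valid; the article cites a 60-second window
DIGITS = 6     # assumption: standard 6-digit codes


def totp(secret: bytes, counter: int) -> str:
    """RFC 4226/6238 one-time code for a given time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class ReplaySafeVerifier:
    """Hypothetical verifier: each time step authorizes at most one action."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_used = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        if counter <= self._last_used:
            return False  # this step's code was already spent (replay)
        if not hmac.compare_digest(totp(self._secret, counter), code):
            return False
        self._last_used = counter  # burn the step on success
        return True


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    t_login = 1_548_500_000.0             # constructed timestamp
    phished_code = totp(secret, int(t_login // STEP))
    v = ReplaySafeVerifier(secret)
    return {
        "login": v.verify(phished_code, t_login),
        "withdraw_same_code": v.verify(phished_code, t_login + 10),
        "withdraw_next_step": v.verify(
            totp(secret, int((t_login + STEP) // STEP)), t_login + STEP),
    }


if __name__ == "__main__":
    print(demo())
```

With this check in place, a captured code is spent at login, and the withdrawal needs a fresh code from the next time step.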

At press time, it’s still unclear if the users who had their funds stolen will receive any compensation to make up for their losses.

Later edit: Reddit user tefl0ncc has taken the time to explain the process through which the 2FA system was exploited and his Local Bitcoins account got hacked. Attached you will find the complete story:

What does this attack mean for Local Bitcoins?

Depending on how the case gets resolved in relation to the six users who had their bitcoins stolen, Local Bitcoins can either solidify its reputation in the community, or remind everyone that it isn’t much different from an exchange in political terms. However, the social component of meeting somebody in person and exchanging bitcoins is still a unique idea that other major players don’t seem to encourage. So even if the escrow system of LB gets removed for security reasons, there is still an essential use case for the platform.

Nevertheless, all bitcoiners should keep in mind the words of Nick Szabo about the poor scalability of trust, and how every third party involved can represent a security hole. As Bitcoin grows as a network and has its native currency turn into a popular financial asset, it’s important for users to exercise their self-sovereignty and autonomy. Holding your digital gold on any kind of platform or exchange is a bad idea in itself, and even if the security is top notch, there are still phishing attacks or social engineering methods to hack into individual accounts.

This security risk, which grows exponentially with the adoption of BTC, should be minimized by using decentralized exchanges and high-security individual wallets (that may include hardware or paper wallets). Keeping the coins on any kind of website or platform has proven to be a bad idea, and it’s the traders who are most exposed to this kind of threat.

Local Bitcoins may be a nice platform which has its unique benefits, but it definitely isn’t perfect or immune to witty workarounds to steal funds. That is why users should be educated about the need for responsibility and proper security, as their coins should ideally be held in a cold storage wallet. Additionally, in-person trades taking place within the security granted by good reputation are preferable both socially and financially to online purchases from exchanges, which also use your credit card. Maybe 2019 will finally be the year when bitcoiners become more responsible.