On the heels of hundreds of thousands of bitcoins disappearing from the now bankrupt Mt. Gox trading exchange, bitcoin bank Flexcoin announced that it was robbed of all of its coins, making clear the potential vulnerabilities of investing in digital cryptocurrencies—and trading them online.

Details of the losses at Mt. Gox, a trading exchange based in Tokyo, and Canadian-based online wallet Flexcoin are sketchy and industry players can only guess at how the trading exchange’s bitcoins were wiped out. At Mt. Gox, 750,000 customer bitcoins and 100,000 company bitcoins are gone, representing a loss at current market prices of around $556 million. Mt. Gox blamed what it called a “transaction malleability” hack for the losses. Flexcoin put a notice on its website saying it had been “attacked and robbed” of 896 bitcoins (worth around $586,000). The exact ways both sites failed to prevent these cyber-attacks are unknown, says Rob Banagale, founder of Gliph, a secure messaging tool that allows Bitcoin transfers.

Bitcoins themselves have been around for less time than even Facebook. Founded in 2009 by a developer (or group) called Satoshi Nakamoto, bitcoins are a form of electronic currency generated by a computer code and overseen by a community of “miners” and computer algorithms. Bitcoin is a peer-to-peer currency that doesn’t require a bank or Treasury Department. For the most part, people trade bitcoins with other actual currencies like the U.S. dollar, Yen or euro. But there are also limited places—mostly online—where consumers can also spend them.

Bitcoin does have one thing in common with other currencies: The exchange rates of both bitcoins and the U.S. dollar are set on the open market. In its short life, it’s proved to be volatile. It’s currently valued at around $654, up from about $50 this time last year. But that’s still just over half what it was worth in December ($1,151), two months before Mt. Gox trading exchange declared bankruptcy. To ensure they don’t have a limitless value, there are built-in limitations to prevent more than 21 million bitcoins from being in circulation by the year 2140. Given that there are over 12 million bitcoins already, bitcoins are collectively valued at around $7.8 billion at current market rates.

Why it’s easier to rob bitcoins than banks

Transactions are made using a private key—a secret code that allows bitcoins to be spent—and a public key that can be shared with the world. They can also be stored in “wallets”—encrypted, online storage systems where the bitcoins are kept. The golden rule: If you lose your private key to a thief—even if you maintain a copy of it—you lose your bitcoins. Buying and selling bitcoins creates a “transaction” that’s recorded, time-stamped and displayed in one “block” of the block chain—a database of all bitcoin transactions. Public-key cryptography ensures that all computers in the bitcoin network can access a real-time, verified record of all transactions. They are (in theory) unalterable, which prevents double-spending and fraud.

The biggest theft—at Mt. Gox—remains a mystery. But Alan C. Reiner, CEO of Armory Technologies, an open source Bitcoin wallet based in Fulton, Md., gives one theory as to what happened there: A malicious user logs into his account, requests a 10-bitcoin withdrawal, and Mt. Gox sends 10 bitcoins from its wallet to his wallet, with the transaction I.D. “ABCD.” The malicious user tweaks the transaction I.D. to become “EFGH.” There are now 10 fewer bitcoins in Mt. Gox’s wallet and 10 more bitcoins in his wallet, but then he contacts Mt. Gox and says, “I never received my 10 bitcoins.” Mt. Gox doesn’t recognize that “EFGH” is the same transaction, so it sends another 10 bitcoins to the user. “Rinse and repeat,” Reiner says.
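Reiner's theory above, as an added toy model in Python (not code from the article, Mt. Gox or Bitcoin itself): it shows why reconciling withdrawals by transaction I.D. fails when the I.D. can change, and a check keyed on what the payment does instead. The `Tx` fields, `reencode` and both check functions are hypothetical names, and the signature is modelled simply as bytes that can be re-encoded without invalidating the payment.

```python
import hashlib
from dataclasses import dataclass


def dsha256(data: bytes) -> str:
    """Double SHA-256, hex encoded (the hash Bitcoin uses for transaction IDs)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    # Simplified, constructed transaction model; not Bitcoin's wire format.
    spent_coin: str   # which of the exchange's coins is being spent
    pay_to: str       # customer's address
    amount: int
    sig: bytes        # assumption: can be re-encoded and still be accepted

    def effect(self) -> bytes:
        return f"{self.spent_coin}|{self.pay_to}|{self.amount}".encode()

    def txid(self) -> str:
        return dsha256(self.effect() + b"|" + self.sig)  # ID covers the signature bytes

    def effect_id(self) -> str:
        return dsha256(self.effect())  # ID over what the payment does, nothing else


def reencode(tx: Tx) -> Tx:
    """Model of the tweak: same coin, payee and amount, different signature bytes."""
    return Tx(tx.spent_coin, tx.pay_to, tx.amount, b"\x00" + tx.sig)


def should_resend_by_txid(chain: list, sent: Tx) -> bool:
    """Flawed check: treat the withdrawal as lost if the recorded ID is not on chain."""
    return sent.txid() not in {t.txid() for t in chain}


def should_resend_by_effect(chain: list, sent: Tx) -> bool:
    """Safer check: resend only if no confirmed transaction made this same payment."""
    return sent.effect_id() not in {t.effect_id() for t in chain}


def demo() -> tuple:
    sent = Tx("exchange-coin-1", "customer-addr", 10, b"constructed-signature")
    chain = [reencode(sent)]  # the altered copy is the one that confirmed
    return (sent.txid() == chain[0].txid(),
            should_resend_by_txid(chain, sent),
            should_resend_by_effect(chain, sent))
```

`demo()` reports that the two I.D.s differ, that the I.D.-based check would pay out a second time, and that the effect-based check would not.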

The “transaction malleability” flaw was known in 2011, but it wasn’t until last month that one developer from within the community that manages the bitcoin standard came up with an official solution, says Alex Daley, chief technology investment strategist for Casey Research, a global independent finance research company based in Stowe, Vt. To be fair, some experts say companies were taking their own security measures. “It would be incredibly incompetent for any company not to know that they were slowly being bled of most of their funds,” says Jerry Brito, a senior research fellow at the Mercatus Center at George Mason University and director of its Technology Policy Program.

On Tuesday, Flexcoin closed its doors after all its bitcoins stored online were stolen. Flexcoin users who had put their coins in cold storage—kept offline in a safe or bank vault for a 0.5% fee—were not in reach of the cyber-attack and will get their bitcoins back. For a hacker to access the “hot wallet,” he or she only needs to control the system in which it resides, Daley says. “So any successful hack attack is likely not of the wallet itself, but of the computer that houses it,” he says. “Once you control that computer, including the private key used to open the wallet, you simply instruct the wallet to do what it does best: Transfer the coins.”

Given that the currency can easily, and anonymously, be moved online, “there are almost an infinite number of ways you can screw up and lose your bitcoins,” says Jesse Powell, CEO of Kraken, a trading platform for Bitcoin in San Francisco. But, he says, most trading exchanges have rules to ensure that the company’s accounts match what’s in the customers’ online wallets. Even so, there are still things that could go wrong, he says. “It’s still possible we could be hacked, all the employees could be taken for ransom and asked for our bitcoins, or we could screw up and send the bitcoin to the wrong address or lose the key,” Powell adds. “But we double and triple check to make sure that doesn’t happen.”

The good news: There are protective measures bitcoin owners can take. Only invest what you can afford to lose and use more than one trading exchange, experts say. “Bitcoin fulfills every definition of a highly speculative investment,” Daley says. “It’s thinly traded and it has no value beyond the trust of other users. Let Mt. Gox be a lesson.” There’s obviously no Federal Deposit Insurance Corporation—the government agency that preserves and promotes public confidence in the U.S. financial system—for bitcoin, Daley says, “so put your money in a real bank if you can’t afford to lose it.” Given recent high-profile thefts, he advises against using an online wallet. Again, “If you must, then use more than one,” he says.

There are other options for those who don’t want to use cold storage: two-factor authentication. It basically means that a digital wallet like Coinbase or Blockchain will send a text message with a code to your phone to access your digital wallet. “This way, someone needs to be in control of your phone in addition to knowing your password to break in,” Banagale says. “The natural outcome of banking security moving at least in part into the hands of consumers is that they will need to be more conscientious of their security efforts.” Also, hybrid wallets like Armory allow you to maintain an encrypted wallet on an offline computer to keep it safe from online attackers.

Given its multi-billion-dollar valuation, experts say the cryptocurrency looks here to stay. The entire design of the Bitcoin protocol is based on a structure where no trusted agent (or bank) is required, which eliminates that point of failure, says Andrew “Flip” Filipowski, chairman and CEO of SilkRoad Equity, a cloud-based human capital management software company. “We will see advancements where the bitcoin user will be their own ATM machine, their own purse holder and be responsible for the wallet in their possession,” he says. Bitcoin will get more secure with each flaw they find, Daley adds, “but it’s naive to think that any software this complex doesn’t have any flaws in it. Mt. Gox has proven that it’s not 100% secure.”
