Today we are happy to announce the full restoration of Coinapult services. Users can now deposit BTC and Lock in addition to withdrawing and Unlocking.

Attack Recap

On March 17th, an unauthorized withdrawal of 150 BTC were made from our hot wallet. We immediately notified our users and took all services offline. Our security team began investigating the attack while a police report was filed, including our initial incidence report.

Despite further in depth analysis, we have not yet been able to determine the specific entry point of the attack. We took extensive measures to protect against this sort of thing, and the hacker covered his tracks. Unfortunately, our own disk encryption and other security measures make forensics harder as well.

Interim Ultra-secure Wallet

In the past two weeks we have been working to restore full wallet service by rebuilding and rewriting any affected areas. Due to the breach and follow up DDOS attacks, we have moved all operations onto new servers at a new hosting location. In addition, CloudFlare is now protecting us against DOS.

Specifically, we replaced our hot wallet with a 2 of 3 multisig system which currently requires manual cosigning by a Coinapult executive for each withdrawal. Thanks to Coinkite for providing an easy way to manage the new wallet.

This manual cosigning is an extremely safe method of operation, but will result in delays making withdrawals. Our team will only be cosigning transactions during the hours of 9am-9pm in Panama (UTC−5).

Looking Forward

Our highest priority now is to shift from the interim multisig schema to one with client-side signing. When ready, this will put you in control of your own wallet. Please be patient with us during this transition period, and we will work hard to restore instant withdrawals.

We want to thank our customers for being patient during the last couple of weeks. Support and encouragement from the community have helped us prepare for a safe and successful relaunch.