The development team behind altcoin Bitcoin Private (BTCP) has confirmed the creation of 2.04 million units of BTCP “that were never intended to exist on the blockchain,” according to an official statement published Dec. 24.

On Dec. 23, digital assets analytics website Coin Metrics published a report revealing that during the import of Bitcoin (BTC) chain data, an additional 2.04 million units of altcoin BTCP — about $3.9 million at press time — were secretly minted. Per the project’s white paper, the total supply of BTCP is equal to around 20.4 million coins, while the secretly premined BTCP brought “the initial supply to 22.6 million.”

The BTCP core team says in today’s statement that upon receiving the reports, they “immediately launched an investigation to ascertain whether or not the alleged findings of an additional amount of BTCP coins were true.” After performing an internal audit, the team officially says that Coin Metrics’ findings were “mathematically accurate.” The team added:

“However, at this time, the source, purpose, and recipient of this exploit is currently unknown to the Bitcoin Private Contribution Team.”

The statement also lays out a timeline of events: a bounty was posted for a specific issue and subsequently accepted by a developer, who then became a BTCP developer and was “promoted to a contributor on GitHub, allowing him to merge pull requests.”

That developer reportedly then completed the issue, merged their own code, and received their reward. The BTCP team further discovered that one line missing in the code “allow[ed] the fork mine to be exploited due to the nodes not properly verifying the falsified fork blocks.” Once the bounty was collected, the developer left the BTCP project.

After that, the threat actor reportedly exploited the bug, creating over 2 million coins during the publicly announced fork mine. The statement reads:

“As the code was open source, and the fork-mine was announced on Twitter, anyone with sufficient blockchain development knowledge could have exploited it.”

The BTCP team further notes it is not clear whether those coins were transferred to an exchange or used or stored elsewhere. However, the team’s statement concludes:

“this particular exploit could only be taken advantage of during the fork mine, which already occurred earlier this year. Therefore, it is impossible for this particular bug exploit to occur again, nor can it be further exploited.”

The BTCP team also stated in the announcement that they had “no prior knowledge” of the incident before Coin Metrics’ report was released to the public.

At the end of the statement, the BTCP team writes that they have contacted major crypto exchange HitBTC about the situation. HitBTC had not responded to Cointelegraph’s request for comment by press time.

At press time, BTCP is trading at around $1.97, down close to 7 percent over the last 24 hours, according to CoinMarketCap.

In September, Bitcoin Core released an update following the recent detection of a vulnerability in the software. The vulnerability could reportedly have caused older versions of Bitcoin Core to crash if they attempted to process a block transaction that tries to spend the same amount twice.