February became a black page in the history of FixedFloat. An attacker exploited a vulnerability in our security structure and stole $26.1 million. Our team has taken all necessary measures to address our security weaknesses and prevent similar incidents. But, unfortunately, the incident repeated itself.
On March 31st, our service was again attacked by the same hacker. After analyzing what happened, our team came to the conclusion that the attacker took advantage of the vulnerability of a third party, whose services we were using at that time. We refrained from commenting and did not disclose details about the third party because we hoped for their cooperation. But now we are ready to reveal all the details of what happened.
Time4VPS, but no Time4Safety
We had been using Time4VPS hosting for a long time for some of our technical components. It was chosen as the cheapest and most convenient option when we started developing the project. Over the following years we migrated our subservers and wallets to servers under our own control. At the beginning of 2024, the Time4VPS servers still hosted several low-power nodes with wallets, as well as some subsystems.
As Time4VPS itself states, it serves over 100,000 customers throughout Europe and is the largest web hosting provider in Lithuania. It provides domain registration, web hosting and VPS services. Among its advantages, Time4VPS lists "secure and hassle-free" service and 24/7 customer support.
We like to work hard but try not to take ourselves too seriously. Experienced, friendly, and energetic professionals with a strong technical background are ready to offer fast, top-quality support. We appreciate our community very much.
(c) Time4VPS
We have seen from our own experience that they do not take their work too seriously either.
As a result of the first hack in February, the attacker learned the IP address of one of our technical servers, which was rented from Time4VPS. On March 31st, we recorded simultaneous unauthorized logins to all of our servers rented from Time4VPS, even though the attacker knew the IP of only one of them. We immediately changed the passwords on all servers and accounts, but some time later we received an e-mail notification that the password on the server had been changed again.
Unfortunately, the way this hoster virtualizes its rented servers did not let us enable many of the protective measures we would normally apply after detecting unauthorized access, which of course made the problem worse. We did, however, find a configuration under which resetting the server password no longer made it possible to log in, and in this way we tried to buy time for a gradual migration away from this hoster. What we did not foresee was that the attacker had gained access to every function of the hosting control panel, including access to all of our servers, which made our countermeasures completely ineffective.
In hindsight we understand our mistake: we neither destroyed the servers immediately nor recreated them with access restricted by whitelists. On April 1, the attacker changed the e-mail address on our hosting account to an invalid one, so that we could no longer log in to the account or react to the password-change notifications sent by the hoster's system, and then connected to the servers through the hoster's own functions without needing to authenticate to the servers themselves. Because that server's address was whitelisted by our other systems, the attacker was able to send requests from it that moved the funds out.
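The whitelisting problem described above, as an added illustration that is not FixedFloat's own code: a wallet-side authorizer that honours any request from an allowlisted subserver IP, beside one that additionally requires an HMAC over the request body with a timestamp window and a single-use nonce, where the signing key is held off the hosted VM (for instance on a signer outside the hoster's infrastructure). The IP address, key and payload fields are constructed for the example. With the second design, an attacker who takes over the allowlisted VM through the hoster's panel can still send requests from it, but cannot forge, replay or backdate a withdrawal.

```python
import hashlib
import hmac
import json
import time

# Constructed example values; none of these are real addresses or keys.
ALLOWLIST = {"203.0.113.10"}          # the allowlisted subserver IP
SIGNING_KEY = b"example-signing-key"  # held only by the signing side, never on the VM
MAX_SKEW_SECONDS = 60                 # accepted clock drift between signer and wallet


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical body, hex-encoded."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def authorize_allowlist_only(src_ip: str, payload: dict) -> bool:
    """Weak design: any request from an allowlisted address is honoured,
    so whoever controls that VM (or its hoster) controls the wallet."""
    return src_ip in ALLOWLIST


class SignedAuthorizer:
    """Allowlist plus per-request HMAC with a timestamp window and single-use nonce."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now            # injectable clock so the demo is deterministic
        self._seen_nonces = set()  # replay protection; a real service would persist this

    def authorize(self, src_ip: str, payload: dict, signature: str) -> bool:
        if src_ip not in ALLOWLIST:
            return False
        ts, nonce = payload.get("ts"), payload.get("nonce")
        if not isinstance(ts, (int, float)) or not isinstance(nonce, str):
            return False
        if abs(self._now() - ts) > MAX_SKEW_SECONDS:   # stale or future-dated request
            return False
        if nonce in self._seen_nonces:                  # replayed request
            return False
        expected = sign_request(payload, self._key)
        if not hmac.compare_digest(expected, signature):  # forged or tampered body
            return False
        self._seen_nonces.add(nonce)
        return True


def demo() -> dict:
    """Run the same attacker moves against both designs and report the outcomes."""
    fixed_now = 1_700_000_000
    auth = SignedAuthorizer(SIGNING_KEY, now=lambda: fixed_now)
    legit = {"op": "withdraw", "amount": "1.5", "to": "dest-A",
             "ts": fixed_now, "nonce": "n-1"}
    legit_sig = sign_request(legit, SIGNING_KEY)
    # Attacker on the hijacked VM rewrites the destination; lacking the key,
    # the best they can do is reuse a signature they observed.
    forged = dict(legit, to="dest-attacker", nonce="n-2")
    # A correctly signed but old request (e.g. captured earlier and resent later).
    stale = dict(legit, ts=fixed_now - 300, nonce="n-3")
    stale_sig = sign_request(stale, SIGNING_KEY)
    return {
        "allowlist_only_accepts_forged": authorize_allowlist_only("203.0.113.10", forged),
        "signed_accepts_legit": auth.authorize("203.0.113.10", legit, legit_sig),
        "signed_rejects_replay": auth.authorize("203.0.113.10", legit, legit_sig),
        "signed_rejects_forged": auth.authorize("203.0.113.10", forged, legit_sig),
        "signed_rejects_stale": auth.authorize("203.0.113.10", stale, stale_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point is where the key lives: if the signing key sits on the same VM that the hoster's panel can reset or console into, the signature adds nothing, because the attacker can sign too. Keeping it on a host or HSM the hoster cannot reach is what turns the allowlist from the sole control into one layer among several.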
Easter holiday: hacker attacks, Time4VPS team relaxes
On March 31st, as soon as we detected the intrusion into our servers, we notified Time4VPS about the hack. The intrusion was obvious and easy to establish, since nobody from our team had logged in to the account.
The response from technical support was extremely disappointing: we were told that the technicians had the day off and could not help us. The next day, again no action was taken by Time4VPS; they only advised us to change the passwords on our account. Only after we pointed out directly that some of the actions taken could not have been performed through a customer account did they check the facts and confirm the hack, promising to provide an incident report the next day.
More than 3 months have passed and we still have not received a report from them. Moreover, they demanded that we submit certain documents through their own system without confirming that the vulnerability had been found and fixed, which carries the risk of a new information leak. We refused to provide them with any documents without a report on the hack and the fixes applied, and without the direct involvement of law enforcement agencies.
We have several theories about the cause of what happened. We do not rule out the possibility that a Time4VPS employee contributed to the hack. However, we are more inclined to attribute it to the outright negligence of the Time4VPS service and the Lithuanian company UAB "Interneto vizija" behind it. In the current situation, we have reason to believe that the hoster's critical vulnerabilities have not yet been eliminated and that the data of all of this company's customers may be unprotected from attack.
FixedFloat is back
Our service is almost 6 years old. We have a friendly team united by one goal: to provide the best cryptocurrency exchange service to our users. After the second hack, we suspended operations for 2 months. All this time, our team has been working on changes to our infrastructure to protect against such attacks.
We have now resumed our work: most of the cryptocurrencies are available for exchange, all obligations to clients remaining after the hack have been fulfilled, and our specialists are already working on adding new currencies.
We are immensely grateful to all those who waited for us. Your words of support encouraged us. FixedFloat is back and ready to delight you again with high-quality service, fast exchanges and an excellent rate.