Typos aren’t just a headache — they can sometimes have very
costly consequences.

On Friday, digital currency Zcoin announced that a typographical
error had let an unidentified attacker make a profit of around
$400,000 (£320,000).

Zcoin is similar to Bitcoin — it’s a digital currency powered by
cryptography, and without any single central bank. It’s based on
Zerocoin, a software protocol that was developed to provide
its users with “complete financial privacy and anonymity.”

But in implementing it, the Zcoin team made a single screw-up.
“Yesterday, our team found a bug in our implementation of
Zerocoin,” Zcoin community manager Reuben Yap wrote in a blog
post on Friday.
“A typographical error on a single additional character in code
allowed an attacker to create Zerocoin spend transactions without
a corresponding mint.”

In other words, they got a single letter wrong in their code —
and this let a hacker steal coins by cashing out from single
transactions multiple times.

Yap emphasises that there’s nothing wrong with Zcoin’s
cryptography — it was just the typo that was the problem. “The
exploit happened due to the bug in the code and not from any
weakness in the cryptography. The bug from the typo error allowed
the attacker to reuse his existing valid proofs to generate
additional Zerocoin spend transactions,” he wrote.

In short: It’s human error, they argue, rather than any fatal
flaw in the Zcoin project.

The still-unidentified attacker was able to steal around 370,000
Zcoins — around
$680,000-worth (£546,000) at current exchange rates, according to
. Almost all of these have already been sold on,
netting the attacker a profit of around 410 bitcoin — $437,000
(£351,000) — according to Zcoin.

The attacker evaded detection for weeks by slowly making payments
and withdrawals. “From what we can see, the attacker (or
attackers) is very sophisticated and from our investigations, he
(or she) did many things to camouflage his tracks through the
generation of lots of exchange accounts and carefully spread out
deposits and withdrawals over several weeks,” Yap wrote.

“We estimate the attacker has created about 370,000 Zcoins which
has been almost completely sold except for about 20,000+ Zcoin
and absorbed on the market with a profit of around 410 BTC. In
other words, the damage has already been mostly absorbed by the

