Earlier today, an attacker exploited a previously unknown vulnerability in one of bustabit's API methods which allowed him to find out the current game's outcome before its end. By exploiting this bug the attacker managed to win a total of 122.5686 BTC and empty the hot wallet.
I have confirmed the existence of this vulnerability and deployed a fix for it. In a few minutes, the game will resume and the hot wallet refilled.
bustabit will reimburse all affected bankroll investors out of pocket. Each investor's account will be credited with the full amount of bits lost to the attacker and an equal amount of dilution fee credits. Because I want to ensure that all affected investors are made whole (vs just adding 122.5686 BTC to the bankroll again), this will take 1-2 days while I calculate how much each investors is owed.
There is no indication that this vulnerability was exploited before today. Player funds were not at risk at any point in time. The problem was specific to bustabit and bustadice was not affected in any way.
Have to express the way you managed this situation is exemplary. You are going to cover the losses of 122.5686 BTC and dilution fee credits - excellent. That equates to around $475,000 in FIAT.
It is unfortunate this attack took place but it is commendable you managed to isolate the issue and fixed it so quickly and it cannot be exploited again.
Regarding the vulnerability, though you have run thorough checks it just might be possible that the attacker made test runs with tiny amounts in the recent past to check the vulnerability exists before going after the 122.5686 BTC. It seems highly unlikely the attacker stumbled across the vulnerability by chance, it seems more probable the attacker carried out the attack after devising a plan.