Look at https://blockchain.info/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh
Do you see outgoing transactions from this address?
They are unconfirmed and cannot be confirmed by other nodes,
because 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh is a hash of hex ( "00" ).
You can see that the scriptSigs do not contain a public key, but only OP_FALSE instead of it.
In fact this is not an OP_FALSE command but OP_PUSH ( 00 ).
So, these transactions are invalid. But the attacker can "send" coins from this address to other users of bc.i.
And this can create a long chain of never-confirmed transactions, because the bc.i service allows spending unconfirmed coins.
Does bc.i verify signatures at all?
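
The following is an added example, not part of the original post and not code from blockchain.info: a structural check a wallet service could run on a pay-to-pubkey-hash scriptSig before treating an unconfirmed input as spendable. It assumes "OP_PUSH ( 00 )" means the bytes `01 00`; the function names and sample bytes are constructed, and the check does not verify signatures or hashes.

```python
# Added example: structural check of a P2PKH scriptSig (no signature verification).

def parse_pushes(script: bytes) -> list:
    """Return the data items pushed by a push-only script (direct pushes only)."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if op == 0x00:        # OP_0 / OP_FALSE: pushes an EMPTY byte string
            n = 0
        elif op <= 0x4b:      # direct push: the opcode itself is the byte count
            n = op
        else:                 # PUSHDATA and all other opcodes are rejected here
            raise ValueError(f"non-push opcode 0x{op:02x}")
        if i + n > len(script):
            raise ValueError("truncated push")
        items.append(script[i:i + n])
        i += n
    return items

def p2pkh_scriptsig_problems(script_sig: bytes) -> list:
    """List the reasons a scriptSig cannot be a P2PKH spend; empty if the shape is fine."""
    try:
        items = parse_pushes(script_sig)
    except ValueError as exc:
        return [str(exc)]
    if len(items) != 2:
        return [f"expected 2 pushes (signature, public key), found {len(items)}"]
    sig, pub = items
    problems = []
    # DER signature plus one sighash byte: 9 to 73 bytes, starting with 0x30.
    if not (9 <= len(sig) <= 73 and sig[0] == 0x30):
        problems.append("first push is not a DER signature + sighash byte")
    # Simplified: compressed (33 bytes, 02/03) or uncompressed (65 bytes, 04) keys only.
    if not ((len(pub) == 33 and pub[0] in (2, 3)) or (len(pub) == 65 and pub[0] == 4)):
        problems.append("second push is not a public key")
    return problems

# Constructed sample data (shape only, not real signatures or keys).
FAKE_SIG = b"\x30" + b"\x11" * 70
FAKE_PUB = b"\x02" + b"\x22" * 32
PUSH_00 = bytes.fromhex("0100")   # assumed encoding of "OP_PUSH ( 00 )"
SIG_THEN_00 = bytes([len(FAKE_SIG)]) + FAKE_SIG + PUSH_00
WELL_FORMED = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(FAKE_PUB)]) + FAKE_PUB

if __name__ == "__main__":
    for name, s in [("push 00", PUSH_00), ("sig + push 00", SIG_THEN_00), ("sig + key", WELL_FORMED)]:
        print(name, "->", p2pkh_scriptsig_problems(s) or "shape ok")
```

A scriptSig that passes this check still needs full script and signature validation; the check only rejects inputs that can never satisfy OP_CHECKSIG.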