
Bitstamp Accounts Frozen - TwoFactor
All customers should have received the following email. For some reason it's not posted on their website.

-----

Dear customer,

Today our transaction processing server detected problems with our hot wallet and stopped processing withdrawals.

You should STOP SENDING bitcoin deposits to your Bitstamp account IMMEDIATELY as private keys of your deposit address may be lost.

Your bitcoins already deposited with us are stored in a cold wallet and can not be affected.

We will send you more info as soon as possible.

Best regards,

Bitstamp team
======
FatalLogic
[https://Bitstamp.net](https://Bitstamp.net) is now showing this message

Bitstamp Service Temporarily Suspended

We have reason to believe that one of Bitstamp’s operational wallets was
compromised on January 4th, 2015.

As a security precaution against compromises Bitstamp only maintains a small
fraction of customer bitcoins in online systems. Bitstamp maintains more than
enough offline reserves to cover the compromised bitcoins.

IN THE MEANTIME, PLEASE DO NOT MAKE DEPOSITS TO PREVIOUSLY ISSUED BITCOIN
DEPOSIT ADDRESSES. THEY CANNOT BE HONORED!

Customer deposits made prior to January 5th, 2015 9:00 UTC are fully covered
by Bitstamp’s reserves. Deposits made to newly issued addresses provided after
January 5th, 2015 9:00 UTC can be honored.

Bitstamp takes our security and soundness very seriously. In an excess of
caution, we are suspending service as we continue to investigate. We will
return to service and amend our security measures as appropriate.

Bitstamp Team

~~~
tlrobinson
"IN THE MEANTIME, PLEASE DO NOT MAKE DEPOSITS TO PREVIOUSLY ISSUED BITCOIN
DEPOSIT ADDRESSES. THEY CANNOT BE HONORED!"

Shouldn't deposits go directly to cold storage addresses for exactly this
reason, and in case someone makes a large deposit that exceeds their desired
hot/cold wallet ratio?

~~~
sp332
Each user needs their own deposit address, for bookkeeping. If the cold
storage is really offline, you'd have to manually create a new address for
each new user.

~~~
tlrobinson
"Hierarchical deterministic wallets" (BIP0032) support parallel generation of
public and private keys on different systems.

The bookkeeping system can generate an unlimited number of addresses from the
public "seed" that corresponds to the private keys that will eventually be
generated using the private key seed stored in the cold wallet.

However, I didn't consider that the hot wallet needs to be replenished as
people withdraw, which would require a steady flow of bitcoins from cold to
hot storage. I think it would make sense to have a "warm" wallet for all
deposits, then immediately send deposits to hot or cold wallets depending on
withdrawal demand.

~~~
eterm
Anything which can automatically send to somewhere else is a hot wallet. No
number of staging wallets in between makes it "cold".

~~~
tlrobinson
Hence why I called it a "warm" wallet. It would be online but isolated from other
systems.

------
Animats
This is strange. There's still nothing about this on their web site.

It's very suspicious when a Bitcoin exchange claims problems on the _deposit_
side and stops processing _withdrawals_. Nobody trusts a Bitcoin exchange in
trouble, with good reason given the history. On the other hand, it's 6:30 AM
in London, where Bitstamp is, and their staff is probably not in yet. Bitstamp
is still processing trades; they haven't shut down their trading engine.

Most merchants who accept Bitcoin do so through Coinbase, which sells on
Bitstamp. Coinbase only holds a working float of Bitcoins. When Coinbase can't
unload incoming Bitcoins, they start refusing transactions. So most Bitcoin
e-commerce will stop within hours if this isn't fixed rapidly.

On top of that, Bitcoin, after being stable around $315-$320 or so for weeks,
suddenly dropped to a low of $255 in the last 48 hours. Right now, it's around
$270. Something is going on.

~~~
downandout
> This is strange.

It is indeed strange...and strangely familiar. Every Bitcoin company that has
had massive holes in its books has first claimed that technical difficulties
were the reason they had to suspend withdrawals. Then over the following weeks
comes the announcement that the money has been stolen, lost, or law enforcement
moves in and says it has been embezzled.

I would be extremely uncomfortable at the moment if I had money in Bitstamp.
If withdrawal capability does come back online, try to get your money out
ASAP.

~~~
Animats
Bitstamp has a blog, a web site, a Facebook page, and a Twitter feed. None of
these have any mention of problems.

There's a report on Reddit that withdrawals stopped 16 hours ago:
[http://www.reddit.com/r/Bitcoin/comments/2rayix/bitstamp_bit...](http://www.reddit.com/r/Bitcoin/comments/2rayix/bitstamp_bitcoin_withdrawal_not_processing_in_time/)

Yet no official comments from Bitstamp. Just a strange email, possibly forged.
That's a very bad sign.

_"It is indeed strange...and strangely familiar."_

Right. This is a pattern we've seen so many times before in the Bitcoin world.

_"If withdrawal capability does come back online, try to get your money out
ASAP."_

Yes. Definitely.

~~~
swinglock
When logged in on the balance page it says: "DO NOT DEPOSIT TO PREVIOUSLY
PROVIDED BITCOIN DEPOSIT ADDRESSES. Deposits sent to previous address will not
be honored. New deposit addresses are forthcoming.".

~~~
nullc
::sigh:: This is one of the reasons that Bitcoin core discourages address
reuse.

~~~
zo1
It looks like they use a specific/unique deposit address for each user. Where
exactly is the address reuse in this case that you mention?

~~~
csomar
I think he means you use a new address for each deposit.

~~~
tedunangst
How is this supposed to work in the real world? Imagine if you had to mail the
payment for your electric bill to a different address every month.

~~~
csomar
The site gives you a new address for each deposit. You are not going to
remember the address anyway. So it doesn't matter if it changes.

~~~
tedunangst
More generally, though. "Bitcoin core discourages address reuse." I work for
the company of the future and I get paid in bitcoins. I'm supposed to log into
the payroll system and enter a new address every two weeks?

~~~
natrius
There are two similar methods for generating addresses for a recipient.

Hierarchical deterministic wallets (HD wallets, BIP 32):
[https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)

Stealth addresses:
[http://sx.dyne.org/stealth.html](http://sx.dyne.org/stealth.html)

The former is more broadly supported.

~~~
tedunangst
Thanks. That's interesting, though I have to admit I'm not excited about the
prospect of using it.

------
jasonjei
Until there is a bank that can credibly hold onto BitCoin deposits, these
sorts of things are going to hinder further the viability and credibility of
BitCoin as a mechanism of transaction (Mt Gox seems to have done a ton of
damage). As of right now, it seems it's very hard for BTC to be stored safely
at a stable price, and keeping your money in a world currency seems like a
better investment, for now. I know my sentiments are going to be unpopular
with some BTC champions, but as an observer with no BTC, I am wary of using
BTC. Just my .02 BTC.

~~~
moe
Since you appear to be struggling with the basic concept of bitcoin, here's
the first phrase from Bitcoin.org for you:

    Bitcoin uses peer-to-peer technology
    to operate with no central authority or banks

~~~
bdcravens
Most Bitcoin users struggle with the basic concept of Bitcoin then. While you
can "be your own bank", most coins (no reference, just surmising) are in
exchanges rather than wallets owned by the end user. So despite the marketing
copy, there's a ton of Bitcoin stored in what are essentially "banks".

~~~
qnr
> most coins (no reference, just surmising) are in exchanges rather than
> wallets owned by the end user.

Are you saying there are 7+ million BTC stored on exchanges? I disagree based
on two data points: Bitstamp's reserves were 180K in November 2013 and MtGox's
were 850K (with 650K of them missing) at the time of its death.

Even if you add BTC-E, Chinese exchanges, Coinbase and LocalBitcoins, it most
likely won't exceed 2-3 million which means the remaining 80% is owned by end
users directly.

~~~
bdcravens
Honestly, I don't know. I'm thinking mostly of "active" coins, not those that
haven't moved in years. I personally think that Satoshi's coins will never
move.

So even if it's a minority at 20%, that's a pretty substantial number, and I
can't imagine why it won't grow. Bitcoin's success depends on mass adoption,
and I can't imagine a scenario where Jane Public would rather learn the
technical skills to secure a local wallet versus trusting a company like
Coinbase or Circle.

------
imperialdrive
[https://www.irccloud.com/pastebin/1cvm62al](https://www.irccloud.com/pastebin/1cvm62al)

this is all I could find from Twitter search: does the timing match up at all?

    11:48 AM <jecar> protip
    11:48 AM <jecar> and exchange is getting hacked now
    11:48 AM <jecar> GOXXED
    11:49 AM <jecar> an exchange
    11:49 AM <heaven> what
    11:49 AM <jecar> guess which one im goxxing
    11:49 AM <jecar> thats why prices are falling
    11:49 AM → dzan joined ⇐ mpm quit
    11:50 AM <Fate> you sound like shovel
    11:50 AM <Fate> hi shovel

~~~
miander
Always really important not to jump to conclusions on these things, but I
can't help but be curious to know what time zone these time stamps are in.
Unfortunately, there doesn't appear to be any way to find out. The http
headers for that page also simply report the current time.

------
qnr
More info: [https://coinfire.cf/2015/01/05/bitstamp-confirms-deposit-add...](https://coinfire.cf/2015/01/05/bitstamp-confirms-deposit-address-issue/)

"We are working to determine what has gone wrong. The majority of our coins
are swept and placed in cold storage often so this shouldn’t be a major issue
right now but we are still working to determine the breadth of the issue. This
seems to be a server issue and not a compromise but our teams are still
investigating."

~~~
megaultra
I don't like the wording here:

The _majority_ of our coins are swept and placed in cold storage often so this
_shouldn't_ be a _major_ issue _right now_.

It leaves too much wiggle room. It's like saying:

 _At least some_ coins have _not_ been placed in cold storage so _this could
be an issue_.

Does not look good.

~~~
corford
To be fair, they have to leave some wiggle room while they investigate the
extent of the hack.

With a bit of luck just the hot wallet got compromised, they trace how, fix it
and honour any deposits made to that wallet before the breach was
detected. So far this is exactly what they say they are going to do. Time will
tell but there's no reason to believe they won't act correctly at this stage.

~~~
corford
On the other hand, this makes for uncomfortable reading (was posted to
r/bitcoin earlier today):
[http://pastebin.com/ufNLW7xZ](http://pastebin.com/ufNLW7xZ)

------
sidko
Here's a verification with the mail headers:

[http://www.reddit.com/r/Bitcoin/comments/2rdbgf/bitstamp_hot...](http://www.reddit.com/r/Bitcoin/comments/2rdbgf/bitstamp_hot_wallet_problems_mail_with_full/)

Also, a couple more Reddit threads with an ongoing discussion around this:

[http://www.reddit.com/r/Bitcoin/comments/2rd6bb/problems_wit...](http://www.reddit.com/r/Bitcoin/comments/2rd6bb/problems_with_bitstamp_withdraws/)

[http://www.reddit.com/r/Bitcoin/comments/2rd2xe/bitstamp_is_...](http://www.reddit.com/r/Bitcoin/comments/2rd2xe/bitstamp_is_apparently_broken_or_hacked_i_suggest/)

------
davidgerard
What an _amazing_ coincidence they got hacked the day after a price crash! I
wonder how this could keep happening.

~~~
danieltillett
Yes it is. It is almost as though someone might have a vested interest in
announcing a problem at exactly this point in time.

~~~
davidgerard
_Almost_ only, of course - I'm sure everyone at Bitstamp, and indeed every
Bitcoin exchange, is of unimpeachable integrity, and it's just capricious
Fortuna toying with their hot wallets.

~~~
danieltillett
You might think this, but I could not possibly comment :)

~~~
davidgerard
To be fair, conventional banks say "Yes, Mr. Smith, I'm sorry but it seems we
misplaced all your money irretrievably. Sorry. It's gone. Forever. No, I'm
sorry, but we aren't liable. Have a great day!" all the time. NO WAIT, THEY
DON'T DO ANYTHING OF THE SORT.

~~~
danieltillett
Banks used to do this sort of thing before the FDIC was established, but as
you rightly point out the level of professionalism is somewhat lacking in
these outfits.

------
kordless
Looks like there were transfers out of the hot wallet addresses starting
yesterday morning sometime. $6M US:
[http://www.reddit.com/r/BitcoinMarkets/comments/2rd8h8/daily...](http://www.reddit.com/r/BitcoinMarkets/comments/2rd8h8/daily_discussion_monday_january_05_2015/cnf0h9p)

------
esoteric1
Well, ever since I lost my bitcoins on gox I don't let anything on exchanges.
This because if you let your coins on an exchange they are not yours, if the
exchange closes you can lose everything. What I've been using recently is the
BitShares decentralized exchange. I can save my assets there and everything
seems to run smoothly up until now. It seems to be a nice solution, you can
still trade and don't need to worry about exchanges going down. Not to mention
their market pegged assets have prevented me from losing some money on this
last price drop. If you would like to try it, here is a link
[http://bitshares.org/](http://bitshares.org/) it's still something new but
definitely worth checking out, it solves most problems with crypto, which is
trusting exchanges and volatility

------
grondilu
I am a long bitstamp customer and I have not received such email.

~~~
grondilu
Just checked my email again, and indeed I have received it now.

~~~
im3w1l
Got it now too (about 2.5 hours after grondilu's post). I wonder why it is
happening so slowly... Are they mailing us manually?

~~~
eli
If you suddenly start sending a much larger volume of mail, it can get flagged
as spam.

------
abrkn
> You should STOP SENDING bitcoin deposits to your Bitstamp account
> IMMEDIATELY as private keys of your deposit address may be lost.

I read this as wallet file(s) having been corrupted. The way to avoid this is
to use deterministic[1] wallets

However...

> We have reason to believe that one of Bitstamp’s operational wallets was
> compromised on January 4th, 2015.

makes it sound like one would be wise to short sell btc immediately.

[1]
[https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)

------
bkolobara
I was also not able to log in for a few hours to kraken.com. I would be just
informed to try later. I never saw a notification about it. And of course I
was not able to cancel my order while the price was dropping.

Every time I try to touch bitcoin I lose money before I even buy them. And
when the price starts dropping all the exchanges become a bit shady.

------
corford
Hopefully most people learned from the MTGox fiasco and weren't keeping all of
their coins on a Bitstamp provided deposit wallet (not that there's any
indication at this stage that the bulk of bitstamp's deposits are under threat
but, you know, better to be safe than sorry...)

------
Animats
Bitstamp needs a crisis PR team right now. They're blowing it. They've
announced "we're down, we don't know what happened, we don't know when we will
be back up, but everybody's assets are just fine. Trust us."

That's not how you do crisis PR. In this situation, a company has to
overcommunicate.

Their CEO should have called a press conference for noon in London. All the
financial press would show up. They should be announcing "We've been attacked.
All customer funds should be intact, but we're shutting down temporarily for a
snap audit. We've brought in outside auditors. We've notified the Metropolitan
Police (Scotland Yard). Here are their representatives and you can question
them. We will have another press conference in 24 hours".

Now people will be asking hard questions, such as "Is Bitstamp really in
London or are they really in Slovenia", and "Why is the CEO on a plane for
Vegas?" (Going to CES, yes, but in this situation, he needs to get back to the
office.)

~~~
sneak
Considering that you just figured out very nearly exactly what's happening
(sans press conferences) - how exactly are they blowing it?

PS: There is no current Concorde service.

~~~
pseudoscops
Boy am I glad I moved all my crypto holdings from Bitstamp to a decentralized
exchange ([http://www.bitshares.org](http://www.bitshares.org))

Feels a lot safer having it all in there!

------
davidgerard
Needless to say, /r/buttcoin has run out of popcorn. So it's had to move to
altcorns.

------
yc1010
I think the title of this thread should be edited since it's highly misleading
and first thing people think is their bank account was closed which would be a
huge kick in balls to bitcoin.

edit: quite possibly this is a false rumor being spread by malicious party to
sink bitcoin for their profit, now the title and the tone makes sense to me,
as well as lack of any news about this from bitstamp

edit2: checked r/Bitcoin seems convincingly legit but still nothing official
from bitstamp, might be good idea for people to use better exchanges like
Kraken anyways, those guys are cool

