
Excoin exchange's Bitcoins stolen, will be shutting down - dewey
https://exco.in/
======
x0n
"We noticed the hot wallets dwindling but assuming it was members moving their
funds off site during the DDOS, we loaded all the cold balances onto the site
so that users would not have withdrawals interrupted during our periods of up
time. This fatal mistake allowed Ambiorx to continue to drain the site." --
World's stupidest bitcoin exchange admins, or some of the ballsiest? Inside
job?

~~~
Animats
As I pointed out the previous three times this happened to a Bitcoin exchange,
these operators seem to be totally clueless about basic bookkeeping and
financial controls. Consider a typical large supermarket. Cash, credit cards,
coupons, and merchandise are being handled. There are multiple cashiers,
usually more than one shift of staff, cash drawers, safes, cash pickups from
an armored car service. That's a lot going on.

If there's a $10 bill missing, it will be noticed within hours. Where it went
will probably be figured out the same day. If someone is stealing, management
will usually find out who, how much, and when.

The Bitcoin crowd has a much simpler problem. They're all online, they don't
have a staff of people handling money, and they don't have as many special
cases as a supermarket does. (Travelers checks, returns, check cashing, etc -
Bitcoin exchanges don't have to deal with that.) Most Bitcoin exchanges are
doing a few transactions a minute. Bigger supermarkets do more than that. Yet
the Bitcoin crowd consistently botches it.

The Bitcoin crowd needs to get some people who have passed Internal Financial
Controls 101 at a 2-year business college.[1] This isn't rocket science.

[1] http://www.georgiacenter.uga.edu/courses/governmental-training/internal-controls-payable

~~~
jackgavigan
_> The Bitcoin crowd needs to get some people who have passed Internal
Financial Controls 101 at a 2-year business college. This isn't rocket
science._

To quote somebody who has forgotten more about cryptography and digital
currencies than probably the entire population of Bitcoin startup founders put
together will ever know, many Bitcoin founders take "offense at the very
notion that there might be something to be learned from several millenniums of
financial services best practices."[1]

What's really interesting for me is that VCs seem happy to invest in such
startups. It's one thing when a small, bootstrapped exchange/wallet provider
gets hacked. It'll be a different story when a major, VC-backed one gets done.

[1] http://lists.randombit.net/pipermail/cryptography/2014-February/006256.html

------
cordite
Seems like whoever writes financial code in the future should treat it more
like NASA code than startup technical-debt code.

~~~
ryan-allen
This is true if you intend on running an exchange properly and not being a
highway robber posing as a travelling dentist.

~~~
panhandlr
Exactly... From my perspective, their plan worked perfectly.

1. Open an exchange.
2. Collect real money in exchange for fake money.
3. "Get hacked" losing all the fake money and keeping all the real money.

~~~
im2w1l
Yeah, "We noticed the hot wallets dwindling but assuming it was members moving
their funds off site during the DDOS, we loaded all the cold balances onto the
site"

sounds extremely suspicious.

~~~
Mtinie
Possibly, but in light of the protracted duration of the DDoS, it makes
sense that people would be moving their holdings off-exchange when they could
connect. If the withdrawal addresses were all different -- and from what
Excoin posted on their site it looks like the party responsible used multiple
BTC and NBT addresses to move the funds -- multiples of small to moderate
amounts of coins being requested doesn't sound out of the question.

In retrospect, it was a horrible decision not to research these transactions
in depth as they happened, but the Excoin team was fighting a "bigger" fire at
the time with the DDoS.

------
akerl_
"We noticed the hot wallets dwindling but assuming it was members moving their
funds off site during the DDOS, we loaded all the cold balances onto the site"

I'm a bit shocked that their tracking of their transactions was so easily
broken as to prevent them from seeing that all the funds were being pulled by
so few users.

Also, the part at the bottom where they basically post a wall of IPs and
addresses seems like a weird way to move forward. Do they not plan on there
being an official investigation?
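Animats's point about basic financial controls and akerl_'s point about withdrawals concentrating in a few accounts both come down to two checks an exchange can run continuously. The block below is an added illustration, not code from Excoin or from anyone in the thread; the withdrawal records, balances and account names in it are constructed.

```python
"""Two bookkeeping controls for an exchange hot wallet, as the thread describes:
(1) reconcile the balance the internal ledger predicts against what the node
reports, and (2) flag withdrawal volume concentrating in a handful of accounts.
All data below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Withdrawal:
    user: str
    when: datetime
    btc: Decimal


def expected_hot_balance(opening, deposits, withdrawals):
    """Balance the ledger says the hot wallet should hold right now."""
    paid_out = sum((w.btc for w in withdrawals), Decimal(0))
    return opening + deposits - paid_out


def reconciles(expected, observed, tolerance=Decimal("0.001")):
    """True when the node's reported balance agrees with the ledger.
    A persistent gap means coins left without a matching ledger entry."""
    return abs(expected - observed) <= tolerance


def withdrawal_concentration(withdrawals, window, top_n=2):
    """Share of BTC withdrawn in the trailing `window` that went to the
    `top_n` busiest accounts, plus those accounts. A few users pulling
    most of the hot wallet is the signal the exchange missed."""
    latest = max(w.when for w in withdrawals)
    per_user = Counter()
    for w in withdrawals:
        if latest - w.when <= window:
            per_user[w.user] += w.btc
    total = sum(per_user.values(), Decimal(0))
    if total == 0:
        return Decimal(0), []
    top = per_user.most_common(top_n)
    return sum((v for _, v in top), Decimal(0)) / total, [u for u, _ in top]


# Constructed sample: one account ("mallory") draining the wallet during a
# day of otherwise ordinary withdrawals. Not data from the page.
T0 = datetime(2015, 2, 10)


def _w(user, hours, btc):
    return Withdrawal(user, T0 + timedelta(hours=hours), Decimal(btc))


SAMPLE = [
    _w("alice", 1, "0.5"), _w("bob", 3, "1.2"), _w("carol", 5, "0.8"),
    _w("mallory", 6, "9.0"), _w("mallory", 7, "11.0"), _w("dave", 8, "0.3"),
    _w("mallory", 9, "14.5"), _w("erin", 10, "0.6"),
]

if __name__ == "__main__":
    ledger = expected_hot_balance(Decimal("40"), Decimal("2.1"), SAMPLE)
    print("ledger expects", ledger, "reconciles:", reconciles(ledger, Decimal("4.2")))
    share, users = withdrawal_concentration(SAMPLE, timedelta(hours=12))
    print(f"top accounts {users} took {float(share):.0%} of withdrawals")
```

In production the observed balance comes from the wallet node and the opening balance from the last signed-off reconciliation; an alert fires when either check fails, not days later.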

~~~
panhandlr
"Do they not plan on there being an official investigation?"

How do you officially investigate someone stealing your monopoly money?

Where is the FDIC insurance? Exactly what are they supposed to tell the police?
The FBI? ... oh that's right, nothing, because they are not a bank, and the
only thing "stolen" was some ones and zeroes off a hard-drive.

Seriously though... where is the police report on this? Or any of the other
hacked bitcoin exchanges for that matter?

~~~
akerl_
It doesn't matter if you're storing bitcoins or roflcoins or pictures of
kittens: in most places, maliciously accessing somebody else's computer system
and stealing data is a crime.

The government investigates stolen "ones and zeros" all the time. The FDIC
provides protection for users, but the lack of FDIC doesn't mean that no laws
apply.

~~~
panhandlr
What about the laws the operators of the exchange broke by running un-audited
code to handle financial transactions?

~~~
akerl_
Assuming such laws apply to them, and assuming they broke them, "so?". Their
guilt or innocence does not have any connection with any investigation of
somebody hacking into their systems.

------
jimrandomh
> Users are now able to withdraw their remaining funds from Exco.in with new
> deposits having been disabled. If you have any issues withdrawing, please
> contact support we will assist you as soon as possible.

In case the administrators of exco.in happen to be reading this -

You fools, what the hell are you doing leaving automated withdrawals turned on
after you know you've been hacked? That'll just lose you even more money. The
first thing you need to do is get the coins, databases and log files into
secure offline storage. The second thing you need to do is get qualified
professionals to investigate. Only after the investigation is complete can you
safely return funds.

~~~
toomuchtodo
> The first thing you need to do is get the coins, databases and log files
> into secure offline storage.

All logging and auditing data should be sent in real time to a write-once
medium, whether that's an S3 account with append (no overwrite/delete
permissions) access, local DVD/Blu-ray, or even a dot-matrix printer if your
volume is low enough.

------
dredmorbius
Of that IP set:

    Host                ASN     CIDR
    104.131.204.15      62567   104.131.192.0/19
    104.131.213.10      62567   104.131.192.0/19
    104.154.38.52       15169   104.154.0.0/15
    107.170.150.138     62567   107.170.128.0/19
    130.211.185.192     15169   130.211.0.0/16
    146.148.40.57       15169   146.148.0.0/17
    172.245.55.112      55286   172.245.48.0/21
    184.172.15.235      36351   184.172.0.0/18
    50.97.173.18        36351   50.97.128.0/18
    5.255.253.51        13238   5.255.253.0/24
    66.249.69.136       15169   66.249.69.0/24
    66.249.69.88        15169   66.249.69.0/24
    66.249.75.104       15169   66.249.75.0/24
    66.249.75.184       15169   66.249.75.0/24
    66.249.75.216       15169   66.249.75.0/24
    66.249.75.88        15169   66.249.75.0/24
    66.249.79.111       15169   66.249.79.0/24
    66.249.79.119       15169   66.249.79.0/24
    66.249.79.127       15169   66.249.79.0/24
    66.249.79.135       15169   66.249.79.0/24
    66.249.79.4         15169   66.249.79.0/24

Distinct ASNs:

    14 15169   GOOGLE
     3 62567   DIGITALOCEAN-ASN-NY2
     2 36351   SOFTLAYER
     1 13238   Yandex
     1 55286   SERVER-MANIA

So ... yeah, these jokers got themselves "DoS'd" by a couple of search engines
and couldn't even figure that out.

But they might want to look at Digital Ocean, SoftLayer, and ServerMania.

Or figure out where the traffic was actually coming from.

------
nickysielicki
The tinfoil hat in me has to wonder if there's some reason all these exchanges
are failing so extravagantly.

~~~
nyolfen
a currency whose value is underpinned by drugs and money laundering may
attract criminals you say

~~~
grubles
Bitcoin is underpinned by drugs and money laundering, you say? That is funny
considering "the most powerful drug trafficking organization in the world"
just had 32 people arrested for running a multistate gold-for-cash scheme that
laundered more than $100m in US profits.[0]

[0] http://www.theguardian.com/us-news/2015/feb/12/gold-for-cash-scheme-sinaloa-drug-cartel-profits

~~~
ch
You're just bolstering the point with this argument.

~~~
grubles
How, exactly? The point is: drugs and crime are currency-agnostic.

------
jcfrei
I wonder if this is related to the loss at
[http://bter.com/](http://bter.com/) ?

~~~
Mtinie
Different exchanges and principals, so it's unlikely. I don't know what BTER
uses on the back-end, but unless it is written in Go, I find the likelihood of
a connection to be very small (due to a common vulnerability). On the other
hand, if there is a shared vulnerability, it may be in a commonly used library
lower in the stack.

There is one possible tangential relationship, however. As I've been
researching the transactions, early indications point to a portion of the
stolen BTC and NBT from Excoin being placed on BTER prior to BTER's
announcement. If this is the case, the parties responsible for the Excoin theft
may have inadvertently deposited their coins into an exchange that was
subsequently pillaged...

(Disclosure: I'm a member of the Nu development team, so Excoin's and BTER's
exchange problems affect our community)

------
ogig
"...We fixed the caching issues with the trades and moved forward"

Caching trade info sounds like a bad idea. Atomic and transactional operations
directly to the ledger so integrity is easier to achieve sounds like the way
to go. A caching layer gives basically speed at the cost of simplicity, not
sure if I'd like that when running a btc exchange. Am I wrong?

Of course we don't know the exact nature of those "caching issues" so my
comment is highly speculative regarding the nature of that cache.

------
sek
I think a trustworthy Bitcoin exchange requires the software development
capabilities/requirements similar to a real bank.

The amount of money at stake is probably not the same, but the anonymity of
Bitcoin makes up for attractiveness as a target.

AFAIK most smaller banks use third party software/services. Maybe there is a
need for a bitcoin exchange software provider that takes care of the critical
parts and you build your interface/business on top.

------
smoyer
"I will be resigning from Blackwave Labs and looking for regular full time
employment to help pay back the lost funds. I will also ask drunkonsound to
help cover my losses with Blackwave Labs holdings as well."

They may not have been good at security but I still have to admire someone who
is willing to take responsibility for their mistakes. Where's Mark Karpeles?

~~~
Johnie
This guy needs to get a lawyer immediately. He's extremely naive in thinking
he can 'fix' this. In addition, he's exposing his personal assets and future
liability to all of these creditors.

As I said, amateur hour.

~~~
SuddsMcDuff
It's a woman

------
whizzkid
I am now comparing the bitcoin holders to regular banks' online systems in my
mind and I wonder why bitcoin systems are constantly getting hacked while
regular banks' are functioning properly. I am not really sure which one of
these reasons is true:

- Code that is written for bitcoin banking is fairly new compared to the real
banks' code, and contains lots of vulnerabilities.

- These guys hold huge amounts of money from other people, which becomes very
tempting, so some insiders decide to take it and make it look like they
were hacked.

- Law enforcement is not as strict for stealing bitcoins as for stealing
dollars, which makes hackers focus on bitcoin.

Not really sure and I am really not an expert on bitcoin systems, I just
wonder.

~~~
kungfooguru
When you put $100 in a bank it doesn't matter if that exact $100 bill is
stolen by a bank robber, you still have $100 in the bank. Additionally bank
accounts are federally insured.

That isn't the case with bitcoin.

~~~
Mtinie
> When you put $100 in a bank it doesn't matter if that exact $100 bill is
> stolen by a bank robber, you still have $100 in the bank.

For the majority of digital currency exchanges that I've used, deposits may be
sent to a unique address to associate it with your user record, but the funds
are then typically moved into a pool to facilitate trading. I don't know
off-hand of any exchanges that atomically isolate user funds and utilize the
block chain to handle internal transaction reconciliation. There's an off-shoot
of block chain tech that is attempting to do atomic, cross-chain trading using
the block chain, but it's still very new and experimental[1].

> Additionally bank accounts are federally insured.

Up to a certain amount. The standard insurance amount is $250,000 per
depositor, per insured bank, for each account ownership category.[2]

---

[1] https://en.bitcoin.it/wiki/Atomic_cross-chain_trading

[2] https://www.fdic.gov/deposit/deposits/

~~~
kungfooguru
Right, $250k, not really worth nothing every time since that is basically
infinity to everyone in the US.

------
AshleysBrain
From the announcement:

"during the DDOS two separate trades spiraled out of control either due to a
bug or an exploit and transferred a very large number of small Bitcoin
transactions to Ambiorx's account."

Note "either due to a bug or an exploit". Then:

"Ambiorx used the fraudulently obtained Bitcoins..."

If the cause was a bug in your own code, that's not fraudulent is it? Isn't
that the exchange's fault? That line seems to assume exploitation, when they
already said it was possible it was a bug.

~~~
dogma1138
If tomorrow you wake up and find 10000000$ in your account and then go on a
spending rampage what do you think will happen?

The bank will notice it, revoke the funds and then at best you will end up
with a pile of debt and at worse will be charged with some financial fraud or
another.

It's time that exchanges will develop the ability to reverse bitcoin
transactions by extending the chain or by building their own transaction
protocol on top of the current BTC chain. It's also about time that these
establishments will get some private insurance if they want to play around as
they were some private banks for oligarchs which are not tied directly to the
central bank or insured by it.

With how BTC transactions work in general, and how exchanges seem to operate
these days I'm amazed that people still use them.

~~~
jamestnz
>If tomorrow you wake up and find 10000000$ in your account and then go on a
spending rampage what do you think will happen?

Something pretty similar to this happened here in NZ in recent years. A couple
who ran a BP franchise had applied to a bank for a $100k line of credit. They
were accidentally given $10m instead. They decided to rapidly transfer the
money offshore, where they then fled. The woman eventually returned
voluntarily, the man was extradited. He received jail, she a home detention
sentence and reparation.

http://www.stuff.co.nz/national/crime/2428243/Couple-missing-after-10m-bank-bungle

Sentencing:
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10829144

------
th0br0
"Excoin is still under DDOS attack which makes it very difficult to
investigate the causes of these issues."

This makes little sense to me.

~~~
dublinben
It sounds like they have no physical access to their infrastructure, and
cannot remove it from the network.

~~~
panhandlr
... running a financial institution on servers you don't have physical access
to, what is the worst that could happen?

Isn't physical access security like OpSec 101?

~~~
detaro
Yeah, but mostly focused on keeping bad guys out, not making sure the good
guys can get in. (E.g. having your servers in someone else's data center is
probably more secure than trying to secure them physically in a startup's
office, but means getting to them is harder for you as well)

~~~
GoodIntentions
I could see an argument for colocating this type of enterprise in a secure
data centre. There are places with 24/7 surveillance and 24/7 armed staff on
site and they are going to do the security better than your average group of
startup guys.

------
yc1010
1. Create exchange

2. Realize it's not going anywhere

3. Close citing a hack

4. Profit! go laughing all the way to the bank with the "stolen" ahem ahem
bitcoins

~~~
smoyer
I was thinking of that old Slashdot trope too ... someone has finally filled
in the step(s) before profit!

~~~
letstryagain
It's not a slashdot trope - it's from South Park - Underpants Gnomes

1) Collect underpants 2) ... 3) Profit

http://upload.wikimedia.org/wikipedia/en/d/dd/Gnomes_plan.png

------
cbeach
As long as centralised Bitcoin exchanges exist, this will happen.

It's why I built CoinTouch, which finds friends of friends that trade Bitcoins
(FB / G+). Post buy/sell orders, priced at a spread to market rates:

[https://www.cointouch.com/](https://www.cointouch.com/)

------
photorized
Does anyone have an estimate of their volume, or how much was 'lost'?

~~~
nextw33k
28th Dec: "Exco.in surpassed 60 BTC 24H Volume"
[https://blackwavelabs.com/](https://blackwavelabs.com/)

It seems to have happened over a 5 day period. So a back of the packet
calculation: 60 x 230 * 5 = $69,000

Of course that doesn't tell us anything about if people had larger amounts
stored, just that the hot wallet should have contained around that amount
before they needed to refill it.

------
rayiner
I don't see the outrage over this. Bitcoins are just sequences of ones and
zeros. How can anyone "own" information? And how do you "steal" a bitcoin?
Doesn't the exchange still have its copy of the bits?

~~~
sp332
Bitcoins are not sequences of bits. There is a global blockchain that keeps
track of transactions in the network. Each block contains transactions. Since
a transaction is the fundamental unit, if you want to know the balance of a
particular address, you have to look at every transaction since the beginning
of time and add up all the ones that involve that address. You can't just edit
the books to say that an address has more or less money. And to add a new
transaction to the chain, whoever has the private key for the originating
address has to sign the transaction, then the transaction is checked by a
miner and added to the global chain.

So to get the money back, you would have to get the private key for the
address where it all ended up. Or have the owners of the majority of mining
power commit fraud on your behalf, that could work too.

~~~
mlvljr
So what was stolen, exactly?

~~~
sp332
This is more a case of fraud than burglary. The attackers tricked the exchange
into sending them tons of money.

~~~
baddox
Burglary traditionally implies physical entry of a perpetrator into a physical
building or space. I assume it would not apply to "breaking into" a computer
or network in most modern legal systems. Regardless, this would almost
certainly be considered larceny, as well as computer fraud.

------
puranjay
I swear Dick Cheney could run for President right now and have more
credibility than any Bitcoin exchange.

I know there are a lot of BTC champions here, but as a former investor, the
writing is on the wall: BTC is dead.

The coin will die, the concept will live on.

Which was Bitcoin's true power anyway.

~~~
grubles
People can whine all day long about exchanges being hacked but until there is
a significant vulnerability within bitcoin itself, it isn't dead. If you were
around when everyone was excited about the technology of bitcoin and not
excited about making "mad profitz", this would be clear.

