Bitcoin Forum

Economy => Service Discussion => Topic started by: tucenaber on April 05, 2013, 08:35:13 AM



Title: Bitcoin-24 scams
Post by: tucenaber on April 05, 2013, 08:35:13 AM
Last Saturday there was an issue with my bitcoin24 account and my bitcoins were sold by someone else. The administrator TAiS46 sent me an email late at night asking if the order was mine and if I had placed the order by mistake. I replied that it wasn't and since then nothing has been done. Since then I have tried to work with him about the issues they have but after almost a week I have gotten nowhere.

I want my money back and also want to warn others about this site.

Quote
I will try to restore your offer and get some BTC from you back.
But I can't promise it to you.

Nothing has been done though. (Not that "some" of my bitcoins would be satisfactory)

The issue is very serious. Someone used my api key and sold all my bitcoins (>500 !) in my account on the dollar market causing a flash crash. The price went down to $0.14, and the average price ended up around $18.

No sanity checks were made by the system. It happily sold everything.

The sell order was obviously not placed by me because the two IP numbers used were not mine, and both were TOR exit nodes.

Quote
2350752 2013-04-01 18:13:24 5220 create ask api Price: 0.14 Amount: 566.09140204 Offer: 2440971 89.168.113.128
/.../
2340895 2013-04-01 16:26:43 5220 cancel trade api BTC back - Price: 0.10000 Amount: 566.09140204 Offer: 2435765 92.23.89.9
2340859 2013-04-01 16:22:49 5220 create ask api Price: 0.1 Amount: 566.09140204 Offer: 2435765 92.23.89.9

A strange detail is that the thief tried to sell twice but the first attempt wasn't successful. I have not received a reason for that.

The perpetrator didn't get the api key from me, because it is stored on disk encrypted by aes. It is only decrypted by the script I use from time to time. I also have an unencrypted wallet on the same machine which would have been empty if someone got access to it.

My web browser is running in a virtual machine, and if someone got the api key from my side it must have been while being logged into bitcoin24. How that could have happened I have no idea.

More likely, I think, is that the exchange itself is compromised. I have realized now that I am not the first victim of this. It has happened several times before. As recently as two days earlier the same thing happened three times to someone else. As a matter of fact, the exchange has a history of outlier trades. I have even been on the winning side once, but the trade was reverted a few days later.

Here is the USD market for the last three months:
http://bitcoincharts.com/charts/btc24USD#rg90zigHourlyztgSzm1g50zm2g25zl

and the EUR market
http://bitcoincharts.com/charts/btc24EUR#rg90zigHourlyztgSzm1g50zm2g25zl

The exchange is apparently run in a very sloppy manner. The trade history does not match the current balance, and sometimes trades just disappear. I am starting to suspect that TAiS46 is using client funds for his own purposes.

In any case, there is no way an audit could even be made. The data is not there.
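
An added example (not part of the original post and not the exchange's code): a review pass over the three activity-log lines quoted in the opening post, flagging the signals the poster describes, namely an unfamiliar source IP on the API channel, an ask far below market, and the whole balance in one order. The field meanings, the `known_ips` baseline, the reference price of 100 and both thresholds are assumptions made for illustration.

```python
import re
from decimal import Decimal

# The three activity-log lines quoted in the opening post, oldest first.
LOG = """\
2340859 2013-04-01 16:22:49 5220 create ask api Price: 0.1 Amount: 566.09140204 Offer: 2435765 92.23.89.9
2340895 2013-04-01 16:26:43 5220 cancel trade api BTC back - Price: 0.10000 Amount: 566.09140204 Offer: 2435765 92.23.89.9
2350752 2013-04-01 18:13:24 5220 create ask api Price: 0.14 Amount: 566.09140204 Offer: 2440971 89.168.113.128
"""

# Assumed field layout: event id, timestamp, account id, action, channel,
# free-text note, price, amount, offer id, source IP.
LINE = re.compile(
    r"^(?P<event>\d+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<account>\d+) "
    r"(?P<action>[a-z]+ [a-z]+) (?P<channel>[a-z]+) (?P<note>.*?)"
    r"Price: (?P<price>\d+(?:\.\d+)?) Amount: (?P<amount>\d+(?:\.\d+)?) "
    r"Offer: (?P<offer>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["price"] = Decimal(rec["price"])
    rec["amount"] = Decimal(rec["amount"])
    return rec


def review(log_text, known_ips, reference_price, balance,
           max_discount=Decimal("0.10"), large_share=Decimal("0.50")):
    """Return (findings, unparsed); a finding is (event id, verdict, reasons)."""
    findings, unparsed = [], []
    floor = reference_price * (1 - max_discount)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            unparsed.append(line)  # never drop a line silently
            continue
        reasons = []
        if rec["channel"] == "api" and rec["ip"] not in known_ips:
            reasons.append("api-call-from-new-ip")
        if rec["action"] == "create ask":
            if rec["price"] < floor:
                reasons.append("ask-below-price-band")
            if rec["amount"] >= balance * large_share:
                reasons.append("large-share-of-balance")
        if reasons:
            # Two or more independent signals: hold the order for confirmation.
            verdict = "hold" if len(reasons) >= 2 else "review"
            findings.append((rec["event"], verdict, reasons))
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = review(
        LOG,
        known_ips={"203.0.113.7"},        # constructed baseline for the account
        reference_price=Decimal("100"),   # constructed market reference
        balance=Decimal("566.09140204"),  # the amount in the quoted log
    )
    for event, verdict, reasons in found:
        print(event, verdict, ", ".join(reasons))
```

Both sell attempts trip all three rules and would be held before reaching the book; the cancel is only flagged for its source address.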



Title: Re: Bitcoin-24 scams
Post by: RationalSpeculator on April 05, 2013, 01:25:37 PM
I'm really sorry to hear you have been the victim of fraud :(

I have had good experiences with bitcoin-24, and I do have the impression the owner is honest, however I believe your story and I am really sorry that this happened to you :(

Thank you for warning me about the danger of holding coins at that exchange. Can I tip you for that?


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 05, 2013, 01:38:29 PM
Thank you but you don't need to give me money ;)


Title: Re: Bitcoin-24 scams
Post by: MPOE-PR on April 05, 2013, 04:27:35 PM
Interesting stuff.


Title: Re: Bitcoin-24 scams
Post by: simplydt on April 05, 2013, 04:44:51 PM
Searching for bitcoin-24 scam only shows this topic; can you show us the examples of the other scams? J/w because I use the site and do not want to lose my pitiful amount of bitcoins.


Title: Re: Bitcoin-24 scams
Post by: arlekyn13 on April 05, 2013, 05:23:20 PM
"I am starting to suspect that TAiS46 is using client funds for his own purposes."

Strangely or not, after waiting for my SEPA deposit sent on 26.03 (still not credited at the time I'm writing) I began thinking the same. These transfers usually reach the destination account the next business day. Very rarely it could take up to 3 business days. Pretending that you're assaulted with new customers with a ton of new deposits gives you the chance to actually manipulate the funds as you like for more than a week. Such as buying BTC and waiting for the price to rise... what could go wrong? :P
On top of that, after sending 2 or 3 messages to support through the online form (an email can be lost in a spam filter, but a form submission?!?!) without getting any answer, I submitted a new form message to support pretending that I will do that every hour until my issue is solved. The answer came in a matter of several hours only, the content would be quite hilarious if my money wouldn't be involved: "what's wrong?
I can't find another massage from you."
Maybe the support person was referring to the missing hourly messages I promised to send?
If my issue will be solved, even with this pretty large delay, I will certainly provide updates here.


Title: Re: Bitcoin-24 scams
Post by: Joost on April 05, 2013, 05:34:17 PM

Quote
Strangely or not, after waiting for my SEPA deposit for 9 days (still not credited at the time I'm writing) I began thinking the same.

That's frustrating to read! I'm waiting for a SEPA deposit at BTC-24 as well. After the Bitcoin Central debacle I figured I'd settle with a (fairly) big player for safety..  :-\


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 05, 2013, 06:57:37 PM
Quote
Searching for bitcoin-24 scam only shows this topic; can you show us the examples of the other scams? J/w because I use the site and do not want to lose my pitiful amount of bitcoins.

No I don't know exactly what happened in the other cases. But no exchange has a frequency of extreme prices like bitcoin-24 and I do know what happened to me. Before my own issue I didn't think the same way. During the weekend, I caught the end of a discussion in the chat where one guy was complaining about losing money, but I came too late to get exactly what the issue was, and I didn't think much about it until later. Perhaps it is wrong of me to speculate about what actually happened, though.

So far, TAiS46 has seemed a bit careless but friendly and helpful. All issues have been resolved in the end, but some have been quite serious. It was also he who alerted me this time.

The system he runs seems not reliable though.

- trades have been executed without being recorded in the history
- I have been able to buy bitcoins for exactly zero price! (that was changed later)
- my balance once changed by ~400 BTC overnight, and that got resolved by him just changing my balance in the database. That makes the discrepancy between recorded trades and actual balance very big.
- Once I was able to sell 1 BTC for way over market price, because the trading engine allowed for crossing bid and ask (changed after I filed a support ticket)

All this makes me think that he has a very unorganized financial situation. And even good people can do bad things in a difficult situation.


Title: Re: Bitcoin-24 scams
Post by: simplydt on April 05, 2013, 07:39:06 PM
Well as far as I understand he is a one man band, which would make me very uneasy holding large amounts on the site. After reading your thread I'm even scared of putting 250 euros on it TBH.

However, it's a great site. The guy is obviously a very talented dev, now what he needs is a team around him, business dev, a security system administrator, etc... he needs a plan on how to raise money from his devoted users so he can afford those things. If I knew him I'd gladly have a brain storm with him to try and help him out but unfortunately I don't ;-)

If you are trading like 500 bitcoins you should definitely do it on mtgox, I guess safety is better there? Has to be, right?!


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 06, 2013, 03:44:44 AM
No, I will never use mtgox ;)

Of course I shouldn't have had that much money in the exchange but the incredible price increase makes you forget the actual value...

Anyway, I have received a response from support where it is confirmed that the same thing happened to three other users and that my bitcoins have been partially restored awaiting more thorough investigation. This is good news but the question remains, how could this have happened?

I would love to hear from any of the other victims.

What's especially sad is that the thief seems to have gotten away with the loot. If the admin had acted as soon as he saw the problem that might have been prevented.


Title: Re: Bitcoin-24 scams
Post by: moni3z on April 06, 2013, 04:53:08 AM
An attacker would withdraw your coins, they wouldn't sell them. Sounds like they cracked the api and are trying to figure out how to withdraw coins, trial and error but are selling them instead. Change your passwords, enable 2FA and disable api if it lets you in settings. LR accounts get fleeced all the time by cracking api passwords which is why it's disabled by default now.



Title: Re: Bitcoin-24 scams
Post by: simplydt on April 06, 2013, 06:59:22 AM
That's great that they have been partially restored, it shows that the owner is serious about the site, it'd be quite painful to restore any amount due to hacking, surely. I hope you get the rest back, as for the security of the site, I am sure it will only get better. The web site is quite amazing considering it's made by one dev. Good luck!


Title: Re: Bitcoin-24 scams
Post by: RationalSpeculator on April 06, 2013, 09:01:53 AM
Happy to hear part of your coins are back. Please let us know if you get them back in full or not.

Bitcoin-24 for me has been of immense value. I am simply shocked that he offers an exchange with NO charges for trades. And even for sending and withdrawing euro's the charges are ridiculous at 1€ per sepa transfer no matter what amount. This business model of free trading benefits the users immensely, all at a great cost to him! He does receive donations but those are nothing compared to say a 1% fee on trades or withdrawals. Those donations cannot cover the huge expenses it would take to have decent customer support.
 
Of course if you lose hundreds of coins via fraud, I understand the balance is turned negative. So my sympathies for that.


Sometimes euro sepa transfer to and from the exchange go very fast, like 1-2 days, but mostly it takes 3-5 days. And it has happened to me that a fiat withdrawal simply did not arrive after 2 weeks, also no reply to my customer support tickets and emails. So I had to hunt him down on the chat and even irc, something I didn't even know. Finally he got back and indeed, something had gone wrong and the fiat withdrawal hadn't even processed and he explained what had gone wrong with the bank and website system and initiated it correctly. Frustratingly I also asked to cancel the withdrawal since I changed my mind in the meantime but, again due to lack of support, he missed that and processed it anyway. He did apologize and took responsibility for what had gone wrong and even added a feature to the website that allows to cancel euro sepa withdrawals which I like very much.

So I'm happy in the end but I was very worried and frustrated for a while.


I think we as users have a choice here. It's obvious that he needs to make more money from this exchange so he can hire people for support. I would love that the website remains free so my request is, please donate! We have a real gem here that could change the whole exchange business model from very expensive and unavoidable (% fee) to very cheap and voluntary (donations).






Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 06, 2013, 10:19:49 AM
Quote
An attacker would withdraw your coins, they wouldn't sell them. Sounds like they cracked the api and are trying to figure out how to withdraw coins, trial and error but are selling them instead. Change your passwords, enable 2FA and disable api if it lets you in settings. LR accounts get fleeced all the time by cracking api passwords which is why it's disabled by default now.

Why the attacker didn't withdraw coins I don't know. If you have the api key it is perfectly possible, unless the user has activated the sms confirmation feature. I hadn't done that I must admit (because I will emigrate soon and won't have my number anymore), but even the site admin thought I had...

But if you as an attacker don't know if the sms confirmation is enabled or not, the surest way to get the money without setting off any alarms would be to buy them cheap. The thing is that bitcoin-24 is mainly a Euro market. The dollar market is hardly used at all and is very illiquid. In my case he managed to buy 75% of my coins for $0.14, which is not bad for him.

But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.

My advice to users is to disable the api key for now. If you do that I think you are safe. I wish the exchange would make an official statement warning about it.

Quote
Bitcoin-24 for me has been of immense value. I am simply shocked that he offers an exchange with NO charges for trades. And even for sending and withdrawing euro's the charges are ridiculous at 1€ per sepa transfer no matter what amount. This business model of free trading benefits the users immensely, all at a great cost to him! He does receive donations but those are nothing compared to say a 1% fee on trades or withdrawals. Those donations cannot cover the huge expenses it would take to have decent customer support.

/.../

I think we as users have a choice here. It's obvious that he needs to make more money from this exchange so he can hire people for support. I would love that the website remains free so my request is, please donate! We have a real gem here that could change the whole exchange business model from very expensive and unavoidable (% fee) to very cheap and voluntary (donations).

Yes, you are absolutely right.


Title: Re: Bitcoin-24 scams
Post by: simplydt on April 06, 2013, 10:25:47 AM
If API is disabled and two step verification is enabled, do you think that your balance would have been safe? I just started using two step verification and I am not sure if there are known cases of google auth failing with security yet.


Title: Re: Bitcoin-24 scams
Post by: Joost on April 06, 2013, 10:53:10 AM
Quote
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.

That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph).


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 06, 2013, 11:56:03 AM
Quote
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.

That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph).

Yes, perhaps the api key is the hash of your username or something, and the hacker figured it out. I must ask about that.


Title: Re: Bitcoin-24 scams
Post by: Joost on April 06, 2013, 12:16:23 PM
Quote
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.

That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph).

Yes, perhaps the api key is the hash of your username or something, and the hacker figured it out. I must ask about that.

That's what I'm saying it can't have been, or he would surely have taken more. If it was that predictable, what stops him from going after really big fish? Or do you reckon you were the big fish on there?


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 06, 2013, 04:45:32 PM
I could very well have been one of the biggest fish with the api enabled.


Title: Re: Bitcoin-24 scams
Post by: Dhomochevsky on April 09, 2013, 01:01:56 PM
Anyone has any idea why SEPA transfers from Bitcoin-24 take so damn long? Currently waiting on two transfers from them, a standard SEPA transfer initiated about a week ago and a "same day" transfer initiated on Friday. Both of them are still "processing" on the site, so it's a pretty far cry from what they promise in terms of delivery. I thought the extra cash you pay for Same Day transfer was supposed to bring the money to you faster...


Title: Re: Bitcoin-24 scams
Post by: Rockefoten on April 09, 2013, 01:11:54 PM
Quote
Anyone has any idea why SEPA transfers from Bitcoin-24 take so damn long? Currently waiting on two transfers from them, a standard SEPA transfer initiated about a week ago and a "same day" transfer initiated on Friday. Both of them are still "processing" on the site, so it's a pretty far cry from what they promise in terms of delivery. I thought the extra cash you pay for Same Day transfer was supposed to bring the money to you faster...

I can't tell you why, but I too am waiting for the sepa withdrawal that I requested last Wednesday. Still processing...
Did a withdrawal from Bitstamp at the same time, money in my account yesterday!


Title: Re: Bitcoin-24 scams
Post by: stephwen on April 09, 2013, 01:34:33 PM
Quote
Anyone has any idea why SEPA transfers from Bitcoin-24 take so damn long? Currently waiting on two transfers from them, a standard SEPA transfer initiated about a week ago and a "same day" transfer initiated on Friday. Both of them are still "processing" on the site, so it's a pretty far cry from what they promise in terms of delivery. I thought the extra cash you pay for Same Day transfer was supposed to bring the money to you faster...

Same here.
Did a regular withdrawal last week, and several "same-day", and none has been processed yet.  :-\
I'll think of switching to another exchange for further withdrawals if it takes too long.


Title: Re: Bitcoin-24 scams
Post by: philips on April 09, 2013, 01:45:44 PM
This doesn't look good...did a withdrawal only a few hours ago. You guys scare the shit out of me.
Have you tried contacting them through email?

OTOH from what I've heard 2 weeks are not uncommon for SEPA transfers at Bitcoin-24.


Title: Re: Bitcoin-24 scams
Post by: stephwen on April 09, 2013, 01:55:05 PM
Quote
This doesn't look good...did a withdrawal only a few hours ago. You guys scare the shit out of me.
Have you tried contacting them through email?

OTOH from what I've heard 2 weeks are not uncommon for SEPA transfers at Bitcoin-24.

If it reassures you, I have already done several withdrawals in the past, and everything went fine. If I still don't have any news for my "same-day" withdrawals tomorrow, I'll contact the site admin. Although I guess he's just overwhelmed by a large amount of withdrawal requests.
But a public announcement about that would be nice.


Title: Re: Bitcoin-24 scams
Post by: philips on April 09, 2013, 01:58:11 PM
Thanks man.


Title: Re: Bitcoin-24 scams
Post by: xchrix on April 09, 2013, 09:29:30 PM
Quote
Dear User,

We have executed your withdrawal with a bank transfer to the
following bank account:

Looks like they are beginning to pay out... I will report when money's on my bank account


Title: Re: Bitcoin-24 scams
Post by: stephwen on April 09, 2013, 09:50:21 PM
Quote
Dear User,

We have executed your withdrawal with a bank transfer to the
following bank account:

Looks like they are beginning to pay out... I will report when money's on my bank account

Same here, I just received 3 e-mails regarding the 3 "same-day" withdrawals I did on the 7th and yesterday.
I'll report as soon as money arrives on my bank account, but I guess it shouldn't take long now.


Title: Re: Bitcoin-24 scams
Post by: SBC on April 09, 2013, 10:47:56 PM
Just so you are aware, the maximum time between a SEPA payment order being raised and the value of the order being credited to the beneficiary account is no longer than one business day - ref: http://www.gtb.db.com/content/en/858.html. In some cases same day credit transfers are available when a payment order is made before a specified time. If you're waiting longer than 1 business day (that's Monday to Friday, with payments on Friday arriving on the following Monday), you shouldn't be.


Title: Re: Bitcoin-24 scams
Post by: jerkoff on April 09, 2013, 10:57:24 PM
Quote
The issue is very serious. Someone used my api key and sold all my bitcoins (>500 !) in my account on the dollar market causing a flash crash. The price went down to $0.14, and the average price ended up around $18.

No sanity checks were made by the system. It happily sold everything.

You gotta love those amateur exchanges, that are programmed using programmer's logic, where if the book isn't full enough it will happily execute a sell from $250 down to $0.15 just because there are no buyers. Just ignore 60 years of exchange markets history, where real exchanges have put limits in place where if a rate drops say 10% trading is halted to get back liquidity in the market.
And besides, no sane market (although even mtgox does) presents clients with an average (weighted) price, average prices are detrimental to proper trading, only morons pay any attention to that. Only price that matters is the current price and the high/low figures, not any average.
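
The price limit jerkoff describes (halt when the rate has dropped by, say, 10%) written as a pre-trade check in a toy matcher, set beside the unchecked behaviour tucenaber reports. This is an added example, not the exchange's code: the book contents, the last price of 100 and the function name are constructed, while the order size and the 0.14 limit come from the log in the opening post.

```python
from decimal import Decimal

# Constructed, thin bid side of a USD book as (price, size) pairs.
BIDS = [
    (Decimal("100"), Decimal("5")),
    (Decimal("95"), Decimal("10")),
    (Decimal("90"), Decimal("20")),
    (Decimal("50"), Decimal("30")),
    (Decimal("18"), Decimal("100")),
    (Decimal("1"), Decimal("100")),
    (Decimal("0.14"), Decimal("400")),
]


def match_sell(bids, amount, limit, last_price, max_drop=None):
    """Match a sell order against the bids, best price first.

    With max_drop=None the order walks the book down to its own limit,
    which is the behaviour described in the thread. With max_drop set,
    matching stops at the first level priced more than that fraction
    below the last trade, and the remainder is reported back so the
    caller can pause trading or ask the user to confirm.
    """
    floor = None if max_drop is None else last_price * (1 - max_drop)
    fills = []
    remaining = amount
    halted = False
    for price, size in sorted(bids, key=lambda b: b[0], reverse=True):
        if remaining == 0 or price < limit:
            break
        if floor is not None and price < floor:
            halted = True  # price band hit: stop instead of sweeping the book
            break
        take = min(size, remaining)
        fills.append((price, take))
        remaining -= take
    filled = sum((q for _, q in fills), Decimal("0"))
    worst = min((p for p, _ in fills), default=None)
    return {
        "fills": fills,
        "filled": filled,
        "remaining": remaining,
        "halted": halted,
        "worst_price": worst,
    }


if __name__ == "__main__":
    order = dict(amount=Decimal("566.09140204"), limit=Decimal("0.14"),
                 last_price=Decimal("100"))
    unchecked = match_sell(BIDS, **order)
    banded = match_sell(BIDS, max_drop=Decimal("0.10"), **order)
    print("unchecked:", unchecked["filled"], "sold, worst price",
          unchecked["worst_price"])
    print("10% band: ", banded["filled"], "sold, worst price",
          banded["worst_price"], "halted =", banded["halted"])
```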


Title: Re: Bitcoin-24 scams
Post by: stephwen on April 10, 2013, 05:08:40 AM
Quote
Just so you are aware, the maximum time between a SEPA payment order being raised and the value of the order being credited to the beneficiary account is no longer than one business day - ref: http://www.gtb.db.com/content/en/858.html. In some cases same day credit transfers are available when a payment order is made before a specified time. If you're waiting longer than 1 business day (that's Monday to Friday, with payments on Friday arriving on the following Monday), you shouldn't be.

That's the theory.
I have done a lot of SEPA transfers which have taken more time than that, just because some banks wait one more day to credit the beneficiary account so that they can gather interest...


Title: Re: Bitcoin-24 scams
Post by: SBC on April 10, 2013, 12:11:50 PM
Maybe the payment cutoff time is a factor. Certainly in the UK, under the Payment Services Regulations 2009, the banks are obliged to credit the money as soon as it arrives*. I guess interpretation of the EU regulations may vary from country to country.

Edit: *Well, the same or next business day if the payment arrives after the cutoff time.


Title: Re: Bitcoin-24 scams
Post by: simplydt on April 10, 2013, 12:46:16 PM
Quote
Maybe the payment cutoff time is a factor. Certainly in the UK, under the Payment Services Regulations 2009, the banks are obliged to credit the money as soon as it arrives*. I guess interpretation of the EU regulations may vary from country to country.

Edit: *Well, the same or next business day if the payment arrives after the cutoff time.

On my UK accounts payments are always instant. On my German accounts it has taken up to 3 business days. It kind of sucks.


Title: Re: Bitcoin-24 scams
Post by: Joost on April 10, 2013, 01:13:01 PM
From a Dutch account, I've always been able to SEPA within 48 hours to Bitcoin Central. With Bitcoin-24, however, I haven't seen anything arrive even after 6 days! Is this normal behaviour?


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 10, 2013, 01:19:06 PM
Hey!

Don't hijack my thread with your SEPA troubles. Start your own, if you want to discuss that.


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 11, 2013, 05:50:07 AM
When I asked about how the api key is generated, I got a reply:
Quote
just a random string ;)
nothing with username or something else..

but when asking about how / when he will resolve the issue I get only silence. He said earlier that he needed to write a script to sort it out but if he cannot do that in ten days it isn't happening. I have urged him to make some public statements about the questions regarding transfers and quality of service at his exchange but he chooses to ignore that too.

Does anybody have any information that can help explain this? (Except him being scammy)


Title: Re: Bitcoin-24 scams
Post by: simplydt on April 11, 2013, 07:05:49 PM
Quote
From a Dutch account, I've always been able to SEPA within 48 hours to Bitcoin Central. With Bitcoin-24, however, I haven't seen anything arrive even after 6 days! Is this normal behaviour?

I guess the transfer arrived at least 3 days ago, but I've heard bitcoin-24 is a one man band, so he may just have not gotten to it yet.


Title: Re: Bitcoin-24 scams
Post by: BitAurum on April 11, 2013, 07:42:05 PM
I agree that this thread should not be hijacked with SEPA processing times. Your problem consists of a guy not checking his bank account, use Sofortüberweisung if you can't wait.

I had a similar problem in February. Someone from tor bought 100 BTC over my account from the open market at shit prices. Coins were still in my account (you need an email-Confirmation to withdraw). After some discussing with the admin, he did a rollback and I had most of my money back. Still, shocking to see that he kept the problem and hoped for the best instead of either banning tor or at least examining how someone got my password. Just fyi, I am running a custom built gentoo box, so don't ask me if I upgraded my virus scanner often enough. API was and still is disabled.

My personal guess is that someone once had access to the database in the past and got the (probably) MD5 hashes, did a scan against one of the many rainbow table servers and found a hit or two. Unlikely since my pass then was a 6 letter word, a number and a unicode symbol, but it might explain why he re-salted the password database (thereby fucking up everyone's records so that you had to request a new pass via email...) some weeks later.

Things often don't run smoothly there. One time the blockchain-wallet that does the payouts included a low-priority transaction in a payout-chain, thereby making the bitcoins of 30 transactions inaccessible for 24 hours. This is probably reproducible if someone sends 0.001 BTC from a slow input to 1BTC24yVKQdQNAa4vX71xLUC5A8Za7Rr71. Haven't tried it yet, but a "normal" transaction I sent there got included in a payout before it was confirmed.

One time, the address allocation was broken, fun to see 4 guys transfer funds to the same wallet you just put 30 BTC in with no response for 3 hours...

And don't even start reading the chat. Lots of fanboys praising the beauty of twitter bootstrap and the fact that, when (not if) there is a problem, the Tais is usually there to calm them down. But underneath there is a bunch of cron-jobs and php-scripts which keep it running until something breaks.

So yeah. Keep your balances in EUR when you're on btc24, and when you do trading, ask the chat if everything is running fine before touching anything.

Personally, I don't suspect malevolence behind these incidents, including yours, mostly because Simon is somewhat traceable. I have no clear answer on how he makes his money, but if I had to guess: Place an order and wonder about the one bot that modifies its orders faster than you can hit F5 and the fact that the trading volume shown in bitcoincharts is about 5-10x of what gets moved over the one (why?) payout address he has (shown above).

Nothing wrong with it. Just be sure you know that it's a 1-man operation, that he is confirmed to do a lot of trading himself and that twitter bootstrap looks nice even if the code behind it doesn't.
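
BitAurum's guess above (unsalted MD5 hashes matched against precomputed tables, then a re-salt that made everyone request a new password) comes down to how password records are stored. The sketch below is an added example, not the exchange's code: it shows that unsalted MD5 records are identical for identical passwords, and one way to move each account to salted PBKDF2 at its next successful login instead of invalidating every record at once. The record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def legacy_md5(password):
    """Unsalted MD5 record, the scheme the post guesses was in use."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Salted record: pbkdf2_sha256$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password, stored, iterations=ITERATIONS):
    """Check a login attempt; return (ok, record_to_store).

    A correct password against a legacy or under-strength record yields a
    fresh salted record, so the plaintext seen at login is used to upgrade
    the account without a mass reset.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5(password).encode("utf-8"),
                                 stored.encode("utf-8"))
        return (True, hash_password(password, iterations)) if ok else (False, stored)
    if scheme == "pbkdf2_sha256":
        try:
            iters_s, salt_hex, dk_hex = rest.split("$")
            iters = int(iters_s)
            salt = bytes.fromhex(salt_hex)
            expected = bytes.fromhex(dk_hex)
            if iters < 1:
                raise ValueError("bad iteration count")
        except ValueError:
            return False, stored  # malformed record: fail closed
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
        ok = hmac.compare_digest(dk, expected)
        if ok and iters < iterations:
            return True, hash_password(password, iterations)
        return ok, stored
    return False, stored  # unknown scheme: fail closed


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "correct horse"
    print(legacy_md5(pw) == legacy_md5(pw))        # identical without a salt
    print(hash_password(pw) == hash_password(pw))  # differ with per-user salts
    ok, record = verify_and_upgrade(pw, legacy_md5(pw))
    print(ok, record.split("$")[0])
```

Where the old hashes are believed to have leaked, a forced reset is still the right call; upgrade-on-login only covers the change of scheme.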


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 12, 2013, 11:33:50 AM
Quote
I had a similar problem in February. Someone from tor bought 100 BTC over my account from the open market at shit prices. Coins were still in my account (you need an email-Confirmation to withdraw). After some discussing with the admin, he did a rollback and I had most of my money back. Still, shocking to see that he kept the problem and hoped for the best instead of either banning tor or at least examining how someone got my password. Just fyi, I am running a custom built gentoo box, so don't ask me if I upgraded my virus scanner often enough. API was and still is disabled.

Thank you for that information. Now we have confirmation that the anomalies shown on the EUR graph from bitcoincharts are the exact same issue. It can safely be assumed that all 17 outliers in the beginning of February are examples of the same problem. This means it has happened in total at least to 20 people, and the administrator has been aware of the risk for over two months. That is shocking.

I really hope more of these people will chime in.

And to this day he has not said anything publicly. Now, he has all but disappeared.

Quote
My personal guess is that someone once had access to the database in the past and got the (probably) MD5 hashes, did a scan against one of the many rainbow table servers and found a hit or two. Unlikely since my pass then was a 6 letter word, a number and a unicode symbol, but it might explain why he re-salted the password database (thereby fucking up everyone's records so that you had to request a new pass via email...) some weeks later.

He did re-salt the passwords, I remember that now. I have a strong 32 character password though, and I never use the same one twice. I'm not so sure it could have happened that way.

Were your bitcoins sold via the api?

Quote
Personally, I don't suspect malevolence behind these incidents, including yours, mostly because Simon is somewhat traceable. I have no clear answer on how he makes his money, but if I had to guess: Place an order and wonder about the one bot that modifies its orders faster than you can hit F5 and the fact that the trading volume shown in bitcoincharts is about 5-10x of what gets moved over the one (why?) payout address he has (shown above).

Yes, I have wondered about how that bot can be so quick...
But the trading volume is not really related to what people withdraw. Especially on a trading friendly (free) exchange like btc24. The same money can be traded over and over again.


Title: Re: Bitcoin-24 scams
Post by: chip1 on April 12, 2013, 11:39:01 AM
Just tried checking it out and site is down....


Title: Re: Bitcoin-24 scams
Post by: Amitabh S on April 12, 2013, 09:37:22 PM
Can you elaborate on what exactly happened? How did someone get your API key?


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 12, 2013, 10:27:38 PM
Elaborate about what? I have no idea how anybody could have gotten the key. Have you actually read my post?


Title: Re: Bitcoin-24 scams
Post by: Amitabh S on April 12, 2013, 10:39:07 PM
Quote
Elaborate about what? I have no idea how anybody could have gotten the key. Have you actually read my post?

I did read your post (but in a TLDR kind of way). The "API key" caught my eye.

You claim that API key was not compromised, and assuming that you indeed ran it in a VM, it seems very unlikely (but not impossible) that it was compromised... unless your VM has a trojan (possible). Can you guarantee that your computer was not compromised?

Unless the API key was compromised, it seems very strange. But then everything on Bitcoin-24 is strange.


Title: Re: Bitcoin-24 scams
Post by: tucenaber on April 15, 2013, 10:19:30 AM
Bumping FYI.