Bitcoin Forum

Edit 13-Oct-2013:

Apparently the people at Bitstamp aren't just thieves, they're incompetent too.  If you signed up for API access back when they were using account passwords for API authentication (i.e. before "API keys") you can still withdraw your BTC via the "old" API from an unverified account.  Not sure if this works for the new API too (never used it).  My account had an "enable old API" switch (turned on) so I don't know if newer accounts are offered this option, or if you can turn it back on once it's been turned off.

Zero balance, six confirms, account closed.  Howdaya like themapples?

~et

If this post helped you, consider leaving me positive 0-BTC feedback (https://bitcointalk.org/index.php?action=trust;u=42407).

----

This is unbelievable.  With no warning (unless you're "facebook friends" with them) Bitstamp is refusing to let customers withdraw BTC they've deposited.  They're even refusing requests to close accounts.

Bitstamp never emailed me about this policy (even though they've sent me dozens of emails in the past to confirm trades/withdrawals).

Now they've basically stolen my money and won't give it back unless I send enough high-resolution documentation to steal my identity to some dude in Slovenia.

I've offered to let them wire the funds to my US-based bank, which has full AML documentation for me on file and who will confirm that I am the signatory for the account.

I want to stop using bitstamp and get my coins back.  They're refusing to close my account.  Scam scam scam.

Apparently they've stolen from a whole lot of people now:

https://bitcointalk.org/index.php?topic=307862.msg3305812#msg3305812
https://bitcointalk.org/index.php?topic=307862.msg3313417#msg3313417
https://bitcointalk.org/index.php?topic=306458.msg3307139#msg3307139
https://bitcointalk.org/index.php?topic=306458.msg3307596#msg3307596
https://bitcointalk.org/index.php?topic=306458.msg3307765#msg3307765

Is this to be an empathy test? Capillary dilation of the so-called blush response? Fluctuation of the pupil. Involuntary dilation of the iris...

We call it Voight-KampffGoxxed for short.

Bitstamp announced few weeks ago they will only allow deposit/withdrawals for verified accounts only.

I guess dudes from US are totally reliable with customer information.

I have no such email from them.  Yet I have all sorts of emails from them about other far less-important stuff.



Some of them, and the bank where I keep my account is one such.  That's why I keep my account there, after all.

That and the fact that if it all goes sideways they can be sued in the country I live in.

Highlighting by me, see https://en.bitstamp.net/article/bitstamp-new-verification-requirements/ as well as the notification in your account.

If you fail to look into your account for weeks and then don't want to supply KYC info, just ask the "Gigamining" people how much it helps to complain.

Uh, yeah, so like I said, I was not notified.  Immediately upon being notified by the big green text saying you can no longer withdraw unless you send us identity-theft-enabling documents I ceased any "continued use" and asked to close my account, which they are now refusing to do.  They failed to uphold their own terms by notifying me in advance.  At all times I made sure my Account contained up-to-date contact information.



Actually my trading software supports their API and pings my account to check its balance a few times an hour and displays it (in a list of overall positions) in the corner of my screen.  No message was ever returned via the API regarding this.

That aside, what if I had gone on a three-week vacation?  I mean seriously, "you went on vacation for three weeks" just doesn't sound like a legitimate excuse to confiscate somebody's account balance, no matter how you spin it.  Three years?  Sure.  Three weeks?  No way.

I guess it's hard for them to close accounts and issue refunds due to legal issues.

Notifying customers by email would have been smart choice though.


I suspect there are plenty of Bitstamp accounts which can't be verified as aliases were supplied instead of real identities.

I call absolute bullshit on that.  Whatever "legal issues" didn't prevent this eight days ago don't prevent it today.  No new AML laws were passed in Slovenia this week.  Besides, my offer to have my own bank provide AML cover eliminates this concern yet they still won't do it, so something more is at play here.

I think they just got greedy and saw a lot of account balances they knew were less than the value people assign to the risk of having their identity stolen.



Ergo, massive theft from customers.

I think most of the accounts that are now locked out, unable to withdraw and verify their account have fake identities behind them.

If identity behind your account is indeed real then just provide it and get it over with.

Their notification system was publicly announced in their terms of use as previous poster said and notification by email wasn't mentioned in their terms. Even though I think they ought to have done it, it wasn't a requirement. They will lose some customers over this, which could have been easily avoided and that's a shame.

No, mine is real, and they're welcome to verify it by calling up my bank, checking the signatory on the account, and wiring the funds.



No thank you, I'd rather not send digital copies of exactly what anybody would need to steal my identity.  Nor do I like being blackmailed for this sort of thing.



No, the terms say nothing whatsoever about a "notification system".  My account was kept up to date with the information they needed in order to notify me.  Their terms indicate they have a duty to notify me and they did not do that.

A Bitcoin company in breach of contract?! Inconceivable!

Laff, you said "company"  :D

No really, this is again an example that should remind people to take a closer look at who you're dealing with.

Look at bitstamps supposed adress and google it : 5 Jupiter House Calleva Park, Aldermaston

Not only is this again a mail forwarder, but it is one of THE most infamous RL adresses on the net due to the absurdly high amount of scams being run though it.

Remember, there is no reason for a legitimate company to hide behind mail forwarders, virtual offices, proxy registrants etc. In contrast to the real economy however 99% of bitcoin "companies" hide behind exactly that type of curtain. And those that do invariably turn out to be either scams or to be run by hacks.

Google your adresses, people, it'll save you a lot of grief.

In case you missed it, this change was announced a month before on their page and on various other channels (unfortunately for you not via mail, though they do state that their changes will be communicated ONLY via your account page, not via the mail address on your account).
I just looked up ToS changes from Paypal and Facebook that I received and they usually also just give a 1 month grace period, so I don't see anything outrageously different here.

Also in case you haven't noticed: DPR from SilkRoad and a few other high value sellers from there have been arrested. It is likely that they also have some links to Bitstamp, so while there were no new laws, there was certainly a change in the external environment that will make them more paranoid about anything Bitcoin.

Bitstamp itself is from Slovenia and likely only registered a UK Ltd. because it is cheaper there and regulations in the financial sector are even more generous than in Slovenia. Also it might be easier to get an answer from british officials regarding regulations of shady/very new financial constructs, as they are used to see that daily compared to Slovenian regulators.

Yet another reason I am not sending these jokers scans of my passport.

No, it is because a huge amount of scams is run by a slavic group through that very adress very successfully already

No, they do not state this.  Now you're making shit up.

From the ToS:
Not via the mail address in your account, not via the API (WTF, srsly?!), not via Facebook or via smoke signals.

If you don't trust them, why did you deposit money with them in the first place?

Like I said, you were making shit up.  Where's the "ONLY"?

My Account contains the up-to-date information (email address, postal address, and phone number) through which they can notify me.  They did not do that.

Absolutely nothing about goggle-plus, twatter, or fakebook in there.  And my Account does not contain information for these services, so they can't contact me on tweeter "through my Account".




There are different levels of trust.  We're not talking about thousands of BTC here.  Not even hundreds.  But enough to make them scammers.

Discussion here is useless anyways - submit KYC info to them, contact their support or write it off... it is not the first time that BTC customers are asked for "doxx or go home" nor will it be the last. If you keep a balance on a service but do not care about their ToS, you are up for trouble, just as you found out right now.

"Only" comes from the only mention on where you will be notified: "through your account", not "through the means of reaching you entered on your account". They even specifically write in their ToS that they consider e-mails as an insecure medium (which is true).

Why should Bitstamp trust your bank, that for all they know you could have submitted fake documents to a decade ago? If someone from MI5 asks them about YOUR account, they need to show YOUR data, not say "well, he has a bank in the US, maybe ask them...".

The Bitstamp policy change was announced in a fairly low-key manner. They posted on their thread here in bitcointalk, in a thread on reddit, and in the "news" section on their site. But there was no mass e-mail and no multi-page/site-wide pop-up notice that a majority of users would see. A sly move on their part. That their volume is over-taking MtGox just goes to show where the industry is heading in terms of compliance, or depending on how you look at it, the lack of true options available for real-money bitcoin exchanges (the new dwolla policy only emphasizes that).

Exchanges have always been the sore point in the bitcoin ecosystem, and anything which provides incentives for new ones or helps existing ones work around the legacy banking system will be a great boon for bitcoin. I'm talking about ripple of course.

Im glad i don't use bitstamp

Its not their fault you don't keep up with announcements.   SOL eh.

In case you're having trouble reading between the lines, that's exactly what I've done.



The point of this thread is to make sure their reputation takes the necessary hit.  If they had pulled nonsense like this two years ago, I would have been less surprised.  Honestly the fact that they're handling this so poorly now -- when they are a serious contender for top bitcoin exchange due to extended goxfail -- is really surprising.



Oh good, that's what I thought.

If this is the reason they don't want to email this rather important policy announcement, then maybe they should not have put it on bitcointalk, twitter, facebook, google+ etc, etc.

I believe information posted on those mediums can be also considered insecure.

Oh right, so that's why they send all of my deposit/withdraw notifications via email.

*facepalm*

How this usually works is like this: we give you a date, if you don't comply with the rules until then you will go to jail. Bitstamp is only covering their ass, they don't care about your documents.

Not notifying people through e-mail might not be the best thing, but their tos doesn't state they would, so they did absolutely nothing wrong.

Now you got Stamped! (in the face)

"We call it Voight-Kampff for short"  8)

Deactivated my account last night. Glad the only thing I ever did with Bitstamp before that was sign up.

I have withdrawn my recent trade there via SEPA transfer, it arrived in a day or two, was not even checking.

Submitting ID was a pain in the ass (and last time i've withdrawn it wasn't there), but otherwise nothing like OP is going on about.

Well, I did mention that before.

Yes, and the rules are satisfied by:

Interesting but what makes you think that a company using Ripple would be exempt from AML/KYC requirements ?

Not exempt, but it might be much closer than a Slovenian company registered in the UK with an Italian bank... or a japanese company founded by US-citizens with polish/french/no bank. Ideally your gateway is a bank or business in your jurisdiction, potentially even with a branch in your city.

OP is comfortable with giving his ID to a local bank who reports to who-knows-whom, while he is not comfortable to send it to the EU with much stricter privacy laws, because it is out of his jurisdiction. Using ZipZap for example, he would be easily able to deposit and trade USD on his "home turf".

Not really. The rules are get scans of id documents, not get other bank to cover for you. It is not up to them to decide what is a satisfactory way of id-ing a person. Put yourself in their shoes, would you really risk it? I don't think you would. When your boss tells you to do something do you also say "I didn't follow your orders, but this is equally as good!"?

bottomline - this thread is FUD

I agree only on one point - that BTC should be available to move without account confirmation, for those who wanted to withdraw theirs after new regulations. If you want to trade or withdraw fiat - comply with rules.

I agree that the announcement was low key and there is no reason they could not have emailed their account holders.  As soon as I heard (on reddit I think) I could not believe it would apply to BTC and once I realized it was, I bailed.  Have they offered any reason for why this had to apply to BTC as well as fiat?  Damn shame.

Can you get your BTC out by trading them for XRP?

They cant, not even in fascist America BTCs are regulated to comply with AML/KYC.

Got my BTC; see update to first post.

Sweet.  Congratulations and nice work!  You might think about outlining a recipe for someone who doesn't really know how to use the API and may not have used one before so that they might get some justice before the loophole is closed.

Yeah, unfortunately the software I used for this is not released and is not really releasable at this point…

I don't know what other trading software is out there, but if it supports withdrawal-via-API that should work.  Any decent arbitrage bot would have this.

Here is their API documentation:

 https://direct.bitstamp.net/api/

The API call you want is "BITCOIN WITHDRAWAL" accessed via HTTP POST to this URL:

  https://www.bitstamp.net/api/bitcoin_withdrawal/

The call is a simple POST and you add two parameters "user" and "password" (the endpoint is SSL so this is at least somewhat okay).  So something approximately close this this should work:


… where you replace "31337" with your numerical user id on bitstamp, "mypass" with your password, "1.0" with the number of BTC to withdraw and "1PC9aZC4hNX2rmmrt7uHTfYAS3hRbph4UN (https://blockchain.info/address/1PC9aZC4hNX2rmmrt7uHTfYAS3hRbph4UN)" with the destination address.

My account is closed now so I can't test this.

This will not work if you asked for an API key; in that case you have to use their newer API and I don't know if the loophole exists there too or not.  You also have to have the "enable old API" setting switched on in your account; mine was switched on when they created it since I had been using the API… I'm not sure what the default is for new accounts or if they'll let you switch it on if you've never used it before.  My account might have been grandfathered.

They're shutting off the old API in two weeks so my guess is they might have some bitrot in that code and are afraid to change it.

Excellent workaround, lets hope they dont close it soon.

Holy crap, you really ARE Elden Tyrell.  :o

Yes, they didnt inform their customers properly, i for one have never seen that well hidden page.

Thanks for the tip. But you should do AML to help funding terrorists.

No, they're thieves for refusing to give me back my coins (until I hacked their API).

If they allow to change the user info on the account, ill send in my kyc docs to them to withdraw btc for people, for 1% of what's in account each.

Yes it was absurd that they didn't email their customers about this.  I just luckily heard someone talking about it online or I wouldn't have been aware.  I didn't use my real name on my Bitstamp acct, so I quickly got my funds out of there.

However, I think you probably could just change a fake name to your real one and then send in the KYC docs and could get your funds out.  However, I don't blame you if you don't want to send all that stuff to Slovenia...there is some risk involved for sure.

I'm still wondering what a full set of identity docs would be worth.  There must be some user here who has a quasi-criminal friend who could shed light on this.  If so, let's take the following example:

 - male, age 30's
 - lives in a major metro area in the US.
 - pulls in a six-figure salary.
 - respectable credit score.
 - credit cards with $10k-ish credit limits.

Any ideas?

I'd like to know as well, mostly to shut up the people who keep bleating "just send them yer doxx".

A lot of people outside the USA underestimate how astronomically bad the identity-security situation is here, and how much stuff around here is based on the totally broken identity system.  You can't even rent a place to live without getting tangled up in it (something that foreign grad students are constantly getting screwed by).

The US is notorious for lack of information privacy laws, and that sucks, but most states have identity security laws, notably California's which makes it a crime to fail to notify customers if a business suffers a data breach that exposes identity information.  This means that we at least find out about these breaches as long as the company has at least one customer in California and one employee in the US who isn't wiling to go to jail to cover his boss' ass.

Sadly these laws are strong only because the identity-verification system is so pathetically weak.  Other countries (http://en.wikipedia.org/wiki/Estonian_ID_card#Cryptographic_use) with sensible identity-security systems don't need them.

Thanks eldentyrell for the idea! My coins where held hostage too, and i don't trust them enough to send them my identity documents.

The good news is: the withdrawal trick with the old API still works with the new API with a newly generated API key.
Be quick if you want to withdraw. Who knows how long that is working. Details are here: https://www.bitstamp.net/api/

Next time you can register a company for £99 in the UK, verify with company documents, withdraw and then delete all

Or buy some bum a bottle of vodka for £10 and use his id.

so if they post that now all transaction have a 50 btc fee and post it and 1 minute later enforce it against you, you are ok with that?

HAHAHA!

It's actually strange that a company asks for people for ID documents, yet they don't provide any information about themselves on their site except a forwarding address of their shell company.
Does anybody know just where Bitstamp offices actually are and who are the people behind it?

And while KYC requirements are understable for depositing/withdrawing fiat, applying it to BTC withdrawals is an obvious attempt by them to steal some coins. I'm a verified user on Bitstamp, because a couple of months back I had to send my ID documents to somebody somewhere (in Slovenia maybe?) just to get my money out. How is this legal?

It's great that you found out they forgot to limit the API. Congratulations on getting your coins back. Hope this lasts...