Bitcoin Forum

"To protect the successful merchant processing business BIPS has decided to temporarily close down its consumer wallet initiative."

Concerned


"BIPS has been a target of a coordinated attack and subsequent security breached. Several consumer wallets have been compromised and BIPS will be contacting the affected users."

When?

"All existing users will be asked to transfer bitcoins to other wallet solutions, and users affected by the security breach will be contacted."

How?

I among other have emailed support(at)bips(dot)me and as far as I can tell no one has heard back..  some additional communication would be fantastic.

so BIPS has been TradeFortress'd?

I'd like to believe that isn't the case.  I'll keep the thread up to date if/ when I hear from BIPS service

Ouch! terrible to see that. Secure your bitcoins!

To think I moved them only days prior from MTGox...  Is there a recommended wallet service to use?  I know large amounts should be kept in cold storage.  Is the wallet service from blockchain a good one to store a small amount of coin?

Thanks, Now I'll go to sleep with my fingers crossed hoping my coins are not lost or stolen...

It would appear BIPS has lost most or all the bitcoins that were held in its consumer wallets, among them some of mine.

https://bitcointalk.org/index.php?topic=252308.msg3645043#msg3645043https://bips.me/press

There seems to be a conspiracy of silence around this. 
And now they have put the payments part of the site back up, without any announcement - do they plan to try and pretend that nothing has happened?

Strange as BIPS is shown on the original bitcoin.org page as a ‘recommended’ web wallet. 


Why are they still shown on bitcoin.org as a 'recommended' web wallet?

unbelievably frustrating....  I didn't own a lot of coins but the ones I purchased I paid less than $100 each for.  I wonder if there is a special risk insurance company out there that would write a policy to protect companies like this.

blockchain is a good choice for a wallet when you need to transfer what not. I personally don't store any online unless I am planning on immediately transferring.

Security is key with these things. So much things to worry about.

I got a vague email from BIPS this morning letting me know about the statement they released on November 19th..  No details about what they plan to do yet...

hm, that sucks.  When I was a newbie I sent 0.05 BTC out to another wallet, and it never arrived.  It just said "Claim Email'.  I never got my coins back, and support never answered nor worked on their site.  Hopefully they'll go up again...

I've emailed and PM'd them with no reply.  The silence is disconcerting, as is the timing of the "hack". It would be foolish to simply take things on their word and and walk away from thousands in BTC.  Who's to say they didn't simply walk away with the funds?   

I'm not saying "theft" yet, but if BIPS wants me to believe they got hacked, the burden of proof is going to be on them to prove it.  If they will not, or if they continue this silence, I and others will get law enforcement involved.  I'm already in touch with other BIPS users, some of whom are in Denmark and have easy access to the police there.

Is there an amount yet announced?

Dominic, not so far.  Kris Henrikson is the owner and he's not saying much at all.  I had literally that day (the 15th) written in my planner to move my BTC to a more secure place.  I got home that night, researched paper wallets, set one up, went to log in to BIPS and boom they're down.  I earned those BTC selling puzzles on my website back when they were around $100.  Can't afford to replace them at todays prices.  Feel sick...this is a loss of more than just BTC, it's my hopes for the long term value that's down the drain.  I'm gonna go smoke a Rocky Patel I've been saving and see if that helps :-/

I got this PM from Kris yesterday:


I'm just hoping its a simple filesystem wipe out which can be backed up easily. I'm trusting and believing still, hoping I get the coins back. Have always supported BIPS since its inception (see my sig) and have also helped fix bugs (got rewarded for it too) and also open-sourced an API client for free. Trusted because I knew the owner was not anonymous and wouldn't possibly be stupid enough to do a TradeFortress. It'll be great if Kris is open about his problems with the community.

Crossing fingers again tonight it seems..  Quite stressfull... Anyone know if I can sell my kidney to replace my coins?

So sorry! Hope you recover it all!

Thanks man.  Don't suppose you want to buy some really nice puzzles? I take BTC :)

www.cubicdissection.com

They do look good! Checked the site out. I'm not really much of a puzzle enthusiast though.

I chose BIPS because of their reputation and the services they could provide. I am a company director and entrusted them with 4.8 bitcoins and  transfered £..... To purchase more just before the ddos. I am very dissapointed at their lack of response to my emails and their apparent lack of concern about what has happened. For them to mention in their latest announcement that the wallets were a free service means nothing. To say they are passing details on to the authorities sounds like they are taking the first steps to absolve themselves of any responsibility. If BIPS wants to be a large respected company in the future, the should stand up now and be counted. Offer all those that lost coins compensation.

https://bitcointalk.org/index.php?topic=252308.80

"It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1.
The wallet part of BIPS was a free service to make payments easier for users.
Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.
Hence we offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.
We will be contacting all affected users as already proclaimed.
We will need their consent to hand over information to the authorities for further investigation, which hopefully can assist in catching the thief.
Those who were not affected and have a bitcoin balance will also be contacted.
Most balances left are minuscule, but if you had more than a few satoshi’s in your wallet you are affected, and will be contacted.

Another priority is doing forensics data recovery to be able to investigate and assist authorities in finding the attacker.
Technical information will not be disclosed for security reasons.

Stolen coins have been isolated and server logs have been retrieved from data recovery:
https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs

Please be advised that attacks are not isolated to us and if you are storing larger amounts of coins with any third party you may want to find alternative storage solutions as soon as possible, preferably cold storage if you do not need immediate access to those coins:
www.coindesk.com/hacker-attack-polands-bitcoin-exchange/
www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/"


From Kris at bips... not a great way to start my Friday...

OK people. I'm one of the unlucky "whales" who stored a lot of bitcoins with bips.me.  I lost about 90 bitcoins. They haven't contacted me yet, but from what I glean from these forums, my bitcoins have already gone and been spent on Russian hookers.

So. I'm willing to accept that I will never get these bitcoins back, but I'm not willing to accept that bips.me will continue on to glory, handling bitcoin transactions for merchants, getting (more?) venture funding, etc. 

In my mind, it's 'either or' - either I get my bitcoins back, or bips.me takes their website down and opens up under a completely new name. But not both.

With this in mind, I'm seeking out other 'whales' - people who lost significant numbers of bitcoin on bips.me.  If there's enough of us, what we do is get together and hire a lawyer in Denmark, and start from there. It will be worth it.

Here is a signup form:

https://docs.google.com/forms/d/1v8AL3scMErzSLPRSOhGuGXn9pzHjWNTrSE2YWEQIpxs/viewform

I am the first person to sign up, with my 90 missing bitcoins.

If nobody else signs up, or if the total number of signups doesn't add up to more than 250 bitcoins, I'll give up.

Also. I very much doubt that this was an 'inside job' or some kind of fraud. Danish people don't do those sorts of things. They just don't. However, that doesn't mean that these guys shouldn't have to start from scratch again.

Not a "whale" but I consider the potiential value of 3 coins to be very significant...  90 coins.. I'd be crying literialy.... :'(

I am out about .39 btc  but my money was in the address up to the 20th and was not pulled out until later then the crash.  my money was pulled out at about 23:39 pm the 20th of nov Greenwich time.


https://blockchain.info/address/1AyWHY6kCMi4F221J7aPheiYdAvkDbcdPp

https://blockchain.info/tx/4d6bc489bdb2f32d397eb2aa3844f2e6711b934399af5f62b11c9ded8c84edbf

My guess is the money above was saved by bips  if you look at it the amounts were tiny

the highest was 1.2 btc the lowest was under .1 btc


What annoys me is not the .39   but I have an account with cloudhasher  and they are going to continue to put money into that address over the next 9 months.  I am really fucking annoyed.  But my losses may only be .7 or .8 btc when all is said and done.

  Now for someone with 90 coins oh that hurts.  good luck to you ghengis34

How are you able to look this info up?  I have the BIPS address I used to deposit the coins a few days prior to the heist...

I hope everyone gets their money back.

ghenghis - I have signed up to your list.  As I suspected it is all gone.  As BIPS is listed as one of the 'preferred' web wallet options in bitcoin.org (alongside Blockchain and Coinbase) I would have thought they were a little better prepared - they are not exactly a newly established exchange in E Europe. And what are they doing with their site up?  They don't seriously expect to continue in the merchanting business after this do they?

Oh they certainly do...

Count those bitcoins lost forever unfortunately especially considering BIPS response to it.

go to www.blockchain.info   in the middle of the page is a search engine put your  btc address  and you will see the info.

If the coins were pulled on the 20th like mine you are most likely okay.  if they where pulled on the 16th-18th   you are less likely okay.

Would the address I used on MTGOX to transfer the funds to BIPS be the address I enter to view it?  I don't kno what the other address is (private address?) since I can't view it when I log into BIPS

Hey my address is this: https://blockchain.info/address/1PGXTsbbrnXBnTgEdssRCH8Ukc57DvapcP

I don't see any coins pulled after the 31st of October. So are my coins safe then?

damn 90 bitcoins?  :o

I also don't see any activity on my address from what I can tell since they were deposited on 11/8

no that is not good.  what bips does is transfer from your deposit address  to a second address.  since your monies were moved way before the breach you do not know what happened to them in the holding wallet.  my timing was the .4 btc   was put in about 1 hour to 10 hours before the breach and then moved  3 days after the breach was found it is easy to trace the history.

 I need to study the address you gave me.  maybe I can figure the moves made after you put the coins in.

Goddamn right.  Even if they actually did get hacked (which I'm not willing to accept without proof), the security of their site was nothing like they advertised.  I'd bet they won't give technical details on the hack because it would reveal negligence.
 


May be doubtful, but I'm not willing to walk away from my BTC on the strength of a cultural stereotype.  Prove it or I'm assuming they stole it.  No offence, but I think any other affected users would be foolish to take any other stance.

There needs to be a way to reverse transactions when things like this happen.  It doesn't need to be  like what Visa/ mastercard or paypal does..  Just some form of recourse built into the system.   

OKAY your btc has been flagged    it was put here on the  the 31st of oct.

https://blockchain.info/address/1PGXTsbbrnXBnTgEdssRCH8Ukc57DvapcP  the address you gave us.  it was moved on the 31st of oct to this address


https://blockchain.info/address/14xMNNgzDtkmrPhkEZohGg3nHkPFw96hDz    then moved on the same day to a flagged address that has 'easycoin scam' marked on it.


tx ids  go   in this order :

1)https://blockchain.info/tx/37b7e6df916b32113e9dda776d6127c0566106fcca89a750537ad27ccab11462  incoming

2)https://blockchain.info/tx/fcd34fecf7898c2420e7a5b36a8ffd34d5583c1a73428f63d6d64eb7639af06a  out to a bips.me holding address common practice normal for online wallets to pool deposits

3)https://blockchain.info/address/14xMNNgzDtkmrPhkEZohGg3nHkPFw96hDz   out to an un known address with a tag (easycoin (scam?)   I am thinking this is a flag from bips  marking a problem transfer.

my address does this


https://blockchain.info/address/1AyWHY6kCMi4F221J7aPheiYdAvkDbcdPp


1)           https://blockchain.info/tx/e56f87a67251525aa3bc69118bccb19335db90b10305b10366b81fe74630be56          my .39345 btc came in on the 17 of nov

2)  17 to the 20 shit hit the fan my coins were frozen

3)https://blockchain.info/tx/4d6bc489bdb2f32d397eb2aa3844f2e6711b934399af5f62b11c9ded8c84edbf  my coins where moved here late nov 20th.

and all coins moved here  at this address

https://blockchain.info/address/1PhABsySjnnjMigE6YSBtaQAqZAwaX9h64    that was done late  nov 20th    more moves done since then  but I am thinking these are still in control of by bips.me 

 my coins were clearly moved after the shut down   when they claimed the system was partially restored.    all in all it is a fucking mess for a lot of people.

Wow, I'm a Zen Cart ecommerce designer and after looking at all Zen Cart/Bitcoin plugins I chose BIPS - YESTERDAY! I had no issue creating a new account and installing the software on demo site. I can't believe there were no warning or announcements anywhere to be seen, if It wasn't for this post I would not have known of any breach. Luckily I had yet to transfer BTC's to test their plugin - whew!

Sorry to hear the losses on here, I hope you find restitution quickly.

Dave Ward
Kitchener, ON, Canada

The thing is that there will be crooks who try to steal money, even if you put all the security measure you can find. You just have to pray that you aren't the one to be crooked... :(

Dave . Be very careful. Not only have they lost my bitcoins but I sent them £.... Via bank transfer to purchase more on the Friday the 15th and have heard nothing from them since. Did they loose all their bank deposits as well?

The timing of this is scary, because this nearly caught me as well.

A week  prior a coworker and I were having a conversation and started talking about web-wallets. After reading up online I came to the conclusion I wanted nothing to do with BIPS and scooted my measly 0.03BTC or so away from them. A week later and this happens.

I initially chose BIPS because it was recommended on the "choose your wallet" page and the site seemed reasonable well put together. I feel like it doesn't deserve a spot there anymore..

Seems like with increased BTC value this will keep happening more and more often.

Its a good point.

If you follow the some of the deposits to BIPS on the blockchain, the balance form the wallets are moved to secondary addresses owned by BIPS, together with other deposits, and then moved again and again.

We have heard that some coins are recovered. How are you going to decide who lost coins and who still got a balance?

I withdrew 3.82761346 BTC from MTGOX to BIPS address 1PrCvhnTVqc6C9VcsWibPYTeQHyLrFJGEb on November 6th.

Then Spent .861 BTC sending it to 1CK8gvdupixuWWsPxo2dZLtXqZkVaYkhwA on the same day it was deposited.

My balance when BIPS went down should have been 2.96661346 (might have included the .001 fee)

https://blockchain.info/address/1PrCvhnTVqc6C9VcsWibPYTeQHyLrFJGEb?sort=1 (https://blockchain.info/address/1PrCvhnTVqc6C9VcsWibPYTeQHyLrFJGEb?sort=1)

Can you give me a crash course in understanding tracing the transactions?

I was very surprised there wasn't more posts about this when I created this thread.

  hard to do.  but here goes


NOV 7   this id is the deposit

https://blockchain.info/tx/6991b1997f7175e56f3aa242dd2553d2b56936a204c25fb2800ab6718c806a17


https://blockchain.info/address/1PnhVVr2LgPNkbK3vnFepFzVk84mHSNpt9    this appears to be your   2.966xxx


next move is here


https://blockchain.info/tx/98a83e636a86e375abbfb9eddb42bcd2100bc8cced5b4e41d8cc5b0bbc54d89c

and the money sits in this address

https://blockchain.info/address/1MTzsVSe5D2FDDeM9UjqkpKuJTdu5Snegb   notice the .01 fee removed.


that wallet is like a tellers drawer in the bank.  next up this move

https://blockchain.info/tx/87615f9363a17cdfd214b79a03510fab0cbc52f49d7180452402fa37af2b65f6

most money  is here   https://blockchain.info/address/1ANuFn4qjzh1uxVJoRiRGosCyHEueEwnxr   this got a little money most likely a fee.


https://blockchain.info/address/1NGS8XBNpKQV7sCfQo1Fifg1WBicAxdkrV


most money is still here  https://blockchain.info/address/1ANuFn4qjzh1uxVJoRiRGosCyHEueEwnxr   2.8… btc

next move is this




https://blockchain.info/tx/92c24d58ad65548ba57d9d5ea6dfcf79ee892cd9e5882c013d49960060249f91   this is a merge of the 2.8 plus other to here

https://blockchain.info/address/1CuLB5gVR1uS2C3KTNLBiRMrqiizyycF9q

https://blockchain.info/address/1AEXdHBmtcFSG5Qb7Vb6fgG1vpm2JFhjZU   at this point it has been co-mingled   in and out of multiple wallets. 

  you could argue   that there is a trail and that 2.8 of the coin is yours but  we are only up to NOV 9th.

 think that the coins may have  entered a bankers cash drawer.  you really lost the chance to trace them in most cases. 

https://twitter.com/bips


 the twitter account is pretty dead.  more then a day since they spoke on it.

When something like that happens and you think an action is required, please report it! There's an "About bitcoin.org" page for this purpose
http://bitcoin.org/en/about-us

BIPS is now removed from the wallets listed on bitcoin.org .


This kind of comment concerns me. There is a red warning on each web wallet on bitcoin.org and users are forced to read them before looking at them. This was mainly designed to educate users about the risk of using these services, assuming that it was better than nothing given that people would be using them anyway. But a comment like this one seems to suggest this wasn't enough in some cases and can confuse some people into thinking these wallets are recommended despite the disclaimer.

Should we keep trying to educate users using disclaimers and by listing only web wallets with a "clean history", or should we stop listing them completely to make sure they don't appear like they are recommended (and leave users not informed about their risks or which one have some established reputation).

Kris is coming online every day atleast twice but choosing not to reply to messages or helpdesk ticket. I'll keep messaging him every day from now on until he replies. If he doesn't, i'll bump it up to every hour :P I hate it when people don't show the simple courtesy to even reply.

I came across bips by chance personally. The vendor I made my first purchased from was using them so I set up my first wallet there also.  Prior to bips I kept them on the exchange purchased.   I think it would be a great idea to sticky a warning in the Newbie and general bitcoin discussion forum to educate users about the risks of web based wallets.

I didn't even know I could download a software based wallet prior to losing my coins or I would have done that. FYI.. I joined the started with bitcoin in march of this year.

As it should I suppose, I did read the warning but I suppose it's easy to brush those off as an "Oh pfft that will probably never happen, it's just a disclaimer" But in bitcoin it's just not. It should be plainly stated that because of the price demand BTC has worked up to and it's inherent decentralization and control that these attacks/scams/robberies happen at an alarming frequency to those who don't know how to protect their coin. I had a discussion over on reddit about the wallet system and I'll copy it in here, it's basically a recap of what happened when I tried to install bitcoin-QT before going to a web wallet and some improvements I think we can make to help introduce newer users as I was shortly ago:

I had 1.1335 coins at bips.me, bought them less than a year ago and kind of forgot about the whole account. I got the mail about the security breach, logged back in and can no longer see any coins or activity logs on the account.

What's odd is that I went to my mail to see if I can find the transaction details for my purchase and found the link to my wallet activity https://blockchain.info/address/14zpn5EGTBKLZGRroBZn7uzTBUWFqJo4cs

It seems like all the coins would have been taken out of the account just hours after they were put there, over half a year ago. I guess the blockchain reports etc. can't be tinkered with, so it must be the case?

I started thinking that did I transfer the coins over to mtgox account so I could sell them more easily, but my mtgox account is also claiming no transaction history.

Is there any hope to recover my coins, or are they gone forever? Paid only ~80$ for them, so it's not a massive loss, but at current rates it still stings. I guess that's what I get for wanting a convenient online wallet.

does anyone have a physical address for BIPS? or a physical address for Kris where he might be visited? 

We are getting together a group of people who have lost money as a result of this scheme.  Please get in touch if you have lost bitcoins in this scam.  Curiously we have a number of US holders - can't think it would be ideal for Kris if it were reported to the US authorities that he had breached US law by for example offering securities to US persons without being registered with the SEC.  Orange jumpsuit, perp walk and dungeon time for him. 

I don't see how there can be any future for Kris or BIPS in the bitcoin community.    There should be a blacklist on which we list people who take people's bitcoins and fail to show their face afterwards.  Shall we leave it to private enterprise to organise such a blacklist?  Or would the bitcoin.org guys like to add a page on which we list these sorts of people so people can check it?

Why would you even put your money in any online wallet and risk it to be hacked?
 Blockchain.info looks to be the best online wallet currently and they claim they don't have access to your wallet and pass (and mostly this is correct), but what's wrong with paper wallets? it just takes 10 mins to upload the key from a paper.

Use of  bitcoin does require the use of an online wallet. This is the case if  Bitcoin is  going to be accepted mainstream.

I too lost  here - but I blame the hacker - not the victim. From what I read the file system was wiped.  Curious as to why a hacker would do that. Usually get in - get the info  - get out.  Wiping the server clean ensures there is no trace of  how.

I believe some thought needs to be put into the who - as well as the how.

I do also note  a  number of online wallets  have had problems. A number of  the leading wallets in various countries  have been taken down recently.   Denmark, Poland, Czechoslovakia.

Rather than thinking all about me,  let's think all about we.  The BTC  community  has been targeted (and probably always will be) by those who seek to  devalue it.

They seek to destroy the work of hours spent  working out systems that are for the improvement of all.

Why is that?  If the hacker is successful then the value  drops.  And  who profits from that?  The  established systems  would seem to have the most to gain.  Food for thought.

It helps to read the terms.  I think the security was ok -  obviously not enough - hindsight is  20/20.  But one can lock the doors and the thief still breaks the window - or  burns the house down.

I hope Kris - and Bips -  continue.  I hope they focus on the merchant services.  I hope they prosper.

And -  I do hope they find  a  way to  recompense.  But  hey  I'm human.;) 

If they don't - then I will still use their merchant services. 

 Well, this kind of shit could happen to any of the merchants out there.

I have always founds BIPS to be a good service but unfortunately bad things happens...hackers should be blamed and not them.

Those people are burned anyway and it seems unlikely to continue doing business with bitcoins. The real issue here is that the community should be proactive and i don't know about bips but some other incidents wasn't so unexpected...

from where i see, there is no better option than being patient wait and observe the progress they are doing
give them time to clean the mess on their own way and allow them to come with the best possible solution for both them and us.

or we can just continue vent our despair here purposeless...

The problem is that people's money dissapear more and more often as the price rises. Everyone is saspicious and usually things end with customers losing their money  :-\ Asking for patient is to much imo.

As promised I'd update when I heard back from BIPS,  I recieved an email today from Kris.  I added a bitcoin address to my account as requested.

.... text removed per request...

Message (presumably from Kris) on my helpdesk ticket:

"I am on my fifth day without sleep doing data recovery as to find more server logs.

Please allow us patience."

 ::)

Sorry, but when you put restoring the ability to process transactions above getting my thousands of dollars of BTC back, I can't find much patience to spare.

Reminder that there's still no evidence whatsoever that a hack occurred.  I'm amazed at the people here who are willing to walk away from their balances on the flimsy word of someone they have never met.

How does one add an external bitcoin address on bips?

Look under the payouts section on the main login page.  There is a spot there to enter a address

I agree with you, and it already happened more than once before with others, It's impossible to stop such things, hackers will always find a way to make our day harder, that's the risk we are taking and we have nothing to do but to accept the fact as it is.

so you saying by making assumption and suspecting everyone would help in recovering your BTC sooner?

one of my precious wallet with 2 figures of btc also victimize here, and i really want to see them back

No i think people should stay calm and assess things clearly. However that's not easy to do when services fail you one after the other.

I think staying calm is a relative thing given the history of these sites being hacked or turning out to be scams.  Certainly the management at BIPS has done little to help assuage the fears of those affected.  In fact I would argue that their lack of communication has exacerbated them.

I have been in touch with Kris and while I cannot share any details, he has convinced me that he is taking this very seriously.  I retract my earlier implications that he stole the coins himself.  I'm convinced now that they were hacked, and that he is working hard to fix things and make them right.

That's all I got, but I thought I would let you guys know.  This is a shit situation for everyone  :-[

Well, this market is still very new, so you must treat the investment you make in BTC as something very risky.
I also owned BTC in my webwallet in BIPS. Sure, I lost it all, but high risk does not come with guarantees and I get that and will continue using the processor services of BIPS, as I find their system easy and cost efficient.

As far as I'm aware coinbase can do many of these same things and has a full payment API built in, also a better track-record thus far as well.

Why is it that i'm seeing too many newbie/junior accounts commenting similar stuff here?

I got the same info. Waiting for my coins :P

Isnt' that obvious? And pathetic if i may add   :'(
Also discouraging about how that problem is going to end  ::)

I was not aware that posting here was a prerequisite to having an opinion.  The BTC market is  wide - and does not revolve around posting in this forum. And - newbies are allowed to post only here.;)

As a user of Bips - and one who lost coins-  I am entitled to an opinion. And to be able to post it - regardless of the views of allegedly more distinguished members.

The thread is about the security breach. 

What happened to Bips was bad. This does not make Bips people bad. This is the opinion of  some (myself included).  Bips have no responsibility to return what was stolen. Perhaps many would prefer they did, but the fact is we are dealing with a commodity that- if stolen- there is no redress. We all knew that.

As evidenced above some have been in touch with Bips and have realised that the truth has been told, as much as it can be. 

Waiting for my coins to be returned is not something I will spend my time on.  There is work to be done - that is more productive.

Looks like the coins are gone forever. Kris made a statemant in a local newspaper:
http://politiken.dk/oekonomi/virksomheder/ECE2143335/cyber-kriminelle-roever-dansk-firma/

He says the work now is primary to recover logs and data to hand over to the police... So its all gone. Why could they not just be open about it, so we're not keeping our hopes up.

I also got a message from Kris 3 days ago about adding an external bitcoin address for transfer of my lost 13 coins, but no coins has been transfered. But it kept my hopes up and made me shut up for a while... Good strategy! But not very honest...

doesn't it supposed to mean a good start?
cooperating with the authorities and start the investigation further
they can't trace the money without a lot of help from higher places

I agree - it seems like a good holding strategy to keep our hopes alive and forestall more aggressive action.  

In the circumstances I do not understand this forgiving attitude from other people posting on this forum.  
I do not see any future for BIPS / Kris in the bitcoin community unless our balances are restored or at a minimum he comes totally clean and offers some recovery or a way to recover.  

These are our bitcoins. We trusted BIPS/Kris when they provided a consumer wallet.  BIPS were listed on bitcoin.org.  I do expect redress or at the very least a frank and open statement of the full position, something that has been notably absent.  

Just tell us the full unvarnished truth and set out a roadmap for recovery or recourse. Spare us all this smoke and mirrors stuff.  If the bitcoin are all gone and there is no hope of recovery Kris can at least have the courtesy be totally honest about this, provide full disclosure on what happened (including logs so we can all check where the coins went) and if he wants any future in the BTC community he can offer us shares in BIPS as partial compensation, fiat or some of his own bitcoins.  

Okay i'm convinced that it is Kris operating shill accounts to cool down the problem. I am also convinced that he stole our coins (and he is possibly even associated with another scam site - will disclose details soon). Now I think legal route is the only option. I waited enough and gave him a lot of time to refund my coins. Its despicable that he can't even reply to his customers publicly and resort to using shill accounts. Despite stealing his customers coins, he has the nerve to not even discuss the hack openly (absolutely zero information about the hack). He is just buying time and all this nonsense of spending 5 sleepless nights going through server logs is plain BS (its already 10 days now). And its BS that he isn't liable to the coins lost. Lets see what the courts have to say in this regard.

Kris: I have added the external address as you requested. I'm giving you 72 hours for you to return my 3.3BTC to that address. If you don't you'll need to face the consequences. I don't care if others are going to go the legal route... I'm determined to go at it alone and will take it to the logical end.

Kris at least try replying from the same shill account. Its laughable and at the same time insulting to your customers. Instead of doing this BS focus on refunding your users.

BIPS sucks big time, I lost 3 bitcoins 2 months back

Coinbase are US based. Why would I deal with US based company if i am located in Europe.

So, you are saying unless I have a number of posts I cannot post in the thread that is about the company which had my bitcoins and which was a victim of security breach?
Or you prefer to read posts with opinions that you would like to hear?
Obviously your view is very limited on where this problem stands and how big this is.
It is not only you here.

Well, for Kris himself it might be a good idea to prepare his case and defense if some of us decides to try him legaly in court for our losses. But for us who lost the bitcoins it's really no point, since the coins are already transfered irreversable to somebody untraceable in an unknown jurisdiction. Pretty low chances of finding the crooks. Makes a hell of a more reasonable case to try Kris legaly and hold him accountable. Both for making this never happen again, and to ruin the BIPS brand, if Kris just continues operations as nothing happened (which looks like he is doing from where i'm sitting)...

Do they have something simiar to a small claims court in Denmark?   Do the members seeking legal action even know if under Denmark law if there is a foot to stand on?   

Because BTC is gaining traction and attracting new members. But I suppose I too would question if I saw something similar. A lot of us newbies had to learn the hard way that online wallets like BIPs are vulnerable. I was nearly one of them, bailed out a week before.

If anything though you should be happy to see a surge in growth, it's what makes the value rise. Supply/Demand.

so we are talking scapegoat here?
somebody has to pay for the losses even though they were also the victim, true?

lets put it in more plain words;
We don't give a damn about you Kris! you could rob a bank, hack others, screw anybody you knew just get our money back!!!

I've only heard "I can't promise anything right now" from Kris, that doesn't exactly give me confidence I'd ever see my money again, nor is it sufficient information about what exactly happened.

I trusted BIPS with a sum that's very significant for me personally and damn right I'm going to hold them accountable if disappears, not let it slip.

The lack of communication and evidence makes this all seem really shady and it doesn't help there's a bunch of new accounts trying to shush the people who are upset with thousands of dollars vanishing in thin air.

Until I either receive proper evidence of what happened and information on how BIPS is going to handle it with authorities, I'm going to think Kris is a reasonable suspect and looking how to take both legal and social action on this.

"You shouldn't trust a web wallet" isn't a valid excuse to swipe this under the rug. It was entirely reasonable for people to think the service will keep their money safe and it failed to do so. In many countries of EU, including where I live, ticking a mandatory checkbox in TOS form can't remove the service provider's liability to keep user data safe, especially when it comes to money.

You are right on that this is not about Kris Henriksen personally. He's representing a commercial company that did and still market themself with "Your data is secure at BIPS", etc. Obviously this is not a true statement, and some of us found that out in a really bad way, with substantial loss of economic value.

BUT the worst part of this whole stinking story, is the lack of communication from BIPS and it's CEO, Kris Henriksen. They choose to handle this mess with a strategy that pretty much left us, their affected customers, out in the dark. He himself or through any proxy has not to date had the courtesy to tell me what the status is with my lost balance and if they have any plan on compensating me for any part of the lost coins. I mean, for god's sake, just let us know! And after that, good or bad news, everyone can go ahead in their own way of handling this (legal process or not).

Perhaps he could offer part of BIPs in the form of shares to the customers who lost Bitcoins in proportion to their lost Bitcoins. 

This would be one way to offer compensation, (may not ever catch up to the growing value of the actual bitcoins stolen but at least it would be some thing).

Also it would go a long way in protecting the Image and reputation of Bips.

Has anyone heard from BIPS/Kris recently?

Two days since last response, now BIPS site is barely loading. Lots of traffic or perhaps another DDOS?

At this point I'm assuming the money is gone and it'll be quite a fight with BIPS to get it compensated for, but any information would be welcome.

For all i know after the attack there wasn't even an update or a warning on the front page about what happened.
I don't know if there is one now but it looks to me that someone pretends that nothing happened  :P

Nop, not a single word from Mr. Kris Henriksen or anyone else at BIPS. I'm resending a support ticket and e-mail everyday now until someone answer my two simple questions of 1) is the money gone forever, and 2) will BIPS compensate me for any part of the lost value.

But nothing yet. However Kris does of some reason have infinite time to talk to the press about what happened where he always denies the claim of running away himself with the bitcoins, so he obviously read the Bitcoin Forum and probably this message too (Hello Kris!, nice to see you here) =)

This mess starts to become a slapstick comedy from their part. I mean, it's not that I want Kris or anyone at BIPS to walk away from their house or not be able to feed their family because of this. I will survive even if my money is never returned.

Now it's all about standing up as a honest human being facing the consequenses of your actions and promises. If you as a individual or a company make a promise to your clients that their critical data is safe with you, and that promise is broken. Well then you can choose two ways to handle this; A) Say you're sorry and that you will try to make it up to them even if the data is gone forever, or B) Tell your clients in a fancy way that they are idiots that trusted you in the first place.

Anyone choosing route B, i.g rationalizing away their role of accountability by arrogance, can expect people to be pretty angry with them for a very very very long time. This individual or company has consumed their right to operate in a free market, and should be shut down in it's existing form as an example of unacceptable business ethics. Case closed.

If Kris make some leagal research himself, like my business lawyer did, he will soon find out that there are plenty similar situations in the old financial world. Multiple financial services will ask for your money to hold them for you for free, or even paying you a good interest rate. It's a free service/wallet/account BUT the receiver are fully responsible for your money while kept in their hands. If it was stolen, they would have to pay it back or close business.

So, for Kris as the CEO of BIPS to act like nothing has happened (choosing route B) he is simply asking for a legal/social backlash. Everyone in the bitcoin community have the right to know if this is a viable business strategy in the future of digital money, and we will use this case to find out (so we atleast get something positive out of this mess). If BIPS goes free, then that is the end of this story. If not, BIPS pays up or close business. Kris will survive, keep his house and feeding his family – but with another company and hopefully alot more humble...

Summed the situation and my thoughts in a very rational way, +1.

If Kris contacts you, please share an update here.

People are very upset and very hostile towards Kris, me included, but I hope he understands it's nothing personal and it's better to just come out and state how things are and what he is planning to do about this.

Prolonging this and remaining silent will only escalate things and make this a lot worse.

Kris was interviewed to a danish news site eailer today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS not the actually attack. Just a way to remove the focus from the sys admins so they could get through another security hole.
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackes.
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.
- Kris advice people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.
- Kris tells BIPS will continue as a payment provider - but have closed down there wallets for good.

I think thats a pretty good summary of the article. Otherwise - try the above google translation :)

Its BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish a "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well tested modules available? This kind of shit brings in all the security loop-holes.


Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand written module (or many more like that) for everything inside BIPS.


BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.


Thanks for the advice Saint Kris.


I'll make sure you do not.


Thanks :)

How does/did the TOS violate the law?  Which law does it violate?

You had to beg Kris to  realise there was a bug.  And, knowing there was a bug, you left your funds there.  OK....  I wish I was  as smart as you...


This kind of statement makes you appear smart, but it is actually without any foundation.

As for your assertion I am Kris, or Kris's shill or  any derivation of that  - I am not.   I lost  btc in this hack.  Unlike you however, I am not looking for a scapegoat.

It's called being an adult and taking responsibility for one's own actions.  If you argue that Kris has to take  responsibility for  the hack, then you are, by implication, saying he did it. 

You yourself allegedly knew the code was not sound.  Yet you didn't tell anyone else, and  in fact kept your btc  stored in Bips.  If you are so good at finding bugs, why did you not start your own service instead of  using  what you saw as an inferior product..  However, such questions divert from the  topic, which is the breach.

It happened.  We lost our btc.  The lesson seems to be to not use hot wallets.

Oh yeah? I bet you haven't written a single line of code in your life.


Obviously you aren't looking for a scapegoat. You stole our funds, why would you feel anything at all?


Nice try Kris. The first thing about being an adult is to man up and become transparent about the so called "hack". The very fact that there is absolutely zero information on the hack shows you are the thief. Period.


Kris (or you) did not do the hack. The hack never happend. He (or you) just moved all the funds to a new address... in plain simple words Kris (or you) just stole our funds. If it was a hack I want all the technical details laid out in public domain. The onus is one you (Kris) to prove he (you) is innocent.


Okay Kris I'll answer your questions (wish you used your real name here instead). Firstly when I asked you to fix the bug you told me clearly that you will fix it asap (and that you were upgrading your systems and needed some time). Now I gave you that benefit of doubt. Now I never in my wildest dreams thought that upgrading your systems meant steal your customers funds.

Secondly, when I say violate law I did not mean the TOS violates law. I shouldn't have mixed two different things in the same sentence (was clearly pissed). What I'm trying to say is you can write whatever you want in your TOS. When it comes to legalities the TOS is used only by customers to demand their rights to a defaulting service. If you are the owner, you don't have any say as you can change the TOS at any time. Its like a rental agreement. The tenant has more legal rights compared to the owner. TOS gives the customers more legal ammunition to go after the owner of the defaulting service... not the other way round. So either you (Kris) have a really bad lawyer or are just talking shit to divert attention from the main issue: theft of our funds. By the way I have already consulted my lawyer and I'll be going ahead with legal proceedings.

e aynen e evet e tabi

do you have personal vendetta with Kris or what?
If you were that close with Kris that you knew so much of Bips operational,
and you knew there was weakness with Bips security config as you mentioned,
why didn't you do something before?
or you could have place your btc somewhere else instead of keeping it there??

stop embarrassing yourself mate

The whole thing is too suspicious, too suspicious.
Kris has spend his time running around and tolled the media that its is not his fault and the wallets security is the users responsibility.

The worse thing is that he is getting away this scam.
No action has been taking since 22 Nov.
We are talking about 1295 BTC!!!
Why is there no details published of any kind?

I say he is a liar and a crock!

Wth? Are there some kind of online wallet fanboys around? I mean i can understand fanboys of artists or athletes but bips fanboys? For real?

This person must be either Kris or someone related to him. Awfully suspicious when there's new accounts exclusively defending BIPS in this thread.

When you build a business around keeping money safe, there's no room for error. The absolute worst way you could ever screw over your users is by compromising their wallets.

If you manage the lose a million dollars of someone else's money, you can't expect there would be no consequences. Of course people are going to be extremely upset.

It's becoming pretty obvious all the money is gone and BIPS is an absolutely awful company nobody should ever trust, but the only way Kris could safe his face is to step forward and address the situation.

If he decides to remain silent and act like nothing happened, people are going to make it personal. There's no way around it.

Only thing I have heard from Kris was a PM asking me to remove info provided in a ticket sent to me..



Please be so kind as to remove the ticket text I wrote to you from public domain.

"Hi,

1) If ...........

There is a reason this is written below.

*************
This email is intended only for the person to whom it is addressed and may contain information that is privileged and exempt from disclosure. Please be aware that forwarding or distributing it is strictly prohibited.

Whats the difference between bips and coinbase?

Stop using your shill accounts Kris. We know its you. Come out in the open about the hack and save yourself some embarrassment.

No he isn't getting away. I'm already in touch with my lawyer. I'm going to drag this fool to the court. We are mapping out a plan to tackle this as its outside of my country. Anyone else planning to sue him?

Coinbase hasn't been "hacked" yet. :)

Coinbase is not only an online wallet. You can link your bank account with them and buy and sell bitcoins also.
Although when the price is on an uptrend you may experience some surprises when trying to buy coins  :P :P

I might join if I knew where to start - that is why I wanted Kris' physical address - so we could serve notice on him... on the face of it it appears that the coins were just outright nicked... I guess he saw the price rise and couldn't resist it

me = kris?
nope

related to him?
well i knew him for a while, chat many times with him but those never last over 2 minutes (strictly business talk)

and you saying my posts here looks like "exclusively defending Bips"?
oh man, if i really intend to do so - none of you would stand a chance... please trust me on this :)

upset/ extremely upset/ mad - do whatever you feels right to do mate...
you have all the rights to express anything you like about Bips just as much as i do to express mine ;)

So why choose bips over coinbase? Coinbase even has insurance so "hacked" accounts will get all the btc their lost btc back.

Ok Kris thanks for the lecture.

EDIT: Read between the lines.

Just an alert. Kris Henriksen's account (https://bitcointalk.org/index.php?action=profile;u=11921) has not been active since December 1st 2013. So has he finally decided to run now that some of us are pursuing legal remedies? Anyone communicated with him last can share their details here if they wish. Many are contacting me with his personal details (including account numbers, addresses etc). So Kris if you are reading this through your shill accounts know that you can run but cannot hide.

http://www.version2.dk/artikel/ny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179

"It was wrong announced. After the first DDoS attacks were hackers inside and found a hole and then deleted the total and masked what they had done afterwards with the large DDoS attacks which struck the connection to the SAN and got the servers to crash , "says Kris Henriksen to Version2.

"The service was divided into 'cold wallet' where customers Bitcoins was locked down, and a 'hot wallet' where they were offloaded when there had to be moved around on them. But because of an error in the algorithm, the entire portfolio of Bitcoins ended up standing in 'hot wallet' department."


"With the success we've had with all the people have bought and sold, the algorithm moved it all over in hot wallet. It took hackers saw a hole that they could exploit, "said Kris Henriksen.

This version of the story was told only to Version2 and no press release that said that the previous press release by BIPS was the incorrect version.

Now BIPS has released a press release today: https://bips.me/press which still does not contain the version told to Version2.

Be careful when you get a mail or anything asking you to give consent by BIPS. According to my lawyer it might be a sly attempt at getting consent to "yes the coins have not been stolen by BIPS". Does anyone (from Denmark) have any contacts at Danish National IT Forensic Police department? Can someone check if a case is registered with them and whether they really are assisting BIPS?

EDIT: What kind of shitty code had Kris written that moved all coins from 'cold wallet' to the hot wallet? So that means people who paid for the cold storage were being fleeced extra bitcoins for something that wasn't even secure. Great!

FROM KRIS:


Okay Kris, now you have made it hard on yourself. I'm going to go public with all your details, including the scams you are associated with today. This kind of attitude will eventually bring yours and BIPS downfall.

I have asked Kris numerous times to refund my coins without resorting to slander. Not once in his communications did he mention that he won't be refunding or even gave me any hope of a refund. All he did was employ usual tactics of delaying communicating the obvious truth with a hope that with time customers will forget about this theft and move on (like we have done for so many other previous hacks).

I'll also disclose all private messages, mails that we sent to each other back and forth and also anything that I find suspicious about your dealings with BIPS and its users publicly.

I'm already in touch with my lawyer (like I said in my previous posts) and be rest assured that I'll be dragging your ass to court. You have been given too much time by all the customers with absolutely zero information on your end about the hack (absolutely zero transparency). I don't give a damn about you closing my account as I'm not going to gun for those 3.3BTC anymore (the time for refunding has expired long ago). And whats the use of a account where I can neither deposit nor withdraw BTC? You closing my account is a joke and a futile attempt at replying to my accusations.

I'll make sure you land behind bars for betraying the trust your customers hold in you. And now that you have said publicly that you won't be refunding your customers (from your Press Release and Version2 interview) I appeal to all the BIPS customers to send me a PM with your BIPS username and the BTC amount you had stored with them. I'm going to make a list of all the people who have been scammed by BIPS and will be forwarding it to my lawyer. If you guys want to help me in fighting the case I would appreciate it if you can give me any details you can (including PM's between you and Kris, any emails exchanged etc or even getting information from concerned authorities in Denmark). I don't want help in any other way (including donations) as I'll fight this case with the money out of my own pocket. I hate it when people betray my trust and take me for granted.

Also this piece of information from BIPS press release is really interesting:


ROFL! So that means anyone operating a free service with 0 revenue generated from it are not liable to loss/theft of customer data (in this case bitcoins). This is a new legal definition coined by BIPS. Similar to Trendon Shavers claiming "Bitcoin isn't real money"... for which SEC showed him the middle finger. I can't wait for Denmark courts to do the same to Kris Henriksen.

In case you haven't seen it.  It is better than radio silence at least.  :)

"Wallet Status Update

We sincerely apologise for the limited information that has been available up to now, but we have not had and are still short of facts to be able to make sufficient thorough official statements.

Most of what was recoverable from our servers and backups has now been restored and we are currently working on retrieving more information to get a better understanding of what exactly happened, and most of all what can be done to track down who did it.

1295 bitcoins in total were sent to an external wallet by the attackers.
https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs
Those bitcoins are not retrievable unless we can find the perpetrators and somehow make a demand they return the coins.
The Danish National IT Forensic Police department have agreed to assist us examining what data there is.

It appears that in order to file a police report for theft, we may need consent from all affected parties to lodge, as according to the police they can not classify this as a theft due to the current non regulation of bitcoin. We are currently looking in to details surrounding this further, awaiting a response from our lawyers and the police department.

Will there be any reimbursement available?
Please bear in mind that the wallet service was a free service and thus there has been 0 revenue generated from it. Hence BIPS is unable to reimburse bitcoins lost unless the stolen coins are retrieved.
We are discussing the possibility of a compensation plan with our legal advisors, but are unable to comment further on this for now.

Practical information:

There are a few account holders who have a small balance of bitcoins in their wallets after the attack. Some have also had payments sent to their BIPS wallet bitcoin addresses and we recovered these on November 19th sending them to an external wallet for safety reasons. These coins will naturally be available for withdrawal by the respective owners. Any bitcoins sent to old addresses after November 19th will also be available to withdraw by those they belong to.

Some merchants have accumulated sales that have been converted to Fiat over time, but not yet reached their minimum payouts. Their balances will also be available in their chosen currency with an option to have them paid out immediately or paid manually together with their new accumulated balance.

For all of the above instances, we are currently working on setting up a clone containing old wallet info and transactions, please grant us patience ..

Notice:

Our mailing system was wiped out during the attack and is still not restored. That means that if we send out mass emails, a large number of these will never reach their destination or end up in Spam folders (some email providers will even auto delete them).

Please check the news section of our helpdesk for more updates and information regularly in case you are amongst the ones who are not receiving our emails."

I suggested to Kris that we have a Skype conference call with him where we can find out what happened and discuss way forward.  This seems a way forward if BIPS wants to reach an agreed, amicable solution.

 Well I was in the newer we saved your coin status and was told   I may see my .39 btc.  Time will tell.


BTW 1200 plus coins were stolen at the 500 usd level so about 600,000 was stolen  it is now more like  1.3 million.

Yes, count me in too. The last days development gives me a gut feeling that Kris has some part in the scam, or is completely incompetent as a CEO. Either way his current operations should be shut down by legal or social means. BIPS lost it's reason to exist in the Bitcoin community by how this mess is handled.

BTW I live and run a brand consultancy firm in southern Sweden (only 10 min from Denmark), so I ofcourse can represent a legal case localy, but more important, I know very well how to kill a brand. Lets just say; storytelling works both ways...

Hi is a crock   >:(

And he bought himself enough time to getaway.

No sign of Kristian, no sign of BIPS.
He definitely ran away with all the coins, that crock!

I have a friend in Denmark if you need to report something.

Ask if Denmark has an "Danish National IT Forensic Police Department".

Kristian Henriksen claims that they are handling the case.
I have never heard about any "Danish National IT Forensic Police Department".

I have seen no evidence that there was any kind of attack.
All I have seen is a bitcoin transfer of 1295 BTC, that do not prove anything.

Its obvious that the plan was to be vague as possible... then just slip away hoping everyone just forgot about their coins.  My initial investment was to be used as part of a home down payment.. I won't forget.

I dont think it was an intended scam. Just got a PM from him and apparently they are working very hard.

I think you are right, Kristian is working hard on getting away with this scam.
Interesting how many people has "talked" with him over the phone and got convinst that he is the most honest man in the world.

If he is still active it most likely means that he is trying to make up whats lost.

Really? It's still attive?
And is working very hard?
 ::)
Who are you?