Bitcoin Forum

Hello,

I am sorry to say it, but I am leaving MintPal. I really liked there webpage and trading platform. But, I have to leave after this issue.

The issue:

I logged onto MintPal from a PC at a friends house. I was on multiple times throughout the afternoon. I was following WC, viewing the page every once and a while, but I was out in the morning, and was going to get back in around 1700 satoshis.  That evening, after I got back to my PC at home, I saw I owned 3000 WC. I was like, I never bought WC? The trade price was 2116 satoshis, a lot more than where I was gonna get in. Of course, I was not going to get in (I already owned coins). Looking into the trade records, I see the trade was placed a minute after I logged into the MintPal for that time. That is impossible, as it takes 30 seconds just to make a trade blindly, let alone look at the charts. So I messaged MintPal support. Here is dialog: (If you do not want to read the dialog skip to the end)


Me opening ticket:

Hello,

I logged into my account today, and I was following Whitecoin. I was out of it at the time, so I was not following it carefully. I saw it dropped to 1700ish. I did not think anything of it. Then, I saw my balance of WC as 3000, I was really confused. I think there was an Unauthorized Trade on my account. I have changed my password in case someone hacked my account. I would like to get my BTC back, the 0.063BTCish that was charged my account. I am down %20 right now, on 0.063, not much for you, but a bunch for me. Can you fix this?

Thanks,
Brandon

Them:

Hi Brandon,

I'm afraid once coins have been traded or withdrawn there is nothing we can do.

Thanks

My reply:

Jason,

I understand if I complete a trade there is no way to reverse it. But in this case, I did not do the trade. Somehow, your software completed a trade without me (a bug in your software???), or someone got into my account, whether on the front end (website) or back end (server). Either way, it is not my fault that this happened. Maybe you should require email confirmation to trade. This does not help my experience at MintPal.

Thanks,
Brandon

Them:

Hi Brandon,

You can check the login history on your account to see if someone else logged in and did it.

It would be best to set up 2FA on your account if you do not currently have it.

Regards,
Jay
MintPal

Me:

I can set up 2FA, but that still does not change the fact that I am still out my BTC.

I see the trade went through at 19:15 and 19:28 MintPal time.

 The closest login attempt was 19:14, and that was me. I did not put a trade in a minute after I logged in.

Thanks,
Brandon


Them

Hi Brandon,

It's simply impossible that the trades would happen by themselves, and we would have it the orders logged in our system being placed by your IP. Checking your order history in our database, we can see a buy order was placed at price 0.00002116 at 7:15pm (I don't believe it was ever this high, so it must have auto traded at the best price). Other trades would be from older orders you had placed in the markets.

Regards,
Jay
MintPal  

Note: The support person (Jay) closed the case, I had to reopen it.  Why did he close the case, it was not resolved?

Me:

Hello,

Can you tell me the IP the order was placed from?

Thanks,
Brandon

Them:

Hi Brandon,

The IP is (IP of my friends house), which does look like yours based on your other login history.

It might be worth scanning your computer for keyloggers/spyware if you're absolutely certain you didn't place that order.

Regards,
Jay
MintPal

Me:

Hello,

Yes, I was on that computer for a time. I will definitely check it for spyware. I am very sad that you cannot fix this, the total trade was only 0.06 BTC, MP makes 7.5 BTC a day right now. I only have 0.16 BTC in my balance, so this is huge to me. I am certain I did not place this order, I would not have opened this ticket.

Thanks,
Brandon

Them:

Hi Brandon,

Please let us know if you find any malware that could have been responsible for the trade

Thanks

Me:

Hello,

There is no malware on that PC. Note: I scanned with Malwarebytes. I have used malwarebytes before, and it is reliable and has always found malware.

Thanks,
Brandon

Me:

This is not closed. It has not been resolved, the BTC is not back in my account. Note: Here is another spot where they closed the case.

Them:

Hi Brandon,

Im afraid we have the proof that the order was done with your IP. We can't just credit you because then everyone could just start claiming they didn't make an order when they lose out.

There is nothing we can do regarding this I am afraid.

Regards,
Jay
MintPal

Me:

Can I have the proof it was done by our IP?

Them:

Brandon,

The proof can be seen by looking at your login history, somebody logged into your account from your IP address moments before the order was submitted. We also have the access logs from our webservers, looking through those it's quite clear the order was submitted from your IP. The first two entries are the login process, the third is the order submission.

69.249.134.181 - - [19/Apr/2014:19:14:16 +0000] "GET /login/market/WC/BTC HTTP/1.1" 200 20422 "https://www.mintpal.com/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"
69.249.134.181 - - [19/Apr/2014:19:14:27 +0000] "POST /action/authenticateUser HTTP/1.1" 200 56 "https://www.mintpal.com/login/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"
69.249.134.181 - - [19/Apr/2014:19:15:11 +0000] "POST /action/addOrder HTTP/1.1" 200 143 "https://www.mintpal.com/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"

Thanks

Me:

This is where I am confused. I placed an order 1 minute after I logged in? I tested it, and it takes 30 seconds to do it blindly, let alone have time to check charts. I NEVER trade without researching it, you can look at my past history. So, I see what you are saying, but I think the server records on your end were forged or glitched.

Them:

Brandon,

You are entitled to your opinion however we have stated the facts on several occasions. The odds are severely stacked against your argument, the fact is that the logs clearly show the order having been submitted from your IP address, the login history clearly shows you (or somebody from your IP address) logging into your account moments before the order was submitted.

Regardless of the above, as we have mentioned already, we will not be returning the BTC balance.

Thanks

Me:

I understand what you are saying.

I am a little disappointed about this, that MP will lose a customer over such a small amount. I will be moving my balance to Cryptsy. I really like MintPal's website, but oh well.

Me:

Also,

I am very suprised that such a big exchange, and a reputable one, would risk making a customer unhappy. But, I am not you, nor making MintPals decisions. I am just saying, If I would be running MintPal, that I would put more importance to keeping customers happy.


Me:

Also, I am a software developer, and I know that 1. records can be forged and 2. bugs/glitches do happen, expecially in complex trading software.

Them:

Brandon,

Sorry that you feel you have to leave. Enjoy Cryptsy.

Thanks Note: He closed the case here again. I did not reopen it.



In Summary

I am very dissapointed MP would lose a customer over this. I have withdrawn my balance to cryptsy already. Also, I feel that they are boasting "great support", and this was far from it. Reasons:

1.

Closed the case multiple times, acting like it was resolved.

2.

Repeatedly stating they will not refund the BTC, it seemed I was talking to a wall.


There are more you can catch if you read the dialog.

If you are MintPal:

If this gets resolved I will delete this post. Maybe there is a misunderstanding here, but right now I cannot see it.

Closing:

Whether you chose to believe me or not, please consider this message.

If you do not: My other account is thecryptodude01, it has been hacked.

Thank you for reading this!

Logged in from a friends house and you don't use 2FA?

But it's their system that has a "bug"?

Have to agree here.  Someone on that computer made a transaction that lost money.  Why would any exchange wear the loss?

If they decided to wear the loss every time someone claimed they didnt make a transaction that ended up loosing money they would go broke in days.

Seriously why log in on a computer you dont take responsibility for the security of in any case.

You cost this company more than 0.06BTC in the time of their employees. I think they were very patient to go through this with you. To suggest this is some sort of inside job doesn't make sense on a risk/reward basis.

Absent any other evidence anyone would agree with MintPal, here.

I was the only one logged in on that computer. I always logged out right after I got in. I am saying there system has a bug because I cannot reasonably log in and then within 1 Minute and complete the trade. Bugs do happen. It is up to you to believe me about this. If you don't, I respect your opinion. But, I know that the computer there did NOT make a trade, so on my end I know it was a MintPal bug. It is hard to get you guys to believe me. Believe what you want. I am leaving MP before I get toasted on more money. Maybe they were patient to go through this with me, but I think not.

What more evidence do you need?

This is completely your fault and Mintpal's response was correct.  The order came from your computer.  Either you entered it accidentally (simplest and most likely explanation) or some other program on the computer caused the trade (very unlikely since there would be no benefit to a virus writer to make that trade).  It's the same as if your phone called a per-minute sex line or an expensive international call.  It doesn't matter if it was a butt dial or your friend or a virus on your phone that made the call.  Your equipment called the number, it's your responsibility not theirs.

I agree that Mintpal was correct in their decision.  I know you said that you ran Malwarebytes, but it sounds like you have some sort of security issue since your previous username on here was hacked.

I'll be signing up for MintPal now.
Glad you helped verify how good their support is.  :)

This is insane. Even if you were hacked you shouldn't get any money back. This is ridiculous. This was either you or your friend. My bet is that this was you and you hoped that they would refund you after seeing this on bitcointalk.

Gotta go with the crowd on this one. MintPal has been amazing in terms of support and they are right in this case. I was hacked before and it is not pleasant but there are simple steps that we can take to prevent it. Make sure you secure your account if you're gonna put money in it. Sorry for your loss.

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.


I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.

Why do you feel that yourself being hacked entitles you to a reimbursement of any sorts?

I don't feel I was hacked. I think this was a server error on there end.

The support gave you session information, including the user agent and the exact data and time that the requests were sent. If this was serverside the requests would not have been sent.

Records can malfunction, they can be forged.

I am not saying this is what happened, but the agent could have been lying.

Just hold your WC.

Give it a few weeks, and be glad that you accidentally pressed the button.

So you're saying that:

• someone, either an attacker or insider at MintPal has come up with a way to do transactions on behalf of customers
• it's sophisticated enough to tamper with their server logs to the point of inserting the same user agent that the customer normally uses
• their attack happens only at the times when the customer is actually logged in
• they used this tool to steal… 0.06BTC?

Assuming you and your friend are 100% honest then don't you think it is far more likely that your browser is infected with some sort of malware that automatically kicks off transactions and withdrawals?

Anything else implies a lot of effort or a conspiracy for very very little reward.

If more people start popping up with similar stories then it could be more likely that there's something wrong at MintPal, but until then in my opinion the balance of probability is something like this in order of decreasing likelihood:

• You made a mistake and are now lying about it
• Your friend did the trade
• Your friend's computer is compromised with something that your antivirus doesn't detect
• MintPal's software is buggy and they are inventing logs to cover this up
• MintPal has an insider doing fraud and they are inventing logs to cover it up
• MintPal was compromised by an outside attacker and they are inventing logs to cover it up

I appreciate that you say #1 and #2 are completely impossible and that you believe that #3 is not the case, but unless other people are also experiencing similar issues then anything but #1-#3 seems very unlikely.

It's good that you reported it here though as it's probably the only way that people experiencing similar issues will ever find out that they're not alone.

Well, all they need is access to the database and the logs. They access the Database, find the password, log in, and complete the trade. They then log out, change the logs, and they are done.


Copy and paste from the previous log. Not that hard.


Two things could of happened here:

I logged in, and they were watching and completed the trade
They logged in and then changed the records to show I logged in

I could of logged in, I was off and on at that time, but either way.

Yes, a small amount, but it could be:

They were testing it on a smaller amount
Proof of Concept



Well, I would of complained about my loss on BC that was almost double that. I take full responsibility for that, because I placed the trade.
Possible, but my friend does not know anything about Cryptocurrencies.
Possible, but Bitcoin related malware, on a computer's first time use for Crypto related stuff?


Possible, but I think the logs were real and they were compromised.

This is what I think, but that the logs exist and they were compromised.
Possible, but I think the logs were real and they were compromised.

Thanks  ;) Also, if it was a MintPal employee, if they see this it might scare them away from doing another "trade".

This is so dumb that didn't bother reading the rest; you have obviously never been near the backend of any kind of web application or you'd know that:

A) Passwords are never stored in plain text, especially in a high security situation such as a bitcoin exchange.

B) If "all they had" was direct access to the database...why would they need your password?  And why would they do a single trade on your account with amounted to losing you what like $20??

If the hackers had direct access to the database they could (or at least attempt to) clear out your entire balance and everyone else on the system.
They basically could do anything they want with your account without having to login or need your password.

I really hope such a thing as "KaChingCoin" does not actually exist if you are the "dev" for it.

Seriously, if this is so "dumb", why reply posting? Plus, I am a developer, and I have been near backends. Anybody with an IQ of over 100 and access to the database could do this. If you would of read the rest, maybe you could answer B

+1 For basically all of that

Passwords in even only semi-secure sites are not stored in plain text.......

So no someone didnt grab your username, password and user agent from the DB, make a quick transaction for stuff all money and then cover their tracks.

If someone was that damned good they would have emptied the exchanges hot wallets not brought you shares that lost money.

Maybe they will, we shall see

Keep using MintPal, that is fine. I had an issue, and I know it is not my fault. I am out of MintPal because I don't want to get hurt on the larger scale.

Never have used them but i have dealt with people who make mistakes and then wanted someone else to pay for it.

Thats what im seeing right here.

If WC went up 5000% would you have done the same thing? Mintpal is the shit, only exchange besides Coinbase I trust.

I would have told people also if WC went up.

If you ever develop anything coin related please let me know so I can stay the fuck away from it.

Hate to say it but I get the feeling your security could have been better.  Not placing any blame just giving an opinion.   

Whats wrong with Mintpal ? i can't reach the website anymore  ???

Nothing.  I'm logged on right now.

Since the migration I have missing btc deposits. Also I cannot login because it will not accept the 2fa code !!!!!!

yea its fucked