yurinov
November 03, 2015, 08:21:02 AM
Nice site, I like how you made an asset on NXT, much more security for members.

ranlo
November 03, 2015, 08:59:24 AM
Site was taken offline because of an exploit in the deposit mechanism. Investigating now.
Shit.
Was it abused or reported when someone found it?
Hacker took funds from hot wallet from what I can gather.
Where were you getting info from? I was actually out all day and saw his post while I was out so past that, I'm in the dark.

hopenotlate
November 03, 2015, 09:51:03 AM
Could someone please point me to historical site data? I mean wagered, profit, invested, investor profit... and so on.
Are they available somewhere?

FanEagle
November 03, 2015, 09:56:27 AM
How can they allow themselves to do such things? People, don't use exploits to gain money, send a ticket and get rewarded!

Quickseller
November 03, 2015, 07:56:38 PM
I'll post an update tomorrow. Just to clear things up quickly: The hacker stole Bitcoin from the hot wallet by depositing non-existing BTC. I analysed all the player deposits and no player had any such fake deposits. This only happened on the BTC site, so the NXT site is completely unaffected anyway.
How were they able to deposit fake BTC? Is this something that would be easily fixable?

ranlo
November 03, 2015, 09:35:37 PM
I'll post an update tomorrow. Just to clear things up quickly: The hacker stole Bitcoin from the hot wallet by depositing non-existing BTC. I analysed all the player deposits and no player had any such fake deposits. This only happened on the BTC site, so the NXT site is completely unaffected anyway.
How were they able to deposit fake BTC? Is this something that would be easily fixable?
Yeah, I'm not following this either. TTM waits for confirmations, so if the network has confirmed them, they should be good (aka not fake). Plus if no accounts had the deposits, how were they able to withdraw?

FanEagle
November 03, 2015, 09:38:07 PM
Wow, just wow, unbelievable that they still do these kinds of actions.

ranlo
November 03, 2015, 09:44:05 PM
I'll post an update tomorrow. Just to clear things up quickly: The hacker stole Bitcoin from the hot wallet by depositing non-existing BTC. I analysed all the player deposits and no player had any such fake deposits. This only happened on the BTC site, so the NXT site is completely unaffected anyway.
How were they able to deposit fake BTC? Is this something that would be easily fixable?
Yeah, I'm not following this either. TTM waits for confirmations, so if the network has confirmed them, they should be good (aka not fake). Plus if no accounts had the deposits, how were they able to withdraw?
Short version: we used block.io as a callback provider. Someone brute-forced the deposit password and our system trusted this source (should have double checked).
Really interesting stuff! I wouldn't even know where to start when exploiting things like that. As irritated as I get when people do hacks like this, there's also a certain level of respect I have for their ability to find loopholes and such. That said, I wish they'd leave TTM (and my investments!) alone, :p.
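
The "should have double checked" point in the post above, as an added example that is not part of the thread or the site's code: a deposit callback handler that treats the provider's message as a hint and credits only what an independent chain lookup confirms, shown beside the trusting version. The callback fields, the `CHAIN` lookup, the secret and the confirmation threshold are constructed assumptions, not block.io's actual API.

```python
import hmac
from decimal import Decimal

MIN_CONFIRMATIONS = 3                      # assumed site policy
CALLBACK_SECRET = "constructed-secret"     # placeholder shared "deposit password"

# Constructed stand-in for an independent lookup (e.g. the site's own full node).
# txid -> (receiving address, amount, confirmations)
CHAIN = {
    "tx-real": ("addr-alice", Decimal("0.50"), 6),
    "tx-fresh": ("addr-alice", Decimal("0.20"), 0),
}
DEPOSIT_ADDRESSES = {"addr-alice": "alice"}    # address -> account
balances = {"alice": Decimal("0")}
credited = set()                               # txids already credited


def credit_trusting(cb):
    """Pattern described in the thread: the shared secret is the only check."""
    if cb["secret"] != CALLBACK_SECRET:
        return "rejected"
    balances[DEPOSIT_ADDRESSES[cb["address"]]] += Decimal(cb["amount"])
    return "credited"


def credit_verified(cb, lookup_tx=CHAIN.get):
    """Credit only what the independent chain lookup confirms."""
    if not hmac.compare_digest(cb["secret"].encode(), CALLBACK_SECRET.encode()):
        return "rejected: bad secret"
    tx = lookup_tx(cb["txid"])
    if tx is None:
        return "rejected: unknown txid"
    address, amount, confirmations = tx
    if address != cb["address"] or address not in DEPOSIT_ADDRESSES:
        return "rejected: address mismatch"
    if confirmations < MIN_CONFIRMATIONS:
        return "pending"
    if cb["txid"] in credited:
        return "ignored: already credited"
    credited.add(cb["txid"])
    balances[DEPOSIT_ADDRESSES[address]] += amount   # amount from chain, not callback
    return "credited"
```

With the second handler, a caller who knows the secret can at most trigger a re-check of a transaction that already exists on chain.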

HCLivess
November 04, 2015, 03:20:18 PM
I don't want to sound malicious, but I'm grateful the NXT is not affected.

ranlo
November 05, 2015, 11:20:22 AM
Is there any update to this situation yet? Especially regarding how it affects investors to both sites?

Quickseller
November 05, 2015, 10:33:58 PM
The site will not go up in the next few days, if at all. So please PM me if you had funds on the site. For the investors: I will calculate the NAV and process all withdrawals starting from Saturday when I am back at home.
That is too bad. ToTheMoon was a really fun game and I think it had a lot of potential. Do you have an estimate of the losses from the hacker and the losses from the whales that took the site profile down a bit? Can you publish the txids of the withdrawals that were based on fake deposits?

ranlo
November 05, 2015, 10:36:27 PM
The site will not go up in the next few days, if at all. So please PM me if you had funds on the site. For the investors: I will calculate the NAV and process all withdrawals starting from Saturday when I am back at home.
Is there any update to this situation yet? Especially regarding how it affects investors to both sites?
Investors will be refunded at the NAV, and I will eat the losses from the hack. I don't think I have the time and resources to keep the site running for now, especially considering the possibility of another hack.
PM sent! Hopefully the NAV is looking good. Are you taking down the NXT one as well, or just the BTC?

Quickseller
November 05, 2015, 10:40:53 PM
The site will not go up in the next few days, if at all. So please PM me if you had funds on the site. For the investors: I will calculate the NAV and process all withdrawals starting from Saturday when I am back at home.
That is too bad. ToTheMoon was a really fun game and I think it had a lot of potential. Do you have an estimate of the losses from the hacker and the losses from the whales that took the site profile down a bit? Can you publish the txids of the withdrawals that were based on fake deposits?
I lost about 30-35 BTC to the hacker. The profit of the site was at 5.627116 BTC with 7.507149 BTC in free bits distributed. The profit of the NXT site was -175907.39 NXT and 115754.02 NXT in free NXT distributed.
Is the 5.627 site profit reflective of the losses due to the hacker? Do you know what the total bankroll was?

Quickseller
November 05, 2015, 10:46:42 PM
That is a Cubits.com deposit address, and it appears to be some kind of exchange. If he has used that address for other purposes, then more information may be able to be figured out about him. It might be helpful to contact cubits.com to see if they can provide any information on the person behind that deposit address.

Mediator
November 05, 2015, 10:47:13 PM
The site will not go up in the next few days, if at all. So please PM me if you had funds on the site. For the investors: I will calculate the NAV and process all withdrawals starting from Saturday when I am back at home.
That is too bad. ToTheMoon was a really fun game and I think it had a lot of potential. Do you have an estimate of the losses from the hacker and the losses from the whales that took the site profile down a bit? Can you publish the txids of the withdrawals that were based on fake deposits?
I lost about 30-35 BTC to the hacker. The profit of the site was at 5.627116 BTC with 7.507149 BTC in free bits distributed. The profit of the NXT site was -175907.39 NXT and 115754.02 NXT in free NXT distributed.
Wow. The bad news for investors! Then how bitcoin your investors whether they will lose bitcoin and you will shut this website?

Quickseller
November 05, 2015, 10:49:37 PM (Last edit: November 06, 2015, 06:32:02 AM by Quickseller)
That is a Cubits.com deposit address, and it appears to be some kind of exchange. If he has used that address for other purposes, then more information may be able to be figured out about him. It might be helpful to contact cubits.com to see if they can provide any information on the person behind that deposit address.
How did you gather that it's a Cubits address?
https://www.walletexplorer.com/address/3DeXWvsJgbwUf1G8ocqLeotjUz7azK7Eh8
Walletexplorer.com is a very useful website/tool to analyze the blockchain.

ranlo
November 06, 2015, 03:54:52 AM
I wrote the company.
I hope they are willing to help deal with this problem. I know in the past a few pools were nice enough to reject transactions that were related to scammers (and while I disagree with centralization, I think having a way to police ourselves is paramount).

ndnh
November 06, 2015, 06:15:39 AM (Last edit: November 06, 2015, 06:41:07 AM by ndnhc)
That is a Cubits.com deposit address, and it appears to be some kind of exchange. If he has used that address for other purposes, then more information may be able to be figured out about him. It might be helpful to contact cubits.com to see if they can provide any information on the person behind that deposit address.
If it is indeed an address of Cubits (all Cubits addresses do indeed start with a 3), you might be able to track what happened to the bitcoins at least for a while if you successfully contact all those sites the hacker used to well.. tumble the bitcoins. It is a payment gateway, and AFAIK it is used in many sites and I believe even in some casinos etc. The hacker then sent it to a Cubits address of say a site like betchain, got transferred to the merchant site, and the hacker most probably withdrew from the merchant site (to another site with an anonymous account?).
Edit: This guy has been doing this from 2015-09-29
How exactly did this happen? Isn't it possible to know whether there is some problem by simply tallying everything (deposits - total player lost [faucet, bonus, rake, wins,..] - withdrawal = player balance on site and checking balances in all addresses of the site tallies with what it should be - which is more important.)? Or do a weekly audit or something?
I lost about 30-35 BTC to the hacker.
Why is it an estimate?

ranlo
November 06, 2015, 07:14:04 AM
That is a Cubits.com deposit address, and it appears to be some kind of exchange. If he has used that address for other purposes, then more information may be able to be figured out about him. It might be helpful to contact cubits.com to see if they can provide any information on the person behind that deposit address.
If it is indeed an address of Cubits (all Cubits addresses do indeed start with a 3), you might be able to track what happened to the bitcoins at least for a while if you successfully contact all those sites the hacker used to well.. tumble the bitcoins. It is a payment gateway, and AFAIK it is used in many sites and I believe even in some casinos etc. The hacker then sent it to a Cubits address of say a site like betchain, got transferred to the merchant site, and the hacker most probably withdrew from the merchant site (to another site with an anonymous account?).
Edit: This guy has been doing this from 2015-09-29
How exactly did this happen? Isn't it possible to know whether there is some problem by simply tallying everything (deposits - total player lost [faucet, bonus, rake, wins,..] - withdrawal = player balance on site and checking balances in all addresses of the site tallies with what it should be - which is more important.)? Or do a weekly audit or something?
I lost about 30-35 BTC to the hacker.
Why is it an estimate?
Bit-X also starts with a 3. That said, if it's not Cubits, try Bit-X and see if they can shed any light.

ranlo
November 07, 2015, 06:57:40 PM
NAV calculations of the BTC and NXT game and the instructions on how to redeem: Please redeem your BTC within 4 weeks. PS: if you had funds as a player on the site, please PM me if you haven't yet.
Just liquidated my NXT ones and sent you back the BTC ones.