crypsty hacked over 1.5 yrs ago. 13000 BTCs and 300,000 ltc

[bitwho]

http://blog.cryptsy.com/

Announcement
Cryptsy has had problems for some time now and it’s time to let everybody know exactly why.  These problems were NOT because of any recent phishing attacks, or even a ddos attack, nor does it have anything to do with me personally.
About a year and a half ago, we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies.   After a period of time of investigation it was found that the developer of Lucky7Coin had placed an IRC backdoor into the code of wallet, which allowed it to act as a sort of a Trojan, or command and control unit.   This Trojan had likely been there for months before it was able to collect enough information to perform the attack.  It does not appear that this was the original developer for LK7, as on 5/22/2014, we received this message from the new developer who wanted to maintain the codebase:
—
Hello,
Lucky7Coin is not maintained and I would like to take care of it. I have announced that on bitcointalk.org in Lucky7Coin thread. You’re the only exchange for this coin and I hope you will let me take care of it. I’m responsible. You don’t have to be afraid of errors or forks. I’m developing multipool and I know bitcoin internals and protocol.
https://bitcointalk.org/index.php?topic=295157.msg6861797#msg6861797
For a start I’ve changed irc network, so clients could synchronize blockchain. Please upgrade as soon as you can.
Github repo:
https://github.com/alerj78/lucky7coin
Branch “master” will always be for stable version, branch “devel” could be dirty. In a 2-3 weeks I’ll release new version with p2pool support and checkpoints. Before that I’ll contact you to check few blocks hashes for checkpoints and make sure there is no fork.
I hope we can cooperate and make this coin live again!
Jack
—
These are the approximate figures taken:
Bitcoin:  13,000 BTC
Litecoin:  300,000 LTC
This of course was a critical event for Cryptsy, however at the time the website was earning more than it was spending and we still have some reserves of those cryptocurrencies on hand.   The decision was made to pull from our profits to fill these wallets back up over time, thus attempting to avert complete closure of the website at that time.   This worked fine for awhile, as profits decreased due to low volume and low Bitcoin prices, we would adjust our spending accordingly.  It wasn’t until an article from Coinfire came out that contained many false accusations that things began to crumble.   The article basically caused a bank-run, and since we only had so much in reserves for those currencies problems began. 
Our current customer liabilities for BTC is around 10,000 BTC, so as you can see we would like to see the Bitcoins returned for both our users and for ourselves.
Here are the transaction details from the Bitcoin wallet:
https://www.walletexplorer.com/wallet/0c07e0bec1002bd2
As you can see,  2014-07-29 13:17:36 is when the event occurred.   A very interesting fact here, however, is that those Bitcoins have not moved once since this happened.    This gives rise to the possibility they can be recovered.   In fact, I’m offering a bounty of 1000 BTC for information which leads to the recovery of the stolen coins.
If you happen to be the perpetrator of this crime, and want to send the coins back no questions asked, then you can simply send them to this address: 
1KNi4E4MTsF7gfuPKPNAbrZWQvtdQBTAAa
If they are returned, then we will assume that no harm was meant and will not take any action to reveal who you are.  If not, well, then I suppose the entire community will be looking for you.
Some may ask why we didn’t report this to the authorities when this occurred, and the answer is that we just didn’t know what happened, didn’t want to cause panic, and were unsure who exactly we should be contacting.   At one time we had a open communication with Secret Service Agent Shaun Bridges on an unrelated matter, but I think we all know what happened with him – so he was no longer somebody we could report this to.    Recently I attempted to contact the Miami FBI office to report this, but they instead directed me to report it on the I3C website.  I’ve not heard anything from them.
I think the only real people who can assist with this are the people of the Bitcoin community itself.
Trades and withdrawals will be suspended on the site indefinately until some sort of resolution can be made.
Here are our options:
1.   We shut down the website and file bankruptcy, letting users file claims via the bankruptcy process and letting the court make the disbursements.
-   or –
2.   Somebody else comes in to purchase and run Cryptsy while also making good on requested withdrawals.
-   or –
3.   If somehow we are able to re-aquire the stolen funds, then we allow all withdrawal requests to process.
I’m obviously open to any other ideas people may have on this.

[1714736557]

1714736557

[1714736557]

1714736557

[1714736557]

1714736557

[Hollowman338]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

[cryptomann420]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

                                                                                                                                               
Iam sure most everyone saw this coming! Will the new one in China be NEXT?

[solid12345]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

...or people just need to stop trusting their coins with former porn tsars and magic the gathering trading card dealers. There are plenty of big Bitcoin exchanges that are fully insured in the event of theft and funded by respectable business people with a reputation to keep, problem is the alt world is alot murkier.

[jabo38]

Crypsy is offering a pretty big bounty to get their coins back.

I am guessing the hacker will take the half million dollars and walk.

[box0214]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

it already happened... nxt asset exchange using supernet's multigateway. its just missing the marketing strength it needs.

[sidhujag]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

it already happened... nxt asset exchange using supernet's multigateway. its just missing the marketing strength it needs.

Bitshares decentralized exchange too...

Btw where is popen and pclose defined? I know bitcoin has system call but that wont return data im sure this guy wants to pipe the data to a log and send the log so popen was needed as dooglus said.. But where is popen in the code?

[mikhael]

..and another one bites the dust.

Decentralized exchanges need to happen.  Instantdex or Etherex, whoever, hurry up

                                                                                                                                               
I am sure most everyone saw this coming! Will the new one in China be NEXT?

Of course its been months since Cryptsy started stopping withdrawals, locking users accounts and then this happened.

[iGotSpots]

Gox -> Cryptsy
Malleability -> Backdoor

Same cup of soup, just reheated; both equally 'believable'

Not to mention a $7 million dollar loss not being reported in nearly two years? At this point it doesn't even matter if the blog is true or not. The only difference is which pile of shit it's going to land in

Karma is one cold-hearted bitch

[CoinHoarder]

So predictable. I am sorry to those who lost fund. 

The "we were fine until the coinfire article" struck a nerve. They were not fine before that... I think the issue started when they were hacked to the tune of 13,000 BTC and 300,000 LTC. 

I wonder how many times people will have to get Goxxed before they start using decentralized solutions such as Bitshares, Nxt/Supernet MultiGateway/InstantDex, Nushares/Nubits, or B&C Exchange? 

Disclaimer: I am an investor in all of the above projects.... because I can tell the future.  

[iGotSpots]

I wonder how many times people will have to get Goxxed before they start using decentralized solutions such as Bitshares, Nxt/Supernet MultiGateway/InstantDex, Nushares/Nubits, or B&C Exchange?

Disclaimer: I am an investor in all of the above projects.... because I can tell the future.  

Shilling where it doesn't belong is why nobody gives a shit

[CoinHoarder]

I wonder how many times people will have to get Goxxed before they start using decentralized solutions such as Bitshares, Nxt/Supernet MultiGateway/InstantDex, Nushares/Nubits, or B&C Exchange?

Disclaimer: I am an investor in all of the above projects.... because I can tell the future.  

Shilling where it doesn't belong is why nobody gives a shit

Hating on the only existing solutions to this issue is what this forum does, so I am not surprised by this response. Pushing people away from the only solutions pushes them towards centralized exchanges, which in turn pushes them towards getting goxxed. Do you always support thieves and inept businessmen? Or, do you only support them in this certain scenario when it props up whatever coins' value you happen to be bag holding?

You guys are delusional if you think these coins (or something similar) isn't going to be insanely valuable one day. In my opinion, these coins are in the best position to corner the decentralized exchange market and I have 2% to 5% of my portfolio in each one.

[sidhujag]

I wonder how many times people will have to get Goxxed before they start using decentralized solutions such as Bitshares, Nxt/Supernet MultiGateway/InstantDex, Nushares/Nubits, or B&C Exchange?

Disclaimer: I am an investor in all of the above projects.... because I can tell the future.  

Shilling where it doesn't belong is why nobody gives a shit

Huh it is relevant.. Your post is nonsense

[iGotSpots]

Take your bagholding elsewhere, nobody cares

[sidhujag]

Why dont u go try to find the hacker who stole instead of wasting time with nonsense posts kiddo?

[Arrakeen]

This Vern asshole really loves to throw the blame around.  As if a news article is to blame for him scamming his customers?  And to top it off, an official blog post saying "we still accepted your money for a year after 'being robbed'"

Let's look at just a few of the asshole's excuses & methods of stealing everyone's money!

'Equipment changes'
'Update issues'
'Denial of Service attack'
'brief outages'
'hardware swap'
'Server Failure'
'Scammers'
'Phishing attempts using our customer data'
'database issues'
'mailserver issues'

...and the INSANELY RIDICULOUS fees they've imposed, then INCREASED before shit started to really hit the fan.

How, just HOW could people continuously put up with bullshit like that?

[markm]

I read somewhere that Cryptsy had specifically denied running on fractional reserve, but this recent Big Vern blog post, if it is legitimate, seems to be claiming they have in fact been running on fractional reserve?

In addition to their purported outright claims that they were not on fractional reserve one could simply look at the massive profits available to anyone able to run arbitrage loops (by remaining able to withdraw bitcoins, as Cryptsy itself was presumably capable of doing, being in charge of the withdrawal-preventing measures).

So it seemed pretty obvious that even if they had lost some coin at some point the arbitrage opportunities alone would enable them to easily make up their losses.

Also, cold wallets are by definition cold. How could a trojan daemon running in its own virtual machine possibly enable the moving of coins by another daemon running on another virtual machine?

-MarkM-

[GTO911]

Why would they add lucky7coin?

Adding shitcoins=doom

It took them ages to support legitimate projects like Monero, but they were fast at adding scam coins. I say fate well deserved

[smoothie]

How do we know Cryptsy and its cronies didn't "hack" themselves and then now are claiming "we got hacked 1.5 years ago"

Kinda late eh? 

[smoothie]

Some may ask why we didn’t report this to the authorities when this occurred, and the answer is that we just didn’t know what happened, didn’t want to cause panic, and were unsure who exactly we should be contacting.   At one time we had a open communication with Secret Service Agent Shaun Bridges on an unrelated matter, but I think we all know what happened with him – so he was no longer somebody we could report this to.    Recently I attempted to contact the Miami FBI office to report this, but they instead directed me to report it on the I3C website.  I’ve not heard anything from them.

This is a load of bullshit ^

"were unsure who exactly we should be contacting"

"did not want to cause panic "

The problem with their shitty excuses is that as an exchange they had a RESPONSIBILITY to inform their customers/users the moment money got stolen.

But of course I don't believe they actually lost any money. I believe this is a whole charade to misdirect blame to the PHANTOM HACKER.

The new phrase to be coined is "You got VERNED!"