Instawallet claim process

[repentance]

One card people might want to keep in reserve is contacting Bitcoin-Central's partnering financial institution.  Bitcoin-Central made a huge deal about being "legitimate" and I'm sure that the financial institution they're using to cloak themselves in legitimacy would be interested to learn that another service operated by the same principals has lost user funds and is being very evasive about answering questions in relation to that loss.

Good point, but didn't that deal fell through, or am I misinformed?

You may be right, I haven't really kept up with what's been happening with Bitcoin-Central.

I just don't like Paymium playing the "it was a free service" card.  When you hold large amounts of other people's funds, you're accountable whether you charge for that service or not.  If you're not willing to be accountable, then don't operate the service.  

Also, it should be possible to ring these people and confirm whether or not the incident was, in fact, reported to them.

Brigade d’Enquêtes sur les Fraudes aux Technologies de l’Information, a unit of the French "Police Judiciaire"

As the OP maintains that independent auditors are involved in investigating this incident, it might be beneficial to advise users which firm has been retained to conduct the forensic analysis.

The onus is entirely on Paymium to prove their claims regarding this incident having been reported to law enforcement and the involvement of auditors.  Providing such proof in the OP would have gone a long way towards restoring credibility, but it's not to late to do so now.  Calling people trolls (other thread) and evading reasonable questions does not engender confidence in Paymium's professionalism or their ability to run their other services competently.

[1714533390]

1714533390

[1714533390]

1714533390

[1714533390]

1714533390

[tvbcof]

One card people might want to keep in reserve is contacting Bitcoin-Central's partnering financial institution.  Bitcoin-Central made a huge deal about being "legitimate" and I'm sure that the financial institution they're using to cloak themselves in legitimacy would be interested to learn that another service operated by the same principals has lost user funds and is being very evasive about answering questions in relation to that loss.

Good point, but didn't that deal fell through, or am I misinformed?

You may be right, I haven't really kept up with what's been happening with Bitcoin-Central.
...

I don't know either, but it's a Godamn good idea.  I bet the bank's marketing department would just loooove to have their name dragged through the Bitcoin muck in mainstream news sources, so as long as they entertained any relationship at all it might be that their legal department could be convinced to take an interest in the situation.

[Tronlet]

Read my post earlier in the thread, it's quite possible to handle claims (at least some of them) on an ongoing basis.

I assume you mean either this:

10. Your stated claims process on the Instawallets site states: “If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.”. Please will you describe the logic of that? If a hacker has the URLs then surely he can file a claim as quickly as any legitimate account holder? And if you’re assuming that the first claim is likely to be the more “legitimate” one then why wait 90 days? Your logical methodology makes little sense and I would appreciate clarification.

11. You also state that “Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.” Please clarify why the “arbitrary” figure of 50 BTC has been chosen. This comment suggests that you have lost a certain number of coins and need to limit your total payout to what you have left. Please confirm if this is how it is, or if there is another reason for this figure?

or this:

The 90 day claim process is highly questionable, and it's a typical scammer way of evading and delaying the process. After 90 days, people will have 'forgotten', many give up, because they only have small amounts and so on... Lot's of accounts (read: unique urls) should be possible to verify beyond doubt given pieces of information, and should be handled manually on an ongoing basis, then those remaining in an uncertain state should be held until the 90 days are up, and then be released to the person claiming it. To avoid having to pay out to some hacker who've submitted multiple claims, some verification would be possible to do, to ensure multiple claims does not go to the same person. (I know some may have more instawallets, but it's a difference in having 2-3 and having 45...)

There are many pieces of info that could be used to determine whether it's a legitimate claim or not, and these could be handled on an ongoing basis.

For instance a user could be using the same ip for most of his access to instawallet, and he might even be able to remember transactions in or out of instawallet, and he may even have access to adresses from which he previously have sent coins, and can prove he control these, perhaps he even have screenshots from an exchange showing withdrawals to his adress, or have transaction history in a local wallet.

Also, it depends on how much information the hacker got from the database. How much does he know about the users, and how easy would it be to fake a claim ? That's rather important information needed to determine the course of action.

Neither of these quotes have logic I find all that convincing. The one point I'll grant you is that instawallet will no doubt make money off of this, whether or not it's a scam, because of the number of people that will have forgotten after 90 days.

However, that doesn't mean that, assuming it isn't a scam, they shouldn't exercise this level of security anyway. Maybe they should be more lax on wallets under .25 BTC in balance, but they've arbitrarily decided on two divisions instead of three, one below 50 BTC and one above 50 BTC.

All of the methods of determining wallets that you speak of are things I'm sure they'll do, if more than one claim is filed or if the wallet has a balance of 50 BTC or more.

it depends on how much information the hacker got from the database. How much does he know about the users, and how easy would it be to fake a claim ? That's rather important information needed to determine the course of action."

Yes, and it's also something that shouldn't be publicized, in the interest of reducing the number of false claims.

On a final note, it's preferable that bitinstant wouldn't have to process the claims at all, and could just return them immediately. Of course, this is an impossible ideal. There are a lot of wallets, and a claims process isn't something very easy to automate, and the number of wallets mean that it would take potentially, probably, far more than 90 days for them to process all the claims manually.

The 90 day wait is an easy way to verify, with zero human work, the majority of the claimed wallets, of which there will presumably be many. If they were to try and do them all case-by-case as you suggest, in the interest of not having to wait 90 days, there would be a backup and the majority of users would most likely have to wait longer than 90 days, in the end. The 90 day wait comes closest to that impossible ideal.

Edit: Actually, the "forgetting after 90 days" problem depends on how they implement the claims system. If you could just give them an address at the very beginning of the claims process to send the funds to if there are no other claims, then forget about it, then that problem would be abolished more or less.

[bumbo]

An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.

Why would that be the case? If you stored strong salted hashes of the URI keys, then it would be next to impossible for the attacker to brute force valid URIs out of your DB. The fact that the actual keys appear to be stolen and you set up a long time (3 months) instead of a short time for claims process raises suspicion.

Please do officially confirm that you did not store the secret in plain text on a webserver.

Also, how do you store user passwords in other Paymium services? Thanks.

[tvbcof]

An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.

Why would that be the case? If you stored strong salted hashes of the URI keys, then it would be next to impossible for the attacker to brute force valid URIs out of your DB. The fact that the actual keys appear to be stolen and you set up a long time (3 months) instead of a short time for claims process raises suspicion.

Please do officially confirm that you did not store the secret in plain text on a webserver.

Also, how do you store user passwords in other Paymium services? Thanks.

A little history (as I understand it):

'Instawallet' was conceived of and implemented by a user named ~jav.  He seemed to me like a pretty straight up guy.

~jav got tired of it and/or busy and ~davout adopted it because 'it was to cool to let die' or something along those lines.  I don't recall if I started using it before or after this switch.

It would make perfect sense to me if ~jav never really put in the effort to adequately secure the thing.  It would be a good reason to drop it since such work would be tedious.  Remember, back in those days BTC were not worth anything near what the are today.

It would also make sense that ~davout never got around to either evaluating th implementation, or doing the necessary security work (assuming he was even capable.)  He has likely been very busy with other projects.  In short, it would not surprise me if it were true that theft of the database would result in loss of the URL's.

As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.

---

But, as I said in the other note, the ONLY thing that adequately explains the evasiveness about the supposed police report is that it is bullshit.  And the only thing that adequately explains them lying about that is that they are, in fact, the perps.

This in turn means that they have all the URL's and and all the coins and the mythical 'attackers' do not.  They could give all of them back at any time if they so chose.

[Herodes]

Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

[Amitabh S]

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

I think what they are implying that coins were stolen from instawallet but bitcoin-central's coins were not stolen. I may have misunderstood.

[pyedpyper]

Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

To clarify: I have screenshots of all the Paymium pages as they evolved during the down time, as well as the trail of my coins through the blockchain from my Instawallet accounts to Paymium's various cold storage wallets. But not screen shots of my open Instawallet accounts. (There would have been no reason to take these.)

And yes the continued avoidance of supplying the police report number remains. I hope Boussac will simply just provide it and thereby avert a messy situation.

Of course if Paymium is just flat out lying about this then they are understandably in a difficult position. Fraud charges against directors and loss of all credibility in the Bitcoin community would follow swiftly.

The fact that this basic detail is not being supplied sadly points to the fact that they are lying. However, I intend to maintain positivity until noon tomorrow, at which point I will be taking legal action good and proper.

[AndreyE]

I see no claim in process.
Am I looking the wrong way?
It's been quite some time.

[Tronlet]

Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

Maybe once the claims process is opened they will be helped, and perhaps faster than others since the 90 day period is only for the sub-50 BTC ones.

Also, Instawallet might be planning on replenishing the stolen ones out of their own pocket, or maybe they were just talking about bitcoin-central. Realistically, as long as a small number of coins were stolen, all wallets should be able to be reimbursed, due to the number of wallets that will never be claimed.

On the lack of a police report number, they could just not want to make such a thing public, but especially their lack of even an explanation for a lack of a police report number makes this the point where I kind of cross over from trying to provide valid defenses, to just playing devil's advocate.

Boussac, seriously. At least acknowledge the requests for a police report number? Apologies if you have, I haven't read every post.

Edit: Now I have.

Also, I should note that I still am not too worried about Instawallet, just because they are doing poorly in one area of dealing with this does not necessarily mean they are fully lying.

[Tronlet]

I see no claim in process.
Am I looking the wrong way?
It's been quite some time.

As Boussac said, the claim is scheduled to open up April 12th. So far, things are as far as anyone outside of Instawallet knows, on schedule.

UPDATE

We are currently developing and preparing the online claim form.  
We appreciate your patience as we work with limited resources.  
We regret not being able to do more as Instawallet was a free service (zero fees) and could not pay for additional resources.  
However, we would like to reassure you that we will have the claims processed in due time, by the end of the initial 90-day period.  
The claim form is schedule for delivery by Friday, April 12th.

[pyedpyper]

Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

Maybe once the claims process is opened they will be helped, and perhaps faster than others since the 90 day period is only for the sub-50 BTC ones.

Also, they might be planning on replenishing the stolen ones out of their own pocket, or maybe they were just talking about bitcoin-central. Realistically, as long as a small number of coins were stolen, all wallets should be able to be reimbursed, due to the number of wallets that will never be claimed.

On the lack of a police report number, they could just not want to make such a thing public, but especially their lack of even an explanation for a lack of a police report number makes this the point where I kind of cross over from trying to provide valid defenses, to just playing devil's advocate.

Boussac, seriously. At least acknowledge the requests for a police report number? Apologies if you have, I haven't read every post.

He has not once acknowledged that question (now put to him repeatedly by many different forum members), let alone answered it.

And, in my opinion, there can be no sane, rational or legal reason to not provide that information. Especially in light of the problems the withholding of that information is causing.

Of course, more specifically, Boussac is also persisting in witholding his real name and present formal relationship to Paymium.

All suspicious activities. Or perhaps he just has a raging ego and cannot take being "told" what to do (or even respond to a request he does not feel like answering). Either way it is grossly unprofessional, in bad faith, and will do endless harm to Paymium's reputation.

Boussac, I ask you again - respectfully, humbly, amicably and in good faith:

Would you please give your real name, your current position at Paymium, and the police report file number (or other verifiable proof that Paymium has actually filed a case with the police).

So simple...

[tvbcof]

...
Of course, more specifically, Boussac is also persisting in witholding his real name and present formal relationship to Paymium.
...

You bring up a good point.  I would say that from a legal perspective nothing communicated to or by 'Boussac' has any meaning.  Paymium could always just say 'Boussac at bitcointalk.org?  Never heard of the guy' if we are unfortunate enough to need to take this thing any distance.

I think that all communications should go through official channels starting at whatever can be obtained from the Paymium family of web sites and including any e-mail addresses which are referenced through official e-mails or snail-mails from them.

I am sorry to report that so far I have gotten no bites on my solicitation for the initial legal work associated with ensuring that police reports have been filed.  I think it is time to explore other more mainstream channels.  I would appreciated assistance from any user in France who may have the ability to help identify and evaluate potential legal assistance.

I have also set up the following:

  https://sites.google.com/a/tcilgl.com/paymium/

I would like to publish as much information obtained by the community as possible which may be helpful in our efforts.

I would also love it if someone else had a better idea or wished to take a management role in this effort.  I suck at management and hate it and have a lot of other things I would rather do, but I don't want to let this thing just die away.  Crooks believe (correctly) that they can shit all over the Bitcoin userbase and get away with it without a fight.  This is wrong and and bad for the ecosystem and it pisses me off and I feel some desire to see it change even if I have to put in some effort.

[pyedpyper]

...
Of course, more specifically, Boussac is also persisting in witholding his real name and present formal relationship to Paymium.
...

You bring up a good point.  I would say that from a legal perspective nothing communicated to or by 'Boussac' has any meaning.  Paymium could always just say 'Boussac at bitcointalk.org?  Never heard of the guy' if we are unfortunate enough to need to take this thing any distance.

I think that all communications should go through official channels starting at whatever can be obtained from the Paymium family of web sites and including any e-mail addresses which are referenced through official e-mails or snail-mails from them.

I am sorry to report that so far I have gotten no bites on my solicitation for the initial legal work associated with ensuring that police reports have been filed.  I think it is time to explore other more mainstream channels.  I would appreciated assistance from any user in France who may have the ability to help identify and evaluate potential legal assistance.

I have also set up the following:

  https://sites.google.com/a/tcilgl.com/paymium/

I would like to publish as much information obtained by the community as possible which may be helpful in our efforts.

I would also love it if someone else had a better idea or wished to take a management role in this effort.  I suck at management and hate it and have a lot of other things I would rather do, but I don't want to let this thing just die away.  Crooks believe (correctly) that they can shit all over the Bitcoin userbase and get away with it without a fight.  This is wrong and and bad for the ecosystem and it pisses me off and I feel some desire to see it change even if I have to put in some effort.

This is why it was my first question. The whole thing is meaningless without identity confirmed. Paymium appears to have no phone number and only one email address - which it is impossible to get a response from. They appear not to even have proper offices. Looks like all smoke and mirrors to me at this point.

And I'm sure this is why Boussac, whoever he is, is avoiding these questions. Still, criminal charges filed against the listed directors of Paymium will likely bring them out into the light.

[Phinnaeus Gage]

Sadly, I just learnt why this forum is lagging today from so many users--the price dropped.

After I first starting using IW due to sales of leather products by Martin, I eventually amassed over 1,000 bitcoins spread over two wallets (at the time). I was able to afford to lose them then at the lower price point, and paid them no mind as the price slowly rose. Most recently, I split the wallet's contents up into other IW wallets settling them back into only two wallets, one of which being a whole number, the other containing decimals. Recently, a third wallet was created and funded, having less than a full bitcoin in it.

The main wallet I vowed to myself not to touch, letting it do grow. Basically, the same for the second wallet containing ~10% of the first, with the intention of making another purchase of some kind.

Thanks to InstaWallet going down and not having access to my funds, I never had the opportunity to cash out, and still can't. Meanwhile, the owners can't even provide us a police report they so claim exist.

Currently, I have ~$100,000 worth of barn wood in storage. If the building burned now and I lost it all due to not having insurance (which I do not), it wouldn't phase me. But a police report would have been made if arson is expected, especially if I was storing a client's paid order, they would demand to see such a report. Said client can easily assume I resold his wood to some other prior to the fire and is looking for some sort of reassurance, albeit it wouldn't be much.

No motherfuckin' way would I email the client back and tell him that I was providing a free service by storing his paid for lumber and rest assure that delivery is forthcoming.

About a couple three weeks ago I was concerned about IW, but was reassured all is well, hence putting my concerns on the back burner. Two days after this mess started was when I got wind of this episode. Since then, I've seen nothing promising coming from the IW camp--only promises.

Thanks to only having URLs stored on Chrome, not even knowing two of the Bitcoin addresses, I'm not feeling good about my prospects. Each time I transferred, BlockChain showed the wallet containing $0 and immediately moved to a different IW wallet address even though the site shown my dollar amount the same. Fuck, I could set up the same type of system, but now thanks to IW nobody would fall for my scam. Then again there's still hope due to seeing people defending every new ASIC vaporware that comes on the market.

I've yet to read what the heck is going on at Mt. Gox today, but I'll assume it's not good. This no look like a good day for Bitcoin, but I have Butterfly Faith that This Too Will Pass.

~Bruno K~

PS: (opted not to proofread--apologies)

EDIT: Just looked at the Mt. Gox price for the first time today and see that it's going back up. Will now hunt down and read what happened today. Glad to see my VaporCoins^TM are gaining value again.

[tvbcof]

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little hitorical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.

[steelboy]

Boussac has been online again and has not responded to the questions. 

[pyedpyper]

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little hitorical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.

Thanks for this - will come in handy.

If Paymium did in fact hold the wallet URLs on their server in an unencrypted format then this would amount to gross negligence in my opinion. It is unthinkable to me that anyone in this business could even consider doing that for a second. And yet this is what they seem to be suggesting. So...

Option 1: They held the whole wallet URL in plain text, which is what the "hacker" got hold of, and is now why it is unsafe to have the site up. This means they are a bunch of clowns from a technical point of view, and should not be trusted around Bitcoins at all. And are liable for grossly negligent behaviour (bordering on criminally negligent behaviour given that they were holding other peoples money in trust).

OR

Option 2: The wallet URL database was properly encrypted and secured (as one would naturally expect - without even being technically minded). This then raises the obvious question of how the fuck any "hacker" could do anything with it?? And points to the possibility that there was no hack at all and the whole thing is made up.

Given that Boussac refuses to give even his real name and position at Paymium, I think it is highly unlikely he will address this question here (it was asked in my original list of 12). Paymium's CTO will definitely have to address this in the soon to follow legal enquiry if they insist on not addressing it publicly here.

I still hope that they do address it here, as I personally want Paymium to prosper, and be a respected part of the Bitcoin community. Let's hope. Boussac has a couple of hours yet...

[repentance]

Given that Boussac refuses to give even his real name and position at Paymium, I think it is highly unlikely he will address this question here (it was asked in my original list of 12). Paymium's CTO will definitely have to address this in the soon to follow legal enquiry if they insist on not addressing it publicly here.

I still hope that they do address it here, as I personally want Paymium to prosper, and be a respected part of the Bitcoin community. Let's hope. Boussac has a couple of hours yet...

In my opinion this is giving us an indication of how they'd behave if one of the services they didn't operate for free suffered losses and it definitely doesn't inspire confidence.

[Phinnaeus Gage]

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little hitorical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.

Read link. Looks to me somebody finally wanted to get paid for all the free services they been providing. What better way to do that then to yell HACKED! My only beef now is that they didn't even bother to use vaseline, albeit I enjoyed the sex.

Now, for the umpteenth time--POLICE REPORT NUMBER. Let me give you hint as to what we're asking for: When you contacted the police about the hack, they filled out a form. That form has a number on it. You received a copy. Just give us the number and we will no the rest.

If you can't do that, don't bother coming here and posting bullshit like it-was-a-free-service-so-it-doesn't-count.