Bitcoin Forum
Topic: Instawallet claim process
Boussac (OP)
April 04, 2013, 04:53:44 PM
Last edit: November 14, 2013, 09:52:42 AM by Boussac
 #1

Dear Instawallet users,

I am a co-founder of Paymium, the company behind Instawallet.

We have now finished our analysis of the events that led to the suspension of the service.
An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e. wallets, have been compromised and are no longer safe to store bitcoins.
Funds were stolen: a police report was filed by Paymium with BEFTI (Brigade d’Enquêtes sur les Fraudes aux Technologies de l’Information, a unit of the French "Police Judiciaire") and an investigation is in progress.
Computer forensic analysis is in progress with independent auditors.
We will be able to refund all instawallet balances up to 50 BTC per wallet.
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.
If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.
The number of such wallets represents less than 0.5% of the number of funded wallets in our records.
In other words, 99.5% of instawallets will be fully refunded.

If you file a claim with Paymium, please do not contact us regarding your claim until the 90-day period has elapsed.
We will need to wait for the end of the period to send the refunds as some people might have forgotten about their instawallet and need time to retrieve it.

Thanks for your patience and understanding.

EDIT:
The reason some of you have not seen their payout is simply that they did not approve the proposed payout.
We need discharge from the people we pay out otherwise there is no way to remove the liability from our books.
The discharge is required also because the database might have been tampered with: even though it may be minimal and partial, there is a non zero probability that the proposed amount does not match the expected amount.
Payouts may be approved until the end of the year. Unapproved payouts will be considered as donations after the end of the year.
A sendmany transaction will be sent in January 2014 to those who filed a claim on time but failed to approve their payout so far.
To approve a payout, simply visit your wallet page (do not forget to type https://www.instawallet.org/w/yourwalletsecreturl in full). Thanks for your cooperation in getting these claims resolved.

Boussac (OP)
April 04, 2013, 04:54:01 PM
 #2

reserved

Boussac (OP)
April 04, 2013, 04:54:15 PM
 #3

reserved

Boussac (OP)
April 04, 2013, 04:54:38 PM
 #4

reserved

steelboy
April 04, 2013, 05:06:57 PM
 #5

But the 0.5% of wallets you can't refund in full will contain the majority of the money. How many btc were stolen?
steelboy
April 04, 2013, 05:15:07 PM
 #6

But the 0.5% of wallets you can't refund in full will contain the majority of the money. How many btc were stolen?

Also, what about transactions over 50btc that were sent out of a wallet before the website went offline but did not reach destination? Support was contacted as was Davout on the forum. Surely this must be repaid in full?

Apologies for my shortness, I am obviously worried about my coins.
trout
April 04, 2013, 05:15:31 PM
 #7


1) do you still have a database of outgoing transactions that were not broadcast?
For several hours before instawallet went offline, outgoing transactions had not been sent
out. Will you be able to process claims for those? (I'm an unlucky owner of one such wallet,
and it held over 50BTC, so I'm worried)


2) there's an additional way to prove ownership of a wallet: sign a message with keys for addresses that
were used to fund a wallet (not everyone has those keys, but some of us do). This can be useful
if more than 1 claim is submitted for the same wallet.

3) can you say how much funds were stolen?
tvbcof
April 04, 2013, 05:16:40 PM
 #8

If you could, please state:

 1) That the claim infrastructure will be accessible by visiting the URL of the instawallet (if true.)

 2) When the infrastructure is in place to make a claim.

 3) The type of information needed to make a holding claim.   Such as:

    - extra contact info such as a bitcointalk.org username or a contact e-mail address if it may be useful in order to resolve conflicting claims.

    - a recollection of the recent utilization patterns.

    - anything else which may require some thought on the user's part.

From a user perspective, I would like to visit the URL one time and input all the necessary information without needing to halt to do a lot of research, etc.

Thanks.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
trippp
April 04, 2013, 05:17:14 PM
 #9

When will you start receiving claims?
Joost
April 04, 2013, 05:31:36 PM
 #10


An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.


So, how are they any good to handle the refunds with / base refunds upon? Surely the hacker could just submit all the URLs he found (and copied) straight into the refund process and cash out again?
steelboy
April 04, 2013, 05:42:44 PM
 #11

This. What info could we have that the hacker does not?

Also, did the hacker know the balances of each URL or did they have to search each one?
Timbo925
April 04, 2013, 06:02:54 PM
 #12

There were people with more than 50BTC on an instawallet?
Why would anyone do this... Guess they learned a lesson.
hous
April 04, 2013, 06:05:31 PM
 #13

steelboy will be a hero member by the time he gets his coins back!!

Have you phoned him steelboy?
steelboy
April 04, 2013, 06:20:26 PM
 #14

steelboy will be a hero member by the time he gets his coins back!!

Have you phoned him steelboy?

Lol

I have called and left a message.
trout
April 04, 2013, 06:43:36 PM
 #15

This. What info could we have that the hacker does not?

I can name at least one: the IP address(es) from where the wallet was usually accessed. He may know the addresses (if they are stored in the database) but he may have some difficulties submitting the claim from one of them.

I hope (and I think) that Paymium will watch from where the claims are submitted and in case of doubt (TOR exit, known proxy) they will ask for more details from the one who fills the claim.

tough luck then for those that were accessing their wallets through tor
hous
April 04, 2013, 06:56:05 PM
 #16

What's Tor?
steelboy
April 04, 2013, 07:00:44 PM
 #17

What
This. What info could we have that the hacker does not?

I can name at least one: the IP address(es) from where the wallet was usually accessed. He may know the addresses (if they are stored in the database) but he may have some difficulties submitting the claim from one of them.

I hope (and I think) that Paymium will watch from where the claims are submitted and in case of doubt (TOR exit, known proxy) they will ask for more details from the one who fills the claim.

tough luck then for those that were accessing their wallets through tor

Well I can't imagine someone installing tor and then using instawallet (except for mixing coins on a very short term basis), but why not? If they previously accessed their wallet from tor and claim it via tor it should be ok.

What about the date that they were created? Do you think the hacker would have this info?
SgtSpike
April 04, 2013, 07:14:36 PM
 #18

Why not more information?  You failed to answer some very basic questions that everyone is wondering:
- How much was stolen?
- How much will those with more than 50 BTC be missing when they attempt to make a claim?
- Why aren't you covering the stolen amounts out of your own coffers?  It was your site security that failed, not the fault of your users.
- Given that your company is insolvent (obviously, or you would be able to pay everyone back in full), are you not afraid of being sued for the remaining amounts and then being investigated for criminal activity as a result?  It is against the law (at least in the US, not sure about European countries) to display favoritism to one creditor vs another when you know the company is insolvent.  All account holders should be taking the same haircut and be repaid by the same percentage of their original balance.

FWIW, I have no stake in the game.  I am just disappointed in how this is being handled.
twolifeinexile
April 04, 2013, 07:24:52 PM
 #19

Ultimately, which information could a true client submit for the claim that the hacker could not?
justusranvier
April 04, 2013, 07:27:21 PM
 #20

Ultimately, which information could a true client submit for the claim that the hacker could not?
A true client could potentially get third parties to vouch for their identity, those who had sent bitcoins into and received bitcoins from that address.