|
tucenaber (OP)
|
 |
April 05, 2013, 08:35:13 AM |
|
Last Saturday there was an issue with my bitcoin24 account and my bitcoins was sold by someone else. The administrator TAiS46 sent me an email late at night asking if the order was mine and if I had place the order by mistake. I replied that it wasn't and since then nothing has been done. Since then I have tried to work with him about the issues they have but I after almost a week I have gotten nowhere. I want my money back and also want to warn others about this site. I will try to restore your offer and get some BTC from you back.
But I can't promise it to you.
Nothing has been done though. (Not that "some" of my bitcoins would be satisfactory) The issue is very serious. Someone used my api key and sold all my bitcoins (>500 !) in my account on the dollar market causing a flash crash. The price went down to $0.14, and the average price ended up around $18. No sanity checks was made by the system. It happily sold everything. The sell order was obviously not placed by me because the two IP numbers used was not mine, and both were TOR exit nodes. 2350752 2013-04-01 18:13:24 5220 create ask api Price: 0.14 Amount: 566.09140204 Offer: 2440971 89.168.113.128
/.../
2340895 2013-04-01 16:26:43 5220 cancel trade api BTC back - Price: 0.10000 Amount: 566.09140204 Offer: 2435765 92.23.89.9
2340859 2013-04-01 16:22:49 5220 create ask api Price: 0.1 Amount: 566.09140204 Offer: 2435765 92.23.89.9
A strange detail is that the thief tried to sell twice but the first attempt wasn't succsessful. I have not received a reason for that. The perpetrator didn't get the api key from me, because it is stored on disk encrypted by aes. It is only decrypted by the script I use from time to time. I also have an unencrypted wallet on the same machine which would have been empty if someone got access to it. My web browser is running in a virtual machine, and if someone got the api key from my side it must have been while being logged into bitcoin24. How that could have happened I have no idea. More likely, I think, is that the exchange itself is compromised. I have realized now that I am not the first victim of this. It has happened several times before. As recently as two days earlier the same thing happened three times to someone else. As a matter of fact, the exchange have a history of outlier trades. I have even been on the winning side once, but the trade was reverted a few days later. Here is the USD market for the last three months: http://bitcoincharts.com/charts/btc24USD#rg90zigHourlyztgSzm1g50zm2g25zland the EUR market http://bitcoincharts.com/charts/btc24EUR#rg90zigHourlyztgSzm1g50zm2g25zlThe exchange is apparently run in a very sloppy manner. The trade history does not match the current balance, and sometimes trades just disappear. I starting to suspect that TAiS46 is using client funds for his own purposes. In any case, there is no way an audit could even be made. The data is not there. |
|
|
|
|
RationalSpeculator
Sr. Member
 Offline
Activity: 294
Merit: 250
This bull will try to shake you off. Hold tight!
|
|
April 05, 2013, 01:25:37 PM |
|
I'm really sorry to hear you have been the victim of fraud  I have had good experiences with bitcoin-24, and I do have the impression the owner is honest, however I believe your story and I am really sorry that this happened to you Thank you for warning me about the danger of holding coins at that exchange. Can I tip you for that? |
|
|
|
|
|
tucenaber (OP)
|
|
April 05, 2013, 01:38:29 PM |
|
Thank you but you don't need give me money  |
|
|
|
|
|
MPOE-PR
|
|
April 05, 2013, 04:27:35 PM |
|
Last Saturday there was an issue with my bitcoin24 account and my bitcoins was sold by someone else. The administrator TAiS46 sent me an email late at night asking if the order was mine and if I had place the order by mistake. I replied that it wasn't and since then nothing has been done. Since then I have tried to work with him about the issues they have but I after almost a week I have gotten nowhere. I want my money back and also want to warn others about this site. I will try to restore your offer and get some BTC from you back.
But I can't promise it to you.
Nothing has been done though. (Not that "some" of my bitcoins would be satisfactory) The issue is very serious. Someone used my api key and sold all my bitcoins (>500 !) in my account on the dollar market causing a flash crash. The price went down to $0.14, and the average price ended up around $18. No sanity checks was made by the system. It happily sold everything. The sell order was obviously not placed by me because the two IP numbers used was not mine, and both were TOR exit nodes. 2350752 2013-04-01 18:13:24 5220 create ask api Price: 0.14 Amount: 566.09140204 Offer: 2440971 89.168.113.128
/.../
2340895 2013-04-01 16:26:43 5220 cancel trade api BTC back - Price: 0.10000 Amount: 566.09140204 Offer: 2435765 92.23.89.9
2340859 2013-04-01 16:22:49 5220 create ask api Price: 0.1 Amount: 566.09140204 Offer: 2435765 92.23.89.9
A strange detail is that the thief tried to sell twice but the first attempt wasn't succsessful. I have not received a reason for that. The perpetrator didn't get the api key from me, because it is stored on disk encrypted by aes. It is only decrypted by the script I use from time to time. I also have an unencrypted wallet on the same machine which would have been empty if someone got access to it. My web browser is running in a virtual machine, and if someone got the api key from my side it must have been while being logged into bitcoin24. How that could have happened I have no idea. More likely, I think, is that the exchange itself is compromised. I have realized now that I am not the first victim of this. It has happened several times before. As recently as two days earlier the same thing happened three times to someone else. As a matter of fact, the exchange have a history of outlier trades. I have even been on the winning side once, but the trade was reverted a few days later. Here is the USD market for the last three months: http://bitcoincharts.com/charts/btc24USD#rg90zigHourlyztgSzm1g50zm2g25zland the EUR market http://bitcoincharts.com/charts/btc24EUR#rg90zigHourlyztgSzm1g50zm2g25zlThe exchange is apparently run in a very sloppy manner. The trade history does not match the current balance, and sometimes trades just disappear. I starting to suspect that TAiS46 is using client funds for his own purposes. In any case, there is no way an audit could even be made. The data is not there. Interesting stuff. |
|
|
|
|
simplydt
|
|
April 05, 2013, 04:44:51 PM |
|
Searching for bitcoin-24 scam only shows this topic; can you show us the examples of the other scams? J/w because I use the site and do not want to lose my pitiful amount of bitcoins.
|
|
|
|
|
|
arlekyn13
|
|
April 05, 2013, 05:23:20 PM
Last edit: April 05, 2013, 05:49:56 PM by arlekyn13 |
|
"I starting to suspect that TAiS46 is using client funds for his own purposes." Strangely or not, after waiting for my SEPA deposit sent on 26.03 (still not credited at the time I'm writing) I begun thinking the same. These transfers usually reach the destination account the next business day. Very rarely it could take up to 3 business days. Pretending that you're assaulted with new customers with a ton of new deposits gives you the chance to actually manipulate the funds as you like for more than a week. Such as buying BTC and waiting for the price to raise... what could go wrong?  On top of that, after sending 2 or 3 messages to support through online form (an email can be lost in a spam filter, but a form submission?!?!) without getting any answer, I submit a new form message to support pretending that I will do that every hour until my issue is solved. The answer came in a matter of several hours only, the content would be quite hilarious if my money wouldn't be involved: "what's wrong? I can't find another massage from you." Maybe the support person was referring to the missing hourly messages I promised to send? If my issue will be solved, even with this pretty large delay, I will certainly provide updates here. |
1CmrswU7JYpi9WNC8EHWCV3aam1FJsW2Zu - to show appreciation for my work
|
|
|
Joost
Member
Offline
Activity: 68
Merit: 10
|
|
April 05, 2013, 05:34:17 PM |
|
Strangely or not, after waiting for my SEPA deposit for 9 days (still not credited at the time I'm writing) I begun thinking the same.
That's frustrating to read! I'm waiting for a SEPA deposit at BTC-24 as well. After the Bitcoin Central debacle I figured I'd settle with a (fairly) big player for safety..  |
|
|
|
|
|
tucenaber (OP)
|
|
April 05, 2013, 06:57:37 PM |
|
Searching for bitcoin-24 scam only shows this topic; can you show us the examples of the other scams? J/w because I use the site and do not want to lose my pitiful amount of bitcoins.
No I don't know exactly what happened in the other cases. But no exchange has a frequency of extreme prices like bitcoin-24 and I do know what happened to me. Before my own issue I didn't think the same way. During the weekend, I caught the end of a discussion in the chat where one guy was complaining about losing money, but I came too late to get exactly what the issue was, and I didn't think much about it until later. Perhaps it is wrong of me to speculate about what actually happened, though. So far, TAiS46 has seemed a bit careless but friendly and helpful. All issues have been resolved in the end, but some have been quite serious. It was also he who alerted me this time. The system his runs seems not reliable though. - trades have been executed without being recorded in the history - I have been able to buy bitcoins for exactly zero price! (that was changed later) - my balance once changed by ~400 BTC overnight, and that got resolved by him just changing my balance in the database. That makes the discrepancy between recorded trades and actual balance very big. - Once I was able to sell 1 BTC for way over market price, because the trading engine allowed for crossing bid and ask (changed after I filed a support ticket) All this makes me think that he has a very unorganized financial situation. And even good people can do bad things in a difficult situation. |
|
|
|
|
|
simplydt
|
|
April 05, 2013, 07:39:06 PM |
|
Well as far as I understand he is a one man band, which would make me very uneasy holding large amounts on the site. After reading your thread I'm even scared of putting 250 euros on it TBH.
However, it's a great site. The guys is obviously a very talented dev, now what he needs is a team around him, business dev, a security system administrator, etc... he needs a plan on how to raise money from his devoted users so he can afford those things. If I knew him I'd gladly have a brain storm with him to try and help him out but unfortunately I don't ;-)
If you are trading like 500 bit coins you should definitely do it on mtgox, i guess safety is better there? Has to be, right?!
|
|
|
|
|
|
tucenaber (OP)
|
|
April 06, 2013, 03:44:44 AM |
|
No, I will never use mtgox Of course I shouldn't have had that much money in the exchange but the incredible price increase makes you forget the actual value... Anyway, I have received a response from support where it is confirmed that the same thing happened to three other users and that my bitcoins have been partially restored awaiting more thorough investigation. This is good news but the question remains, how could this have happened? I would love to hear from any of the other victims. What's especially sad is that the thief seems to have gotten away with the loot. If the admin had acted as soon as he saw the problem that might have been prevented. |
|
|
|
|
|
moni3z
|
|
April 06, 2013, 04:53:08 AM |
|
An attacker would withdraw your coins they wouldn't sell them. Sounds like they cracked the api and are trying to figure out how to withdraw coins, trial and error but are selling them instead. Change your passwords, enable 2FA and disable api if it lets you in settings. LR accounts get fleeced all the time by cracking api passwords which is why it's disabled by default now.
|
|
|
|
|
|
simplydt
|
|
April 06, 2013, 06:59:22 AM |
|
That's great that they have been partially restored, it shows that the owner is serious about the site, it'd be quite painful to restore any amount due to hacking, surely. I hope you get the rest back, as for the security of the site, i am sure it will only get better. The web site is quite amazing considering its made by one dev. Good luck!
|
|
|
|
|
RationalSpeculator
Sr. Member
Offline
Activity: 294
Merit: 250
This bull will try to shake you off. Hold tight!
|
|
April 06, 2013, 09:01:53 AM |
|
Happy to hear part of your coins are back. Please let us know if you get them back in full or not.
Bitcoin-24 for me has been of immense value. I am simply shocked that he offers an exchange with NO charges for trades. And even for sending and withdrawing euro's the charges are ridiculous at 1€ per sepa transfer no matter what amount. This business model of free trading benefits the users immensely, all at a great cost to him! He does receive donations but those are nothing compared to say a 1% fee on trades or withdrawals. Those donations cannot cover the huge expenses it would take to have decent customer support.
Ofcourse if you lose hundreds of coins via fraud, I understand the balance is turned negative. So my sympathies for that.
Sometimes euro sepa transfer to and from the exchange go very fast, like 1-2 days, but mostly it takes 3-5 days. And it has happened to me that a fiat withdrawal simply did not arrive after 2 weeks, also no reply to my customer support tickets and emails. So I had to hunt him down on the chat and even irc, something I didn't even know. Finally he got back and indeed, something had gone wrong and the fiat withdrawal hadn't even processed and he explained what had gone wrong with the bank and website system and initiated it correctly. Frustratingly I also asked to cancel the withdrawal since I changed my mind in the meantime but, again due to lack of support, he missed that and processed it anyway. He did apologize and took responsibility for what had gone wrong and even added a feature to the website that allows to cancel euro sepa withdrawals which I like very much.
So I'm happy in the end but I was very worried and frustrated for a while.
I think we as users have a choice here. It's obvious that he needs to make more money from this exchange so he can hire people for support. I would love that the website remains free so my request is, please donate! We have a real gem here that could change the whole exchange business model from very expensive and unavoidable (% fee) to very cheap and voluntary (donations).
|
|
|
|
|
|
tucenaber (OP)
|
|
April 06, 2013, 10:19:49 AM |
|
An attacker would withdraw your coins they wouldn't sell them. Sounds like they cracked the api and are trying to figure out how to withdraw coins, trial and error but are selling them instead. Change your passwords, enable 2FA and disable api if it lets you in settings. LR accounts get fleeced all the time by cracking api passwords which is why it's disabled by default now.
Why the attacker didn't withdraw coins I don't know. If you have the api key it is perfectly possible, unless the user has activated the sms confirmation feature. I hadn't done that I must admit (because I will emigrate soon and won't have my number anymore), but even the site admin thought I had... But if you as an attacker don't know if the sms confirmation is enabled or not, the surest way to get the money without setting off any alarms would be to buy them cheap. The thing is that bitcoin-24 is mainly a Euro market. The dollar market hardly used at all and is very illiquid. In my case he managed to buy 75% of my coins for $0.14, which is not bad for him. But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me. My advice to users is to disable the api key for now. If you do that I think you are safe. I wish the exchange would make an official statement warning about it. Bitcoin-24 for me has been of immense value. I am simply shocked that he offers an exchange with NO charges for trades. And even for sending and withdrawing euro's the charges are ridiculous at 1€ per sepa transfer no matter what amount. This business model of free trading benefits the users immensely, all at a great cost to him! He does receive donations but those are nothing compared to say a 1% fee on trades or withdrawals. Those donations cannot cover the huge expenses it would take to have decent customer support.
/.../
I think we as users have a choice here. It's obvious that he needs to make more money from this exchange so he can hire people for support. I would love that the website remains free so my request is, please donate! We have a real gem here that could change the whole exchange business model from very expensive and unavoidable (% fee) to very cheap and voluntary (donations).
Yes, you are absolutely right. |
|
|
|
|
|
simplydt
|
|
April 06, 2013, 10:25:47 AM |
|
If API is disabled and two step verification is enabled, do you think that your balance would have been safe? I just started using two step verification and i am not sure if there is known cases of google auth failing with security yet.
|
|
|
|
|
Joost
Member
Offline
Activity: 68
Merit: 10
|
|
April 06, 2013, 10:53:10 AM |
|
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.
That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph). |
|
|
|
|
|
tucenaber (OP)
|
|
April 06, 2013, 11:56:03 AM |
|
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.
That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph). Yes, perhaps the api key is the hash of your username or something, and the hacker figured it out. I must ask about that. |
|
|
|
|
Joost
Member
Offline
Activity: 68
Merit: 10
|
|
April 06, 2013, 12:16:23 PM |
|
But how do you crack an api key made up of 32 random characters? You can't do offline cracking either. You would need to do a huge number of api calls and that doesn't seem feasible to me.
That's what has me puzzled as well. I reckon that if the API key would've been predictable from some feature of your account (email, username, something like that) more people would have been duped. It's really weird that it happened to you and a few minor other cases (as can be seen in that outlier graph). Yes, perhaps the api key is the hash of your username or something, and the hacker figured it out. I must ask about that. That's what I'm saying it can't have been, or he would surely have taken more. If it was that predictable, what stops him from going after really big fish? Or do you reckon you were the big fish on there? |
|
|
|
|
|
tucenaber (OP)
|
|
April 06, 2013, 04:45:32 PM |
|
I could very well have been one of the biggest fish with the api enabled.
|
|
|
|
|
|
Dhomochevsky
|
|
April 09, 2013, 01:01:56 PM |
|
Anyone has any idea why SEPA transfers from Bitcoin-24 take so damn long? Currently waiting on two transfers from them, a standard SEPA transfer initiated about a week ago and a "same day" transfer initiated on Friday. Both of them are still "processing" on the site, so it's a pretty far cry from what they promise in terms of delivery. I thought the extra cash you pay for Same Day transfer was supposed to bring the money to you faster...
|
|
|
|
|
|
