CoinByCall was compromised on 29/Apr/2015. The attacker managed to steal all Bitcoins from our wallet by transferring them to his own.
He got access to the user database and changed the BTC addresses of about 110 accounts (out of 5200) to his own BTC address. He lowered the payout threshold of these accounts and after the payout mechanism got triggered, the system sent the BTC balance of about 50 user accounts to the attacker.
The system then stopped creating more transactions because the wallet didn't have any coins left.
Those ~50 users lost their Bitcoin balance. In total about 1.2 BTC were stolen.
We've restored the user database with the original users' BTC addresses and changed all passwords of all user accounts. Please perform the following steps to receive your new password via E-Mail:
1. Go to http://coinbycall.com/login
2. Enter your username at "login"
3. Enter at least 6 digits (can be anything) at "password"
4. Click on "Forgot Password?"
Your new password will then get E-mailed to you. If the E-Mail address you registered with is fake you are out of luck and your account is non-recoverable. In this case you may create a new account.
Calls were not lost.
It may take until Monday before payouts are resumed.
Although the attacker tried to hide his identity by using proxies, he made several mistakes. Therefore we were able to track the attacker down to an individual living in New England in the US. He's using Comcast to access the internet and we got several IP addresses with timestamps, for example IPv4 50.163.62.xxx on 29/Apr/2015:16:57:09 GMT+0200. His IPv6 is 2601:6:3d00:a60:f8e0:ccca:xxxx. He's got a Nexus 5 phone.
Some words to the attacker: Although the stolen amount is low, we *will* involve law enforcement and pass all documentation to them if the stolen funds are not transferred back to 1DNxMwkUt8wWoM4wfKbgySzVFsExhfWSYD by 04/May/2015. Is 1.2 BTC really worth it? Think twice about it.
We apologize for the inconvenience.
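
As an added illustration (not CoinByCall's code): a pre-payout check for the tampering pattern described above, where payout addresses on many accounts were rewritten to one address and thresholds were lowered so the payout mechanism would fire. The row layout, field names and the trusted snapshot are assumptions, and the addresses are constructed placeholders.

```python
from collections import Counter

def screen_payouts(current, snapshot):
    """Return {user: [reasons]} for due payouts that should be held for review.

    current  -- live rows: {user: {"address", "threshold", "balance"}}
    snapshot -- same shape, from a trusted earlier copy (assumed to be stored
                where the live database credentials cannot modify it)
    """
    per_address = Counter(row["address"] for row in current.values())
    held = {}
    for user, row in current.items():
        if row["balance"] < row["threshold"]:
            continue  # no payout would be triggered for this account
        # Accounts created after the snapshot have no baseline to diff against.
        old = snapshot.get(user, row)
        reasons = []
        if row["address"] != old["address"]:
            reasons.append("payout address changed since snapshot")
        if row["threshold"] < old["threshold"]:
            reasons.append("payout threshold lowered since snapshot")
        if per_address[row["address"]] > 1:
            reasons.append("address shared by %d accounts"
                           % per_address[row["address"]])
        if reasons:
            held[user] = reasons
    return held

# Constructed sample data: placeholder addresses, balances in BTC.
SNAPSHOT = {
    "alice": {"address": "ADDR_ALICE", "threshold": 0.01, "balance": 0.004},
    "bob":   {"address": "ADDR_BOB",   "threshold": 0.01, "balance": 0.006},
    "carol": {"address": "ADDR_CAROL", "threshold": 0.01, "balance": 0.02},
    "dave":  {"address": "ADDR_DAVE",  "threshold": 0.01, "balance": 0.001},
}
CURRENT = {
    "alice": {"address": "ADDR_X",     "threshold": 0.001, "balance": 0.004},
    "bob":   {"address": "ADDR_X",     "threshold": 0.001, "balance": 0.006},
    "carol": {"address": "ADDR_CAROL", "threshold": 0.01,  "balance": 0.02},
    "dave":  {"address": "ADDR_DAVE",  "threshold": 0.01,  "balance": 0.001},
}

if __name__ == "__main__":
    for user, reasons in sorted(screen_payouts(CURRENT, SNAPSHOT).items()):
        print(user, "HELD:", "; ".join(reasons))
```

Because the comparison is against a copy outside the live database, it still fires when rows are edited directly rather than through the application.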