http://ecrypto.net/ is down - No surprises

[Oldminer]

Anyone here living in BC, Canada able to go pay this guy a visit?

I also just saw the "grinning" cow on the website. He wouldn't have posted it, if he were in over his head. Seems to me, he just ran with all the money he collected.

This is very unfortunate for the people who deposited their coins there.

Which exchange do you trust besides Cryptsy?

I trust cn.bter.com and (maybe) vircurex.

P.S.

Name: bruce degrosbois
Organization: sitemagik
Street: 19613-42 ave
City: langley
State/Province: BC
Postal Code: v3a3a3
Country: CA
Phone: +1.6045399527

Experience
Recreation and Tourism Alumni Event Coordinator at Vancouver Island University
Professional Driver at AC Taxi
Coder at Coastal Webmasters (Self-employed)
Assistant Manager at Agape Ministry
Manager at Edmonton Restaurant Slowpitch League, Edmonton, AB
Coder at Coastal Webmasters (Self-employed)



(From Linkedin) Experience

CEO
Ecrypto
October 2013 – Present (3 months)Vancouver, Canada Area
Ecrypto is developing the worlds most advanced cryptocurrency trading platform. Ecrypto is currently in Alpha development with an expected Beta release date of December 1, 2013.
http://www.Ecrypto.net

Projects

Understanding Bitcoin
March 2013
I suspect Bitcoin is a game changer much like windows was. It is hard not to love it once you understand it. The growth of Bitcoin is unprecedented and surprisingly the percentage growth of the alternate digital currency called Litecoin has been even higher. Many millionaires have been created by this and for the rest of us, well we missed the boat - this time.

I see understanding Bitcoin as...more
HeartofGoldProject.ca(Link)



Simon Fraser University
Urban Planning Certificate, Urban Planning
2013 – 2014 (expected)
RFABC
Masters certificate, facility management
2012 – 2013
I have been doing the courses for the past year and a half. I currently need 1 course to complete my certificate, however the course has not been offered - ever. Will complete it ASAP

[1715095725]

1715095725

[erre]

i wish i lived in canada...

no way to set up a legal action? I didn't lost so much money, but i would be glad to applicate to a collective action...

[paradiselife]

I am in Canada I have no problem taking actions for people outside of Canada, PM me if you have any ideas

[KingGoon]

  ahahahahah

[mr_random]

If he had good intentions and was hacked he should release a statement.

[HyAfo]

I am in Canada I have no problem taking actions for people outside of Canada, PM me if you have any ideas

We need to hire some killer and let him pay by his blood ,silkroad2 coming service .

[mr_random]

This is his plenty of fish dating profile: http://www.pof.com/viewprofile.aspx?profile_id=25769873

I learned about Bruce that he is "a walking miracle - I am a 1 in 25 million survivor." Also, "there was a time in my life when I was a star athlete and an artist"



This appears to be his localbitcoins profile: https://localbitcoins.com/accounts/profile/smagik/ Last active 1 day ago. Verified phone number.

[BrewCrewFan]

Amazing he can get one localbitcoin just very recently yet can not update us here?

Ah well, lesson learned. I normally give people the benefit of the doubt, because most people are good people, but guys like this ruin it for the rest. Of course I used caution due to the site being new so I only lost around 1 mil lotto coins....days worth of mining then and was worth a lot more then than now but stilll...  Kinda wished once I saw the site having issues I would have pulled them if I could have.

Now every legit startup exchange is going to have a problem doing just that, starting up, due to assholes like this that burned many people and lost tons of money.

[HyAfo]

Updated
He removed his facebook face  , sure scam .
https://www.facebook.com/smagik

I will start a bounty to make him pay with his bl^^d   
 

[Nullu]

This guy wasn't too smart, was he? There's going to be a lot of angry people who want answers.

[bluemyst]

UPDATE!!

Explanation for loss of service and plans for recovery and repayment.

From the day Ecrypto started operating it was under attack. Many attempts to penetrate the servers occured and attempts to hack my personal accounts were constant. Unfortunatly on the morning of December 28 the attacker was successful in gaining entry to the wallet servers. Things were operating normally when I noticed the wallet balance had gone to -11 BTC. A few minutes later the wallet servers stopped responding completly, and access to them through the command line became impossible. Digital Ocean began to investigate the problem and after some time sent this response.

Greetings,

I appreciate your patience. After loading your droplet's into a recovery environment, it appears that someone has compromised both of your droplet's, and stolen your bitcoin from the `W2` droplet. This is confirmed from the `.bash_history` file, which the attack did not effectively remove. In an attempt to cover their tracks, they attempted to wipe out your droplets filesystem with `rm -rf /`, but mistakenly left the `/root` folder, which left some of the data for the blocks you had found.

On the `W1` droplet, it is not apparent if there were any *coin's transferred, as the .bash_history folder over there was effectively wiped out prior to the `rm -rf /` on that droplet.

For your reference, both droplets remain in the recovery environment right now, and have the drives mounted. I've taken a few screenshots of the console and pulled of the transfer of your 11 bitcoin on blockchain.info to confirm the theft:
http://screencast.com/t/Ba7Mvgh6md0
http://screencast.com/t/1eKtogngnw
https://blockchain.info/address/19Xn6GPjMoj8FMLMWg77Wq7PNiFSUsZxSV

Given the nature of bitcoin, this theft is effectively irreversible. Unfortunately, even if the data of your droplet's did remain intact, the theft would remain irreversible.

I would certainly be quite suspicious of this compromise, as if these bitcoin were just transferred last night, it would seem someone associated with you, or the other party, is well aware of your two mining droplets, or may have had access to the droplet's prior.

Unfortunately, there is truly nothing more that we are able to do for you at this point.

Regards,
Russell Mitchell | Support Team

There is noone with access to the account information hare so clearly this was a pure hack. I made great efforts to make the servers impossible to hack, however the hacker simply walked right in and stole everything. The coins they did not steal, they deleted. Since the attack I have just been sick to my stomach. Ecrypto has taken 6 months of 16 hour days to build, and anyone suggesting this was a theft by me is a complete fool. The total stolen was only 11 BTC which is not a huge amount. If the hacker had waited, they would have been able to steal a significant amount more, but it is obviously just an impatient child. I am currently reworking the entire setup, making significant changes that will make it impossible to penetrate. The wallet servers will have NO communications with the website server at all, and gaining access to them should be impossible. The weak point will be the weak passwords that Digital Ocean automatically generates for servers, but since the wallet server will have no connection with the website, even finding the server will be nearly impossible. I will also change the location of the wallet server at least once a week, and transfer the majority of BTC and LTC in the wallets into cold storage for additional security.

So the next question is, when will you get the coins you lost back? We have backup images of the wallet balances at the time of the attack. When the site comes back up, 100% of fees collected by the site will go to pay back lost coins. Not only will you receive the coins you lost, you will receive a 50% bonus. So for every 2 coins you had at the time of the attack - you will receive 3 coins as repayment.

Unfortunatly this is the best I can do for now. I personally suffered a large loss as well which makes it impossible to repay the lost coins faster than the plan.

When will the service resume operations? I am thinking a month or so. I need to make the servers bulletproof, and that will take time. If you feel the need to rant or call me names you can email ecryptox@gmail.com. Reasonable emails will be responded to ASAP.

[Oldminer]

There is noone with access to the account information hare so clearly this was a pure hack. I made great efforts to make the servers impossible to hack, however the hacker simply walked right in and stole everything. The coins they did not steal, they deleted. Since the attack I have just been sick to my stomach. Ecrypto has taken 6 months of 16 hour days to build, and anyone suggesting this was a theft by me is a complete fool. The total stolen was only 11 BTC which is not a huge amount. If the hacker had waited, they would have been able to steal a significant amount more, but it is obviously just an impatient child. I am currently reworking the entire setup, making significant changes that will make it impossible to penetrate. The wallet servers will have NO communications with the website server at all, and gaining access to them should be impossible. The weak point will be the weak passwords that Digital Ocean automatically generates for servers, but since the wallet server will have no connection with the website, even finding the server will be nearly impossible. I will also change the location of the wallet server at least once a week, and transfer the majority of BTC and LTC in the wallets into cold storage for additional security.

So the next question is, when will you get the coins you lost back? We have backup images of the wallet balances at the time of the attack. When the site comes back up, 100% of fees collected by the site will go to pay back lost coins. Not only will you receive the coins you lost, you will receive a 50% bonus. So for every 2 coins you had at the time of the attack - you will receive 3 coins as repayment.

Unfortunatly this is the best I can do for now. I personally suffered a large loss as well which makes it impossible to repay the lost coins faster than the plan.

When will the service resume operations? I am thinking a month or so. I need to make the servers bulletproof, and that will take time. If you feel the need to rant or call me names you can email ecryptox@gmail.com. Reasonable emails will be responded to ASAP.

Thanks for the update, but whats with the cow? One would think if you honest you would have put up some sort of message to at least let people know whats going on? And why respond now only after the owners personal details are posted all over the forum? If you are genuine about repaying monies lost with a 50% commission then this is admirable, though I hope for your sake you are not simply trying to placate investors fears & are able to follow it through.

[mr_random]

Thanks for the update. The old posting pof dating profile trick usually works   Tbh it looks like you're only updating because you're realised you can't just run away from this without consequences. Why has it taken you so many days to issue *any* kind of statement?

I made great efforts to make the servers impossible to hack, however the hacker simply walked right in and stole everything.

Someone suggested you was not sanitising user input on your GET variables? Is this true? Because it would leave the doors to your database wide open for anyone to walk in via SQL injection.

[Nullu]

Well, we've got a response. He's told us what's supposedly happened, so all we can do is wait to see if he keeps his word. As long as this is not somehow some way to placate people, and the site will be coming back, and people will be reimbursed, then that is something. I'm willing to give anyone the benefit of the doubt, but the wall of silence has been worrying a lot of people.

The cynic in me would say that it's strange how we've now heard an update now that all his personal details have been revealed, but hey, I'm just suspicious like that. Benefit of the doubt. Everybody should get it at least once.

Thanks for the update. The old posting pof dating profile trick usually works   Tbh it looks like you're only updating because you're realised you can't just run away from this without consequences. Why has it taken you so many days to issue *any* kind of statement?

I made great efforts to make the servers impossible to hack, however the hacker simply walked right in and stole everything.

Someone suggested you was not sanitising user input on your GET variables? Is this true? Because it would leave the doors to your database wide open for anyone to walk in via SQL injection.

I believe I mentioned SQL injection as a possibility in the original thread on ecrypto. It's basic security 101 for SQL and user input though.

[tabnk]

I'm still have 243 earth coin at there, how to retrieve back ? Any help ? .

[Nullu]

I'm still have 243 earth coin at there, how to retrieve back ? Any help ? .

He says he'll be relaunching the site with better security and paying people anything that was taken with interest. That's what he's stated, anyway.

[mr_random]

I believe I mentioned SQL injection as a possibility in the original thread on ecrypto. It's basic security 101 for SQL and user input though.

Someone specifically said the GET variables were not being sanitised. I didn't check myself at the time. If that is the case then it's almost certainly how the hacker gained entrance so easily. A single un-escaped input gives the hacker complete control over the server.

[Nullu]

I believe I mentioned SQL injection as a possibility in the original thread on ecrypto. It's basic security 101 for SQL and user input though.

Someone specifically said the GET variables were not being sanitised. I didn't check myself at the time. If that is the case then it's almost certainly how the hacker gained entrance so easily. A single un-escaped input gives the hacker complete control over the server.

There's no way to check for GET sanitation on the front end of the site that I'm aware of, as it happens on the server after it retrieves the input. An SQL query is just a string, like any data. If you're coding a website that processes financial transactions and don't know how to prevent SQL injection, then you shouldn't be coding financial websites period. I cannot express how basic knowledge that is in secure web development.

If this is what caused the hack, then I'm sorry, but I wouldn't put a single Dimecoin on Ecrypto.

[g0re79]

I'm still have 243 earth coin at there, how to retrieve back ? Any help ? .

LOL

[mr_random]

I believe I mentioned SQL injection as a possibility in the original thread on ecrypto. It's basic security 101 for SQL and user input though.

Someone specifically said the GET variables were not being sanitised. I didn't check myself at the time. If that is the case then it's almost certainly how the hacker gained entrance so easily. A single un-escaped input gives the hacker complete control over the server.

There's no way to check for GET sanitation on the front end of the site that I'm aware of, as it happens on the server after it retrieves the input. An SQL query is just a string, like any data. If you're coding a website that processes financial transactions and don't know how to prevent SQL injection, then you shouldn't be coding financial websites period. I cannot express how basic knowledge that is in secure web development.

If this is what caused the hack, then I'm sorry, but I wouldn't put a single Dimecoin on Ecrypto.

Yes I am assuming the person who claimed there is no GET sanitisation injected into the sql to test his hypothesis, otherwise it would make no sense since there's literally a million ways to penetrate a server.

It is v basic php security which you'll learn in any beginner's book on php. This is why I posed OP the question, to ascertain how much of a php noob he is. Unfortunately the fact his site got hacked so damn quickly suggests in itself it was a basic security hole he left uncovered and not some sophisticated hack attempt.