C-Cex Has Frozen Your BTC! Not to be Trusted

[SlidingHorn]

What Happened
Due to their poor security, C-Cex's exchange was exploited by a user pumping DRK, and they allegedly lost 300 BTC due to the exploit.  They have now placed *all* BTC balances on hold, and are stating that they may hold these until their "investigation" is completed - which can take up to a month.

User's Profile Link
https://bitcointalk.org/index.php?action=profile;u=220467

This is not exactly to say they're scammers - however, it is to say that you should be extremely cautious about trusting them with your coin if they cannot secure it.

Will update when more information is available.

Update #1  
User has stopped responding via Skype & has now banned me (coincidentally the only person who's left negative feedback on their profile) from the chat on the website. (This was an auto-ban, apparently...now un-banned)

Update #2
After several requests, they responded on Skype by simply posting their twitter address.  When I said that this in no way answered my questions, he then, indeed, took the time to answer the questions I asked.  

Update #3
The admin and his cheer leader are claiming that the "thief" is sending BTC back through a tumbler.  In the meantime they are giving back assets to those who dealt in the currency used for the exploit, while those who had not involved themselves at all with said currency are still left with our dicks in our hands.  

It has been suggested MANY times that the admin secure a loan using other altcoins earned via the site's transaction fees as collateral and *every time* he has ignored it and said absolutely nothing.  This leads me to believe that he really has no interest in paying people back in a timely manner.

My conclusion at this point:
Site administrator is (and I'm sorry to say it) incompetent in terms of running a secure site - an absolute necessity for running an exchange.  

DO NOT, under *any* circumstances, allow this guy access to your assets.

[TribalBob]

Unnecessary FUD.

C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.

They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.

Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.

C-CEX knows which user is responsible, has contacted them and is waiting for a reply.

In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.

C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.

Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.

In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.

[SlidingHorn]

Unnecessary FUD.

C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.

They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.

Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.

C-CEX knows which user is responsible, has contacted them and is waiting for a reply.

In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.

C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.

Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.

In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.

You've done nothing but cheerlead them the whole time.

I'll give them "credit" when they secure a loan or do something to immediately repay ALL their customers

[c-cex]

Yes. One of our users were able to add about 310 BTC on his balance that he did not own. After that he bought all DRK he could and withdrew it. Our politic now is to work further. All new deposits/withdrawals/trades works instantly. We intend to reimburse all the BTC to customers, but it will take time.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.

[SlidingHorn]

Yes. One of our users were able to add about 310 BTC on his balance that he did not own. After that he bought all DRK he could and withdrew it. Our politic now is to work further. All new deposits/withdrawals/trades works instantly. We intend to reimburse all the BTC to customers, but it will take time.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.

Side question - answer whenever you have time....

Why not dox the MFer and let everyone get your BTC back for you?

[JoelKatz]

If it's not too embarrassing, now that the hole has been closed, could you disclose some technical details about the nature of the hole and how it was exploited? It could help someone else avoid the same, or a similar, mistake.

[defaced]

Ok, so they added fake btc to their account some how, which they used to buy drk and then withdrew DRK.  So that means you lost users dark but still have everyones bitcoins?

If that is so, why are everyones bitcoins frozen.

What really doesnt make sense is, why are my bitcoins frozen when I didnt make any trades on drk?

C-cex said to me earlier on Skype that all the bitcoin were stolen from the server.

[lojack]

.

[anonymousxx1503]

I am currently working with the ccex staff to recoup btc, wanna make somes things clear, I am not a hacker, it is over my head, I tried to withdraw .2btc it turned into 143btc once the btc was sold to dark at pumped prices and reexchanged on polo it was much less, when the dark was bought, dark went into my account not btc, the btc should still be on the exchange, also, I tried to withdraw amounts of btc @78, 20, 8, 17.4....none of these withdrawls ever went through, the only btc withdrawl that went through for me was for 3btc.also have handed admins credentials to polo acct, site is getting ddossed so admin will have access once over, retrieving other funds as we speak

Why the hell did you dump so much dark, you single handedly drove down the price and shook peoples confidence in the coin.

[lojack]

.

[slyA]

I am currently banned from chat for saying "I do not want to bitch at OP"

[lojack]

.

[slyA]

Still no access to polo, account there has 15000 more dark 48btc and 5000000mintcoin, still have to send admin mint from cold wallet as well, be patient

If this is genuine. Thank you mate. You could as well have not responded but sincerely, the fact that you did means a lot. Thank you.

[MickGhee]

 :Di dont think the company is untrustworthy. i do however feel i shouldnt be penalized  for them being exploited i paid for all my coins bigg ups for claiming all responsability and i trust i will get my monies just wish i could buy some drk right now

[lojack]

.

[SlidingHorn]

I am currently banned from chat for saying "I do not want to bitch at OP"

I can verify that this is an auto-ban based off of word filtering.  It is not the site Admin attempting to "silence opposition" as I originally thought, lol

[zombie6]

just heard of this drama, if the guy returns the lost funds of users that would be admirable

[slyA]

Polo is back online.

[lojack]

.

[lojack]

.