|
|
Rikafip
Legendary
Offline
Activity: 1750
Merit: 5989
|
|
February 19, 2024, 08:18:16 PM |
|
It got hacked a few hours ago.
As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them. Huh, in that article they say that eXch is Ethereum mixer
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7141
|
|
February 19, 2024, 09:53:32 PM |
|
The team did confirm the hack and denied that it was an inside job. They're currently in maintenance mode.
I don't think they are coming back any time soon, like they say on their website. Even if they come back they are probably going to change to fully KYC, and they will have a hard time recovering from these losses. But I would love to hear what they have to say, last time they logged in and posted was in the end of January: https://bitcointalk.org/index.php?topic=5482815.msg63576532#msg63576532
As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them.
They are all over the forum, and they have registered account here since 2018: https://bitcointalk.org/index.php?action=profile;u=2387384
|
|
|
|
tabas
|
|
February 19, 2024, 11:43:00 PM |
|
I see that's the reason why the website says they're on technical maintenance currently.
It got hacked a few hours ago.
As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them. Huh, in that article they say that eXch is Ethereum mixer
The article author doesn't realize that it's a competitor to their business. I don't understand if there are funds from their customers telling that they're safe. Are they talking about the recent transactions that were sent to them? Because no one can hold funds there as the transactions get confirmed, the conversion is sent afterwards quickly CMIIW.
|
|
|
|
hugeblack
Legendary
Offline
Activity: 2506
Merit: 3647
Buy/Sell crypto at BestChange
|
|
February 20, 2024, 07:10:57 AM Last edit: February 20, 2024, 08:07:44 AM by hugeblack |
|
I've used them about 4 times since the beginning of this year, everything was fast and good, it's unfortunate to see them stop working. I think, is a small exchange with about $10 million, but $26 million is not an easy matter to compensate, and most likely the government agencies that will deal with them will demand more stringency regarding customer data. So I think it will be the last time I will use them (if they come back), even though my experience with them was good.
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 20, 2024, 08:41:02 AM |
|
Does anyone have a recent snapshot of their "Reserves" on BestChange? I can only find a snapshot from almost 4 years ago, when their reserves were only $38,489. How did they go from that to 26 million in a hot wallet?
|
|
|
|
Synchronice
|
|
February 20, 2024, 09:38:38 AM |
|
How did they go from that to 26 million in a hot wallet?
Are you seriously asking? It's super simple. You create an exchange, start small, then implement KYC, ask depositors to submit KYC documents on your website, there is a chance that they will refuse it and might give up on their money. Then, over time, you come up with another better solution, that means, you partner with blockchain analysis companies and you confiscate the money of high depositors. At first you confiscate $2000, then $5000, then $8000 and so on. Over time, you go from 38K to 26 Million by keeping deposits in your wallet instead of sending to the receiver.
|
|
|
|
Potato Chips
|
|
February 20, 2024, 10:57:45 AM |
|
Nice article. I'm used to news outlets mistakenly referring little to no KYC measures CExes as decentralized exchanges so seeing eXch as ethereum mixer is new lol and yet another, let's shift the blame for the lack of KYC:
FixedFloat, which advertises itself as an "instant, fully automatic cryptocurrency exchange with Lightning Network," prioritizes privacy over safety, operating without requiring account registration or identity verification. This lack of KYC measures is appealing to privacy-conscious users, but it poses significant risks for both the platform and its users in the event of a hack, as investigators have limited information to work with.
I'm sure the hackers would've given fixedfloat their real name and home address /s No mention what sort of attack was used so who knows if they even have to trade for this.
Does anyone have a recent snapshot of their "Reserves" on BestChange?
I've looked into snaps from a couple months ago and their reserves were constantly increasing. The final amount at Feb 13th was at $45M, see: https://web.archive.org/web/20240213024353if_/https://www.bestchange.com/list.html
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 20, 2024, 04:16:56 PM |
|
Thanks, I didn't find it at archive.org. This means they had more than 50% in their hot wallet. Needless to say: that's incredibly dumb.
|
|
|
|
LTU_btc
Legendary
Offline
Activity: 3052
Merit: 1330
Slava Ukraini!
|
|
February 20, 2024, 08:26:58 PM |
|
Another day - another exchange got hacked. I think I've never heard their name before and it's nothing surprising as it's relatively small exchange. Seems that they didn't put their heads into sand and trying to communicate, that's at least some positive sign. Will be interesting to follow how things will develop further.
I've used them about 4 times since the beginning of this year, everything was fast and good, it's unfortunate to see them stop working. I think, is a small exchange with about $10 million, but $26 million is not an easy matter to compensate, and most likely the government agencies that will deal with them will demand more stringency regarding customer data. So I think it will be the last time I will use them (if they come back), even though my experience with them was good.
Yeah, it's small exchange, but still, $26 million is huge money, no idea how they're going to compensate it. And for scammers it's more than enough money to retire, but probably they're not going to do it.
|
|
|
|
Yamane_Keto
|
|
February 21, 2024, 02:37:20 AM |
|
This means they had more than 50% in their hot wallet. Needless to say: that's incredibly dumb.
Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage, as I see in the explosion that the 1,700 Ethereum were transferred from one address. If they were in the hot wallet, there would have been a large number of addresses. “The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said. “This allowed the attackers to gain access to some of the functions of our service.”
|
|
|
|
yhiaali3
Legendary
Offline
Activity: 1694
Merit: 1862
#SWGT CERTIK Audited
|
|
February 21, 2024, 04:58:50 AM |
|
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws. FixedFloat said that it will fulfill all payment obligations as soon as it resumes its operations, but of course they did not specify a time for that, and until that time, user funds will remain stuck. I hope that the exchange’s words are true and that user funds have not been affected.
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 21, 2024, 07:38:08 AM |
|
Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage
That is by definition impossible. If hackers can access it without physically breaking into the building, it wasn't cold storage. Unless it was in cold storage and an employee manually approved a withdrawal from cold storage that was made without a deposit. That would be a new level of stupidity.
Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws.
In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
|
|
|
|
FinneysTrueVision
Sr. Member
Offline
Activity: 1652
Merit: 365
Top Crypto Casino
|
|
February 21, 2024, 09:22:58 AM |
|
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws. FixedFloat said that it will fulfill all payment obligations as soon as it resumes its operations, but of course they did not specify a time for that, and until that time, user funds will remain stuck. I hope that the exchange’s words are true and that user funds have not been affected.
FixedFloat is an instant exchange like exch.cx. You can use it without creating an account. The only users who would have lost money would be those who were in the process of swapping or receiving a refund. I’ve used them several times since they are one of the few exchanges with lightning support but the recent controversy they had with a user on the forum, where they were asking invasive questions about the source of their funds, made me skeptical about using them again.
|
|
|
|
un_rank
|
|
February 21, 2024, 10:45:17 AM |
|
I’ve used them several times since they are one of the few exchanges with lightning support but the recent controversy they had with a user on the forum, where they were asking invasive questions about the source of their funds, made me skeptical about using them again.
They have had several such complaints off the forum before now which leads me to think that this was always coming with the kind of service they offered. Some users who tried to trade on an 'instant' exchange 2 days before the hack still had funds stored in it till it closed withdrawals. Requests for private info for no apparent reason also increased recently before the hack.
- Jay -
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7141
|
|
February 21, 2024, 06:28:32 PM |
|
Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage, as I see in the explosion that the 1,700 Ethereum were transferred from one address. If they were in the hot wallet, there would have been a large number of addresses.
There is no real difference between using cold and hot wallet addresses. Only difference for cold wallets is that keys/phrases are stored offline, everything else is the same looking from outside. Cold storage access can only happen with leak from the inside.
In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
That would operate in snail speed especially for larger transactions, and someone for sure owned $26 million worth of Bitcoin and ethereum that was hacked.
|
|
|
|
arabspaceship123
Full Member
Offline
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
|
|
February 21, 2024, 09:08:21 PM |
|
Have ppl heard of instant exchanges getting hacked it's first time I've seen this. Hackers must've been given inside info. They've lost $26M from instant exchange last month so why'd they delay their announcement.
|
|
|
|
stompix
Legendary
Offline
Activity: 2884
Merit: 6310
Blackjack.fun
|
|
February 22, 2024, 07:56:50 AM |
|
“it was an external attack caused by vulnerabilities in our security structure.” “The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said.
Is this the first one in a while that comes out with a clear statement like this, we had flaws, our infrastructure security was rubbish, we know we screwed up, it's a miracle it lasted that long? Anyhow, at $26M and with bad publicity I can't see them making a real comeback, even if there will be no customers loss people will be wary of it, such a loss might trigger some extra fleecing on clients to recoup some of that!
In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
I don't get it. If I send Bitcoins and want monero, the moment I sent a coin it's not mine anymore, it's the property of the exchange and they release my monero coins, why would there be a limit on how long they can hold that?
|
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 22, 2024, 04:41:27 PM |
|
In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
I don't get it. If I send Bitcoins and want monero, the moment I sent a coin it's not mine anymore, it's the property of the exchange and they release my monero coins, why would there be a limit on how long they can hold that?
The question was if they really don't store user funds. My answer was related to the short time between depositing and receiving your exchanged coins. It could be up to about an hour to get enough confirmations. What they do with the coins after that is indeed not your concern.
|
|
|
|
Potato Chips
|
|
February 22, 2024, 08:31:26 PM |
|
Have ppl heard of instant exchanges getting hacked it's first time I've seen this. Hackers must've been given inside info. They've lost $26M from instant exchange last month so why'd they delay their announcement.
Did you mean 'this' month? But I'm not that surprised since instant exchanges like fixedfloat are pretty much a simplified version of the custodial and centralized exchanges we're used to -- e.g. kucoin, binance etc.-- created for quick trades. We may not leave our coins there for long but they do have the attack prone hot wallets for daily transactions.
|
|
|
|
DaveF
Legendary
Offline
Activity: 3472
Merit: 6267
Crypto Swap Exchange
|
|
February 23, 2024, 12:19:15 PM |
|
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....
-Dave
|
|
|
|
shield132
|
|
February 23, 2024, 09:13:47 PM |
|
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....
-Dave
You might not believe but local bank in my country was offering crypto exchange service via a child company and the child company was really using an API of other exchanges to make the trades. They fixed it once they became popular. Btw when I visit fixedfloat.com it redirects to ff.io <-- I bet that they want to make this accident look like they didn't experience any hack at all and all of this happens because they purchased a new domain and want to move whole database on a new one.
|
|
|
|
arabspaceship123
Full Member
Offline
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
|
|
February 23, 2024, 10:59:44 PM |
|
They aren't supposed to hold funds after they're exchanging. They should've sent swapped funds to destination addresses so how's $26M stolen?
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....
-Dave
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 24, 2024, 08:01:59 AM |
|
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate. But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades. It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.
|
|
|
|
Synchronice
|
|
February 24, 2024, 10:07:29 AM |
|
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate. But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades. It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.
Many exchanges have fixed and dynamic fees, I think this gives them the possibility to charge you more percentage during trade while protecting you from slight volatility that god knows whether happens or not. By the way, if it's possible to create an exchange via API, then how do they deal with high risk deposits? Let's say that:
A is an instant exchange
B is a big exchange that gives API to A
How does B deal with high risk deposits that comes from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?
Seems, fixedfloat is live but some browsers warn me that fixedfloat is dangerous to visit:
Attackers on the site you're trying to visit might trick you into installing software or revealing things like your password, phone, or credit card number. Chrome strongly recommends going back to safety.
Karma exists!
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
February 24, 2024, 10:25:30 AM Last edit: February 24, 2024, 12:57:02 PM by LoyceV Merited by Synchronice (1) |
|
if it's possible to create an exchange via API, then how do they deal with high risk deposits? Let's say that:
A is an instant exchange
B is a big exchange that gives API to A
How does B deal with high risk deposits that comes from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?
I've seen topics about it: Basically, A claims B froze their funds based on arbitrary conditions (despite A claiming in their terms they use their own funds), and A makes up arbitrary terms for the user to get back their funds. It doesn't make much sense. The whole "freezing" and "dirty" is BS anyway, exchanges would gladly send those funds to other users again:
The funds remain frozen at our addresses, and when the frozen funds are seized by the authorities, they are also sent from our addresses.
That's not true. You say the funds "remain frozen", but that can't be since you've mixed them already. The first transaction was mixed in this transaction and that same output was used to send to another address. The second transaction was mixed in this transaction and also sent to another address. None of the funds were frozen in your wallet, you're normally using them to pay other people. To summarize: if those funds came from criminal activity as you claim, you've now sent it to other innocent users who now own those "tainted" Bitcoins. It sounds very much like you only care about "taint" when it's convenient for you.
|
|
|
|
DaveF
Legendary
Offline
Activity: 3472
Merit: 6267
Crypto Swap Exchange
|
|
February 26, 2024, 09:02:07 PM |
|
I was always under the impression that sites like this didn't even store user funds. Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.
There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate. But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades. It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.
Once again as an assumption, I had in my mind that the lack of withdraw fees was covered by the rates that were not that good. I *know* that is how a couple of other places worked. The rate you saw was what you would get if you went to a full regular exchange minus the withdraw fee minus their cut. I know that when I was moving some forked BCH that I had with them last year I followed the coins to some other exchange. The BTC I got back was from a small wallet, no idea whose it was.
-Dave
|
|
|
|
Yamane_Keto
|
|
February 27, 2024, 01:08:14 AM |
|
https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed. February 27, 2024
Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage -- --
I did not find an official statement from them. I read some articles that talked about the reason and it seemed, as I mentioned, a complete failure of the system, as one of the articles mentioned that private key exploit. On-chain Details show that the attack lasted for more than two hours. The hackers emptied their ETH balance first, and then after an hour, the same thing was repeated for Bitcoin, for more than half an hour. In both cases, the damage could have been mitigated, as the Bitcoin wallets were emptied after more than an hour from the suspicious movement of ETH wallets. FixedFloat Exploit
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7141
|
|
February 27, 2024, 09:58:21 PM |
|
https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed.
They came back faster than I expected, and after reading their latest blog posts I can say they had very poor protection, and slow reaction to initial hack. According to their twitter account they are now making a planned transition to new short domain ff.io: https://twitter.com/FixedFloat/status/1761267221051977842
|
|
|
|
FinneysTrueVision
Sr. Member
Offline
Activity: 1652
Merit: 365
Top Crypto Casino
|
|
April 01, 2024, 11:10:34 PM Last edit: April 01, 2024, 11:50:59 PM by FinneysTrueVision |
|
It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB has been transferred from their hot wallets and some of it has been swapped using eXch. The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.
|
|
|
|
stompix
Legendary
Offline
Activity: 2884
Merit: 6310
Blackjack.fun
|
|
April 02, 2024, 01:47:12 PM |
|
The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.
Waaaaiiit a minute! Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet the same address that was hacked last time? They didn't even change that and they were up and running like nothing happened? They didn't even mention what went wrong the first time, the services were not fully back but they kept using the same system and the same addresses? Come on, this is unbelievable!
|
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
April 02, 2024, 01:59:01 PM |
|
Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet the same address that was hacked last time?
My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7141
|
It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB has been transferred from their hot wallets and some of it has been swapped using eXch.
This hack is now officially confirmed on FixedFloat twitter account. I can't believe this is actually happening in the same way like last time, and something seriously stinks here. It sounds to me like there is some information leak from inside this exchange.
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.
However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.
We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.
https://twitter.com/FixedFloat/status/1775172224216875223
|
|
|
|
stompix
Legendary
Offline
Activity: 2884
Merit: 6310
Blackjack.fun
|
|
April 03, 2024, 01:53:40 PM |
|
My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.
Let's assume that would be true, now which one of the old crypto users who has been around for years and knows about security would just say, we know what the bug is, the rest is safe, let's keep the same wallet that was drained because changing one line is way too complicated. They got lazy at least to say, that, if the second hack is a hack at all.
This hack is now officially confirmed on FixedFloat twitter account. I can't believe this is actually happening in the same way like last time, and something seriously stinks here.
Stinks is underestimating this, I read that twice and I still can't understand a few things:
Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work. However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use
This seems like successfully repelling all the attack on all fronts while losing all your army and retreating 200 miles. Then:
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!! The first one might have been a genuine hack, this one sounds like an exit...s word!
|
|
|
|
|
DaveF
Legendary
Offline
Activity: 3472
Merit: 6267
Crypto Swap Exchange
|
|
April 03, 2024, 07:45:56 PM |
|
Yeah, something is not right. Or, and this is just a guess, the original hack was worse than they thought it was and they had more access to the systems than FF thought so they just had to wait for wallets to be refilled and do it again.
Shrug, whatever, so long as no user funds were lost then it's an internal issue. If you don't take security seriously then that's on you.
Should have been down for weeks while every line of code was checked.
If it really was a 3rd party that was at fault, then why would ANY 3rd party have access to your hot wallets....
-Dave
|
|
|
|
arabspaceship123
Full Member
Offline
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
|
|
April 07, 2024, 11:59:41 PM |
|
They've lost $26M in hot wallets so we've got to know if they're being targeted by outside hackers or inside info helping inside hackers. They haven't told ppl because they're investigating. FixedFloat weren't well known before their hacks now ppl are talking about them for the wrong reasons.
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7141
|
|
April 08, 2024, 04:51:08 PM |
|
This seems like successfully repelling all the attack on all fronts while losing all your army and retreating 200 miles.
Whatever they did to ''improve'' their service now made them look like a bunch of amateurs. This sounds like a classic backdoor access to me, building taller walls won't help to protect you from this.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!! The first one might have been a genuine hack, this one sounds like an exit...s word!
Maybe, but whenever I hear the story about evil hackers I have doubts if they really exist or if they exist who hired them.
Should have been down for weeks while every line of code was checked.
Exactly. If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.
|
|
|
|
examplens
Legendary
Offline
Activity: 3276
Merit: 3169
Crypto Swap Exchange
|
|
April 09, 2024, 10:06:39 AM |
|
Should have been down for weeks while every line of code was checked.
Exactly. If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.
They needed to be robbed twice to accept the seriousness of the situation, now they have been in maintenance for 8 days. I wouldn't bother checking the old code, it's probably safer for them to start everything from scratch. Did they announce somewhere what the amount is in this second incident?
|
|
|
|
RickDeckard
Legendary
Offline
Activity: 1008
Merit: 3007
|
|
April 09, 2024, 10:33:49 AM |
|
Did they announce somewhere what the amount is in this second incident?
A security research firm told Coindesk[1] that there were suspicious transfers of around ~ 3 million ETH. I have just checked the website and it continues in maintenance mode so I guess that they haven't solved the problem. According to a recent tweet of them[2] they were once again attacked by the same group:
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.
However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.
We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.
[1] https://www.coindesk.com/markets/2024/04/02/bitcoin-lightning-exchange-fixedfloat-sees-suspicious-transfers-of-3m-to-ethereum-tron/
[2] https://twitter.com/FixedFloat/status/1775172224216875223
|
|
|
|
logfiles
Copper Member
Legendary
Offline
Activity: 1974
Merit: 1653
Top Crypto Casino
|
|
April 09, 2024, 10:55:53 PM |
|
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!! The first one might have been a genuine hack, this one sounds like an exit...s word!
I had a laugh when I also read that part. Like if the $26M+ is not customer's money nor company's money. Then whose money is it? Did someone just stash it in the address that just happens to be fixedfloat's and then hackers came in and stole it? I think it's just a matter of time before we get an announcement that they are shutting down, or they will probably stay in maintenance mode indefinitely.
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3304
Merit: 16620
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
April 10, 2024, 07:06:26 AM |
|
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!! The first one might have been a genuine hack, this one sounds like an exit...s word!
This sounds like an inside job: first drain the company, then drain the next guy involved.
|
|
|
|
DaveF
Legendary
Offline
Activity: 3472
Merit: 6267
Crypto Swap Exchange
|
|
April 10, 2024, 02:58:02 PM |
|
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!! The first one might have been a genuine hack, this one sounds like an exit...s word!
This sounds like an inside job: first drain the company, then drain the next guy involved.
Sounds like they are being vague on purpose. Had they said this:
No customer funds were lost. The funds we have to run the company on a day to day basis (hosting, payroll, etc) were not lost. The only funds lost were those that were in hot wallets that were needed to run the service on a day to day basis.
Is much more clear. But at that point they have no wiggle room. The generic ambiguous statement that they put out can mean just about anything. Also, English may not be their native language, they may not know what they said outside of Google Translate....
-Dave
|
|
|
|
|