BitStamp - hacked and down

[mayax]

They changed the temporary website design, that's something 

I really hope they are not buying time 

5 Mil to cover. they should do it otherwise Ripple and other companies related with Bitstamp will go down. the scandal will be huge

[mayax]

They changed the temporary website design, that's something  

I really hope they are not buying time  

This is from nejc kodric's tweeter

Nejc Kodrič ‏@nejc_kodric  9h9 hours ago
We are fully rebuilding our systems from the ground up so that customers can use @Bitstamp with full confidence and trust.
-------

Nejc Kodrič ‏@nejc_kodric  8h8 hours ago
To clarify, we are still working to resume full services in the coming days.  I don't have an exact time estimate to share yet.

-------
My earlier tweet of 48 hours was a rough timeframe.  We are testing our redeployed system internally before going live again to customers.

-------
Nejc Kodrič ‏@nejc_kodric  7h7 hours ago
We will keep you posted on twitter and the website when we have a more exact ETA.

--------

So, do they rebuilt the whole platform or do they only change the server?

The first case is impossible. Nobody can make a platform in a week.

The second case: how do they fix the bug so fast? 3-4 days is a very short time to discover and to fix a bug in a such platform.
They have to discover,fix and change the server which must be configured.

[onemorebtc]

The first case is impossible. Nobody can make a platform in a week.

it is possible to write a btc exchange in one week. but i wouldnt use it because its untested and full of bugs.

but:
they dont need to develop a new design,
internal fiat deposit processes and apis are ready
i guess the matching engine is on a dedicated backendserver and dont need a change (at least i would design it that way; not sure about others)

[Nagle]

https://www.cryptocoinsnews.com/bitstamp-resume-operations-next-24-hours/

it will be full operational in 6 hours.

7 hours later, didn't happen.

I believe it will be up soon

9 hours later, didn't happen.

13 hours later, didn't happen.

Their page now has only vague comments about their timetable: "We appreciate customers’ patience during this disruption of services. We are working to transfer a secure backup of the Bitstamp site onto a new safe environment and will be bringing this online in the coming days."

The key point here is that they are not processing withdrawals. They're not even talking about processing withdrawals. They're supposedly focusing on getting their trading platform back up, as if that matters to their depositors.  Whenever a financial service has trouble processing withdrawals, that is a big red flag. This is exactly the sort of thing Mt. Gox pulled. There was always some excuse from Mt. Gox. Too many people let them get away with it. Mt. Gox stopped withdrawals in June of 2013, despite any contractual right to do so. That was when it was time to begin applying legal pressure. But Bitcoin suckers hung on all the way to the bankruptcy at the end of February 2014, eight months later.

As I wrote previously, if you're in the UK, send them a statutory demand for payment of a debt to start the 21-day clock. Do it now. That puts heavy pressure on them to start withdrawals. 

[R2Pleasent]

I initiated a Withdrawal via bank 04/01/2015.  They claim to have trouble with their Bitcoin systems, but that does not excuse them from sending my bank wire.  Cool story about your exchange Bitstamp, but you can still process my wire.

[mayax]

I initiated a Withdrawal via bank 04/01/2015.  They claim to have trouble with their Bitcoin systems, but that does not excuse them from sending my bank wire.  Cool story about your exchange Bitstamp, but you can still process my wire.

contact their bank. they have millions in their account. you must receive the wire.

[mayax]

The first case is impossible. Nobody can make a platform in a week.

it is possible to write a btc exchange in one week. but i wouldnt use it because its untested and full of bugs.

but:
they dont need to develop a new design,
internal fiat deposit processes and apis are ready
i guess the matching engine is on a dedicated backendserver and dont need a change (at least i would design it that way; not sure about others)

i think it is impossible to detect the hacking problem. there are a lot of functions and you must verify them ALL including the APIs.
it should take 2-3 weeks at least if they don't want to be backed again.
Imagine their programmer must read all the code and to realize if the problem is from server or from their platform.
not easy at all....

[Nagle]

I initiated a Withdrawal via bank 04/01/2015.  They claim to have trouble with their Bitcoin systems, but that does not excuse them from sending my bank wire.  Cool story about your exchange Bitstamp, but you can still process my wire.

That's an even bigger red flag. That's a strong indication of them not having funds.

[smoothie]

I initiated a Withdrawal via bank 04/01/2015.  They claim to have trouble with their Bitcoin systems, but that does not excuse them from sending my bank wire.  Cool story about your exchange Bitstamp, but you can still process my wire.

That's an even bigger red flag. That's a strong indication of them not having funds.

So they officially shut down their site (trading etc) on the 5th from their first post on their main page.

So if a wire was initiated and confirmed prior to that...I can't see why it would be delayed in any way.

There is no good reason I can think of as the initiation of withdraw happened before they noticed they were hacked and shut down functionality of their site.

Tsk tsk tsk 

[crazy_rabbit]

I initiated a Withdrawal via bank 04/01/2015.  They claim to have trouble with their Bitcoin systems, but that does not excuse them from sending my bank wire.  Cool story about your exchange Bitstamp, but you can still process my wire.

That's an even bigger red flag. That's a strong indication of them not having funds.

Oh really? Maybe it's more of a strong indication that they have reason to worry the hacker might have been in the system earlier than they think, already sold bitcoins and was hoping to withdraw FIAT before being caught.

Not to mention the lawsuit that would have come from bitcoin holders suing the company for allowing Fiat holders to remove money from a system before they had 100% secured it and done a forensic analysis. Not to mention give a copy all the data to the investigating authorities.

[crazy_rabbit]

https://www.cryptocoinsnews.com/bitstamp-resume-operations-next-24-hours/

it will be full operational in 6 hours.

7 hours later, didn't happen.

I believe it will be up soon

9 hours later, didn't happen.

13 hours later, didn't happen.

Their page now has only vague comments about their timetable: "We appreciate customers’ patience during this disruption of services. We are working to transfer a secure backup of the Bitstamp site onto a new safe environment and will be bringing this online in the coming days."

The key point here is that they are not processing withdrawals. They're not even talking about processing withdrawals. They're supposedly focusing on getting their trading platform back up, as if that matters to their depositors.  Whenever a financial service has trouble processing withdrawals, that is a big red flag. This is exactly the sort of thing Mt. Gox pulled. There was always some excuse from Mt. Gox. Too many people let them get away with it. Mt. Gox stopped withdrawals in June of 2013, despite any contractual right to do so. That was when it was time to begin applying legal pressure. But Bitcoin suckers hung on all the way to the bankruptcy at the end of February 2014, eight months later.

As I wrote previously, if you're in the UK, send them a statutory demand for payment of a debt to start the 21-day clock. Do it now. That puts heavy pressure on them to start withdrawals. 

But if you're right- and the house of cards has already collapsed from within- then they would declare bankrupcy anyway and your demand for payment is worthless. If your wrong, and they are fine and just being extra diligent about making sure all is okay before restarting service, then you're impatient and will earn their ire.  All we can do is wait- so far they have given us no reason to not trust them. But of course, "walk softly and call your lawyers". :-)

[oldtimegin]

Hey crazy rabbit you have been around for a long time, why do you always come into threads like this being so incredible naive?

Here is a post from you from February:

I highly, highly, doubt Gox is going belly up. They handle an enormous volume both in trade and deposit/withdrawals. Obviously there is some sort of issue that needs to get solved. Maybe there is some sort of issue that only crops up with very large withdrawal volume. Either way, chill out. :-)

Seems you have not learned much. When stuff like this happens the correct response is always to act fast and be very aggressive. Everyone with money stuck on Stamp should really take the advice of smoothie and Nagel.

Oh really? Maybe it's more of a strong indication that they have reason to worry the hacker might have been in the system earlier than they think, already sold bitcoins and was hoping to withdraw FIAT before being caught.

You must never have tried withdrawing from Bitstamp or you would know their KYC/AML routines are very strict. Do you really think a hacker who is sitting on 5m in Bitcoin would give up his identity to withdraw a little bit of fiat?

[CoinCidental]

Hey crazy rabbit you have been around for a long time, why do you always come into threads like this being so incredible naive?

Here is a post from you from February:

I highly, highly, doubt Gox is going belly up. They handle an enormous volume both in trade and deposit/withdrawals. Obviously there is some sort of issue that needs to get solved. Maybe there is some sort of issue that only crops up with very large withdrawal volume. Either way, chill out. :-)

Seems you have not learned much. When stuff like this happens the correct response is always to act fast and be very aggressive. Everyone with money stuck on Stamp should really take the advice of smoothie and Nagel.

Oh really? Maybe it's more of a strong indication that they have reason to worry the hacker might have been in the system earlier than they think, already sold bitcoins and was hoping to withdraw FIAT before being caught.

You must never have tried withdrawing from Bitstamp or you would know their KYC/AML routines are very strict. Do you really think a hacker who is sitting on 5m in Bitcoin would give up his identity to withdraw a little bit of fiat?

its possible that this hack has been planned over several months ...........its very possible the hacker registered using a stolen identity or fake passport etc 

5 million is a lot of money so this attack might have been well planned

its also possible the loses are even bigger than stated (more than they can repay etc ) and theyre wondering WTF to do about it 

[oldtimegin]

its possible that this hack has been planned over several months ...........its very possible the hacker registered using a stolen identity or fake passport etc 

Agree with this, but that still does not mean he would withdraw fiat as you need to withdraw to an account in the same name of the ID you have sent to Bitstamp.

[CoinCidental]

its possible that this hack has been planned over several months ...........its very possible the hacker registered using a stolen identity or fake passport etc 

Agree with this, but that still does not mean he would withdraw fiat as you need to withdraw to an account in the same name of the ID you have sent to Bitstamp.

in eastern european countries the banking laws are very lax compared with usa or uk and corruption is rife  etc
you could probably open an account with a fake ukranian or  bulgarian driving licence etc

these are available to criminals fairly easily ,even on silk rd but i think its unlikely the hacker will convert to fiat anytime soon 
and when he does it will be in small chunks because nobodys going to walk into a bank and withdraw 5 million in cash for btc
he just stolen

[akustik]

i dont see any good news about bitstamp
it s going to be scam
i hope i am wrong but it look like mygox..

[ioxoi]

But if they recover, I think all people will have more trust like before

No, this case only demonstrates, that bitstamp don't have a correct  protection, detection and auditing measures, after a mail to ALL their customers a few hours after, they close the service and the hacker continues cleaning the bitstamps wallets and bitstamp without transfer their founds to a secure wallet for more of 1 day.

no, no, bad security is very, very expensive.

[crazy_rabbit]

Hey crazy rabbit you have been around for a long time, why do you always come into threads like this being so incredible naive?

Here is a post from you from February:

I highly, highly, doubt Gox is going belly up. They handle an enormous volume both in trade and deposit/withdrawals. Obviously there is some sort of issue that needs to get solved. Maybe there is some sort of issue that only crops up with very large withdrawal volume. Either way, chill out. :-)

Seems you have not learned much. When stuff like this happens the correct response is always to act fast and be very aggressive. Everyone with money stuck on Stamp should really take the advice of smoothie and Nagel.

Don't confuse naive with supportive. I've had serious problems with Bitstamp in the past and they have resolved all of them with professionalism. The same was true for me with Gox. At the time, I had genuine reason to trust them and I generally play the devil's advocate on most issues.

That said- I did close the statement with: "Call your Lawyers". I would argue its more naive of you to think you have any recourse other than the legal system. They either come through on their promise, or you sue them.

So your idea is to act fast and be aggressive. Are you offering to hold Bistamps CEO's family hostage?  EDIT: Aggressive AND productive. EDIT2: I toned down my own aggressive wording to contribute to a civil discussion.

Oh really? Maybe it's more of a strong indication that they have reason to worry the hacker might have been in the system earlier than they think, already sold bitcoins and was hoping to withdraw FIAT before being caught.

You must never have tried withdrawing from Bitstamp or you would know their KYC/AML routines are very strict. Do you really think a hacker who is sitting on 5m in Bitcoin would give up his identity to withdraw a little bit of fiat?

I withdraw all the time and I've gone through all the legal nonsense required for their KYC/AML routine. That said nothing in their routine is that difficult to fake. Passport Scan? Utility Bill? Government ID? Considering how easy those are to fake, you might be surprised to learn that getting a poor person in the former communist block countries to give you power of attorney on their bank account is easier then photocopying their ID.

Now, withdrawing $5 million in cash isn't something that would go unnoticed, but you're assuming that all they stole was those 18K BTC. How was Bitstamp supposed to know this for sure AT THE TIME THEY SUSPENDED SERVICE? For all they know, they might be approving fiat withdrawls for tens of thousands of FIAT across any number of fake bank accounts. Maybe Bitstamp has been bleeding for quite awhile now and they didn't know it? Maybe someone else's earlier hack on the system left them exposed to this newer, more impatient thief? The possibilities are endless and the right thing to do was to suspend everything pending a thorough review.

Also, not to mention- Smoothie and I have jousted on a number of occasions and I quite respect his/her opinion. That said- he/she is not Bitstamps legal council. I can't imagine a situation where anyone reasonable could support processing withdrawals while simultaneously being robbed. They did the right thing, even if it screws us the customer. They stopped everything, probably did a system snapshot, and called the police.

So yeah, hope for the best because you can't do a single damned thing about it at this point. But because I HAVE learned from my experience with Gox, I have ALSO already called my lawyer. So should you.

[mayax]

what police? from Slovenia or UK?

Someone called the Bitstamp "office" from UK and there is only an address there....
They have to announce UK police because Bitstamp is a an UK company. I doubt they did it....

[picolo]

Hey crazy rabbit you have been around for a long time, why do you always come into threads like this being so incredible naive?

Here is a post from you from February:

I highly, highly, doubt Gox is going belly up. They handle an enormous volume both in trade and deposit/withdrawals. Obviously there is some sort of issue that needs to get solved. Maybe there is some sort of issue that only crops up with very large withdrawal volume. Either way, chill out. :-)

Seems you have not learned much. When stuff like this happens the correct response is always to act fast and be very aggressive. Everyone with money stuck on Stamp should really take the advice of smoothie and Nagel.

Don't confuse naive with supportive. I've had serious problems with Bitstamp in the past and they have resolved all of them with professionalism. The same was true for me with Gox. At the time, I had genuine reason to trust them and I generally play the devil's advocate on most issues.

That said- I did close the statement with: "Call your Lawyers". I would argue its more naive of you to think you have any recourse other than the legal system. They either come through on their promise, or you sue them.

So your idea is to act fast and be aggressive. Are you offering to hold Bistamps CEO's family hostage?  EDIT: Aggressive AND productive. EDIT2: I toned down my own aggressive wording to contribute to a civil discussion.

Oh really? Maybe it's more of a strong indication that they have reason to worry the hacker might have been in the system earlier than they think, already sold bitcoins and was hoping to withdraw FIAT before being caught.

You must never have tried withdrawing from Bitstamp or you would know their KYC/AML routines are very strict. Do you really think a hacker who is sitting on 5m in Bitcoin would give up his identity to withdraw a little bit of fiat?

I withdraw all the time and I've gone through all the legal nonsense required for their KYC/AML routine. That said nothing in their routine is that difficult to fake. Passport Scan? Utility Bill? Government ID? Considering how easy those are to fake, you might be surprised to learn that getting a poor person in the former communist block countries to give you power of attorney on their bank account is easier then photocopying their ID.

Now, withdrawing $5 million in cash isn't something that would go unnoticed, but you're assuming that all they stole was those 18K BTC. How was Bitstamp supposed to know this for sure AT THE TIME THEY SUSPENDED SERVICE? For all they know, they might be approving fiat withdrawls for tens of thousands of FIAT across any number of fake bank accounts. Maybe Bitstamp has been bleeding for quite awhile now and they didn't know it? Maybe someone else's earlier hack on the system left them exposed to this newer, more impatient thief? The possibilities are endless and the right thing to do was to suspend everything pending a thorough review.

Also, not to mention- Smoothie and I have jousted on a number of occasions and I quite respect his/her opinion. That said- he/she is not Bitstamps legal council. I can't imagine a situation where anyone reasonable could support processing withdrawals while simultaneously being robbed. They did the right thing, even if it screws us the customer. They stopped everything, probably did a system snapshot, and called the police.

So yeah, hope for the best because you can't do a single damned thing about it at this point. But because I HAVE learned from my experience with Gox, I have ALSO already called my lawyer. So should you.

If Bitstamp lost 19,000 BTC it was a good move to stop operations. If they lost more, stopping operations was also the move to make.