Cryptsy the real truth

no access to chatbox since tonight

Announcement from cryptsy

Cryptsy has had problems for some time now and it’s time to let everybody know exactly why. These problems were NOT because of any recent phishing attacks, or even a ddos attack, nor does it have anything to do with me personally.

About a year and a half ago, we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies. After a period of time of investigation it was found that the developer of Lucky7Coin had placed an IRC backdoor into the code of wallet, which allowed it to act as a sort of a Trojan, or command and control unit. This Trojan had likely been there for months before it was able to collect enough information to perform the attack. It does not appear that this was the original developer for LK7, as on 5/22/2014, we received this message from the new developer who wanted to maintain the codebase:


Lucky7Coin is not maintained and I would like to take care of it. I have announced that on in Lucky7Coin thread. You’re the only exchange for this coin and I hope you will let me take care of it. I’m responsible. You don’t have to be afraid of errors or forks. I’m developing multipool and I know bitcoin internals and protocol.

For a start I’ve changed irc network, so clients could synchronize blockchain. Please upgrade as soon as you can.

Github repo:

Branch “master” will always be for stable version, branch “devel” could be dirty. In a 2-3 weeks I’ll release new version with p2pool support and checkpoints. Before that I’ll contact you to check few blocks hashes for checkpoints and make sure there is no fork.

I hope we can cooperate and make this coin live again!


These are the approximate figures taken:
Bitcoin: 13,000 BTC
Litecoin: 300,000 LTC

This of course was a critical event for Cryptsy, however at the time the website was earning more than it was spending and we still have some reserves of those cryptocurrencies on hand. The decision was made to pull from our profits to fill these wallets back up over time, thus attempting to avert complete closure of the website at that time. This worked fine for awhile, as profits decreased due to low volume and low Bitcoin prices, we would adjust our spending accordingly. It wasn’t until an article from Coinfire came out that contained many false accusations that things began to crumble. The article basically caused a bank-run, and since we only had so much in reserves for those currencies problems began.

Our current customer liabilities for BTC is around 10,000 BTC, so as you can see we would like to see the Bitcoins returned for both our users and for ourselves.

Here are the transaction details from the Bitcoin wallet:

As you can see, 2014-07-29 13:17:36 is when the event occurred. A very interesting fact here, however, is that those Bitcoins have not moved once since this happened. This gives rise to the possibility they can be recovered. In fact, I’m offering a bounty of 1000 BTC for information which leads to the recovery of the stolen coins.

If you happen to be the perpetrator of this crime, and want to send the coins back no questions asked, then you can simply send them to this address:


If they are returned, then we will assume that no harm was meant and will not take any action to reveal who you are. If not, well, then I suppose the entire community will be looking for you.

Some may ask why we didn’t report this to the authorities when this occurred, and the answer is that we just didn’t know what happened, didn’t want to cause panic, and were unsure who exactly we should be contacting. At one time we had a open communication with Secret Service Agent Shaun Bridges on an unrelated matter, but I think we all know what happened with him – so he was no longer somebody we could report this to. Recently I attempted to contact the Miami FBI office to report this, but they instead directed me to report it on the I3C website. I’ve not heard anything from them.

I think the only real people who can assist with this are the people of the Bitcoin community itself.

Trades and withdrawals will be suspended on the site indefinately until some sort of resolution can be made.

Here are our options:

  1. We shut down the website and file bankruptcy, letting users file claims via the bankruptcy process and letting the court make the disbursements.
  • or –
  1. Somebody else comes in to purchase and run Cryptsy while also making good on requested withdrawals.
  • or –
  1. If somehow we are able to re-aquire the stolen funds, then we allow all withdrawal requests to process.

I’m obviously open to any other ideas people may have on this.

Jan 14th, 2016

Phishing Attempt

There is a phishing attempt going around prompting users to go to a cryptsy-refund website. Do not go to this website or give your login details on any website other than the official Cryptsy website.

There were two avenues of the Phishing attempt. One was via SMS, using our provider Twilio and gained entry into our logs and sending ability via a weak password on that account. The passwords on this account have been secured. The other avenue was via email using the same mailing service we use (Mailgun), but was not sent using our account. It is uncertain where the email list for this Phishing attempt was attained from, as we do not show any unauthorized access to our Mailgun account nor our internal systems. We are still investigating this matter.

If you were a victim of this phishing, you should log into your account at Cryptsy immediately and do the following:

  1. Change your password and enable 2fa if you don’t already have it enabled.

  2. Check your pending withdrawals, we currently have withdrawals disabled so if you see one that shouldn’t be there you can request to have it cancelled.

Regarding other issues that have been apparent at Cryptsy for the last couple months, I will be making another post to explain what has been happening in the next couple days.


more about this

1 Like

That’s sad for the customers.

Good for future exchange users that decentralized exchanges like BCE offer mitigation.

It seems there are far more ways than we can imagine for an exchange to be hacked!

If BCE reputed signers can be attacked systematically by the wallet applications they run, they are prone to such failure, too.
That would be different from attacking a single signer, which couldn’t cause harm due to multisig.

As long as widely used and well inspected code gets used, the risk is very low.

Fot those of you who remember the early days of Nu where exchanges were reluctant running closed source wallet applications (which the Nu wallet application was back then): that’s one reason.


I’m sorry if this has been answered already but why they didn’t use a virtual machine? Or in in the case of BCE, if the signers used a separate VM for every wallet then what could be a problem?

I’ve removed Cryptsy from exchange listings as a result of the confirmed theft.


Since I’ll be doing testing for B&C I’ve been thinking of a means to script it so that each daemon runs inside its own docker container while utilizing a persistent external data dir on the host. We’ll see how it turns out when I get there.

1 Like


BigVern @cryptsy · few hours ago
50 wallets have been open for withdrawals. More will be opening over next few days