Major Announcement - Exco.in is closing operations

Full announcement available at https://exco.in

The Nu team will comment in this thread as we investigate the situation. We have just learned of this announcement and condemn the malicious attacks on @Excoin.

Update:

The exchange has been removed from www.nubits.com/exchanges.

Our LPCs are reviewing liquidity information to see if our operations have been damaged in the attack.

This is really terrible news. I always experienced excoin as an excellent exchange.
That the funds were leaked in form of NSR and NBT is an important detail here. We need to know how much the hackers exactly obtained and where these coins were moved (like e.g. a known exchange address).

2 Likes

From the publicly available NSR addresses, we can see that 600,000 NSR were stolen. I am in the process of scanning the publicly available NBT addresses right now.

Edit: There appears to be approximately 38,000 NBT in the accounts posted in the announcement, not including one duplicate address and one invalid address. We are working to see how much of that may be shareholder funds in the form of LPC holdings.

The NSR were split up in 10k blocks … do exchanges that? I would assume they disable this feature or set it to a very large number.

The first NBT address could be an exchange address. The coins are send in 5,000 NBT blocks to different addresses and one of the recipients has a 320,000 balance and is place two on the NBT rich list: BKRTuyKdxNuUseLp5MCSaPhMvjwpKWtioL

1 Like

Has Open Transactions released voting pools yet? Voting pools should be able to stop people from hacking exchanges and stealing all the funds.

1 Like

KTm had the following on deposit at Exco.in:

BTC: 253.45436845
NBT: 13495.29309314

It is not yet clear if any of this will be available for withdrawal. In the worst case that it is all lost, there is presently 116540 NBT in tier 1 liquidity that can readily absorb the NBT loss. This does not include funds in tier 2, tier 4, what is available via NuShare sales or interest rates.

We have been in the process of implementing tier 3 liquidity, which will be held by LPCs off exchange but available for automated deposit onto the exchange. In scenarios like this, tier 3 liquidity cannot be lost. So we were already on a path to making tier 1 and tier 2 liquidity much thinner because additional funds will be moved from tier 3 as needed. Today, we had more in tier 1 because tier 3 is not yet automated. Tier 3 automation will do much to mitigate the loss in events like this.

While shareholders must bear the loss in this case because KTm was using shareholder funds, if the original design of decentralized liquidity had been implemented on Excoin today then shareholders wouldn’t bear any loss at all. Many of you are aware that full implementation of decentralized liquidity (and a complete phase out of LPCs using shareholders funds) has been a high priority for me. The only globally pinned topic on this forum focuses on that transition.

What does it mean that shareholders will bear this loss? It means the lost funds won’t be available for dividends, NuShare buy back and burn (would have increased the NuShare price), or NuBit buy back and burn (would have decreased network liabilities).

I had resolved to introduce a motion several days ago. I’m still composing that, but I will reveal that it includes completely ending the operations of KTm and Jamie in 90 days. I will also present a vision of how liquidity operations will function in their absence as we continue moving toward our original design of zero reserves.

8 Likes

While I can’t confirm the two are related, it is likely these stolen NSR were just sold at Bter which shows that 647,000 NSR were sold in the half hour after 14-02-2015 9:00 Bter server time. The temporary damage to the NSR price has already been sustained, if this was the stolen NSR being sold.

1 Like

Interesting. I look forward to hearing about this.

Shareholders:

@JordanLee was able to get the message out before I was finished collecting all relevant information but I have updates.

It was confirmed by Excoin’s team that my exchange account was one of those affected. The funds that Jordan listed in his comment are what my account shows as my “correct” balance, and what would be available for withdrawal if this user, ‘Ambiorx’, had not discovered a way to attack Excoin’s wallets.

My withdraw-able balance is zero.

Losses Sustained During Theft:

  • 13,495 NBT
  • 253.45 BTC (valued at ~60k NBT)

The most recent communication with Excoin’s staff indicated that they would be doing everything in their power to satisfy at least some of the loss (liquidation of physical assets, external cryptocurrency reserves, etc.). I do not have a timeline for when this will occur, and while I am optimistic that their team will be able to recoup at least some of the losses–until it actually happens–I must treat it as a 100% loss.

I will continue to communicate with Samantha and the rest of the Excoin team into the future. Additional details, when they are available, will be shared with you here.

//Kiara

3 Likes

As I understood it, @Excoin maintained most of their coins in cold storage with publicly published addresses. How were these funds compromised? If they weren’t, why wouldn’t most BTC be refunded?

According to their announcement they made the assumption that people are withdrawing funds due to the ddos, so they manually replenished the funds using the cold storage.

From the announcement:

Ambiorx used the fraudulently obtained Bitcoins to purchase as much of the NBT and NSR on the site that they could buy and transferred it to off site addresses (included at the end of this message). The bugged/exploit trade continued to fill his account with new Bitcoins as he continued to spend them. From February 6th to the 11th, the remainder of the NBT, BTC and much of the NSR was drained from the site to the addresses listed below.

We noticed the hot wallets dwindling but assuming it was members moving their funds off site during the DDOS, we loaded all the cold balances onto the site so that users would not have withdrawals interrupted during our periods of up time.This fatal mistake allowed Ambiorx to continue to drain the site.

Looking at http://blockexplorer.nu/address/BKRTuyKdxNuUseLp5MCSaPhMvjwpKWtioL/1/oldest we can see that this NBT address was first used on September 23, 2014 (the release day of NuBits).

To my knowledge, only CCEDK and BTER were operating at launch. It would be very helpful if the custodians, @Ronny from CCEDK and Lin from BTER take a closer look at activity happening on their exchanges right now.

1 Like

This is sad news and my heart goes out to Kiara,

Top 100 riches ShareHolders, I ask you to join me and donate 1BTC worth of peercoin each in celebration of us going Open Source. Lets not let Ambiorx spoil this.

If this is ok @tomjoad or @KTm please send me a wallet address for my donation tomorrow. Let’s put this in our rearview mirror.

2 Likes

Sorry to hear this, Kiara and Exco.in.
The shareholders should post a bounty of 60K NBT (full stolen amount) to track Ambiorx down and get the stolen fund back.

2 Likes

Sorry to hear this

[quote=“tomjoad, post:14, topic:1451”]
Looking at http://blockexplorer.nu/address/BKRTuyKdxNuUseLp5MCSaPhMvjwpKWtioL/1/oldest we can see that this NBT address was first used on September 23, 2014 (the release day of NuBits). To my knowledge, only CCEDK and BTER were operating at launch.[/quote]

If this person bought these NuBits at one of these two exchanges and withdrew them to that address, is it possible to find out who this person’s identity is through CCEDK or BTER’s customer records? I’m not sure if the exchange managers would be able to aid us in exposing this person, or if personal identity information like this has to be kept confidential.

Edit: Nevermind, I think I got confused here. Ignore my post.

1 Like

Regarding: http://blockexplorer.nu/address/BKRTuyKdxNuUseLp5MCSaPhMvjwpKWtioL

There are many transactions for each of the NBT addresses listed on the exco.in front page. Therefore, the appearance of one of these addresses in an address’s transaction graph may only mean that the address owner used exco.in. It would be much more helpful if @Excoin would list transaction IDs for stolen funds instead of addresses.

What terrible news! Excoin always struck me as one of the most innovative exchanges. Their API was certainly markedly different from all other exchanges I have dealt with. How horrible to have suffered such an attack and how like Excoin to be transparent and open about it. Thank you for the brave offers to liquidate personal assets in support of the loss
The loss of shareholder funds is a massive blow too. I agree with Jordan that there seem to be unanswered questions but I trust that we will find out all details of the attack in time.
I’m very interested to hear the plans in your new motion Jordan. Hopefully the plans will help to mitigate some of this exchange risk.

Interesting that the attack utilised NBT and NSR to move funds away from Excoin. I suppose that a by product of having high liquidity is that we may become an unwitting vehicle for crimes like this (similar to the USD). The only positive I can find in the situation is that the news of this may push some more people to find out about Nu.

1 Like