Major Announcement - Exco.in is closing operations

Regarding: http://blockexplorer.nu/address/BKRTuyKdxNuUseLp5MCSaPhMvjwpKWtioL

There are many transactions for each of the NBT addresses listed on the exco.in front page. Therefore, the appearance of one of these addresses in an address’s transaction graph may only mean that the address owner used exco.in. It would be much more helpful if @Excoin would list transaction IDs for stolen funds instead of addresses.

What terrible news! Excoin always struck me as one of the most innovative exchanges. Their API was certainly markedly different from all other exchanges I have dealt with. How horrible to have suffered such an attack and how like Excoin to be transparent and open about it. Thank you for the brave offers to liquidate personal assets in support of the loss.
The loss of shareholder funds is a massive blow too. I agree with Jordan that there seem to be unanswered questions but I trust that we will find out all details of the attack in time.
I’m very interested to hear the plans in your new motion Jordan. Hopefully the plans will help to mitigate some of this exchange risk.

Interesting that the attack utilised NBT and NSR to move funds away from Excoin. I suppose that a by-product of having high liquidity is that we may become an unwitting vehicle for crimes like this (similar to the USD). The only positive I can find in the situation is that the news of this may push some more people to find out about Nu.

1 Like

Excoin posted the outgoing BTC, NBT and NSR addresses. The total received amount of BTC on those was 1336 BTC and 43064 NBT. Assuming they have not been used much before, this would be the loss of Excoin.

1 Like

What a blow to the liquidity and Kiara’s funds (was it her own money?).
60k of Tier 2 buy liquidity vanished. Wait, we can still try to track down ‘Ambiorx’ and put a bounty on his arrest to retrieve the funds, I believe.

Anyway, what does not kill Nu makes it stronger.

I am totally fine with the above, i.e. not getting dividends and increasing the value of NSRs in the meantime, as long as Nu withdraws a huge lesson from this loss.

On a final note, this kind of exchange loss caused by an attacker reminds me of the early days of bitcoin with MtGox being DDoSed. That means that the liquidity of NBTs is valued and gives us some hints regarding the bright future of Nu.

There is still 121k of buy liquidity in Tier 1 displayed in the client.
Should it display 121k - 60k (253.45 BTC lost)?

One huge lesson is already sketched here:

@JordanLee was already preparing that to incentivize the LPC operation to develop into what has been proposed by the white paper and to get rid of custodians that are provided with liquidity by the NSR holders.
The liquidity operation is meant to be a paid service but with funds that the LPC provide.
The recent attack on excoin seems to have sped up the release of this idea.
I hope it addresses this kind of concern:

3 Likes

No, the numbers you see displayed in the liquidity information section of the client are real-time numbers. The stolen Excoin liquidity that Kiara had has not been represented in the liquidity info feed for a few days (the DDoS made it impossible for NuBot to connect to the exchange to collect the information to report).

That is what I thought. Tks for your clarification.

I wanted to post my thoughts on how the attack appears to have been carried out, and why Kiara’s exposure was not due to a failure or bug in NuBot or her security model.

I’m waiting for confirmation from @Excoin to validate this as more than speculation, so take the following with a grain of salt until that happens.


“Why was Kiara affected by this attack?”

The DDoS was making it impossible for NuBot to successfully place/cancel orders. I don’t have access to the data yet, but my assumption is that at least some of her orders were caught “on book” and the thief was able to take advantage of that API outage in ways that are impossible (with the current structure of centralized exchanges) to detect or defend against.

Normally this would be a “bad” position to be in, but not necessarily catastrophic…if the BTC used to buy the NBT was really there. At worst, she may have been exposed to a loss due to mis-priced sales as the exchange rate fluctuated and NuBot was not able to cancel and replace the NBT on order. For every sale made, she would have held the BTC that she received, and no new buy-side orders would have been placed because the API could not connect.

However, if the BTC used to “buy” these NBT didn’t really exist (due to the “null transaction” bug that Samantha described in her statement) Kiara’s account would not have been actually credited, only debited, and the fact that she could not have placed the BTC up on the buy-side would not have made any difference because there were no funds to actually place there.

To Kiara and NuBot, everything would have appeared normal, other than the issues of connectivity, because the exchange’s internal accounting would have shown trade history and currency balances that reconciled.

This is definitely a learning experience, and one that I know I’ll personally use as a catalyst to redouble efforts to find ways to identify scenarios like this in real time and respond accordingly. However, it once again highlights the problem of exchange default risk. Decentralized exchanges are the logical step, but the current offerings still need a significant amount of work to make them more than just novelties. Solving the fiat > decentralized exchange > fiat problem is a tough one, and has to be solved at this point in time, as most of us are still a few years away from being able to “live solely on digital currencies”.

2 Likes
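A toy ledger model of the failure mode described in the post above, added here as an illustration; it is not code from Excoin or NuBot, and the transaction ids, user names, amounts and the `verify` switch are constructed. It shows that the fill reconciles inside the exchange either way, and that only comparing what the ledger owes users against what the wallet really holds exposes the phantom BTC.

```python
from collections import defaultdict

# Constructed stand-in for confirmed on-chain deposits: txid -> (asset, amount).
CHAIN = {"tx-real-nbt": ("NBT", 2000.0)}


class Ledger:
    """Minimal exchange ledger: per-user balances plus what the wallet really holds."""

    def __init__(self):
        self.bal = defaultdict(lambda: defaultdict(float))
        self.wallet = defaultdict(float)

    def deposit(self, user, asset, txid, claimed, verify=True):
        """Credit a deposit. With verify=False the claimed amount is trusted: the bug."""
        onchain = CHAIN.get(txid)
        if onchain is not None and onchain[0] == asset:
            amount = onchain[1]
            self.wallet[asset] += amount   # real coins actually arrived
        elif verify:
            return False                   # unknown txid: refuse to credit
        else:
            amount = claimed               # phantom credit, nothing in the wallet
        self.bal[user][asset] += amount
        return True

    def fill(self, buyer, seller, nbt_qty, price_btc):
        """Match a fill: the buyer's BTC pays for NBT resting on the seller's order."""
        cost = nbt_qty * price_btc
        if self.bal[buyer]["BTC"] < cost or self.bal[seller]["NBT"] < nbt_qty:
            return False
        self.bal[buyer]["BTC"] -= cost
        self.bal[seller]["BTC"] += cost
        self.bal[seller]["NBT"] -= nbt_qty
        self.bal[buyer]["NBT"] += nbt_qty
        return True

    def shortfall(self, asset):
        """Positive when the ledger owes users more of an asset than the wallet holds."""
        owed = sum(b[asset] for b in self.bal.values())
        return round(owed - self.wallet[asset], 8)


def run_scenario(verify_deposits):
    """Returns (credited, filled, seller NBT left, BTC shortfall) for one scenario."""
    ledger = Ledger()
    ledger.deposit("lpc", "NBT", "tx-real-nbt", 2000.0)       # real NBT on the book
    credited = ledger.deposit("buyer", "BTC", "tx-null", 10.0, verify=verify_deposits)
    filled = credited and ledger.fill("buyer", "lpc", 1500.0, 0.004)
    return credited, filled, ledger.bal["lpc"]["NBT"], ledger.shortfall("BTC")
```

With verification off the seller's NBT is gone and the BTC shortfall equals the phantom deposit, while the per-trade bookkeeping balanced at every step; with verification on the null deposit is refused and nothing fills.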

Interesting analysis. In the end an exchange is a closed system. While external users can make assumptions about the security and default risk, it’s hard to know. Most of the exchange risk discussion in Bitcoin has been focused on “proof of reserves”, although that does not actually mitigate risk in any significant way. The important part is that the money is there as claimed and outgoing funds are legitimate.

I don’t understand why an exchange would process a withdrawal request over such significant amounts. Say the exchange holds 2000 BTC and a user wants to withdraw 1500 BTC - what is the likelihood of that being a legitimate withdrawal? 0%. And yet, their system treated this transaction like any other. If such large amounts of funds can leave the cold wallet like that, there were no security processes in place.

I agree it’s a long-term problem, and not easy to solve. The way to really deal with this would be a) exchanges evolve to an extent where some minimal security practices are followed. MtGox, the recent Bitstamp hack, Mintpal suggest we’re far away from it. b) allow for external audits of some kind. I.e. trusted auditors check the system, without the exchange having to release its entire source code. I don’t know of any proposals which could eliminate default risk. Opentransactions suggests Voting Pools, but really that is no different than a decentralized ledger, and the code base does not suggest they know what they are doing.

The explanation that I received was it was not a single, large withdrawal, but a series of much smaller ones that were large in aggregate.
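The aggregate-outflow check the two posts above argue for, as an added example and not Excoin's code; the caps, the reserve figure and the request stream are constructed. A per-request cap alone passes every small withdrawal, while a sliding-window cap on cumulative outflow relative to reserves holds the stream for manual review once it adds up.

```python
from collections import deque


class WithdrawalGuard:
    """Holds withdrawals that pass a per-request cap but breach an aggregate cap.

    Both thresholds are constructed policy values, not Excoin's.
    """

    def __init__(self, reserves_btc, per_request_cap=50.0,
                 window_secs=3600, window_fraction=0.10):
        self.per_cap = per_request_cap
        self.window = window_secs
        self.window_cap = reserves_btc * window_fraction  # max outflow per window
        self.recent = deque()                             # (ts, amount) approved

    def _window_total(self, now):
        """Drop approvals older than the window and sum what remains."""
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def review(self, ts, amount):
        """Return 'approve', or a hold reason that routes the request to a human."""
        if amount > self.per_cap:
            return "hold:single_request_cap"
        if self._window_total(ts) + amount > self.window_cap:
            return "hold:aggregate_window_cap"
        self.recent.append((ts, amount))
        return "approve"


def triage(requests, reserves_btc):
    """Compare a per-request-only policy with the windowed policy on one stream.

    Returns (passed by per-request cap alone, approved, held by aggregate cap).
    """
    guard = WithdrawalGuard(reserves_btc)
    naive_ok = sum(1 for _, amount in requests if amount <= guard.per_cap)
    decisions = [guard.review(ts, amount) for ts, amount in requests]
    return (naive_ok, decisions.count("approve"),
            decisions.count("hold:aggregate_window_cap"))


# Constructed sample: 40 withdrawals of 27 BTC, one per minute, against 2000 BTC reserves.
SAMPLE = [(60 * i, 27.0) for i in range(40)]
RESERVES = 2000.0
```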

Interesting comment here from the bitshares community: https://bitsharestalk.org/index.php?topic=14250.msg185493#msg185493 “exco.in - aren’t this the blackwavelabs guys we kicked out of delegate positions?” Might be worth clarifying this.

2 Likes

I was contacted by Nikolai (Toast) that if we integrated BTS into our system we could request to be a delegate to help pay for the development costs.

We started investigating the process and were interested in pursuing this, however he left out the fact that we would have to pay 885 USD up front to even campaign to become a delegate.

We decided we would build a bridge wrapper for BTS and request delegation for this process. As an experiment I put the money up and began campaigning. After several days of people asking us not to spend the delegate money and other ridiculous requests, we were given delegation status. Most of their criticism was that we were involved with NuBits and they felt anyone who was involved with NuBits, which to them is a clear scam, has bad judgement (this came from forum moderators and community leaders).

We then had to buy a VPS and set up the client, incurring even more costs. During this time there were hard forks and other issues we ran into, and just running the client cost us several hours of work.

After many days of campaigning, setting up the VPS and paying the initial fee we were elected to be a delegate and we began to slowly receive BTS and work on the wrapper.

After beginning to work on the wrapper, every day we were hounded with questions about when the wrapper would be ready within days of starting. While the community overlooked other critical and relevant questions (Asking us about our experience, asking us to verify our identity with PGP, etc) they instead hounded us if we would spend the BTS and when the wrapper would be done.

I was even told by a community leader that “it may be a miscommunication because many of his tech guys didn’t know what a wrapper was”. I told him that I would question the credentials of any people claiming to be “tech guys” who don’t know what a software wrapper is and linked him to a Google search for the phrase “software wrapper”.

Instead of spending countless more hours answering the same questions we had already answered several times, I chose to tell the community we would rather focus on development than answering questions on their forums.

In the end our delegation status was removed before we even covered the original 885 entry costs, not to mention the countless hours spent maintaining the client and campaigning to be a delegate. We lost countless hours and a significant amount of money and we came away with the conclusion that the BTS community had a childish approach to competition and poor management skills.

I believe that the distributed delegation system is very interesting but I believe the BTS community is incredibly unhealthy.

They would like a system where they can hire contractors to do small jobs, but the upfront costs of becoming a delegate and the amount of time it takes to campaign makes it very hard for small contractors to enter. The risk vs. reward is heavily against small contractors and the large stakeholders of BTS would rather people work for free for their benefit before allowing people to become delegates. In essence they have a system that doesn’t fit their desired goal, and refuse to acknowledge anything wrong.

You can find all my posts on their forums where I argue these points and they sidestep answering my criticisms of their system.

I think the system is good but the community, due to an early bubble and bad distribution, will never reach the full potential. I hope someday someone takes their codebase and creates a community that isn’t entirely focused on creating early adopters who suffered losses in the first bubble.

1 Like

If any additional information is needed from me please contact me at admin@exco.in

I will respond as fast as possible, I have not ceased working. I have been combing the logs to determine the exact cause and collect as much information on the DDOS and bug as possible.

Drunkonsound is trying to convince me, if we can pay back all of our creditors, to rebuild the trading engine from scratch and relaunch an improved version. I will keep everyone up to date on this plan, but my focus is on determining the cause and ensuring members get their money back.

2 Likes

Thanks for your efforts. I hope you made it.

Ronny from CCEDK has openly said he has the identity of the thief but refuses to give out any information.

I suspect this is because either the money was laundered on his exchange, which is counter to their image of anti-laundering, or he directly benefits from Exco.in failing since we were starting to take a large portion of his market cap.

This is an open request that CCEDK actually work with us to capture the criminal who stole large sums of money from Exco.in users instead of refusing to help for personal gain.

2 Likes

Tks for the details.

Wow. Seriously, if it is true, then we have there a strong way to put pressure on the thief.
If @ronny wants Nu to grow, then he should help us retrieve the lost 60k NBT which belong to the shareholders, by revealing somehow the identity of the thief, assuming that he has it.

Essentially all of the CCEDK volume is from NBT/BTC. Exco.in was making major headway in the NBT marketplace, we were on a path to eclipse CCEDK within months. However now with both Exco.in and BTER gone CCEDK stands to be the largest player in NBT/BTC. CCEDK directly benefits from withholding this information.

All we were met with was flimsy claims that they can’t trust Excoin, an established/respected exchange, over a suspected thief, so no information could be given out.

We would be taking this information to the authorities not seeking vigilante justice. What they are doing is simply wrong and not only hurts the Nu project but the trust in cryptocurrency in general.

Exchanges should be working together to root out bad actors not playing power politics to maintain a stranglehold on the market share.

Although I’d have appreciated it if this had been solved in private between you and ronny, I agree that it would be in the interest of Nu shareholders if CCEDK cooperates.

In the end I can imagine that if you start a lawsuit against the hacker in Denmark (or probably any other country in the EU), the police will request the data from CCEDK anyway at some point. I don’t see any reason to make this process so complicated though.