Cryptsy reported on 01.12.16 that Cryptsy email servers were somehow hacked and evidently compromised. The bad part is that when any user logs into cryptsy.com they get an email saying Cryptsy has closed.
Shortly after, users also reported that the 2FA e-mail system was sending them this type of email.
See image: http://imgur.com/yTzrgzh
Not to worry, no customer verification info has been compromised / Verified by @Horus / Head of Security w/ Cryptsy
The 1st site they used for this phishing scam was shut offline almost immediately by a small 60GB DDoS; we found out it was located in Road Town, Virgin Islands. Then, shortly after the site was shut off, they changed name servers and moved to another server located somewhere in the Netherlands.
Then we decided to try to entrap them with use of their online chat support.
The site has also been blacklisted w/ Google and a few other well-known sites for admins.
We managed to carry on a conversation with a few different fake support requests on the phishing page.
Also attached are some screenshots of the chat.
Scammers phishing Cryptsy users for BTC, asking for BTC donations to get funds back.
You can check the balance here: BTC ADDRESS
We've had our security team members in live chat for a few hours; many new accts were created to help trick them and to nab the new IPs they logged in with each time.
The "Phishing Scammers" even made new Cryptsy accts to give us a "new" tradekey. As we guessed, they created new dummy accts w/ bogus emails and spoofed IPs. Here is some of the poor chat support they tried to give us to trick users into donating BTC.
See attached screenshots taken during this whole endeavor.
Asking for donations for funds, https://imgur.com/BEXWFE7
Thanks to everyone who worked on trying to catch these scamming ass holes.
Cryptsy has since resumed trading, although withdrawals are still paused. Since this attack, any requests to withdraw funds have been canceled.
Here is the notice you will see once you log in to your Cryptsy.com account.
Important System Notification
Phishing Attempt: There is a phishing attempt going around prompting users to go to a cryptsy-refund website. Do not go to this website or give your login details on any website other than the official Cryptsy website.
There were two avenues of the Phishing attempt. One was via SMS, using our provider Twilio and gained entry into our logs and sending ability via a weak password on that account. The passwords on this account have been secured. The other avenue was via email using the same mailing service we use (Mailgun), but was not sent using our account. It is uncertain where the email list for this Phishing attempt was attained from, as we do not show any unauthorized access to our Mailgun account nor our internal systems. We are still investigating this matter.
If you were a victim of this phishing, you should log into your account at Cryptsy immediately and do the following:
1. Change your password and enable 2fa if you don’t already have it enabled.
2. Check your pending withdrawals, we currently have withdrawals disabled so if you see one that shouldn’t be there you can request to have it cancelled.
Regarding other issues that have been apparent at Cryptsy for the last couple months, I will be making another post to explain what has been happening in the next couple days.
BigVern
UNTIL WE ARE ABLE TO DETERMINE EXTENT OF THE PHISHING ATTEMPT, ALL WITHDRAWALS WILL BE CANCELLED AND ARE PAUSED
I'll keep you all posted as I'm notified.
CRYPTSY USERS READ THIS ASAP
Direct from Cryptsy Blog
What's Happening at Cryptsy?
Cryptsy has had problems for some time now and it’s time to let everybody know exactly why. These problems were NOT because of any recent phishing attacks, or even a ddos attack, nor does it have anything to do with me personally.
About a year and a half ago, we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies. After a period of time of investigation it was found that the developer of Lucky7Coin had placed an IRC backdoor into the code of the wallet, which allowed it to act as a sort of a Trojan, or command and control unit. This Trojan had likely been there for months before it was able to collect enough information to perform the attack. It does not appear that this was the original developer for LK7, as on 5/22/2014, we received this message from the new developer who wanted to maintain the codebase:
Lucky7Coin is not maintained and I would like to take care of it. I have announced that on bitcointalk.org in Lucky7Coin thread. You’re the only exchange for this coin and I hope you will let me take care of it. I’m responsible. You don’t have to be afraid of errors or forks. I’m developing multipool and I know bitcoin internals and protocol.
For a start I’ve changed irc network, so clients could synchronize blockchain. Please upgrade as soon as you can.
Branch “master” will always be for stable version, branch “devel” could be dirty. In a 2-3 weeks I’ll release new version with p2pool support and checkpoints. Before that I’ll contact you to check few blocks hashes for checkpoints and make sure there is no fork.
I hope we can cooperate and make this coin live again!
These are the approximate figures taken:
Bitcoin: 13,000 BTC
Litecoin: 300,000 LTC
This of course was a critical event for Cryptsy, however at the time the website was earning more than it was spending and we still have some reserves of those cryptocurrencies on hand. The decision was made to pull from our profits to fill these wallets back up over time, thus attempting to avert complete closure of the website at that time. This worked fine for awhile, as profits decreased due to low volume and low Bitcoin prices, we would adjust our spending accordingly. It wasn’t until an article from Coinfire came out that contained many false accusations that things began to crumble. The article basically caused a bank-run, and since we only had so much in reserves for those currencies problems began.
Our current customer liabilities for BTC is around 10,000 BTC, so as you can see we would like to see the Bitcoins returned for both our users and for ourselves.
Here are the transaction details from the Bitcoin wallet:
As you can see, 2014-07-29 13:17:36 is when the event occurred. A very interesting fact here, however, is that those Bitcoins have not moved once since this happened. This gives rise to the possibility they can be recovered. In fact, I’m offering a bounty of 1000 BTC for information which leads to the recovery of the stolen coins.
If you happen to be the perpetrator of this crime, and want to send the coins back no questions asked, then you can simply send them to this address:
If they are returned, then we will assume that no harm was meant and will not take any action to reveal who you are. If not, well, then I suppose the entire community will be looking for you.
Some may ask why we didn’t report this to the authorities when this occurred, and the answer is that we just didn’t know what happened, didn’t want to cause panic, and were unsure who exactly we should be contacting. At one time we had an open communication with Secret Service Agent Shaun Bridges on an unrelated matter, but I think we all know what happened with him – so he was no longer somebody we could report this to. Recently I attempted to contact the Miami FBI office to report this, but they instead directed me to report it on the I3C website. I’ve not heard anything from them.
I think the only real people who can assist with this are the people of the Bitcoin community itself.
Trades and withdrawals will be suspended on the site indefinitely until some sort of resolution can be made.
Here are our options:
1. We shut down the website and file bankruptcy, letting users file claims via the bankruptcy process and letting the court make the disbursements.
- or –
2. Somebody else comes in to purchase and run Cryptsy while also making good on requested withdrawals.
- or –
3. If somehow we are able to re-acquire the stolen funds, then we allow all withdrawal requests to process.
I’m obviously open to any other ideas people may have on this.
Jan 14th, 2016
There is a phishing attempt going around prompting users to go to a cryptsy-refund website. Do not go to this website or give your login details on any website other than the official Cryptsy website.
There were two avenues of the Phishing attempt. One was via SMS, using our provider Twilio and gained entry into our logs and sending ability via a weak password on that account. The passwords on this account have been secured. The other avenue was via email using the same mailing service we use (Mailgun), but was not sent using our account. It is uncertain where the email list for this Phishing attempt was attained from, as we do not show any unauthorized access to our Mailgun account nor our internal systems. We are still investigating this matter.
If you were a victim of this phishing, you should log into your account at Cryptsy immediately and do the following:
1. Change your password and enable 2fa if you don’t already have it enabled.
2. Check your pending withdrawals, we currently have withdrawals disabled so if you see one that shouldn’t be there you can request to have it cancelled.
Regarding other issues that have been apparent at Cryptsy for the last couple months, I will be making another post to explain what has been happening in the next couple days.
Jan 13th, 2016
I feel I need to give a response to the recent Coinfire article. Like their previous article, they’ve made a lot of claims without giving any kind of proof to their claims. I know many people don’t take coinfire very seriously these days, which is good. However there are some out there that may not really know that the kind of “News” these guys produce is not always reliable.
We have never been investigated for anything, period. We have never gotten any letters from any of the agencies that they have stated in their article, nor have we been contacted via phone or any other method. It’s safe to say that this article and their reporting are completely false. My guess is that whoever wrote this article has personal reasons for writing it and is attempting to hurt our business and reputation.
We will be reviewing our legal options against this libelous article.
Oct 5th, 2015
In response to coinfire
I’d like to make a statement regarding coinfire’s article claiming we are lying about being fully licensed.
First off, we’ve never made any claims about being fully licensed at the state level. I’m unsure where they received their information from, but like every other Bitcoin company in the US, we do not have state level MSB licenses. Are we working to acquire them? Yes, but the process can take years.
There is no company that is fully licensed at the state level in the US. None.
Coinfire claims to have tried contacting us, but I’m unsure the method they were attempting. I’ve not seen anything from them requesting information. Had they asked, we would have told them that we do not have state level licenses - just like anybody else who asks that question. They certainly would not have had to call state by state requesting information because we would have told them we do not carry state licenses.
We do, however, fully comply with our Federal MSB requirements. This includes filing SAR (Suspicious Activity Reports) and CTR (Currency Transaction Reports). We also have one of the most extensive KYC programs in the industry, scrub accounts against the OFAC list, and perform Transaction Monitoring. At a federal level, we are compliant.
Federal compliance is the only claim we have ever made and will make.
I invite the writer at coinfire to contact me so I can show him what we do have, and what we don’t. I’m sure we could chat for hours about the woes of a Bitcoin related company attempting to get licenses from all the states.
It seemed to be a good investigation, but it was based on a false premise.
May 1st, 2015
Cryptsy and XPY Prime Node
Hey guys, long time no blog.
There seems to be some confusion and misinformation out there as to why we would want an XPY prime node.
I can tell you that it was certainly NOT so we can take the stake.
A goal of a decentralized system is to keep it decentralized - if you have too many important nodes in a system like this in the hands of the very few, it can be very bad. These nodes need to be distributed to as many trusted entities as possible. I hope that you guys consider us a trusted entity.
I can tell you that many of the prime nodes out there are in the control of a very small group of people. Am I “part of their group”? No. They have no say or control of anything here including the prime node. However, I value their input in the same way I value the input of all Cryptsy users. Good or bad, any input you have only helps us grow.
So I’ll say it again, the ONLY reason we are running a prime node is to protect the XPY network. To us XPY is a coin. It isn’t GAW, it isn’t some foundation, it is simply a coin with a lot of users. The fact that there is quite a bit of controversy in the XPY community often overshadows this basic fact.
So what are we going to do with the stake that this prime node produces? Well, we haven’t done anything yet. You can see all staking has been sent to this address from the time we started:
Some ideas we had internally were to either “burn” the coins, or we could find a neat way to give them back to the XPY users. One idea we had was to offer staking on any XPY balances users hold at Cryptsy. Another idea we had was to give away coins randomly to users who trade in the XPY/BTC markets.
So I call out to the community to tell me what you would like us to do with them? If the majority of Cryptsy users would like to see them burned, then that is what we will do. If you have any other awesome ideas for distribution, then let’s hear them.
Apr 27th, 2015
Cryptsy Lockbox & Improved Currency Converter Tool
Greetings Cryptsy Users,
Two new features have been released today that I wanted to tell you about.
Cryptsy has always tried to be the leader in developing a safe and secure environment for trading. Today we have released Cryptsy Lockbox. Cryptsy lockbox allows you to store funds you hold on your account more securely. When you move funds to a lockbox, those coins will not be available for trade or withdrawal. The lockbox is a time-lock system, you can set the time lock for 1 hour, 6 hours, 12 hours, or 24 hours. When a lockbox release request is made and approved from one of the email accounts set for the lockbox, the system will notify you every hour of a pending release via email and optional SMS alerts. If somehow you find you didn’t make the request, you can cancel it by clicking a link in the email. Once the allotted time has passed since the request was approved, your lockbox funds will be restored to your Cryptsy balance and will be available for trade or withdrawal.
You can access the lockbox from your Cryptsy balances page.
Who should use lockbox:
- Users who are not going to be trading for awhile due to vacation or another reason should store their funds in the lockbox. If you don’t plan on trading or withdrawing those coins for awhile, then store them.
- Users who store large amounts of coin on their local computer. The majority of hacks that we have seen in the past have occurred on the end user’s computer. If your computer is compromised, stolen, or damaged your local wallets are at risk. Cryptsy takes great measures to ensure our wallets and keys are stored safe and securely and make backups of our wallets to very secure locations often.
- Services who hold funds in their own wallets. If you run a service that stores funds in your own wallets, and do not want to worry about the security of your wallets, then you can store them into a Cryptsy Lockbox for safekeeping.
New Improved Currency Converter:
The new currency converter is back and better than ever. You can find the currency converter under the tools menu at Cryptsy. Using the converter you can convert any currency into any other currency, including USD if you are verified. You can specify either the sending amount and we will convert to show you the receiving amount, or you can specify the receiving amount and we will show you how much to send.
Soon we will be enhancing the converter tool even more by allowing you to send funds to an address to complete the conversion process, as well as providing these tools via the API. We feel this tool will be essential in the creation of merchant payment tools that use any currency traded at Cryptsy.
Nov 7th, 2014
MN Mining Contracts
There has been quite a bit of concern about the mining contracts recently, and we share those concerns.
These contracts were originally purchased at CloudHashing. Therefore they use the CloudHashing mining pool. Recently this pool has been producing poor results. We have no control of the equipment, pool, or payouts of these contracts. We simply make the disbursement to the current holders when a Block Found payment is made by CloudHashing to us. We do not keep any of the disbursement.
If you are a CloudHashing user, then I’m sure you’ve seen the same issue.
It was always known that these contracts would diminish over time, however, sometimes a day or two go by without any found blocks. We think this can be resolved by switching to a new pool.
In the next week or so I will be doing a few things:
1. I will contact CloudHashing and see if we can move over to a pool which produces more consistent results. This may mean the payouts could be lower, but at least day to day they would have more consistent payouts.
2. I will be adding additional hashing power to the MN contracts. I will pay for this myself and will not charge for power. I will also use a pool that consistently finds blocks. The payouts received from the additional hashing power will be paid on top of the payments received from CloudHashing. Uncertain at this time how much hashing power I will add, but initially I’m looking at 20 TH.
3. I will be merging the 2 current MN contracts into a single entity. We have MN1 which represents 1 GH/s and MN2 which represents 10 GH/s. The new ticker will be MN and MN1 would be converted 1 to 1, and MN2 converted 1 to 10. Payouts from Cloudhashing will be merged and paid out as we do now.
4. We may also offer contract holders another exit from MN by allowing to swap for hashing power at Mintsy when that site comes online.
I hear your feedback, and know that I am working to resolve the issues described above.
Oct 28th, 2014
Response regarding lawsuit
There was quite a bit of PR pushed out yesterday from a law firm that stated that they were filing a lawsuit against Cryptsy and myself. The complaint alleges that Cryptsy misled users and was negligent in security. They represent a single user. We have close to 300,000 users at this point. We have reviewed the unofficial complaint and believe that it is without merit. We intend to defend the case vigorously.
We would like to note that we have not received any documentation or official notification concerning any lawsuit yet. We also find it unprofessional that the law firm decided to push out such a large PR campaign prior to serving any notice. It should also be noted that according to the user terms of our site, disputes are to be handled via arbitration.
We realize that there have been a few "Bad Actors" in the crypto-currency space running exchanges and other services. Cryptsy strives for transparency and doing what is right. This lawsuit attempts to place us in the same group as many of these bad actors, but this is simply not how we operate. We are not a fly by night operation, we are a company that plans to be around for a long time. Our desire is to be the model of how to operate a crypto business.
As I’m sure many of you are aware, we take security very seriously. We pride ourselves on being one of the most secure places to trade on the internet. The crypto-currency space has been the target for a lot of hackers over the last year due to the increase in value of Bitcoin. These hackers not only target Cryptsy users, but users of many other Bitcoin services.
In this case the attack on the user making the claim came from within their own computer. This is currently one of the most common attacks by hackers. While we try to educate our users on how to secure their local environment, we ultimately have no control of a user’s computer system.
So as a reminder I’d like to reiterate a few security tips:
- Do not leave your computer logged into your Cryptsy account when you are away from your computer
- Do not install browser extensions from unknown developers
- Do not install mining software from unknown developers on the same computer you use to access Cryptsy
- Run a virus scan regularly.
- Make sure you use 2fa on your Cryptsy account
Oct 24th, 2014
Announcing digitalX Mintsy
Mining the Future…
In cooperation with DigitalBTC, together we are putting together the most comprehensive and easy to use mining system in the world.
Mintsy.co is now open for pre-enrollment:
Start mining bitcoins and altcoins on our cloud instantaneously
Buy and trade hashfracs, litefracs and xfracs
Get paid the coins you mine straight into your Cryptsy or another account
Buy bitcoins and altcoins in the future at a discount
Connect your own equipment
Pre-enroll and be entered into a competition to win $5000 in Bitcoin!*
More surprises come when we launch
What is a frac?
A hashfrac is a contract for 100GH/s of SHA256 (eg. Bitcoin) mining power with a set expiry date and all costs inclusive. Similarly, a litefrac is for Scrypt mining, and xfrac is for X-type algorithms.
Pre-enroll today to join our mailing list to keep up to date with development, beta testing, final release dates, and to enter into a chance to win $5000 worth of Bitcoin.
Sep 17th, 2014
Updates to Cryptsy Points Program and New Balance Rebates
What’s new with Cryptsy Points?
We have changed how Cryptsy Points are awarded. Previously it was based on how much you paid in fees. However, this was not beneficial for users who perform many “Maker” trades since they do not pay fees. We have changed it so it is now based on your trade volume.
How Many Points Will I Earn?
For every 1 BTC of trade volume you have, you will earn 0.1 Cryptsy Points. Cryptsy points are divisible down to 8 decimal places, so even if you only have 0.1 BTC of trade volume you will receive 0.01 Cryptsy Points. You will also earn 20% of the points each of your referrals earn.
So let’s say you had a trade volume of 1 BTC in a given day and you had 10 referred users who also had 1 BTC in trade volume each on that day.
Points Earned Directly: 0.1 CP
Points Earned from Referrals: 0.2 CP
Total Points Earned that Day: 0.3 CP
What Are Balance Rebates?
Balance rebates are basically a cut of our collected transaction fees for users who hold balances in certain currencies on our exchange. Currently the currencies we collect fees on are BTC, LTC, and USD. Users who have a balance in these currencies will be included in the pool of users who get a daily rebate in the same currency.
How Much Will I Earn in Balance Rebates?
We pay a 2% rebate. Balance calculations include available and held for order balances. So even if all your funds are held for open orders, they are included in the calculation.
So for example: We collect 10 BTC in trade fees in a day. This leaves 0.2 BTC available for rebates (2%). If you had 100 BTC on account and between all users the sum of all balances was 10,000 BTC, then you would receive 1% of the total rebate for that day. In this case that would be a 0.002 BTC daily rebate. Balances and rebates are calculated and distributed separately for each of the BTC, LTC, and USD currencies.
When Do I Get Paid My Cryptsy Points and Balance Rebates?
The program which calculates payouts and makes disbursements runs after midnight EST every day. Usually around 2am EST.
Aug 14th, 2014
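The time-lock release flow described in the Cryptsy Lockbox announcement quoted above, modelled as a small state machine to show how the delay and hourly alerts give an account owner a window to cancel a release they did not request. This is an added example, not Cryptsy's code: the class and field names, the `simulate` scenario and its sample values, and the choice to send the first alert at approval time are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

ALLOWED_DELAYS_HOURS = (1, 6, 12, 24)  # the four time-lock choices named in the post


class State(Enum):
    LOCKED = "locked"            # funds unavailable for trade or withdrawal
    PENDING = "release_pending"  # release approved, time lock running
    RELEASED = "released"        # funds back in the tradable balance


@dataclass
class Lockbox:
    amount_satoshi: int
    delay_hours: int
    approver_emails: frozenset
    state: State = State.LOCKED
    approved_at: Optional[datetime] = None
    alerts_sent: int = 0
    outbox: List[str] = field(default_factory=list)  # stands in for email/SMS delivery

    def __post_init__(self):
        if self.delay_hours not in ALLOWED_DELAYS_HOURS:
            raise ValueError(f"time lock must be one of {ALLOWED_DELAYS_HOURS} hours")

    def approve_release(self, email: str, now: datetime) -> None:
        """Start the time lock; only an address registered for this lockbox may approve."""
        if email not in self.approver_emails:
            raise PermissionError("release not approved from a lockbox email account")
        if self.state is not State.LOCKED:
            raise RuntimeError(f"cannot approve release while {self.state.value}")
        self.state, self.approved_at, self.alerts_sent = State.PENDING, now, 0

    def cancel(self) -> bool:
        """Owner clicked the cancel link: funds stay locked, the clock is discarded."""
        if self.state is not State.PENDING:
            return False
        self.state, self.approved_at = State.LOCKED, None
        return True

    def tick(self, now: datetime) -> State:
        """Advance the clock: queue one alert per elapsed hour, release after the delay."""
        if self.state is not State.PENDING:
            return self.state
        elapsed_hours = int((now - self.approved_at) / timedelta(hours=1))
        # Assumption: the first alert goes out at approval time (hour 0); the post
        # only says "every hour". No alert is queued for the release hour itself.
        due = min(elapsed_hours, self.delay_hours - 1) + 1
        while self.alerts_sent < due:
            at = self.approved_at + timedelta(hours=self.alerts_sent)
            self.outbox.append(f"{at:%Y-%m-%d %H:%M} pending release of {self.amount_satoshi} sat")
            self.alerts_sent += 1
        if now - self.approved_at >= timedelta(hours=self.delay_hours):
            self.state = State.RELEASED
        return self.state


def simulate(cancel_after_hours: Optional[int]) -> Lockbox:
    """Constructed scenario: 6-hour lock, release approved at 09:00 on a made-up date."""
    t0 = datetime(2015, 1, 1, 9, 0)
    box = Lockbox(50_000_000, 6, frozenset({"owner@example.com"}))
    box.approve_release("owner@example.com", t0)
    for hour in range(0, 8):  # one scheduler pass per hour
        if cancel_after_hours is not None and hour == cancel_after_hours:
            box.cancel()
        box.tick(t0 + timedelta(hours=hour))
    return box
```

`simulate(None)` runs the lock to completion, while `simulate(3)` shows a cancel in the third hour leaving the funds locked after three alerts.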