Excoin Exchange To Shut Down Amid Claims Of Theft

The altcoin exchange Excoin has announced that it will soon shut down after alleging that an attacker was able to withdraw all the bitcoins from the exchange.

With a trading engine written in Go, Excoin launched what was predominantly a Blackcoin exchange back in November of 2014. Excoin also featured a proof of reserve page which reassured members that their funds were securely stored and accounted for.

As a result of the alleged theft, Lead Developer Samantha Chen posted the following announcement:

February 6th and 10th, the user 'Ambiorx' was able to gain access to all the Bitcoins on the Exco.in exchange. As a result we no longer have the means necessary to continue operation and are deeply saddened to announce we will be shutting down operations this month. The trading engine has been disabled and Exco.in user accounts will remain active, with the exception of Ambiorx's account and those who may be affiliated.

Users are now able to withdraw their remaining funds from Exco.in with new deposits having been disabled. If you have any issues withdrawing, please contact support and we will assist you as soon as possible.

Exco.in will be liquidating its assets and holdings and converting it to BTC to make it available to our members.

We are sincerely sorry that things have come to this. Our goal was to provide a service for a community we sincerely cared about and wished to support.

We will do everything we can to make sure every member is reimbursed properly.

We would greatly appreciate any assistance in locating 'Ambiorx' and we will be available for support until operations cease.

Technical explanation:

Upon initial investigation it appears that during the DDOS two separate trades spiraled out of control either due to a bug or an exploit and transferred a very large number of small Bitcoin transactions to Ambiorx's account.

Ambiorx did not notify us and we had not realized due to their account not reporting any suspicious activity. The transfers in question were missing the trade ids, so they did not raise alerts in our system and were unable to correctly associate with the trade, which resulted in the trade attempting to re-initiate the transfers endlessly. We had investigated the trades during this period and noticed two trades with issues caching trade data but it appeared minor at the time and they had the correct number of associated transfers. We fixed the caching issues with the trades and moved forward.

Ambiorx used the fraudulently obtained Bitcoins to purchase as much of the NBT and NSR on the site that they could buy and transferred it to off site addresses (included at the end of this message). The bugged/exploit trade continued to fill his account with new Bitcoins as he continued to spend them. From February 6th to the 11th, the remainder of the NBT, BTC and much of the NSR was drained from the site to the addresses listed below.

We noticed the hot wallets dwindling but assuming it was members moving their funds off site during the DDOS, we loaded all the cold balances onto the site so that users would not have withdrawals interrupted during our periods of up time. This fatal mistake allowed Ambiorx to continue to drain the site.

We are still investigating the exact cause of the bug or exploit and if anything else happened on the servers we have yet to notice. Excoin is still under DDOS attack which makes it very difficult to investigate the causes of these issues. We will provide more information about the attack as we learn more.

Samantha Chen (YT)
Exco.in Lead Developer

Email me at admin@exco.in for any clarification or questions

I will make myself available on IRC on freenode for questions.

I will be resigning from Blackwave Labs and looking for regular full time employment to help pay back the lost funds. I will also ask drunkonsound to help cover my losses with Blackwave Labs holdings as well.

Information We Have Collected On 'ambiorx'
Suspected Thief:

Username:
ambiorx

Email Address:
exco@comtecservices.be

IP Addresses:

IRC Records:
ambiorx (8d866c26@gateway/web/freenode/ip.141.134.108.38)

Suspected IRC Aliases:
arrakian [~arrakian@gateway/tor-sasl/arrakian]
scytale [~scytale/tor-sasl/scytale]
facedancer [~arrakian@gateway/tor-sasl/facedancer]

BTC Addresses:

NBT Addresses:

NSR Addresses:
SMVTMUmhCa8AGbvR4B8AmsWExHUgkaEhsE
SgFzG93yKJqbTw1TM1nwvtesGBF7jFG4dY

Information We Collected From the DDOS

DDOSer Name
DD4BC Team

DDOSer Email
dd4bc@Safe-mail.net

Identified DDOS IP Addresses:

Email messages, logs and information from our database with personal information removed can be provided to those interested in assisting the investigation.

If you are interested in assisting please contact me at admin@exco.in for more additional details and questions.
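
The failure mode in the announcement's technical explanation, transfers that carried no trade id and so raised no alert while a trade kept re-issuing them, is the case a settlement reconciliation pass exists to catch. The Go example below is added here and is not Excoin's code; the `Transfer` and `Finding` types, the `Reconcile` function and the sample data are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Transfer is one internal credit made by the trading engine (constructed model, not Excoin's schema).
type Transfer struct {
	TradeID, Account string // TradeID is empty when the link to the trade was lost
	Sats             int64
}

// Finding is one alert: "orphan" (no trade id, Key = account) or "overpaid" (Key = trade id).
type Finding struct{ Kind, Key string; Count int; Sats int64 }

// Reconcile alerts on every transfer without a trade id and on every
// trade whose transfers add up to more than the amount it was filled for.
func Reconcile(filled map[string]int64, transfers []Transfer) []Finding {
	agg := map[[2]string]*Finding{}
	for _, t := range transfers {
		k := [2]string{"overpaid", t.TradeID}
		if t.TradeID == "" {
			k = [2]string{"orphan", t.Account} // a missing id is itself the alert
		}
		if agg[k] == nil {
			agg[k] = &Finding{Kind: k[0], Key: k[1]}
		}
		agg[k].Count++
		agg[k].Sats += t.Sats
	}
	var out []Finding
	for _, f := range agg {
		if f.Kind == "orphan" || f.Sats > filled[f.Key] {
			out = append(out, *f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind+out[i].Key < out[j].Kind+out[j].Key })
	return out
}

func main() {
	// Constructed sample: T1 settles once, T2 is credited twice, "acct-9" gets three credits with no trade id.
	filled := map[string]int64{"T1": 50000, "T2": 20000}
	ts := []Transfer{{"T1", "acct-1", 50000}, {"T2", "acct-2", 20000}, {"T2", "acct-2", 20000},
		{"", "acct-9", 1000}, {"", "acct-9", 1000}, {"", "acct-9", 1000}}
	for _, f := range Reconcile(filled, ts) {
		fmt.Printf("%s %s: %d transfers, %d sats\n", f.Kind, f.Key, f.Count, f.Sats)
	}
}
```

Counting transfers per trade, as the announcement says was done, passes when the excess credits are not linked to any trade; grouping unlinked credits by receiving account is what surfaces them.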
