Coinapult Hot Wallet Hack: Difference between revisions
No edit summary |
(Another 30 minutes complete. Created a logo graphic. Populating in detailed about information on the service. Some on the notice which was placed on the website.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}[[File:Coinapult.jpg|thumb|Coinapult Logo/Homepage]] | ||
This appears to have not affected any customer deposits. In general, hot wallets cannot be considered safe storage. | This appears to have not affected any customer deposits. In general, hot wallets cannot be considered safe storage. | ||
| Line 10: | Line 10: | ||
== About Coinapult == | == About Coinapult == | ||
Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. These features enable users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Additionally, Coinapult provided payment processing services for businesses, ensuring no fees, guaranteed pricing, and daily bank settlements<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | |||
Locks, a feature offered by Coinapult, enables users to easily receive, save, and spend Bitcoin while mitigating price volatility<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>.<ref name=":1">[https://www.youtube.com/watch?v=AxriIkGaY60 Coinapult Locks - YouTube] (Accessed Feb 28, 2024)</ref> | |||
Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins<ref name=":0">[https://web.archive.org/web/20150227230113/https://coinapult.com/ Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST] (Accessed Feb 28, 2024)</ref>. | |||
== The Reality == | == The Reality == | ||
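Review bot: every citation in the three added About paragraphs repeats the full body of <ref name=":0">, so the same archive link and access date are defined more than ten times. Define it once on first use and write <ref name=":0" /> afterwards, as the timeline rows do with <ref name=":1" />. The added text also slips into the present tense ("These features enable", "Locks ... enables") for a service described elsewhere in the past tense.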
| Line 47: | Line 32: | ||
!Description | !Description | ||
|- | |- | ||
| | |July 18th, 2014 5:29:41 PM MDT | ||
| | |Locks Video Promotion | ||
| | |A video is put on YouTube to announce the Coinapult locks program<ref name=":1" />. | ||
|- | |- | ||
| | |March 17th, 2015 11:55:00 AM MDT | ||
| | |Coinapult Under Maintenance | ||
| | |The Coinapult website is placed under maintenance, according to their homepage<ref name=":2">[https://web.archive.org/web/20150319090158/https://coinapult.com/ Coinapult Homepage Archive March 19th, 2015 3:01:58 AM MDT] (Accessed Feb 28, 2024)</ref>. | ||
|- | |||
|March 19th, 2015 3:01:58 AM MDT | |||
|Coinapult Website Notice Captured | |||
|The first time that the Coinapult homepage is captured with a notice placed for users. Coinapult notifies users they are currently investigating a security breach of the hot wallet and advises customers to refrain from sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses<ref name=":2" />. Updates on the situation will be provided as they become available<ref name=":2" />. The company has contained the situation, ensuring the safety of all funds except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and until the attack vector is identified and patched, Coinapult will not re-enable its services<ref name=":2" />. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers<ref name=":2" />. | |||
|} | |} | ||
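Review bot: in the added March 19th row, the sentence beginning "The company has contained the situation" has no <ref> and states the company's assurance in the wiki's own voice. Attribute it to the notice and cite :2 like the sentences around it. The March 17th row also cites :2, which is defined as the March 19th capture, so the row should say where the 11:55:00 AM timestamp comes from.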
| Line 60: | Line 49: | ||
== Total Amount Lost == | == Total Amount Lost == | ||
According to the homepage notice, the total loss is 150 bitcoin<ref name=":2" />. | |||
The total amount lost has been estimated at $43,000 USD. | The total amount lost has been estimated at $43,000 USD. | ||
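Review bot: the added 150 bitcoin line sits directly above the "$43,000 USD" estimate, which has no source and no stated conversion basis, so a reader cannot tell whether the two figures describe the same loss. Cite the estimate and state the exchange rate and date used, or say explicitly that it is the dollar value of the 150 BTC.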
| Line 66: | Line 57: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | ||
“Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.” | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
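Review bot: the added Justin Blincoe quotation under Immediate Reactions carries no <ref> and does not name the publication it is quoted from. Add the source, since this is the only support on the page for the claim that no customer funds were affected.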
Revision as of 16:25, 28 February 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
This appears to have not affected any customer deposits. In general, hot wallets cannot be considered safe storage.
This exchange or platform is based in Panama, or the incident targeted people primarily in Panama.
https://www.reddit.com/r/Bitcoin/comments/7crwcb/why_i_dont_trust_coinapult_from_ex_employee/
https://bitcoinwiki.org/wiki/coinapult
About Coinapult
Coinapult was a Panama-based wallet service with a goal of simplifying Bitcoin usage for individuals and businesses alike[1]. Through their website, they offered a range of services to enhance accessibility and usability in the cryptocurrency space, including sending Bitcoin by email and SMS[1]. These features enabled users to send Bitcoin to anyone, even those unfamiliar with the cryptocurrency, through email or simple text messages[1]. Additionally, Coinapult provided payment processing services for businesses, with no fees, guaranteed pricing, and daily bank settlements[1]. Merchants could use Coinapult to accept Bitcoin payments quickly and easily, expanding their payment options without incurring additional fees[1].
Locks, a feature offered by Coinapult, enabled users to easily receive, save, and spend Bitcoin while mitigating price volatility[1]. Users could receive, lock, unlock, and spend Bitcoin seamlessly, allowing for instant transactions worldwide. Locks provided a simple and fast way for both new and experienced users to engage with Bitcoin without needing to speculate on its price[1]. It promised a convenient tool for introducing newcomers to Bitcoin and facilitating regular Bitcoin payments for more experienced users[1][2].
Coinapult offered a hassle-free service for businesses that were looking to integrate Bitcoin payments[1]. Businesses were promised the ability to provide more payment options and enhance their payment processing capabilities with no fees and user-friendly features[1]. Coinapult also provided developer resources for integrating Bitcoin services into applications, including ready-to-use API clients and shopping cart plugins[1].
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 18th, 2014 5:29:41 PM MDT | Locks Video Promotion | A video is put on YouTube to announce the Coinapult locks program[2]. |
| March 17th, 2015 11:55:00 AM MDT | Coinapult Under Maintenance | The Coinapult website is placed under maintenance, according to their homepage[3]. |
| March 19th, 2015 3:01:58 AM MDT | Coinapult Website Notice Captured | The first time that the Coinapult homepage is captured with a notice placed for users. Coinapult notifies users they are currently investigating a security breach of the hot wallet and advises customers to refrain from sending Bitcoin to existing Coinapult addresses immediately, including Lock Addresses[3]. Updates on the situation will be provided as they become available[3]. The company has contained the situation, ensuring the safety of all funds except for the 150 BTC withdrawn during the breach. Investigations are ongoing to determine the method of attack, and until the attack vector is identified and patched, Coinapult will not re-enable its services[3]. If the process extends beyond a few days, the company promises to issue manual refunds to affected customers[3]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
According to the homepage notice, the total loss is 150 bitcoin[3].
The total amount lost has been estimated at $43,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
“Coinapult COO and CFO Justin Blincoe stressed that the hot wallet was used only for funds owned by the bitcoin wallet and service provider, and that no customer funds were affected.”
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Coming soon.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Coinapult Homepage Archive February 27th, 2015 4:01:13 PM MST, https://web.archive.org/web/20150227230113/https://coinapult.com/ (Accessed Feb 28, 2024)
- [2] Coinapult Locks - YouTube, https://www.youtube.com/watch?v=AxriIkGaY60 (Accessed Feb 28, 2024)
- [3] Coinapult Homepage Archive March 19th, 2015 3:01:58 AM MDT, https://web.archive.org/web/20150319090158/https://coinapult.com/ (Accessed Feb 28, 2024)