Thread

We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
The Bullish ₿itcoiner's avatar The Bullish ₿itcoiner
PSA: An autowithdraw exploit for @Mysterious Hamster has been confirmed. Check your settings if you’re using this wallet. Felt bad for not giving them more time to respond privately, but hopefully this saves some of your sats. View quoted note →
View quoted note →

Replies (29)

Big Yikes.
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
Maybe I'm not an asshole for raging against nsec pasting culture after all. But that's a separate topic.
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
Lmao year of our lord 2025 and people are still raw dogging nsecs?
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
move your funds out of coinos.io they had many security flops, this just being the last one
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
I’m sorry but this is simply unacceptable. One to be storing private keys in the first place this way and two if you have known hackers that have hacked you before to that degree you need to tell everyone I mean EVERY ACCOUNT about this. nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
Are you still using your nsec to login somewhere, anon?
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
This is why remote signing, extensions, possibly sub keys, etc all need to be a standard. This sort of problem at scale would be a disaster. #Nostr keys are precious and a major problem still remains that many clients or services still have a place to paste private keys to login or use the service. Be extremely careful with this and if you aren’t sure if you are using keys client side only, then opt out until a better option is available. Love CoinOS btw, this isn’t a dig and they’ve implemented most of the above options for this reason. Just really important to know the trade offs with things like this. nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
🛡️
Once upon a time I remember we used to complain bitcoin/nostr stuff wasn't attacked enough as people liked the projects. These days attacks are constant, sophisticated and from every direction, many state sponsored. Its ultimately a good thing for hardening and something users should be prepared for using bleeding edge, but of course very painful. I salute you brave users/developers🫡
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
Transparency and full disclosure. It's not the easy way, it's the right way. Thank you Coinos.io for your continued efforts to harden and fight off the actors who will inevitably go after sats wherever they may be. It is more important than even, that we all learn to self custody and do regular sweeps to protect ourselves from these threats. 💪🫡
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
Sorry guys. This kind of failure is unacceptable. This is why users need to have self custodial user friendly wallets. This is what always happens when you rely on a third party for your wallet, and that third party has any control whatsoever. Coinos themselves are at fault for this issue, but only in so far that this will happen to every single custodian, at one point or another. They made some bad security decisions, but that's unimportant. They could have done everything correctly and eventually something would have happened anyway. This is why self custody is necessary. Mistakes happen, most of the time the custodian is not evil or malicious, it's the very ability to have control over another's funds or data that is the problem, almost never who the controller is. What coinos did right is the user friendlyness. I liked coinos, it works, the ui is clean and simple, and getting setup is incredibly easy. But they took custody of user funds, and that's always a problem in the making. The wallet integrated in animestr will be entirely self-custodied, and still be as intuitive as coinos (if not more)
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →
🛡️
image
Mysterious Hamster's avatar Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys. View quoted note →
View quoted note →