11 700 000 tokens was stolen from COSS exchange

11 700 000 tokens was stolen from COSS exchange


Reddit user with nickname u/blockchainified informed the community that COSS exchange had a vulnerability which led to theft of his funds. The account was hacked using 2FA brute force and 11 700 000 tokens was stolen. COSS said that this is not the first occasion of such a theft. Nevertheless, of course, the exchange claims that the theft occurred through the fault of the user. However, not all so simple...


Author's spelling and punctuation saved:


"This hack happened on October 14, 2018. I woke up early in the morning my local time. Right away I turned on the laptop and checked my inbox where I discovered the abnormally large volume of letters from the COSS Exchange. There were a few thousands of them. Each letter informed me about a failed attempt to enter my account on the Exchange.

https://monosnap.com/file/g77PukIXek90mSkixZD00gDe3rWskh

https://monosnap.com/file/nahoOFWZZwSeiObX82nTTxkrs3PNLs

All the security measures were taken properly:

https://monosnap.com/file/79XrZrCLUTYWyjqRbWpMdbw5sGEi0V

I received all of the e-mails when I slept. I rushed to check the account and discovered that all my holdings were gone. More specifically, they were sold on low-liquid markets at the rates substantially lower than the market ones.

https://monosnap.com/file/ZF2LuWlV5rbwsO6FycUu4mea9ByL2f

In no time I turned to the support of the Exchange and informed about the incident. I wrote about this situation on Reddit and in the public Telegram group of the Exchange. Naturally, the first reaction that I experienced from the community was humiliation and accusations of stupidity. Many called me a dumb fool because I stored funds on the Exchange and so on. No need to point out how I kept the funds. I have what I have now. So on a weekly basis, the Exchange shares the trading fees with the holders of its tokens. The profit is distributed among token holders proportionally to the number of tokens they possess. That's why I decided to keep my tokens with COSS exchange.

The exchange claims:

https://medium.com/@coss.io/coss-io-october-24th-2018-updates-180ca2bb003b

https://monosnap.com/file/bXFU7D1CQamFzrZpi8TRskjqsiW1C2

They forgot to mention one small fact that access to my account was received using vulnerability which allowed hacker to perform brute force attack on my 2FA.

I was not the only victim as COSS declares in their medium blog and hacker indeed used exchange’s vulnerability:

https://monosnap.com/file/X48I4OrgYBgw5vAORRQLJtrcved06l

COSS Exchange was under DDOS + Brute force attack

They’ve shut down an entire exchange for ~24 hours:

https://monosnap.com/file/7AHQbzugClSxUwlx2lHFIpadtxhiqv

What was that if not an exchange’s vulnerability?

The Exchange claims that the hacker had my password. Of course, the most natural and the easiest thing is to accuse the user of being responsible for the accident. But I can assure you that it is far from being the case. I have been in this industry since the end of 2011, and I do know how to generate and store wallets, passwords etc. I neither use Android smartphones, nor computers with Windows OS. I do not use SMS 2FA. I am meticulous and do not do bullshit. What if it was some internal job? Or users data base leaked? Ok, let's assume that I happened to become a victim/target of a hacker, who somehow managed to access my login and password (what I doubt A LOT). However, I had a 2FA verification installed for this occasion.

https://monosnap.com/file/79XrZrCLUTYWyjqRbWpMdbw5sGEi0V

It was designed exactly for the situations like the one I described above. 2FA enables to keep the funds safe even if the password/login was compromised. Recently I received a report from COSS compliance, in which they admitted that the brute force attack took place. After 25,000 trials the attack was successfully completed.

https://monosnap.com/file/va2jo4vKoY8BMpCiqVr2lp7AGT8AvO

The hacker got the access to my account and sold all my funds for nothing. After all the Exchange ignores my messages about refund and steps towards that. They’ve only stated amount of assets they were able to recover and

https://monosnap.com/file/K53lHFblRaeOLIVt6CUAF3P4tvE2LO

claiming that it was the user's (mine) fault that the hacker managed to access the funds.

https://monosnap.com/file/McRLu9kY0vZuSGmVqU3ViDa2IljTkV

How come? How would the hacker have accessed the funds if the Exchange had not allowed to perform the brute force attack? Even if it was me who had compromised the password in some magic way, 2FA had to serve the last stand. The hacker managed to brute force it using Exchange’s vulnerability and the Exchange has not stopped the brute force attack. Remember, there were 25,000 trials

https://monosnap.com/file/w1OOclQrPSuJFY4GzSpHCHABipfgKa

If I had additional time, I would manage to respond and prevent the hack. Even if there was my fault, but only 50%, the other half is that exchange gave the opportunity to the hacker to brute force 2FA. In this regard, I publicly call the COSS Exchange to refund me at least 50% of my account's balance.

Assets I had:

~11 700 000 coss tokens (30kk$ at ATH period)

~14 BTC

19 000 eos to refund in full (EOS node was down and hacker wasn’t able to withdraw EOS)

https://monosnap.com/file/kv0QqQd9nsLszRAJFE5vzJKx8J5aLQ

~ 22 ETH

The Exchange should bear the sole responsibility for the accident if its internal vulnerability allowed the hacker to accomplish his/her brute force attack.

If it would be possible to bypass 2FA protection with a brute force attack, every exchange/platform, as well as 2FA providers (generally Google), would be brought into disrepute and would face severe claims from their users. Basically, the whole industry would become a mess. If the case, exchanges/platforms would suffer multi-billion dollar losses, in particular, translating into even more significant losses for the industry as a whole.

No matter what decision COSS exchange will take I call other exchanges to add an extra security feature to protect user’s funds. TRADING PASSWORD. This will prevent anybody to sell user’s assets on the low liquidity markets for cents even if the password was compromised and exchange grants brute force attacks.

I’m not promoting anybody, just facts:

Bitfinex doesn’t have it

Binance doesn’t have it

Poloniex doesn’t have it

Gate.io HAS IT.

English is not my native language so sorry about typo and other mistakes."


Your login password, to access your account online or by phone and a dealing password for trading and money withdrawal transactions. It seems like a really good way to save users' funds. Unfortunately, it is usually easier for exchanges to push the blame on the user than to be responsible for platform errors.


Report content on this page

Report Page

Please submit your DMCA takedown request to dmca@telegram.org