Replies (67)
We have disabled all auto-withdrawals for the time being until we get a better handle on the situation.
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
There is no such thing as rotating Nostr keys
Wow. I hope I never did something stupid with my nsec.
But we really need to find a way to stop this single point of failure.
💯
Once your key is compromised it's over. New game plus 😬😅
If you can dump an image of your disks to an encrypted external drive, the best time was before you changed anything. The next best time is right now.
Keep your nsec safe people. Don’t just copy and paste it everywhere.
View quoted note →I hope everybody learns a valuable lesson about third parties
New game plus lmaoooo I cant not zap that
Galera, um aviso importante.
Saquem seus sats da Coinos, estão surgindo muitos relatos de carteiras drenadas.
A
@Mysterious Hamster se pronunciou recentemente alegando de que está investigando o caso. Houve um vazamento de dados causado por um exploit em janeiro que pode ter armazenado alguns dados de usuários e os atacantes podem estar usando tais dados para adentrar a Coinos e saquear o saldo.
Leiam mais aqui:
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
I love Nostr; but, generally speaking, nsecs shouldn't yet be counted on to keep anything important secure... except maybe by someone who *really* knows what their doing - which necessarily means they would know not to be sharing their nsec(s) with any 3rd parties.
View quoted note →I didn't want to know this,😔
Np I’ll just rotate my keys…. Wait a minute
like, inside out or?
That is a business professional way of saying, ‘you’re fucked’
I’m just bouncing off the elliptic curve here
I’m still inside
Big Yikes.
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
lemme know when you make it the whole way around pls
update I tried this and now I have become a shift register
👀 careful out there fam.
View quoted note →@node heads up, not sure if you're still using coinos but nsec may be compromised
Thanks Cuban. Saw that. Never used the forwarding feature. But I emptied the wallet and switched to primal NWC just in case.
I know you are currently fixing things. Is this why I cannot login to my coinos?
😂
I worry I could end up where I started on the curve
That’s the stuff that keeps me up at night
whatever rotates your key man
Maybe I'm not an asshole for raging against nsec pasting culture after all. But that's a separate topic.
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
a handful:
oh my
Pretty much 🤣😂
Ooof!
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
GM
This seems to happen quite often to them. 🤔
Not good
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
Might be worth checking for this address too.
View quoted note →Good luck with the investigation. Here’s to coming out stronger from this. 👊
Are you still having issues logging in? Please email support@coinos.io
Yeh. "login failed". My account wasnt connected with NOSTR
Lmao year of our lord 2025 and people are still raw dogging nsecs?
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
Unable to zap.... No lightening wallet found.
move your funds out of coinos.io they had many security flops, this just being the last one
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
He already posted about an ongoing investigation:
View quoted note →I’m sorry but this is simply unacceptable. One to be storing private keys in the first place this way and two if you have known hackers that have hacked you before to that degree you need to tell everyone I mean EVERY ACCOUNT about this.
nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
Why are you storing private keys on file? That seems very irresponsible
😳😳😳👀🤦♂️
Think he means create new Nostr keys entirely ? 🤔
"recommending to rotate nostr keys" ahahaha
View quoted note →Are you still using your nsec to login somewhere, anon?
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
It happens to the best of us
Keep up the great work. Thanks 🫡
This is why remote signing, extensions, possibly sub keys, etc all need to be a standard. This sort of problem at scale would be a disaster. #Nostr keys are precious and a major problem still remains that many clients or services still have a place to paste private keys to login or use the service.
Be extremely careful with this and if you aren’t sure if you are using keys client side only, then opt out until a better option is available.
Love CoinOS btw, this isn’t a dig and they’ve implemented most of the above options for this reason. Just really important to know the trade offs with things like this.
nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
Once upon a time I remember we used to complain bitcoin/nostr stuff wasn't attacked enough as people liked the projects. These days attacks are constant, sophisticated and from every direction, many state sponsored. Its ultimately a good thing for hardening and something users should be prepared for using bleeding edge, but of course very painful.
I salute you brave users/developers🫡
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
I’m still here for you <3
TKay tried flipping, it was not effective!
I hope you all learn a valid lesson from this. I Storing private keys is massively irresponsible and you should be held accountable.
Transparency and full disclosure. It's not the easy way, it's the right way. Thank you Coinos.io for your continued efforts to harden and fight off the actors who will inevitably go after sats wherever they may be. It is more important than even, that we all learn to self custody and do regular sweeps to protect ourselves from these threats. 💪🫡
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
![Anhern Sarsalor [finally back]'s avatar](https://image.nostr.build/0ef9488eed98a6091f4c3aa85d4acde81615321da8f156bdd8020c6eca9125c3.jpg)
Sorry guys. This kind of failure is unacceptable. This is why users need to have self custodial user friendly wallets. This is what always happens when you rely on a third party for your wallet, and that third party has any control whatsoever.
Coinos themselves are at fault for this issue, but only in so far that this will happen to every single custodian, at one point or another. They made some bad security decisions, but that's unimportant. They could have done everything correctly and eventually something would have happened anyway.
This is why self custody is necessary. Mistakes happen, most of the time the custodian is not evil or malicious, it's the very ability to have control over another's funds or data that is the problem, almost never who the controller is.
What coinos did right is the user friendlyness. I liked coinos, it works, the ui is clean and simple, and getting setup is incredibly easy. But they took custody of user funds, and that's always a problem in the making.
The wallet integrated in animestr will be entirely self-custodied, and still be as intuitive as coinos (if not more)
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
Mysterious Hamster
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
View quoted note →
#NYKNYC-OS
All good, fam; it may be a
@Mysterious Hamster issue. 💁♂️
They've had some malicious actor, breech-related complications recently so they may have frozen transfers for #Bitcoin / #BTC custodial stash security purposes. 🤙
View quoted note →
