We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
nostr:nevent1qvzqqqqqqypzpggzvz325tcf9kz79s9c9627430ccc82r8rgujycwxd43n92y037qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyrdx8njpnvvulfcsqqd7ud47uw6dnzl4a3fmsrafsp0rte9f29h5uxpgg73
Login to reply
Replies (67)
We have disabled all auto-withdrawals for the time being until we get a better handle on the situation.
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
There is no such thing as rotating Nostr keys
Wow. I hope I never did something stupid with my nsec.
But we really need to find a way to stop this single point of failure.
💯
Once your key is compromised it's over. New game plus 😬😅
If you can dump an image of your disks to an encrypted external drive, the best time was before you changed anything. The next best time is right now.
Keep your nsec safe people. Don’t just copy and paste it everywhere.
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
I hope everybody learns a valuable lesson about third parties
New game plus lmaoooo I cant not zap that
Galera, um aviso importante.
Saquem seus sats da Coinos, estão surgindo muitos relatos de carteiras drenadas.
A nostr:nprofile1qqst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fspz4mhxue69uhhyetvv9ujumrfvecxz7fwd4jsz9thwden5te0wfjkccte9e3k76twdaeju6t0qy28wumn8ghj7un9d3shjtnyv9kh2uewd9hsmryfpz se pronunciou recentemente alegando de que está investigando o caso. Houve um vazamento de dados causado por um exploit em janeiro que pode ter armazenado alguns dados de usuários e os atacantes podem estar usando tais dados para adentrar a Coinos e saquear o saldo.
Leiam mais aqui:
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk
I love Nostr; but, generally speaking, nsecs shouldn't yet be counted on to keep anything important secure... except maybe by someone who *really* knows what their doing - which necessarily means they would know not to be sharing their nsec(s) with any 3rd parties.
nostr:nevent1qvzqqqqqqypzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52g9e9955
🚨🚨🚨
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
I didn't want to know this,😔
Np I’ll just rotate my keys…. Wait a minute
like, inside out or?
That is a business professional way of saying, ‘you’re fucked’
I’m just bouncing off the elliptic curve here
I’m still inside
Big Yikes.
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
lemme know when you make it the whole way around pls
update I tried this and now I have become a shift register
👀 careful out there fam.
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
nostr:nprofile1qqsp3yzapfwkyw4cr2vt4xx9s27474lj2pkxhqyfqh79n826pv3fkzqpzpmhxue69uhkummnw3ezuamfdejsz9rhwden5te0wfjkccte9ejxzmt4wvhxjmcpp4mhxue69uhkummn9ekx7mq8gj7q7 heads up, not sure if you're still using coinos but nsec may be compromised
Thanks Cuban. Saw that. Never used the forwarding feature. But I emptied the wallet and switched to primal NWC just in case.
I know you are currently fixing things. Is this why I cannot login to my coinos?
😂
I worry I could end up where I started on the curve
That’s the stuff that keeps me up at night
whatever rotates your key man
Maybe I'm not an asshole for raging against nsec pasting culture after all. But that's a separate topic.
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
a handful:
oh my
Pretty much 🤣😂
Ooof!
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqzyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqgphpupe
GM
This seems to happen quite often to them. 🤔
Not good
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpzamhxue69uhhsmtj9e6hxetwdaehgu3wdaexwtczyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqgxzjytx
Might be worth checking for this address too.
nostr:note1ezvpf8dzcf6anplwjlgyqpppye27wgdh6aheu5p5fn35twpqxyws93cpyd
Good luck with the investigation. Here’s to coming out stronger from this. 👊
Are you still having issues logging in? Please email support@coinos.io
Yeh. "login failed". My account wasnt connected with NOSTR
Lmao year of our lord 2025 and people are still raw dogging nsecs?
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gprdmhxue69uhhg6r9vehhyetnwshxummnw3erztnrdakj7q3qh2qfjpnxau9k7ja9qkf50043xfpfy8j5v60xsqryef64y44puwnqxpqqqqqqzak0k3v
Unable to zap.... No lightening wallet found.
move your funds out of coinos.io they had many security flops, this just being the last one nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpr9mhxue69uhhwmm59e6hg7r09ehkuef0da6hgcn00qpzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqvzqqqqqqyusztpv
He already posted about an ongoing investigation:
nostr:nevent1qvzqqqqqqypzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52g9e9955
I’m sorry but this is simply unacceptable. One to be storing private keys in the first place this way and two if you have known hackers that have hacked you before to that degree you need to tell everyone I mean EVERY ACCOUNT about this.
nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
Why are you storing private keys on file? That seems very irresponsible
😳😳😳👀🤦♂️
Think he means create new Nostr keys entirely ? 🤔
"recommending to rotate nostr keys" ahahaha
nostr:nevent1qvzqqqqqqypzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52g9e9955
Are you still using your nsec to login somewhere, anon?
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
It happens to the best of us
Keep up the great work. Thanks 🫡
This is why remote signing, extensions, possibly sub keys, etc all need to be a standard. This sort of problem at scale would be a disaster. #Nostr keys are precious and a major problem still remains that many clients or services still have a place to paste private keys to login or use the service.
Be extremely careful with this and if you aren’t sure if you are using keys client side only, then opt out until a better option is available.
Love CoinOS btw, this isn’t a dig and they’ve implemented most of the above options for this reason. Just really important to know the trade offs with things like this.
nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg96szvsveh0pdh5hfg9jdrmavfjg2fpu4rxne5qqex2w4f9dg0r5cpsgqqqqqqsvsjscr
Once upon a time I remember we used to complain bitcoin/nostr stuff wasn't attacked enough as people liked the projects. These days attacks are constant, sophisticated and from every direction, many state sponsored. Its ultimately a good thing for hardening and something users should be prepared for using bleeding edge, but of course very painful.
I salute you brave users/developers🫡
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk
I’m still here for you <3
TKay tried flipping, it was not effective!
I hope you all learn a valid lesson from this. I Storing private keys is massively irresponsible and you should be held accountable.
Transparency and full disclosure. It's not the easy way, it's the right way. Thank you Coinos.io for your continued efforts to harden and fight off the actors who will inevitably go after sats wherever they may be. It is more important than even, that we all learn to self custody and do regular sweeps to protect ourselves from these threats. 💪🫡
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk
👀
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e
Sorry guys. This kind of failure is unacceptable. This is why users need to have self custodial user friendly wallets. This is what always happens when you rely on a third party for your wallet, and that third party has any control whatsoever.
Coinos themselves are at fault for this issue, but only in so far that this will happen to every single custodian, at one point or another. They made some bad security decisions, but that's unimportant. They could have done everything correctly and eventually something would have happened anyway.
This is why self custody is necessary. Mistakes happen, most of the time the custodian is not evil or malicious, it's the very ability to have control over another's funds or data that is the problem, almost never who the controller is.
What coinos did right is the user friendlyness. I liked coinos, it works, the ui is clean and simple, and getting setup is incredibly easy. But they took custody of user funds, and that's always a problem in the making.
The wallet integrated in animestr will be entirely self-custodied, and still be as intuitive as coinos (if not more)
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqg658atz
nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqg658atz
#NYKNYC-OS
All good, fam; it may be a nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyg8wumn8ghj7mn0wd68ytnvv9hxgqpqh2qfjpnxau9k7ja9qkf50043xfpfy8j5v60xsqryef64y44puwnqmdsa3p issue. 💁♂️
They've had some malicious actor, breech-related complications recently so they may have frozen transfers for #Bitcoin / #BTC custodial stash security purposes. 🤙
nostr:nevent1qvzqqqqqqypzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52g9e9955