The altcoin exchange Excoin has announced that it will soon shut down after alleging that an attacker was able to withdraw all the bitcoins from the exchange.

With a trading engine written in Go, Excoin launched what was predominantly a Blackcoin exchange back in November of 2014. Excoin also featured a proof of reserve page which reassured members that their funds were securely stored and accounted for.

As a result of the alleged theft, Lead Developer Samantha Chen posted the following announcement:

February 6th and 10th, the user 'Ambiorx' was able to gain access to all the Bitcoins on the Exco.in exchange. As a result we no longer have the means necessary to continue operation and are deeply saddened to announce we will be shutting down operations this month. The trading engine has been disabled and Exco.in user accounts will remain active, with the exception of Ambiorx's account and those who may be affiliated.

Users are now able to withdraw their remaining funds from Exco.in with new deposits having been disabled. If you have any issues withdrawing, please contact support we will assist you as soon as possible.

Exco.in will be liquidating its assets and holdings and converting it to BTC to make it available to our members.

We are sincerely sorry that things have come to this. Our goal was to provide a service for a community we sincerely cared about and wished to support.

We will do everything we can to make sure every member is reimbursed properly.

We would greatly appreciate any assistance in locating 'Ambiorx' and we will be available for support until operations cease.

Technical explanation:

Upon initial investigation it appears that during the DDOS two separate trades spiraled out of control either due to a bug or an exploit and transferred a very large number of small Bitcoin transactions to Ambiorx's account.

Ambiorx did not notify us and we had not realized due to their account not reporting any suspicious activity. The transfers in question were missing the trade ids, so they did not raise alerts in our system and were unable to correctly associate with the trade. Which resulted in the trade attempting to re-initiate the transfers endlessly. We had investigated the trades during this period and noticed two trades with issues caching trade data but it appeared minor at the time and they had the correct number of associated transfers. We fixed the caching issues with the trades and moved forward.

Ambiorx used the fraudulently obtained Bitcoins to purchase as much of the NBT and NSR on the site that they could buy and transferred it to off site addresses (included at the end of this message). The bugged/exploit trade continued to fill his account with new Bitcoins as he continued to spend them. From February 6th to the 11th, the remainder of the NBT, BTC and much of the NSR was drained from the site to the addresses listed below.

We noticed the hot wallets dwindling but assuming it was members moving their funds off site during the DDOS, we loaded all the cold balances onto the site so that users would not have withdrawals interrupted during our periods of up time.This fatal mistake allowed Ambiorx to continue to drain the site.

We are still investigating the exact cause of the bug or exploit and if anything else happened on the servers we have yet to notice. Excoin is still under DDOS attack which makes it very difficult to investigate the causes of these issues. We will provide more information about the attack as we learn more.

Samantha Chen (YT)

Exco.in Lead Developer

Email me at admin@exco.in for any clarification or questions

I will make myself available on IRC on freenode for questions.

I will be resigning from Blackwave Labs and looking for regular full time employment to help pay back the lost funds. I will also ask drunkonsound to help cover my loses with Blackwave Labs holdings as well.

Information We Have Collected On 'ambiorx'

Suspected Thief:

Username:

ambiorx

Email Address:

exco@comtecservices.be

IP Addresses:

141.101.105.65

141.134.108.38

62.210.170.27

171.25.193.20

194.150.168.95

82.116.120.3

IRC Records:

ambiorx (8d866c26@gateway/web/freenode/ip.141.134.108.38)

Suspected IRC Aliases:

arrakian [~arrakian@gateway/tor-sasl/arrakian]

scytale [~scytale/tor-sasl/scytale]

facedancer [~arrakian@gateway/tor-sasl/facedancer]

BTC Addresses:

1AaKKtfWVVwwUEzwXwQxasvSqmrnTQX6zQ

1NdbyjbAK4kBna2TQV8wNje5TfRR2tWxfJ

1BtxvnnACtYRbWnmgaNu6HN8UfBQW5QtQR

1AaKKtfWVVwwUEzwXwQxasvSqmrnTQX6zQ

1BnNn2LsVbn8DDWx5ABrDF1Vkc2epchf7Z

1PANRuwAet9F6WSVZLC2fkuxTeMFxvdzFZ

12RFmHYjNSpAwLJjMHzAU91zLe9Wd7T2Fc

1MCw31vCtyvtpyeNsmsuVpTFuKEXfmDb7m

1FYgqo8waWDYyjmGqifDtgbSfG7Pp1QA7M

1MY7qYCTsKfkvoXMq6XWYVUGKwsVsY5JjW

1B7k9aTwxAspzrGiQ3shBjB6DLmPPM3jSG

1PwXMcNZVAeDddQ6p9S12vFSAfuHMU1q3W

1MY7qYCTsKfkvoXMq6XWYVUGKwsVsY5JjW

1B7k9aTwxAspzrGiQ3shBjB6DLmPPM3jSG

1PwXMcNZVAeDddQ6p9S12vFSAfuHMU1q3W

13KUvkpxqbS5DiMwQscBar1pBtVvsQHhwM

1BtxvnnACtYRbWnmgaNu6HN8UfBQW5QtQR

19cRmsjcyUfiVPdy7DFu3FUfPhDKbkCruG

17JiGNa1xprKrkvEFNvGtVYf7UekoSTqzE

19cRmsjcyUfiVPdy7DFu3FUfPhDKbkCruG

NBT Addresses:

BHrY63eUcNMXeY4wx5cUUyGTNxjxPrteKp

B7dRpykKPViao7VzUL3pWYK7vRoXPQygJ4

BHBCqXWe9K85x2J3gr5X11h3QNrSJkQE9V

BHrY63eUcNMXeY4wx5cUUyGTNxjxPrteKp

B9x1KgYaWEz4mkuLwQ2DMm4eBs6kUpbrKU

BEZx8xGZfuiaJL2PVoBJx3je51kDv57TQ9

BSyrARuTDwKChftRUiVjAXwTHr2pwZpV94

BRCKA2rZkje7hp6zsh18vrv7aLdWXK3GRS

BKt7G4oMrPmkBLKbCZq8eTK7riT26YKxqS

B4eHmVLCKD1PuiKRcoNokYPPdJ1QCRXWms

BNPrcPHF1GhcrH5SVqRha4Mzef7gkYoact

BH8Bz1tYR5mm2hEfYZgiJeVfnDxpMvAA9a

BDWqf6PRRVN4hxHyYqeWaP1y4DUiD1t1ms

BPD9zQZMR7LhNc7hDtye5iV6UGRvPjQKdc

BK9KqjVNgW2Mhm9CnzLnK8qaUCcx4jcdhk

BHgqCEe3LjYkyG1xiM66Esp3MWmqNnT92s

NSR Addresses:

SMVTMUmhCa8AGbvR4B8AmsWExHUgkaEhsE

SgFzG93yKJqbTw1TM1nwvtesGBF7jFG4dY

Information We Collected From the DDOS

DDOSer Name

DD4BC Team

DDOSer Email

dd4bc@Safe-mail.net

Identified DDOS IP Addresses:

104.131.204.15

104.131.213.10

104.154.38.52

107.170.150.138

130.211.185.192

146.148.40.57

172.245.55.112

184.172.15.235

50.97.173.18

5.255.253.51

66.249.69.136

66.249.69.88

66.249.75.104

66.249.75.184

66.249.75.216

66.249.75.88

66.249.79.111

66.249.79.119

66.249.79.127

66.249.79.135

66.249.79.4

66.249.79.95

Email messages, logs and information from our database with personal information removed can be provided to those interested in assisting the investigation.

If you are interested in assisting please contact me at admin@exco.in for more additional details and questions.