Pages:
Author

Topic: Checkout the latest BTCLend feature available now! (Read 1574 times)

donator
Activity: 686
Merit: 519
It's for the children!
https://talk.paycoin.com/discussion/1393/my-experience-with-btclend-a-tale-of-loans-staking-hacks-and-headache#latest
https://archive.is/yuq4b

@CeForce Community Selected Moderator, PayCoin Talk Founder, Team Paycoin Member

My experience with BTCLend. A tale of loans, staking, hacks, and headache.

Quote
My BTC Lend LLC, www.btclend.org Experience:

The company BTC Lend LLC organized in Delaware file # 5650922
CEO Carmelo Millian
Registered MSB via FinCEN: 31000064289192 for Money transmitter and Other.
BTCLend provides Peer 2 Peer, bankless, virtual currency loans and related services. Through their web platform www.btclend.org. The company holds customer deposits, loans virtual currencies to its users, allows its users to loan virtual currencies to each other, as well as other virtual currency related services.

Loans/Registration/Payments
I had a few problems with registration, and then some issues with my documents being approved for the account and lending verification. Carmelo generally took care of them but it was sort of a pain to get my account verified to a high enough level in order to have a decent reputation to start out.

A reputation loan is a non-collateralized loan given from BTC Lend or one of its users to another of its users. Reputation loans use a scoring model or algorithm based on a user's reputation score. The score is based on things such as identification provided, previous history, and presence in the community as well as other factors.

I had my first reputation loan funded Jan 24 for 0.15 BTC. It doesn't seem to stand out as having any issues. I paid the loan back a few days later to build my reputation score. I had to link my coinbase account every time I wanted to make a transaction, and disable coinbase two factor authentication (2FA) for the transaction then enable it again or it wouldn't go through.

My second reputation loan was for for 0.95 BTC I made the First payment of 0.34754167 BTC a couple of days early, it never registered on my account then showed late and resulted in my reputation score going down.

I made the next payment this time on the day it was due. Also showed as late, resulting in losing more reputation score through no fault of my own. I had to email BTCLend CEO Carmelo Millian directly with all of the payment information and it took several emails for him to fix the issue with my account and reputation/profile.

Then I made a larger loan request for 2 BTC (~$500 USD). It was funded and again I needed to manually authorize the coinbase API, disable Coinbase 2FA, make the withdraw, re-enable 2FA. I made my payments on time etc. eventually decided that I didn't want to deal with the payment system anymore, so I paid off my loan off entirely early just to be done.

Staking
Paycoin, symbol XPY, is a virtual currency created based off of the Peercoin source code. While the original virtual currency Bitcoin is based of Proof-of-Work which requires vast computational power to generate new coins Peercoin and paycoin are based on Proof-of-Stake which requires a user to have stake or an investment in the coin in order to generate new coins. Staking is the systematic process of generating new coins. BTCLend began offering a "staking wallet" or "staking service" for Paycoin.

In the meantime as the XPY staking wallet launched I moved the bulk (at that time) of my XPY holdings to BTCLend to stake. I had very few if any issues technically speaking during that time.

As time went on and I saw ideas like LendCoin (LCN), a virtual currency with a guaranteed $1 floor value, come and go watching how BTCLend grew I became more and more uncomfortable that they were good stewards of my deposits.

On May 20 I submitted a ticket requesting that my XPY be unlocked and that my account be deleted. I looked for any TOS I could find and the one I found had no mention of unlocking the staked XPY or any mention of penalty.

After 6 days of no response I emailed BTCLend CEO Carmelo Millian directly, asking for a resolution. He then informed me that he could unlock my coins, for a 20% penalty.

I still can't afford to take a 300 XPY hit, so I decided I'll just deal with it until July when they unlock anyways.

Little did I know the Coinbase API was still actually active on my account, somehow it managed to work perfectly in the end.

On May 29 I woke up to a couple of emails from coinbase that I wasn't exactly expecting:

"On May 29, 2015 you purchased 4.0000 BTC for $958.01 USD from *Bankname* - Bank *****last4.
Those bitcoins are now available in your My Wallet account!"

Followed Shortly By:

"You just sent 4.0000 BTC (worth $946.00 USD) to 1JYprFYWXWsJ2c3YFAztoX5WHoPwJQh6s3.
Attached message:
Funded by Transfer with ID: 556883126c32f9273100009b"

I immediately contacted Coinbase about my account being compromised. Given that I had 2FA my initial reaction was one of confusion and great concern. I then followed up with my bank to let them know that there was a purchase coming that was fraudulent as a result of my coinbase account being compromised.

As I calmed down over the next few minutes I started working through how the 2fa could have been bypassed. My phone had no new texts with Authy requests for new devices, as I looked at my Coinbase account further and checked the API access to my account there was that lone entry from BTCLend. The one that never worked to begin with, active with full access to my coinbase account.

After disabling it I then again contacted Coinbase and let them know I was fairly certain I knew how it happened (they had emailed me in the meantime asking if I knew about BTCLend). They also mentioned that since this was an API I authorized I was basically out of luck. I also know that if I initiated a fraud dispute with my bank over this I would lose my coinbase account. Not something I'm exactly keen on.

I then contacted Carmelo. And let him know that my personal bank account had been hit for $1,000 dollars. On BTCLendtalk a thread had been created https://btclendtalk.org/topic/251/coinbase-hacked where a user had mentioned himself and another person had the same 4 btc taken from their coinbase via the API.

Carmelo then posted, https://btclendtalk.org/topic/252/our-coinabse-api-was-compromised-solved, that there was a compromise and that no customer coins had been compromised. The full message regarding no customer funds compromised was later erased with no explanation given as to why. Despite that thread being active and 3 users (myself being one of the three) reporting that we in fact had coins compromised, and we were also BTCLend customers. It wasn't until he was told directly by others in a call that coins had been compromised and he needed to fix his post did he do so. In reality thousands of XPY were taken and over 25 BTC.

Carmelo then promised to pay me back, but not until the following Friday June 5th. In the meantime, My house payment was due June 1 and the payment had already been sent/authorized. My car payment was due June 1 and had already been sent/authorized.

As promised on June 5.

"You just received 4.0000 BTC (worth $899.44 USD) from an external bitcoin account."

By the time I was paid back BTC had lost value and the amount I was paid was worth almost $50 dollars less as the funds came directly out of my checking account.

So to say that this would be a financial problem would be putting it lightly. I had to borrow 4 BTC from a very generous friend and initiate a sell immediately on my coinbase account (after I finally got it unlocked)

***Continued in next post****

Quote
My sob story:
My wife and I live on a fairly tight budget. I'm a stay at home dad who got full-on garza'd (An alleged international con-man accused of defrauded 1,000's of virtual currencies investors of tens of millions of dollars). We live generally on the edge and the first of the month is always close as most of our payments hit around that time. Had I not been able to immediately borrow the money I would have had a late house payment, a late car payment and certainly a hit on my credit. The best part. June 5th is my anniversary so as if it did suck enough we almost had to cancel our weekend plans to take our son camping.

I have again asked that my coins be unlocked, and without penalty. I feel like it's the least they can do for my trouble. Generally my experience has been nothing but, at the very least a constant inconvenience. It's fairly apparent as time has gone by that BTCLend is playing fast and loose with not only security, but customer coins.

His initial response was to tell me that Coinbase had been hacked and that he was covering his customers because it was the right thing to do.

"Just so you know, The Coinbase hack was not only on BTCLend customers. We just went ahead and covered our customers because it’s the right thing to do. Good Luck."

I reached out to Coinbase using my existing ticket related to this incident as I hadn't heard anything regarding Coinbase being comprimised: Thje response from Coinbase support closed with this:

"The unauthorized transactions were created using only the API key which you affirmed was used for BTCLend. Whomever created these transactions required access to the API key, and at this time we have no indications that our customer’s API keys are vulnerable."

Carmelo has agreed and asked his developer to unlock my coins. I will be withdrawing all my holdings from BTCLend when they are available. I will be requesting my account be closed my data be deleted. He has now informed me that the coins are locked as collateral and asked if I still have an active loan. (I don't). One thing after another, after another.

I generally don't post often or anything of substance. I'm not really one to make public posts about individuals or companies, especially after getting GAW'd as hard as I have. I feel like it's important for me to share my experience as I've been a BTCLend user since nearly the beginning. I've experienced real loss as a result of BTCLend, the stress on my family alone over this last issue has been enough to make all of it not worth it. Knowing that others out there will continue to experience what I have bothers me enough to make people aware of what I've dealt with and the loss and headache I've endured.
donator
Activity: 686
Merit: 519
It's for the children!
UPDATE:

BTC Lend is a FinCEN registered MSB operating, allegedly illegally, in the state of Florida with their LLC based in Delaware.   

The service was COMPROMISED for the SECOND time and customer coins were LOST for the second time (second confirmed time).   

Carmelo then posted that everything was solved (as quoted and archived below) and no customer coins were lost. 

Cryptsy and Bitrex were notified of the theft.

Addresses for the stolen coins.

I don't believe the public has been notified of any details yet?   

XPY 42,000
https://chainz.cryptoid.info/xpy/address.dws?PN9tXWfRNxaTrKyGgLM7UXKLxPwoyjoVHf.htm

BTC 21
https://blockchain.info/tx/f6e75742ad5f22b342308c6e1809be3452811f212ccb039e37c47e65999136bd

BTC 4.45
https://blockchain.info/es/address/1bwqkYg7SqQnYuQ19eNXsovSgVHMYypGg

BTC 2
https://blockchain.info/es/address/18nUecCHjFHC6QjpzQX7t5HgQ32wPuqKm6

@Paul Revere, some of the recent dumps may have been carmelo withdrawing from ZenCloud to buy BTC in order to payback the lost bitcoins!  Since BTC Lend has four (4) prime controllers they can likely make up the xpy.   

BTC Lend may be operating at a negative balance (Fractional Reserve) right now.


Well Looky Here:

https://btclendtalk.org/topic/251/coinbase-hacked
https://archive.is/MerLI

@VCollective
Quote
Coinbase Hacked
Everyone check your coinbase account, i have had reports of 4 BTC getting purchased and sent to an address. 2 confirmed reports so far.

Coins were sent to here 1M8zzE2HHsPvBHUeKQ6wwD2B8bjHcBqnvd
sr. member
Activity: 406
Merit: 260
The Scamcoats are coming!
Still waiting for this supposed "rogue developer" to be identified. Why would BTClend not expose this person who took control of their customer's deposits and then crazily used leaked HYperstake keys to set up Hyperstaking addresses with them instead of simply moving them to an anonymous wallet? This rogue developer is clearly insane, and the Crypto Community is at risk of this guy turning up somewhere else to make extra income for some other business through nefarious means as well. Or, Carmel Milian is lying and he and his partner Homero Garza were the ones who took customer coins and set them up with the leaked Hyperstake keys.
donator
Activity: 686
Merit: 519
It's for the children!
BTC Lend is a FinCEN registered MSB for activities:
409     Money transmitter
499     Other

https://wallet.btclend.org/
Quote
AML/KYC COMPLIANT

BTCLend is registered with FinCEN as an MSB and is committed to preventing money laundering and illegal activity. BTCLend is proactive in monitoring irregular and increased account activity.

http://www.fincen.gov/financial_institutions/msb/msbstateselector.html (search for btclend)
http://puu.sh/hUEGT/f7bc841751.png

What has been admitted by Carmello the CEO of btclend thus far:
1) The company lost control over ALL customer deposits via a rogue developer. 
https://btclendtalk.org/topic/50/aparently-some-leaked-prime-controller-keys-are-staking-btclend-coins
Also admitted on gethashing and btctalk.

2) The company violated its own privacy policy and ToS by LOCKING all customer DEPOSITS and forcing users to enter personal information without notice of this change.
legendary
Activity: 910
Merit: 1009
favdesu: indeed  Smiley

il crosspost this from GAW scam thread for anyone who is annoyed by this:

I got emails from BTCLend from an email only used with Paybase. They somehow got the Paybase database. Totally not connected to Garza in any way.

It told me a friend referred me, is Homero my friend?

I just got another one, from yet another throwaway Paybase account. At the bottom it says

Quote
You have received this email because you have subscribed to BTCLend, LLC  as **redacted**@opayq.com. If you no longer wish to receive emails please unsubscribe

This is an outright lie. I'm thinking of sending a threatening response. What's the proper procedure for responding to illegal emails under spam laws again? I know some people were going over it when hashtalk switched domains.

in the US, try this:

http://www.onguardonline.gov/articles/0038-spam#report
  

Thanks. It was sent from sendgrid, I reported it to them following instructions at https://sendgrid.com/report_spam and forwarded it to    [email protected]. I also reported it to gmail.


So if you are in the US or if the business is in the US, like say if it claims to be in CA or CT, it would be multiple violations of the CAN-SPAM act?  Reportable to the FCC: https://www.fcc.gov/encyclopedia/can-spam

https://www.fcc.gov/guides/spam-unwanted-text-messages-and-email

You have multiple options for filing a complaint with the FCC:

Quote
File a complaint online: https://consumercomplaints.fcc.gov/hc/en-us/requests/new?ticket_form_id=38824
By phone: 1-888-CALL-FCC (1-888-225-5322); TTY: 1-888-TELL-FCC (1-888-835-5322)
By mail (please include include your name, address, contact information and as much detail about your complaint as possible):
Federal Communications Commission
Consumer and Governmental Affairs Bureau
Consumer Inquiries and Complaints Division
445 12th Street, S.W.
Washington, DC 20554
legendary
Activity: 1764
Merit: 1000
this guy (cmilian who runs this shit show) is using GAW's / garzas database of emails and spamming each one. great  Roll Eyes
using common spammer tactic illustrated in the following picture:


can't you just report this to their web/host? most of them have a TOS against spamming.
legendary
Activity: 910
Merit: 1009
this guy (cmilian who runs this shit show) is using GAW's / garzas database of emails and spamming each one. great  Roll Eyes
using common spammer tactic illustrated in the following picture:
donator
Activity: 686
Merit: 519
It's for the children!
https://forum.gethashing.com/t/btclend-colateral-based-peer-to-peer-lending/2295/125

BoB
Quote
K'in 'ell, anyone would have to be short on braincells to go anywhere near this scammy little shite. From the link you just posted:

Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
So saying "we can offer a better service" without specifying how collecting that info helps provide a better service counts as identifying the purpose for which the info is gathered? Utter BS.

We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.
From this word salad I gleamed the following information: We'll use any info you give us for anything whatsoever, including the original purpose for which it was gathered. Such as selling it.

"...and use of personal..."

"...compatible purposes, unless we obtain..."

Was this written by a ■■■■■■■ 7 year old? I think his mother needs to give him a good slap and tell him to stop trying to play with the big boys. He clearly doesn't have the mental capacity to do it.

We will only retain personal information as long as necessary for the fulfillment of those purposes.
And then how will it be dealt with? Where's the information regarding ho it will be disposed of. I'm assuming this is the point at which he tells us that the piece of paper he printed it out on will be fished off of the crap on his desk, screwed up and thrown in the waste paper basket.

We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
Here he blatently admits that he would collect your personal information even without your knowledge or consent if he deems it inappropriate. Scum.

We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access,
Yeah, because that worked so well with the customer coins you used for hyperstaking, didn't it, @cmilian . Anyone trusting you to secure anything is asking, begging in fact, for trouble.

We will make readily available to customers information about our policies and practices relating to the management of personal information.
Translation: We will throw together a semi literate page full of garbage that is badly written in the hope that you aren't smart enough to see through our utter BS and total lack of professional capabilities to actually provide any of the services and guarantees which we offer.

Anyone doing business with carmello is begging to be ripped off, treated like ■■■■ and taken for a ride.

Or maybe I'm just slow and plain stupid...
legendary
Activity: 1764
Merit: 1000
Carmello's response to my inquiry on what was decided for the 4,000 staked coins after 17 days of waiting:



This tactic looks familiar.

Ahhh, the ol' Kissimmee Ass tactic when confronted with a hard question. Seems legit. Roll Eyes

obvious answer. the good solution will be his personal wallet. geez, stop spreading fud /s
sr. member
Activity: 406
Merit: 260
The Scamcoats are coming!
Carmello's response to my inquiry on what was decided for the 4,000 staked coins after 17 days of waiting:



This tactic looks familiar.

Ahhh, the ol' Kissimmee Ass tactic when confronted with a hard question. Seems legit. Roll Eyes
donator
Activity: 686
Merit: 519
It's for the children!
Carmello's response to my inquiry on what was decided for the 4,000 staked coins after 17 days of waiting:



This tactic looks familiar.
sr. member
Activity: 406
Merit: 260
The Scamcoats are coming!
Where can I find the real life identities of the people who will be in charge of my coins?

This looks like a ponzi in a tuxedo.

That apartment complex address on btclend site is fake. You can find the real scammer here in the flesh. Verified.

Carmelo Milian
888 Assembly Ct
Kissimmee, FL 34747
(978) 587-3250

Ahh. So this ass is in Kissimee? I have told Carmelo to Kiss My Ass, and now it turns out that he actually is a  Kissimmee Ass.  Cheesy
newbie
Activity: 33
Merit: 0
Where can I find the real life identities of the people who will be in charge of my coins?

This looks like a ponzi in a tuxedo.

That apartment complex address on btclend site is fake. You can find the real scammer here in the flesh. Verified.

Carmelo Milian
888 Assembly Ct
Kissimmee, FL 34747
(978) 587-3250
legendary
Activity: 910
Merit: 1009
i thought BCT was below you CMILIAN? running out of customers to defraud?

pretty sweet that you change your terms after customers have locked their coins in. doesnt sound like Homero Garza at all
legendary
Activity: 3654
Merit: 8909
https://bpip.org
http://puu.sh/hSyuf/711ca9c2fa.png

Any reason it takes 17 days to burn some coins?

What were you saying about finding a new shiny object to play with?

I bet that's what Carmelo Milian, a business associate of Homero Joshua Garza would consider a good solution.

You could start a thread such Smiley

I'm sure it would be all the rage....

On a second thought, who cares about this wannabe banker from Florida. He doesn't even have friends in Singapore to help him escape US regulations.
donator
Activity: 686
Merit: 519
It's for the children!
http://puu.sh/hSyuf/711ca9c2fa.png

Any reason it takes 17 days to burn some coins?

What were you saying about finding a new shiny object to play with?

I bet that's what Carmelo Milian, a business associate of Homero Joshua Garza would consider a good solution.

You could start a thread such Smiley

I'm sure it would be all the rage....
legendary
Activity: 3654
Merit: 8909
https://bpip.org
http://puu.sh/hSyuf/711ca9c2fa.png

Any reason it takes 17 days to burn some coins?

What were you saying about finding a new shiny object to play with?

I bet that's what Carmelo Milian, a business associate of Homero Joshua Garza would consider a good solution.
sr. member
Activity: 406
Merit: 260
The Scamcoats are coming!


Any reason it takes 17 days to burn some coins?

He could always give them to the guy that discovered his "security breach" as a gesture of good will. I promise I will dump them immediately.  Grin
donator
Activity: 686
Merit: 519
It's for the children!


Any reason it takes 17 days to burn some coins?
donator
Activity: 686
Merit: 519
It's for the children!
Where can I find the real life identities of the people who will be in charge of my coins?

This looks like a ponzi in a tuxedo.

It is the 12 international developers (allegedly 11 now) who have access to your coins you need to worry about more than the people in charge of the company.

The one who used customer coins to create a "prime controller" for Paycoin with 600,000 coins was allegedly fired.   

Paul Revere discovered this breach in trust, NOT BTC Lend!

After this was reported Mr Millian promptly began insulting and making threatening comments? maybe bullyish comments "I wish I had you in front of me." instead of explaining the situation.   

No transparency has been provided with regards to the incident and the answer which was ultimately left with the community was: "You want details subscribe to our mailing list or read our forum."

Their Forum update leaves much to be desired: https://btclendtalk.org/topic/50/aparently-some-leaked-prime-controller-keys-are-staking-btclend-coins

Pages:
Jump to: