The real hackers will usually not settle for only 10% of the award money and also when everyone knows the person, then it will be even more difficult for the hacker to survive (if the intention for the company is to identify and take action against him).
Look at it this way. It's better to have $20 million and live as a free man thinking how to spend the money for the rest of your life than perhaps get arrested, have the coins confiscated and returned to the legitimate owners, and spend 20 years in prison. It all depends who the hackers are and if they have significant backing and state protection. 
Topic: Mixin Network hacked - $200 Million lost (Read 407 times)
It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and do B.
It's certainly a double-edge sword. Maybe they want the hacker(s) to start communicating with them in a hope to aid government agencies to track the individuals and restore the full $200 million. No one would be crazy enough to accept going through identity verification before receiving the $20 million bug reward lol. Maybe they think they will discover more through the communication channel.I think this mixin hack was an insider job though we have no evidence for this. The real hackers will usually not settle for only 10% of the award money and also when everyone knows the person, then it will be even more difficult for the hacker to survive (if the intention for the company is to identify and take action against him).
It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and do B.
It's certainly a double-edge sword. Maybe they want the hacker(s) to start communicating with them in a hope to aid government agencies to track the individuals and restore the full $200 million. No one would be crazy enough to accept going through identity verification before receiving the $20 million bug reward lol. Maybe they think they will discover more through the communication channel. 
I read some news yesterday that the Mixin team promised the hackers $20 million as bug bounty if they returned the rest and explain how they attacked the network. Stranger things have happened. $20 million is still a lot of money + you avoid persecution and having to think if someone might be on your trail.
Damn, not sure if this is a common occurrence but it does sounds like they don't even know what part of their service has the worst security. It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and do B.
Who knows, maybe the hacker or hacking group decides to return the stolen coins minus a $20 million reward as a bug bounty. I read some news yesterday that the Mixin team promised the hackers $20 million as bug bounty if they returned the rest and explain how they attacked the network. Stranger things have happened. $20 million is still a lot of money + you avoid persecution and having to think if someone might be on your trail.
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why it feels like I have some odd feeling on this one. Yeah, it's a temporary solution that they can provide to gain back the customers confidence about this incident. Not a hater or what not but isn't that we've seen something like this when the fiascos of Do Kwon has happened.Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.
But anyway, I guess with all of these platforms and networks that have been hacked with a lot of money. I guess that they all invested in security but the reality is that, no matter how strong the network and its security protocols are, all of them are prone to attacks and success rates of it are increasing.
You have some odd feeling because something is terribly odd. Feng Xiaodong not only sounds substandard, he's also funny ensuring that 50% of the users' funds are safe but it's going to be in the form of "bond tokens" which they will create out of thin air and will buy back in an undetermined time in the indefinite future. LOL! He at least knows how to crack a good joke.
I don't know how secure the network really is, but it doesn't matter. All it takes is one foolish move and all security is pointless, something like your funds are in a cold storage and you kept the seed phrase in your Gmail drafts. LOL! They claim to be a "decentralized multisig" solution and they have a cloud service provider whose database stored the keys.
True.One employee or one of the co founders done something wrong and true that one mistake in the tiniest that he can do, they're all going to fall down. Seems like that there's an interesting development on this one on how they've screwed up.
There's option to use non-custodial wallet (such as Bitcoin Core). Although some time after done writing my review, i got impression we only have direct access to one of the key. Two other keys seems to be managed by Mixin Safe and Mixin Messenger.
I was taking a look at how their system works, because they are not as "decentralized " as they said. Their whole system is so complicated
But they said they own a recovery key, the last key, which should have a time lock.
Was this used in the hack?
https://safe.mixin.zone/how-it-secures
Quote
Recovery Key
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.
The news doesn't mention Mixin safe got hacked. But if Mixin Safe also hacked, only address which receive deposit more than 1 year should be hacked. Although at time when Mixin run review campaign, the timelock duration shortened to few days where i move my coin through that recovery key.
There's option to use non-custodial wallet (such as Bitcoin Core). Although some time after done writing my review, i got impression we only have direct access to one of the key. Two other keys seems to be managed by Mixin Safe and Mixin Messenger.
I was taking a look at how their system works, because they are not as "decentralized " as they said. Their whole system is so complicated
But they said they own a recovery key, the last key, which should have a time lock.
Was this used in the hack?
https://safe.mixin.zone/how-it-secures
Quote
Recovery Key
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.
There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1], according to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future. From this news i think we can say users of mixin safe have probably lost 100% of the funds they had in the platform, and i know it sounds cliché, but not your keys, not your coins has to be repeated again and surely not for the last time.
[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/
I haven't seen any official statement except on Twitter recently there was a tweet about the problem, Mixin team said 'the loss is not as big as expected' Meaning there is still a chance for customer funds to be returned? I guess it's hard...[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/
The link about the statement of Mixin founder - Feng Xiaodong leads to Twitch without any video.
While on Twitter Mixin will take responsibility for this loss with action but still don't understand if this is 50% of customer funds will be returned or full.
Quote
Regarding the asset losses, we can only take responsibility through action besides apologizing. At the same time, being responsible has always been Mixin's attitude. Specific reimbursement rules still need some time.
[1] https://twitter.com/MixinKernel/status/1706948541850235274
That was for Mixin Safe not Mixin Network, Mixin Network is the entire company owning all this stuff but the Safe vault was using time-locked multisig they cannot breach, it does not need a cloud database or any of that stuff.
Take note that 'multisig' on Mixin safe is not the typical multisig wallet you create on a wallet like Electrum, to sign a tx in Mixin safe you need the 'approval' of both owner's and member's wallet, but any safe in Mixin safe is centralized and you don't control the keys to the funds, the platform does, and they stored it online, in the cloud. From Feng Xiaodong's livestream, this hack affected every user who has funds in their platform, even in the vault they said was safe.50% is a large amount for a platform to lose at once. I am not quite sure if this will work though,
Surely this will not work, and i believe all users in the platform can consider 100% of their funds lost. If Mixin network didn't lose all of it they will just refund the 50% of the assets they claim to have secured in the crypto that the customer had initially deposted or any other payment option that has value, but they want to issue bond tokens out of thin air, to later repurchase it, what if the platform bites the dust soon or before they can make that repurchase, what if they totally lose customer trust and can no longer make any profit. They have only said this as PR, to calm customers' down for now. 
They have a running campaign and conducted one of the highest review campaigns in the forum. The Mixin review employed 100 members and paid the highest amount and members were even paid upfront. They have suspended both deposits and withdrawals which means customers will wait to get more information from the management.
That was for Mixin Safe not Mixin Network, Mixin Network is the entire company owning all this stuff but the Safe vault was using time-locked multisig they cannot breach, it does not need a cloud database or any of that stuff.
I would not call Mixin a decentralized network, they are centralized and do have a single point of failure, which is that they store the keys to their customers' funds online, in the cloud.
That is correct.
Quote
There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1], according to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future. From this news i think we can say users of mixin safe have probably lost 100% of the funds they had in the platform, and i know it sounds cliché, but not your keys, not your coins has to be repeated again and surely not for the last time.
50% is a large amount for a platform to lose at once. I am not quite sure if this will work though, but he looks to have a plan at least. (Not like SBF who just wrote
WHAT
H
A
P
P
E
N
E
D
after he lost everyone's money).
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why it feels like I have some odd feeling on this one. Yeah, it's a temporary solution that they can provide to gain back the customers confidence about this incident. Not a hater or what not but isn't that we've seen something like this when the fiascos of Do Kwon has happened.Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.
But anyway, I guess with all of these platforms and networks that have been hacked with a lot of money. I guess that they all invested in security but the reality is that, no matter how strong the network and its security protocols are, all of them are prone to attacks and success rates of it are increasing.
You have some odd feeling because something is terribly odd. Feng Xiaodong not only sounds substandard, he's also funny ensuring that 50% of the users' funds are safe but it's going to be in the form of "bond tokens" which they will create out of thin air and will buy back in an undetermined time in the indefinite future. LOL! He at least knows how to crack a good joke.
I don't know how secure the network really is, but it doesn't matter. All it takes is one foolish move and all security is pointless, something like your funds are in a cold storage and you kept the seed phrase in your Gmail drafts. LOL! They claim to be a "decentralized multisig" solution and they have a cloud service provider whose database stored the keys.
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why it feels like I have some odd feeling on this one. Yeah, it's a temporary solution that they can provide to gain back the customers confidence about this incident. Not a hater or what not but isn't that we've seen something like this when the fiascos of Do Kwon has happened.Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.
But anyway, I guess with all of these platforms and networks that have been hacked with a lot of money. I guess that they all invested in security but the reality is that, no matter how strong the network and its security protocols are, all of them are prone to attacks and success rates of it are increasing.
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
I wonder how long the platform will stay afloat until every token is purchased back. How would they ensure that nobody is abusing it by buying them cheaply from the P2P market or just hacking the smart contract? Seeing how they lost their money it doesn't give any confidence at all. It is really surprising how a platform that holds a hundred million dollars of money doesn't have a good security mechanism to protect its funds. So a decentralised network got attacked because it was working on a centralised server if I'm not wrong?
I would not call Mixin a decentralized network, they are centralized and do have a single point of failure, which is that they store the keys to their customers' funds online, in the cloud.There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1], according to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future. From this news i think we can say users of mixin safe have probably lost 100% of the funds they had in the platform, and i know it sounds cliché, but not your keys, not your coins has to be repeated again and surely not for the last time.
[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/
So a decentralised network got attacked because it was working on a centralised server if I'm not wrong?
Is there a possibility for the hackers to be traced and these $200 million be retrieved by them? Or is it a gone case completely?
I believe that some internal person is definitely involved in this, else how would the hackers be able to know about the wallets and how can they attack directly? Will keep a close watch to know what happens next here.
It's like saving your private keys on telegram that works through your phone number, some day your number gets discontinued due to not having enough recharge done by you and it goes to some other person and he/she just logs into your telegram (unknowingly) and sees what in the saved messages? Your private keys. Think.
Is there a possibility for the hackers to be traced and these $200 million be retrieved by them? Or is it a gone case completely?
I believe that some internal person is definitely involved in this, else how would the hackers be able to know about the wallets and how can they attack directly? Will keep a close watch to know what happens next here.
It's like saving your private keys on telegram that works through your phone number, some day your number gets discontinued due to not having enough recharge done by you and it goes to some other person and he/she just logs into your telegram (unknowingly) and sees what in the saved messages? Your private keys. Think.
Based on my experience (reviewed Mixin safe few months ago), it's supposed to be custom multi-signature address with custom spend condition (2-of-3 by default and your own key after some time).
I know that to spend on mixin safe you need to 'sign' the transaction from your owner's wallet and member's wallet, but it is surely not the typical self custodial multisig wallet that you'll create in a wallet like Electrum for example. A safe in mixin safe is custodial and you do not control the keys to your safe and the announcement after the hack shows they store these keys online, in the cloud, a single point of failure and a very bad option to secure this amount of money.I was also expecting it to be proper multisig, and the system would keep one key of many, and the system would only help with interfacing the actual/real multisig operations with the messages/confirmations from the parties.
From the way the service was presented/packaged, it should have not had a sigle point of failure, unless they've done either a mistake either something fishy under the hood.
Based on my experience (reviewed Mixin safe few months ago), it's supposed to be custom multi-signature address with custom spend condition (2-of-3 by default and your own key after some time).
I know that to spend on mixin safe you need to 'sign' the transaction from your owner's wallet and member's wallet, but it is surely not the typical self custodial multisig wallet that you'll create in a wallet like Electrum for example. A safe in mixin safe is custodial and you do not control the keys to your safe and the announcement after the hack shows they store these keys online, in the cloud, a single point of failure and a very bad option to secure this amount of money. 
Today's breaking news - that Mixin Network's cloud database has been attacked resulting in the loss of several mainnet assets and that's what the official statement on Twitter says.
[1] https://twitter.com/MixinKernel/status/1706139175018529139
This is just an irony of action. If I were to predict that any platform would be hacked any moment I would never includ mixin. Mixin came to the forum with the promise of security our bitcoin and possibly make it hereditary. They also said that their system does not store people's private keys, rather they hold one of the keys, the customer hold one while the network friends hold one and in order to authorize transaction, atleast two of the three keys holders will have to approve. This means that for there to be a successful hack, the hackers got access to the mixin data base and also the customers data base which is bad.
I know mixin has been in existence for so many years, but they recently found their way to the crypto industry and are willing to dominate. But this hack will be a major set back to their reputation while many will lose confidence even after being refunded. I wish this never happened to them.
Their service is not easy to use, it's pretty hard and complicated for an average user and I really wonder, how was this project so popular? According to their website, more than $1B total value is secured and if we believe that, then roughly 1/5 of funds have been stolen.
By the way, even if funds are found, I don't think anyone will continue to use this service because the platform that has been promoting how secure it is, get's hacked easily, that means, they are everything other than secure.
By the way, even if funds are found, I don't think anyone will continue to use this service because the platform that has been promoting how secure it is, get's hacked easily, that means, they are everything other than secure.
Jump to: