Topic: Mixin Network hacked - $200 Million lost (Read 461 times)

legendary
Activity: 2730
Merit: 7065
October 01, 2023, 06:58:54 AM
#35
The real hackers will usually not settle for only 10% of the award money and also when everyone knows the person, then it will be even more difficult for the hacker to survive (if the intention for the company is to identify and take action against him).
Look at it this way. It's better to have $20 million and live as a free man thinking about how to spend the money for the rest of your life than perhaps get arrested, have the coins confiscated and returned to the legitimate owners, and spend 20 years in prison. It all depends on who the hackers are and whether they have significant backing and state protection.
sr. member
Activity: 1022
Merit: 280
October 01, 2023, 03:27:57 AM
#34
It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and did B.
It's certainly a double-edged sword. Maybe they want the hacker(s) to start communicating with them in the hope of aiding government agencies to track the individuals and restore the full $200 million. No one would be crazy enough to accept going through identity verification before receiving the $20 million bug reward lol. Maybe they think they will discover more through the communication channel.

I think this mixin hack was an insider job though we have no evidence for this. The real hackers will usually not settle for only 10% of the award money and also when everyone knows the person, then it will be even more difficult for the hacker to survive (if the intention for the company is to identify and take action against him).
legendary
Activity: 2730
Merit: 7065
September 29, 2023, 01:43:42 PM
#33
It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and did B.
It's certainly a double-edged sword. Maybe they want the hacker(s) to start communicating with them in the hope of aiding government agencies to track the individuals and restore the full $200 million. No one would be crazy enough to accept going through identity verification before receiving the $20 million bug reward lol. Maybe they think they will discover more through the communication channel.
legendary
Activity: 2170
Merit: 1789
September 28, 2023, 07:42:18 PM
#32
I read some news yesterday that the Mixin team promised the hackers $20 million as a bug bounty if they returned the rest and explained how they attacked the network. Stranger things have happened. $20 million is still a lot of money + you avoid prosecution and having to think about whether someone might be on your trail.
Damn, not sure if this is a common occurrence, but it does sound like they don't even know what part of their service has the worst security. It is definitely a tempting offer, but who knows what plan they have in the background. Maybe they did this just to catch them later on. Not the first time a company said A and did B.
legendary
Activity: 2730
Merit: 7065
September 28, 2023, 01:16:37 PM
#31
Who knows, maybe the hacker or hacking group decides to return the stolen coins minus a $20 million reward as a bug bounty. I read some news yesterday that the Mixin team promised the hackers $20 million as a bug bounty if they returned the rest and explained how they attacked the network. Stranger things have happened. $20 million is still a lot of money + you avoid prosecution and having to think about whether someone might be on your trail.
hero member
Activity: 3038
Merit: 634
September 28, 2023, 08:35:20 AM
#30
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why does it feel like I have some odd feeling about this one? Yeah, it's a temporary solution that they can provide to gain back the customers' confidence after this incident. Not a hater or whatnot, but haven't we seen something like this when the Do Kwon fiasco happened?

Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.

But anyway, I guess with all of these platforms and networks that have been hacked for a lot of money, they all invested in security, but the reality is that no matter how strong the network and its security protocols are, all of them are prone to attacks, and the success rate of those attacks is increasing.

You have some odd feeling because something is terribly odd. Feng Xiaodong not only sounds substandard, he's also funny, assuring that 50% of the users' funds are safe but that it's going to be in the form of "bond tokens" which they will create out of thin air and buy back at an undetermined time in the indefinite future. LOL! He at least knows how to crack a good joke.
Yeah, that seems to be the reason, because we've seen this being done by some con before, and as much as I don't want to think negatively about the people involved in proposing this, it just really sounds offbeat.

I don't know how secure the network really is, but it doesn't matter. All it takes is one foolish move and all security is pointless, something like your funds are in cold storage and you kept the seed phrase in your Gmail drafts. LOL! They claim to be a "decentralized multisig" solution and they have a cloud service provider whose database stored the keys.
True.

One employee or one of the co-founders did something wrong, and it's true that with even the tiniest mistake he can make, they're all going to fall down. Seems like there's an interesting development on this one on how they've screwed up.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
September 27, 2023, 06:34:57 AM
#29
There's an option to use a non-custodial wallet (such as Bitcoin Core). Although some time after I finished writing my review, I got the impression we only have direct access to one of the keys. The two other keys seem to be managed by Mixin Safe and Mixin Messenger.

I was taking a look at how their system works, because they are not as "decentralized" as they said. Their whole system is so complicated.

But they said they own a recovery key, the last key, which should have a time lock.

Was this used in the hack?

https://safe.mixin.zone/how-it-secures

Quote
Recovery Key
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.

The news doesn't mention Mixin Safe got hacked. But if Mixin Safe was also hacked, only addresses which received a deposit more than 1 year ago should be hackable. Although at the time when Mixin ran the review campaign, the timelock duration was shortened to a few days, and I moved my coins through that recovery key.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
September 27, 2023, 05:09:22 AM
#28
There's an option to use a non-custodial wallet (such as Bitcoin Core). Although some time after I finished writing my review, I got the impression we only have direct access to one of the keys. The two other keys seem to be managed by Mixin Safe and Mixin Messenger.

I was taking a look at how their system works, because they are not as "decentralized" as they said. Their whole system is so complicated.

But they said they own a recovery key, the last key, which should have a time lock.

Was this used in the hack?

https://safe.mixin.zone/how-it-secures

Quote
Recovery Key
Mixin Safe team controls the last key named recovery key. This key is very special, because it's timelocked by Bitcoin script. That means the recovery key can only be used after your safe address is inactive for at least 1 year.
hero member
Activity: 1498
Merit: 785
September 27, 2023, 04:38:34 AM
#27
There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1]. According to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, Mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase them in the future. From this news I think we can say users of Mixin Safe have probably lost 100% of the funds they had on the platform, and I know it sounds cliché, but "not your keys, not your coins" has to be repeated again, and surely not for the last time.
[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/
I haven't seen any official statement, except that on Twitter there was recently a tweet about the problem. The Mixin team said 'the loss is not as big as expected'. Meaning there is still a chance for customer funds to be returned? I guess it's hard...
The link about the statement of Mixin founder Feng Xiaodong leads to Twitch without any video.
While on Twitter Mixin says it will take responsibility for this loss with action, I still don't understand whether 50% of customer funds will be returned or the full amount.

Quote
Regarding the asset losses, we can only take responsibility through action besides apologizing. At the same time, being responsible has always been Mixin's attitude. Specific reimbursement rules still need some time.
[1] https://twitter.com/MixinKernel/status/1706948541850235274
legendary
Activity: 994
Merit: 1089
September 27, 2023, 04:31:15 AM
#26
That was for Mixin Safe, not Mixin Network. Mixin Network is the entire company owning all this stuff, but the Safe vault was using time-locked multisig they cannot breach; it does not need a cloud database or any of that stuff.
Take note that 'multisig' on Mixin Safe is not the typical multisig wallet you create in a wallet like Electrum. To sign a tx in Mixin Safe you need the 'approval' of both the owner's and the member's wallet, but any safe in Mixin Safe is centralized and you don't control the keys to the funds; the platform does, and they stored them online, in the cloud. From Feng Xiaodong's livestream, this hack affected every user who has funds on their platform, even in the vault they said was safe.
50% is a large amount for a platform to lose at once. I am not quite sure if this will work though,
Surely this will not work, and I believe all users on the platform can consider 100% of their funds lost. If Mixin network didn't lose all of it they would just refund the 50% of the assets they claim to have secured in the crypto that the customer had initially deposited, or any other payment option that has value, but they want to issue bond tokens out of thin air, to later repurchase them. What if the platform bites the dust soon or before they can make that repurchase? What if they totally lose customer trust and can no longer make any profit? They have only said this as PR, to calm customers down for now.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
September 27, 2023, 04:13:38 AM
#25
They have a running campaign and conducted one of the highest review campaigns in the forum. The Mixin review employed 100 members and paid the highest amount and members were even paid upfront. They have suspended both deposits and withdrawals which means customers will wait to get more information from the management.

That was for Mixin Safe, not Mixin Network. Mixin Network is the entire company owning all this stuff, but the Safe vault was using time-locked multisig they cannot breach; it does not need a cloud database or any of that stuff.

I would not call Mixin a decentralized network, they are centralized and do have a single point of failure, which is that they store the keys to their customers' funds online, in the cloud.

That is correct.

Quote
There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1]. According to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, Mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase them in the future. From this news I think we can say users of Mixin Safe have probably lost 100% of the funds they had on the platform, and I know it sounds cliché, but "not your keys, not your coins" has to be repeated again, and surely not for the last time.

50% is a large amount for a platform to lose at once. I am not quite sure if this will work though, but he looks to have a plan at least. (Not like SBF who just wrote
WHAT
H
A
P
P
E
N
E
D
after he lost everyone's money).
legendary
Activity: 2576
Merit: 1860
September 26, 2023, 08:57:08 PM
#24
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why does it feel like I have some odd feeling about this one? Yeah, it's a temporary solution that they can provide to gain back the customers' confidence after this incident. Not a hater or whatnot, but haven't we seen something like this when the Do Kwon fiasco happened?

Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.

But anyway, I guess with all of these platforms and networks that have been hacked for a lot of money, they all invested in security, but the reality is that no matter how strong the network and its security protocols are, all of them are prone to attacks, and the success rate of those attacks is increasing.

You have some odd feeling because something is terribly odd. Feng Xiaodong not only sounds substandard, he's also funny, assuring that 50% of the users' funds are safe but that it's going to be in the form of "bond tokens" which they will create out of thin air and buy back at an undetermined time in the indefinite future. LOL! He at least knows how to crack a good joke.

I don't know how secure the network really is, but it doesn't matter. All it takes is one foolish move and all security is pointless, something like your funds are in cold storage and you kept the seed phrase in your Gmail drafts. LOL! They claim to be a "decentralized multisig" solution and they have a cloud service provider whose database stored the keys.
hero member
Activity: 3038
Merit: 634
September 26, 2023, 08:19:37 PM
#23
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
Why does it feel like I have some odd feeling about this one? Yeah, it's a temporary solution that they can provide to gain back the customers' confidence after this incident. Not a hater or whatnot, but haven't we seen something like this when the Do Kwon fiasco happened?

Well, the difference is that they're new tokens and not bond tokens or there's not that much difference at all with it.

But anyway, I guess with all of these platforms and networks that have been hacked for a lot of money, they all invested in security, but the reality is that no matter how strong the network and its security protocols are, all of them are prone to attacks, and the success rate of those attacks is increasing.
legendary
Activity: 2170
Merit: 1789
September 26, 2023, 07:57:06 PM
#22
He went on to say that as for the other 50% of their funds, mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase it from them in the future.
I wonder how long the platform will stay afloat until every token is purchased back. How would they ensure that nobody is abusing it by buying them cheaply from the P2P market or just hacking the smart contract? Seeing how they lost their money it doesn't give any confidence at all. It is really surprising how a platform that holds a hundred million dollars of money doesn't have a good security mechanism to protect its funds.
legendary
Activity: 994
Merit: 1089
September 26, 2023, 05:41:59 PM
#21
So a decentralised network got attacked because it was working on a centralised server if I'm not wrong?
I would not call Mixin a decentralized network, they are centralized and do have a single point of failure, which is that they store the keys to their customers' funds online, in the cloud.

There's been an update on this issue: The Mixin network's founder Feng Xiaodong has announced via a livestream that every customer who had funds on their network has surely lost 50% of it[1]. According to him they are trying to recover the stolen funds, but it is very difficult at the moment. He went on to say that as for the other 50% of their funds, Mixin network is going to issue "bonds tokens" for the customers to claim, and the platform would repurchase them in the future. From this news I think we can say users of Mixin Safe have probably lost 100% of the funds they had on the platform, and I know it sounds cliché, but "not your keys, not your coins" has to be repeated again, and surely not for the last time.

[1] https://www.cryptotimes.io/mixin-network-founder-admits-50-assets-are-safe/
legendary
Activity: 3052
Merit: 1273
September 26, 2023, 03:36:53 PM
#20
So a decentralised network got attacked because it was working on a centralised server if I'm not wrong?
Is there a possibility for the hackers to be traced and these $200 million be retrieved by them? Or is it a gone case completely?
I believe that some internal person is definitely involved in this, else how would the hackers be able to know about the wallets and how can they attack directly? Will keep a close watch to know what happens next here.
It's like saving your private keys on Telegram, which works through your phone number. Some day your number gets discontinued because you didn't recharge it enough, it goes to some other person, and he/she just logs into your Telegram (unknowingly) and sees what's in the saved messages? Your private keys. Think.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
September 26, 2023, 10:02:02 AM
#19
Based on my experience (I reviewed Mixin Safe a few months ago), it's supposed to be a custom multi-signature address with a custom spend condition (2-of-3 by default and your own key after some time).
I know that to spend on Mixin Safe you need to 'sign' the transaction from your owner's wallet and member's wallet, but it is surely not the typical self-custodial multisig wallet that you'd create in a wallet like Electrum, for example. A safe in Mixin Safe is custodial and you do not control the keys to your safe, and the announcement after the hack shows they store these keys online, in the cloud: a single point of failure and a very bad option to secure this amount of money.

I was also expecting it to be proper multisig, where the system would keep one key of many and would only help with interfacing the actual/real multisig operations with the messages/confirmations from the parties.
From the way the service was presented/packaged, it should not have had a single point of failure, unless they've either made a mistake or done something fishy under the hood.
legendary
Activity: 994
Merit: 1089
September 26, 2023, 09:46:28 AM
#18
Based on my experience (I reviewed Mixin Safe a few months ago), it's supposed to be a custom multi-signature address with a custom spend condition (2-of-3 by default and your own key after some time).
I know that to spend on Mixin Safe you need to 'sign' the transaction from your owner's wallet and member's wallet, but it is surely not the typical self-custodial multisig wallet that you'd create in a wallet like Electrum, for example. A safe in Mixin Safe is custodial and you do not control the keys to your safe, and the announcement after the hack shows they store these keys online, in the cloud: a single point of failure and a very bad option to secure this amount of money.
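The Recovery Key quote from safe.mixin.zone earlier in the thread ("timelocked by Bitcoin script", usable only after the address has been inactive for about a year) and the "2-of-3 by default and your own key after some time" description above both point at the same construction: a normal multi-signature branch plus a fallback key gated by a relative timelock. The following is an added illustration in Python, written for this thread and not code from Mixin or from any poster; it models that policy as a Bitcoin Script with OP_CHECKSEQUENCEVERIFY and evaluates its two branches. The key names, the exact script layout, the block count for a year, and the timelock_weakened check are all assumptions. Note that the two descriptions disagree on who holds the timelocked key (the service's recovery key versus the user's own key); the model simply names that key recovery and leaves it to the caller to decide whose it is.

```python
"""Model of a time-locked vault spend policy (added illustration, not Mixin's code).

Normal path:   2-of-3 among owner, member and service keys.
Fallback path: a single recovery key, valid only once the coins have sat
               unspent for csv_blocks blocks (BIP 68 / BIP 112 relative lock).
Because the lock is *relative* to the UTXO's own confirmation, any spend
resets the clock: that is how "inactive for N blocks" is enforced on-chain.
"""
from dataclasses import dataclass

BLOCKS_PER_YEAR = 52_560   # assumed: 365 days of ~10-minute blocks
MAX_CSV_BLOCKS = 0xFFFF    # BIP 68: the relative lock value is a 16-bit field


@dataclass(frozen=True)
class VaultPolicy:
    owner: str        # key held by the user (assumed name)
    member: str       # key held by a co-signer, "member" in the thread (assumed name)
    service: str      # key held by the service (assumed name)
    recovery: str     # timelocked fallback key; whose it is depends on the design
    csv_blocks: int   # blocks the UTXO must age before the fallback path opens

    def __post_init__(self) -> None:
        if not 1 <= self.csv_blocks <= MAX_CSV_BLOCKS:
            raise ValueError("csv_blocks must fit the BIP 68 16-bit block field")

    def script_asm(self) -> str:
        """Human-readable Script: OP_IF branch is 2-of-3, OP_ELSE branch is CSV + one key."""
        return (
            "OP_IF "
            f"2 <{self.owner}> <{self.member}> <{self.service}> 3 OP_CHECKMULTISIG "
            "OP_ELSE "
            f"{self.csv_blocks} OP_CHECKSEQUENCEVERIFY OP_DROP <{self.recovery}> OP_CHECKSIG "
            "OP_ENDIF"
        )


def multisig_branch_ok(policy: VaultPolicy, signers: set[str]) -> bool:
    """OP_IF branch: at least two distinct signatures from the three named keys.
    Keys outside the set never count, however many of them sign."""
    return len(signers & {policy.owner, policy.member, policy.service}) >= 2


def recovery_branch_ok(policy: VaultPolicy, signers: set[str],
                       utxo_age_blocks: int, input_sequence_blocks: int) -> bool:
    """OP_ELSE branch, modelling the two checks that CSV implies:
    1. script level: the spending input's nSequence must request a relative
       lock of at least csv_blocks, or OP_CHECKSEQUENCEVERIFY fails;
    2. consensus level (BIP 68): the transaction is only final once the UTXO
       has at least as many confirmations as nSequence requests.
    The version>=2 and disable-flag rules of BIP 68 are omitted for brevity."""
    if policy.recovery not in signers:
        return False
    if input_sequence_blocks < policy.csv_blocks:
        return False                                  # CSV value > nSequence lock
    return utxo_age_blocks >= input_sequence_blocks   # BIP 68 maturity


def can_spend(policy: VaultPolicy, signers: set[str],
              utxo_age_blocks: int, input_sequence_blocks: int = 0) -> bool:
    """True if either branch of the script would accept this spend."""
    return (multisig_branch_ok(policy, signers)
            or recovery_branch_ok(policy, signers, utxo_age_blocks, input_sequence_blocks))


def timelock_weakened(policy: VaultPolicy, minimum_blocks: int = BLOCKS_PER_YEAR) -> bool:
    """Defender check (assumed threshold): flag a deployed policy whose fallback
    delay is shorter than the advertised one, e.g. the "few days" a poster above
    says was used during the review campaign."""
    return policy.csv_blocks < minimum_blocks


if __name__ == "__main__":
    vault = VaultPolicy("owner_pk", "member_pk", "service_pk", "recovery_pk", BLOCKS_PER_YEAR)
    print(vault.script_asm())
    print("owner+member, fresh UTXO:", can_spend(vault, {"owner_pk", "member_pk"}, 10))
    print("recovery alone, fresh UTXO:", can_spend(vault, {"recovery_pk"}, 10, BLOCKS_PER_YEAR))
    print("recovery alone, 1 year old:", can_spend(vault, {"recovery_pk"}, BLOCKS_PER_YEAR, BLOCKS_PER_YEAR))
    print("3-day policy weakened:", timelock_weakened(VaultPolicy("o", "m", "s", "r", 3 * 144)))
```

The point the model makes explicit is that the timelock alone does not protect funds from whoever holds two of the three normal keys: if the service holds both the service key and the member key (or the recovery key and stored copies of the others) on the same infrastructure, the OP_IF branch is available to anyone who obtains that infrastructure's key material, regardless of csv_blocks.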
legendary
Activity: 1302
Merit: 1089
Goodnight, o_e_l_e_o 🌹
September 26, 2023, 07:06:37 AM
#17


Today's breaking news - that Mixin Network's cloud database has been attacked resulting in the loss of several mainnet assets and that's what the official statement on Twitter says.
[1] https://twitter.com/MixinKernel/status/1706139175018529139


This is just an irony of action. If I were to predict that any platform would be hacked at any moment, I would never include Mixin. Mixin came to the forum with the promise of securing our bitcoin and possibly making it hereditary. They also said that their system does not store people's private keys; rather, they hold one of the keys, the customer holds one, while the network friends hold one, and in order to authorize a transaction, at least two of the three key holders will have to approve. This means that for there to be a successful hack, the hackers got access to the Mixin database and also the customers' database, which is bad.

I know Mixin has been in existence for so many years, but they recently found their way into the crypto industry and are willing to dominate. But this hack will be a major setback to their reputation, while many will lose confidence even after being refunded. I wish this had never happened to them.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
September 26, 2023, 02:35:52 AM
#16
Their service is not easy to use; it's pretty hard and complicated for an average user, and I really wonder how this project was so popular. According to their website, more than $1B total value is secured, and if we believe that, then roughly 1/5 of the funds have been stolen.
By the way, even if the funds are found, I don't think anyone will continue to use this service, because a platform that has been promoting how secure it is gets hacked easily. That means they are everything other than secure.