Topic: Possibly malicious pool owners **URGENT** (Read 614 times)

sr. member
Activity: 266
Merit: 250
February 13, 2014, 12:49:11 AM
#2
Last night, amid complaints of fraudulent withdrawals from many of our miners, we at Hackshard launched a full investigation into our databases, websites, and other software with the goal of identifying and eliminating whatever faulty code, hardware, or security hole had caused miners to lose their coins. We discovered no fault in the cronjobs, databases, stratum servers, wallets, or any of the other various components of the Hackshard mining pools. While this did confirm that the Hackshard infrastructure was not at fault, our findings hinted at something perhaps even more worrisome. We found that several dozen miners had recently withdrawn to a single address: the same address as that which many of those claiming fraud had presented to us as having stolen their coins. Given the extreme unlikelihood of so many miners being host to the same keylogging virus, and given the complete lack of evidence that our own pools have been infiltrated by malicious agents, we have concluded that the issue could only have arisen from miners using identical login credentials with multiple pools. If this is the case, with a significant portion of our miners having been victims, we further conclude that only one with access to the database of a rather large pool could have been the thief. As such, we request that all miners who have been affected by this theft respond immediately with a full list of pools which they have recently used so that we may attempt to identify the malignant pool. We further request that all pool owners search their outgoing transactions for multiple usernames withdrawing to a few addresses.

We strongly urge everyone to use separate credentials on each and every pool he or she uses and to enable automatic payments. If you have been using the same username & password on multiple pools, change them immediately.

If you lost any coins from a fraudulent withdrawal and you use the same credentials on other pools as you do on the pool you were stolen from, please change your passwords on all pools and then contact the owners of whichever pool you lost coins on and tell them which pools you used the same credentials on. In this way, pool owners can attempt to find a common pool among miners bereft of coins.

For example, say you have the same password on pools A, B, C, D and your coins were stolen from pool C. Change your passwords on every pool immediately and then contact the owners of pool C, telling them that your coins were stolen and you had the same credentials on pools A, B and D. If enough miners do this and pool owners co-operate, we should be able to figure out which pool stole the coins.


You missed the whole point.

1 out of 100 pools get hacked and coins get stolen. What, like $2 worth of coins that had yet to hit your automatic threshold for payment may be at risk. Is that what you are worried about? I don't care if all my pools get hacked. Most I would lose is $10 and that would be a one time thing.

90 out of 100 pools steal coins you mine. Compare your rate using coinwarz then watch how much you actually mine. Most pools steal about 30% of what you mine and only show 1% fee. Now that's a loss of THOUSANDS OF DOLLARS in a year continuously.

And no one knows or cares about it. I even started a thread and didn't get a response. I guess P2POOLs don't have this issue because they are not centrally controlled? Not sure.
sr. member
Activity: 406
Merit: 250
January 16, 2014, 08:08:50 AM
#1
Last night, amid complaints of fraudulent withdrawals from many of our miners, we at Hackshard launched a full investigation into our databases, websites, and other software with the goal of identifying and eliminating whatever faulty code, hardware, or security hole had caused miners to lose their coins. We discovered no fault in the cronjobs, databases, stratum servers, wallets, or any of the other various components of the Hackshard mining pools. While this did confirm that the Hackshard infrastructure was not at fault, our findings hinted at something perhaps even more worrisome. We found that several dozen miners had recently withdrawn to a single address: the same address as that which many of those claiming fraud had presented to us as having stolen their coins. Given the extreme unlikelihood of so many miners being host to the same keylogging virus, and given the complete lack of evidence that our own pools have been infiltrated by malicious agents, we have concluded that the issue could only have arisen from miners using identical login credentials with multiple pools. If this is the case, with a significant portion of our miners having been victims, we further conclude that only one with access to the database of a rather large pool could have been the thief. As such, we request that all miners who have been affected by this theft respond immediately with a full list of pools which they have recently used so that we may attempt to identify the malignant pool. We further request that all pool owners search their outgoing transactions for multiple usernames withdrawing to a few addresses.

We strongly urge everyone to use separate credentials on each and every pool he or she uses and to enable automatic payments. If you have been using the same username & password on multiple pools, change them immediately.

If you lost any coins from a fraudulent withdrawal and you use the same credentials on other pools as you do on the pool you were stolen from, please change your passwords on all pools and then contact the owners of whichever pool you lost coins on and tell them which pools you used the same credentials on. In this way, pool owners can attempt to find a common pool among miners bereft of coins.

For example, say you have the same password on pools A, B, C, D and your coins were stolen from pool C. Change your passwords on every pool immediately and then contact the owners of pool C, telling them that your coins were stolen and you had the same credentials on pools A, B and D. If enough miners do this and pool owners co-operate, we should be able to figure out which pool stole the coins.
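The two checks requested in post #1, sketched as an added example that is not part of the original thread and not Hackshard's code: grouping a pool's outgoing withdrawals by destination address to find addresses paid from many accounts, and tallying victims' reported pool lists to find the pool they have in common. The record layout, the `min_users` threshold, and all sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample withdrawal log: (username, destination_address, amount)
WITHDRAWALS = [
    ("alice", "ADDR_X", 1.20),
    ("bob",   "ADDR_X", 0.75),
    ("carol", "ADDR_X", 2.10),
    ("dave",  "ADDR_D", 0.40),
    ("dave",  "ADDR_D", 0.55),   # same user twice: still one distinct account
    ("erin",  "ADDR_E", 3.00),
    ("alice", "ADDR_A", 0.90),
]

# Constructed victim reports: username -> other pools where the same
# credentials were in use (the "A, B and D" list from the post's example)
REPORTS = {
    "alice": {"A", "B", "D"},
    "bob":   {"B", "D"},
    "carol": {"A", "B"},
}

def shared_destinations(withdrawals, min_users=3):
    """Addresses that received withdrawals from >= min_users distinct accounts.

    min_users is an assumed threshold; a hit is a lead to review, not proof.
    """
    users_by_address = defaultdict(set)
    for username, address, _amount in withdrawals:
        users_by_address[address].add(username)
    return {addr: sorted(users)
            for addr, users in users_by_address.items()
            if len(users) >= min_users}

def rank_common_pools(reports):
    """Pools ordered by how many victims named them (ties broken by name)."""
    counts = Counter(pool for pools in reports.values() for pool in pools)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def pools_named_by_all(reports):
    """Pools every reporting victim had in common; empty if no reports."""
    if not reports:
        return set()
    return set.intersection(*reports.values())

if __name__ == "__main__":
    print("Shared destinations:", shared_destinations(WITHDRAWALS))
    print("Pool ranking:", rank_common_pools(REPORTS))
    print("Named by every victim:", pools_named_by_all(REPORTS))
```

The ranking is more useful than the strict intersection once reports are incomplete, since a single victim who forgets to list a pool empties the intersection.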