Topic: SOLVED: how to get BTC out of a Bitstamp account without verifying (Read 14988 times)

It's great that you found out they forgot to limit the API. Congratulations on getting your coins back. Hope this lasts...

It's actually strange that a company asks for people for ID documents, yet they don't provide any information about themselves on their site except a forwarding address of their shell company.
Does anybody know just where Bitstamp offices actually are and who are the people behind it?

And while KYC requirements are understable for depositing/withdrawing fiat, applying it to BTC withdrawals is an obvious attempt by them to steal some coins. I'm a verified user on Bitstamp, because a couple of months back I had to send my ID documents to somebody somewhere (in Slovenia maybe?) just to get my money out. How is this legal?

HAHAHA!

so if they post that now all transaction have a 50 btc fee and post it and 1 minute later enforce it against you, you are ok with that?

Or buy some bum a bottle of vodka for £10 and use his id.

Next time you can register a company for £99 in the UK, verify with company documents, withdraw and then delete all

Thanks eldentyrell for the idea! My coins where held hostage too, and i don't trust them enough to send them my identity documents.

The good news is: the withdrawal trick with the old API still works with the new API with a newly generated API key.
Be quick if you want to withdraw. Who knows how long that is working. Details are here: https://www.bitstamp.net/api/

I'd like to know as well, mostly to shut up the people who keep bleating "just send them yer doxx".

A lot of people outside the USA underestimate how astronomically bad the identity-security situation is here, and how much stuff around here is based on the totally broken identity system.  You can't even rent a place to live without getting tangled up in it (something that foreign grad students are constantly getting screwed by).

The US is notorious for lack of information privacy laws, and that sucks, but most states have identity security laws, notably California's which makes it a crime to fail to notify customers if a business suffers a data breach that exposes identity information.  This means that we at least find out about these breaches as long as the company has at least one customer in California and one employee in the US who isn't wiling to go to jail to cover his boss' ass.

Sadly these laws are strong only because the identity-verification system is so pathetically weak.  Other countries with sensible identity-security systems don't need them.

I'm still wondering what a full set of identity docs would be worth.  There must be some user here who has a quasi-criminal friend who could shed light on this.  If so, let's take the following example:

 - male, age 30's
 - lives in a major metro area in the US.
 - pulls in a six-figure salary.
 - respectable credit score.
 - credit cards with $10k-ish credit limits.

Any ideas?

Yes it was absurd that they didn't email their customers about this.  I just luckily heard someone talking about it online or I wouldn't have been aware.  I didn't use my real name on my Bitstamp acct, so I quickly got my funds out of there.

However, I think you probably could just change a fake name to your real one and then send in the KYC docs and could get your funds out.  However, I don't blame you if you don't want to send all that stuff to Slovenia...there is some risk involved for sure.

If they allow to change the user info on the account, ill send in my kyc docs to them to withdraw btc for people, for 1% of what's in account each.

No, they're thieves for refusing to give me back my coins (until I hacked their API).

Thanks for the tip. But you should do AML to help funding terrorists.

Yes, they didnt inform their customers properly, i for one have never seen that well hidden page.

Holy crap, you really ARE Elden Tyrell. 

Excellent workaround, lets hope they dont close it soon.

Yeah, unfortunately the software I used for this is not released and is not really releasable at this point…

I don't know what other trading software is out there, but if it supports withdrawal-via-API that should work.  Any decent arbitrage bot would have this.

Here is their API documentation:

 https://direct.bitstamp.net/api/

The API call you want is "BITCOIN WITHDRAWAL" accessed via HTTP POST to this URL:

  https://www.bitstamp.net/api/bitcoin_withdrawal/

The call is a simple POST and you add two parameters "user" and "password" (the endpoint is SSL so this is at least somewhat okay).  So something approximately close this this should work:


… where you replace "31337" with your numerical user id on bitstamp, "mypass" with your password, "1.0" with the number of BTC to withdraw and "1PC9aZC4hNX2rmmrt7uHTfYAS3hRbph4UN" with the destination address.

My account is closed now so I can't test this.

This will not work if you asked for an API key; in that case you have to use their newer API and I don't know if the loophole exists there too or not.  You also have to have the "enable old API" setting switched on in your account; mine was switched on when they created it since I had been using the API… I'm not sure what the default is for new accounts or if they'll let you switch it on if you've never used it before.  My account might have been grandfathered.

They're shutting off the old API in two weeks so my guess is they might have some bitrot in that code and are afraid to change it.

Sweet.  Congratulations and nice work!  You might think about outlining a recipe for someone who doesn't really know how to use the API and may not have used one before so that they might get some justice before the loophole is closed.

Got my BTC; see update to first post.

They cant, not even in fascist America BTCs are regulated to comply with AML/KYC.