Exchange Exmo was accused of stealing money from their own users

Exchange Exmo was accused of stealing money from their own users

A few days ago, popular news publication received a letter from a reader, in which he accused cryptocurrency exchange Exmo theft. The reader is led, in his own opinion, irrefutable evidence of such unworthy behaviour of employees of the exchange. Let’s carefully read the material three cases the loss of funds and make your own conclusions.


The popularity of exchange Exmo connected with the possibility of withdrawal of Fiat funds (USD and EUR) directly to the Bank card. However, this feature is only available for verified accounts. The verification procedure requires the provision of passport data, information on place of registration, the signing of the agreement, as well as your photo with the document on the background of a personal account on EXMO. Account verification may take more than a month.

In addition, any withdrawal from the stock exchange requires confirmation via e-mail or by using two-factor authentication via SMS or TOTP (Google Authenticator). To Paktika, it looks like this: once you are in a private office requested a withdrawal, the post office receives a message with a link, clicking on which you confirm the operation. Then the request for withdrawal is check.

According to representatives of the exchange check withdrawals can take up to 72 hours. The procedure really takes a long time, which often leads to losses due to exchange rate fluctuations.

The following is an example: this address repeatedly withdraw money from Russian ip addresses. Still, the test took 16 hours.

There is another way to withdraw funds without confirmation via the API. This method is manually activated by a support request. Also it should be clarified that if you change the password and type of security lock is activated on the withdrawal for two days.

What is common to the three cases of missing funds

In each story, the withdrawals were made in a relatively short time and were requested through a proxy, though none of the users did not include a similar feature. In all three stories the users logged on the exchange only from Russian IP addresses, the attackers requested a withdrawal from foreign addresses. The names of all the characters changed.

The first story

The first user, let’s call him Alex, uses Gmail, where he has two factor authentication enabled, to log on to exchange two-factor authentication has not been established. Alex is a programmer, works on Windows, technically competent people. Uses Chrome, untested plug-ins do not install, use different passwords for services.

Chronology of events:

— January 26, 7:48 Alex account passes verification

— January 28 at 18:24 the attacker entered the account from Monaco

— January 28, 18:38 the attacker buys the crypto-currency in the pair DOGE/BTC

— January 28 at 18:41 the attacker outputs the cryptocurrency DOGE account

Please note that at 18:41 was approved by the withdrawal, not when the request is created. No message in the email Alex didn’t come any links to confirm the withdrawal it is not passed.

Stock exchange representatives argue that an email with a link to confirm withdrawal (below) was sent to the user

As a result, within minutes, brought Doge for $1800. For some reason, the test output this time, worked quickly, and security was not embarrassed that the user came in from Monaco for the first time and decided to volutone this address.

The second story

Another user named Bob also brought money to the exchange, bought and sold coins, sometimes bringing the profit to e-wallets. Bob on the website of the Exmo was enabled two-factor authentication via SMS. For some reason Bob could not log in to your account more than 30 days, including at a time when it was made illegal withdrawals. Technical support answering messages slowly and reluctantly.

Chronology of events:

— 30 Dec 9:22 the attacker comes on the stock exchange from Amsterdam. Bob has been online since 27 Dec, 30 Dec SMS about the confirmation of entrance to the stock exchange he did not come

— Dec 30 at 9:23 the attacker changes the currency in the pair WAVES/BTC

— Dec 30 at 9:26 an attacker disables authentication via SMS, and includes TOTP (Google Authenticator). Here you can see that the attacker requested a password recovery in 9:22 and for a minute logged into your account

— January 2 at 9:29 the attacker gets the money. Exactly 2 days after changing the way of protection. That is the test again successfully managed to pass, despite the atypical IP address, the new address is output, and the method of protection and password

In the end, from the account it was withdrawn about $300. Bob was able to log in to my account in February.

Representatives refute the existence of a configured two-factor authentication via SMS: “the user has NOT been configured SMS-login (2FA) , the top line shows that the user has specified a telephone on which he was sent a code to configure text input, but the code has not been entered and therefore the setup was NOT completed”.

The third story

The third victim’s name is Victoria, she has long been involved in trade and exchange cryptocurrency and has a fairly good reputation on LocalBitcoin service. Victoria uses Mac OS X, follow the safety, no plug-ins does not put, is simple where you have enabled authentication via SMS. However, the password from Exmo and mail Victoria did the same.

As a result, the attacker managed to disable two-factor authentication in the mail that somehow getting passport details to Victoria and giving their support

In this case, the funds were withdrawn not only from the exchange Exmo and from LocalBitcoin wallet and exchange Yobit.

Chronology of events:

— Feb 4 at 12:07 the attacker is in the account of the exchange Exmo

— Feb 7 at 18:33 the attacker managed to log in on mail after disabling verification

— Feb 7 at 18:42 (15:42) the attacker conducts the auction, transferring all the funds in BTC

— Feb 7 at 19:13 (16:13) as the attacker removes all the BTC from the account of the exchange Exmo

In the end, a conclusion confirmed BTC in 30 minutes. The total amount derived from all services amounted to $35,000.

Review representative Exmo: “because the passwords were the same, was obtained access to the account where the user has uploaded data for verification (a picture you download, the attacker could not, but knew the user’s data: date of birth, passport number and could find the data in the database of the banks), given that the passwords match to email and the website of EXMO, it is likely that they coincide on other services could obtain personal data of the user.”

Food for thought. How does the password reset

If you enable two-factor authentication, sign out and recover your password, you can get a new password in cleartext to the mail.

The old password still works.

In this regard, several questions arise:

  • Is it possible that Exmo stores passwords in the clear?
  • Can anyone from the staff to intercept emails sent to the users, and withdraw money from the accounts?

The official response of the exchange Exmo

— How often do you experience these fraudulent cases of withdrawal?

Indeed, such cases are, however, extremely rare and exclusively related to the fact that the users do not comply with guidelines and rules to ensure the safety of their accounts on the platform.

— Will there be taken some additional measures to improve the reliability of the exchange?

The platform is constantly working to improve account security and provides a full range of available modern tools for protection. Also, from the EXMO occurs regularly inform the user about the need to protect the accounts and the available security tools. In this case, each user bears the personal responsibility for the safety of their personal funds in the stock account.

— Do you consider the theory that staff exchanges can illegally withdraw funds users?

Such a scenario is possible, because the departments are decentralized so that employees only had access to a limited amount of information necessary for solving operational tasks. None of the employees EXMO does not have sufficient permissions to commit fraud.

News tags
Let's Disqus