East India hacked/down!

East India market has been hacked and lost 30 coins!

This message is on the homepage!

East India Company 
East India Company is currently offline
The hidden service is either under maintenance or undergoing routine migration to a new location.
A Spanish merchant named laBoliviana has found an exploit and decided to abuse it to empty the hot wallet, stealing over 30 Bitcoin. We are in the process of investigating the incident to determine the bug used.
We will not relaunch the service until the cause has been determined and we implement a new 100% multi-signature escrow system.
We will provide more details as we continue our investigation.
We apologize for the software failure and we promise we will cover all the losses suffered once we return.

laboliviana    


We ask you, LaBoliviana, that you reconsider your decision. If you like to do the right thing, LaBoliviana, and return the money taken from honest merchants simply trying to provide safe access to drugs during prohibition, return the bitcoins back to:

1Kpab(Address redacted for reddit rules)91U   

Update: We have determined the bug was in the escrow system from a previous modification. The servers were not accessed by the attackers and no private data was lost. The attacker used two accounts, one customer named nukleus and a merchant account named laboliviana, to drain the wallet using this bug in the escrow system. More details as we continue our investigation.

If you would like to report the bug, receive a bug bounty and earn more than you stole, you can contact us at:
BM-2cXu5vwtGnuaQjWxCCoR3PMabt8yAuCUiV.

General support inquiries should be sent to BM-2cXu5vwtGnuaQjWxCCoR3PMabt8yAuCUiV while we are offline. We will return and we will make sure everyone is repaid. We apologize for the inconvenience, but we must find out exactly what happened and ensure everything is fixed before reopening.

Update: We have been able to replicate the bug used and we are now working on a patch to correct the issue. We will issue updates here as we get closer to bringing the service back online.

East India Company


Comments


[17 Points] Vendor_ElfMachine:

Sucks. Looks like I'll have to find somewhere else to vend for a while.


[4 Points] al_eberia:

I can't remember from their announcement post, did they use cold storage or did the attacker get everything?


[3 Points] Jay-__:

https://dnstats.net/market/East+India+Company

For everyone that's as lazy as I am. :F

I'm really curious what exactly the bug was. I hope they'll tell us more.


[2 Points] None:

Are 30 BTC a lot in terms of money for them?


[1 Points] limbsincluded:

nobody predicted this ///


[1 Points] None:

Does anyone think EIC will pay the vendors back or are they SOL?


[1 Points] Vendor_BBMC:

I had a look around East India Company last week. This week I was planning to upgrade to a vendor account and offer my next batch at a discount if customers buy it on IEC instead of Agora.

The problem isn't having a single-sig escrow. That's fine if there is a separate wallet for each escrow. I find it hard to believe that they still use the discredited hot wallet / cold storage system.

Now the site is down, vendors can't get paid for what they shipped, and customers can't spend or access their bitcoin to purchase elsewhere.

I'm troubled that they have called a vendor a thief, when the vendor just understood their site's software better than they did.

The contents of the escrow are promised to the vendor, and the vendor pays the website commission to administer and not lose it.

I'm not going to trade on a site which enforces multisig escrow. It's a con trick to fool customers into thinking they won't get robbed. But the site makes you deposit bitcoin before you can spend it. There was a single-sig FOR THE COMBINED ESCROWS OF EVERY SALE ON THE SITE. In other words not even a single-sig escrow. They used a MULTI ESCROW SIG, just like Silk Road 2.0. They own that "sig" or key, not some vendor from Espana, and East India company used their key to give the vendor every other vendor's escrow.


[1 Points] None:

That's what they get for not letting us Americans join the party!


[1 Points] throwathrowanz:

Fuckin nukleus


[1 Points] auto587643:

A shame. They looked so promising.