Why Nostr? What is Njump?
2025-06-08 23:47:16

Coinos on Nostr: We're still investigating what happened here. It seems a handful of accounts may have ...

We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.

We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.

I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.

We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.

Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.

This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
quoting
PSA: An autowithdraw exploit for has been confirmed. Check your settings if you’re using this wallet.

Felt bad for not giving them more time to respond privately, but hopefully this saves some of your sats.

Author Public Key
npub1h2qfjpnxau9k7ja9qkf50043xfpfy8j5v60xsqryef64y44puwnq28w8ch
Seen on
wss://relay.primal.netwss://relay.nostr.bandwss://relay.damus.io