Security Alert: Half A Million Old Coinmama Logins Hacked, No Indication of KYC/AML Breach

Colin Muller
  • 450,00 Coinmama login/password pairs found for sale
  • The credentials are old, only prior to 5 Aug, 2017

The fiat-crypto exchange Coinmama have been hacked, they said in an official post, as roughly 450,000 email-password pairs have been found for sale on the dark web. Critically, the hacked credentials are not from recent accounts - only accounts made prior to 5 August, 2017 have been stolen.

The stolen Coinmama credentials are part of a far larger booty. ZDNet reported on February 14 that a total of 747 million credentials grifted from 24 total entities were up for sale, of which the Coinmama tranche is a tiny fraction.

The entire collection was for sale on the “Dream Market” dark web market for about $15,000. But ZDNet also reported the collection is no longer for sale on the open market, because of buyers’ complaints that the public sale would - ironically - lead to leaks of the stolen goods. Some websites, like, index stolen credentials so that users can check if their own credentials are compromised and known to identity thieves.

Coinmama are on guard for “any external indication that the compromised data is being used,” and encourage users with potentially affected accounts to change their passwords as soon as possible.

There was no mention of whether Coinmama users’ personal details were also leaked, in addition to username/password pairs. The exchange requires an extensive amount of Know-Your-Customer/Anti-Money-Laundering information to be submitted, in order to take full advantage of the service, including multiple IDs and even utility bills.

Dark Web Sales

CryptoGlobe recently reported that $600 million worth of bitcoin was used for dark web transactions during 2018, an amount only slightly down since the previous year. An economist at Chainalysis, a blockchain security analytics firm, speculated that increased law enforcement on dark web markets may account for the drop.

Another collection of stolen credentials of similar size was recently put up for sale on the dark web. But there is no immediate indication that the sales are in fact the same collection.

IOTA Foundation to Reopen Mainnet by March 2 after $2 Million Hack

The IOTA Foundation, the non-profit organization behind the IOTA network, has announced it plans to reactivate the IOTA Network by March 2 after halting it over a $2 million hack.

According to the non-profit organization, it’s working on creating transition tools for users to transfer funds from their existing wallets to new ones so they can avoid any further losses and bring the network back online.

As CryptoGlobe reported, the IOTA Foundation turned off its Coordinator node, which is responsible for validating individual transactions on the network, earlier this month after users started reporting their funds were being stolen from the Trinity wallet, a wallet designed by the Foundation.

Since it turned the coordinator off, it has been working with law enforcement agencies, including the German Center for Cybercrime and the U.S. Federal Bureau of Investigation, to identify the cause. A total of “8.55 Ti”, or $2.3 million worth of IOTA tokens were lost.

In a post-mortem report, the Foundation detailed the vulnerability was the result of an integration with a fiat-to-crypto onramp platform called MoonPay that was being used with the Trinity wallet. Its investigation found a hacker was able to take over MoonPay’s content distribution network, and using it infiltrated the Trinity Wallet to distribute malicious Software Development Kits (SDKs).

The Foundation’s internal analysis of affected Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their content delivery network) when a user opened Trinity.

The attacker, according to the Foundation, made sure he avoided triggering cryptocurrency exchanges’ know-your-customer (KYC) checks when sending funds to cash out, keeping the threshold below $10,000.

The IOTA Foundation was, according to the report, only able to identify 50 victims from the attack, and doesn’t know exactly how many users were affected by the attack. As such, it’s asking those who used the Trinity desktop wallet to use a migration tool.

The organization’s move to shut down the Coordinator node and essentially bring the mainnet to a halt was a controversial one, as various cryptocurrency users are now on social media claiming the IOTA network is centralized.

Featured image via Pixabay.