Redditor Reports Crypto Fund Theft from COSS.io, Resulting in Plea from Platform to Return Funds
On October 14th, a user on the COSS.io platform experienced a theft that they reported directly to the company. Though neither the company nor the user reported the exact amount stolen, this led the COSS exchange to evaluate their website, seeking out the cause and culprit of the attack. However, there are two sides to every story.
Redditor blockchainified explained that he woke up on October 14th to find “thousands” of emails from the COSS Exchange regarding failed attempts to log in to his account. When he checked the account, he said, “All my holdings were gone. More specifically, they were sold on low-liquid markets at the rates substantially lower than the market ones.”
The user went on, explaining his notification to the COSS Exchange, along with his posts on Telegram and Reddit. Subsequently, COSS posted on their Medium blog, explaining the situation to the public and saying that a full and intensive investigation was initiated. They said, “For security reasons, we cannot go into detail on our methods, but the results of the investigation shows that the user’s password was compromised outside of COSS; at no time was any user password breached on our systems.” This announcement became a public service announcement to “use a password that is exclusive to the platform you use.”
This seemed to upset the Redditor, who claimed, “They forgot to mention one small fact that access to my account was received using vulnerability which allowed hacker to perform brute force attack on my 2FA. I was not the only victim as COSS declares in their medium blog and hacker indeed used exchange’s vulnerability.” He provided a screenshot, showing a comment from Rune Evensen, the visionary officer of the COSS Exchange. Evensen said, “It looks like a combination of ddos and brute force. They are attempting other accounts now so we are taking the system down for a while.” The only source shown for the screenshot is that it was on Telegram.
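The Redditor’s claim is that the second factor itself could be guessed by brute force. Whatever happened at COSS, the defensive control that closes that gap is simple: a verifier that counts consecutive wrong one-time codes and refuses further attempts for a cooling-off period. The following is an added, self-contained example (not COSS’s code, and nothing on this page describes their implementation): an RFC 6238 TOTP check with a constant-time compare and a failed-attempt lockout. The secret, timestamps, and the five-attempt/15-minute thresholds are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret; a real deployment stores a random per-user secret.
DEMO_SECRET = b"constructed-demo-key"
MAX_FAILURES = 5        # consecutive wrong codes before the account is locked (assumed policy)
LOCKOUT_SECONDS = 900   # cooling-off period after lockout (assumed policy)
STEP = 30               # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


@dataclass
class SecondFactorGuard:
    """Per-user 2FA verifier that locks after MAX_FAILURES consecutive wrong codes."""
    secret: bytes
    failures: int = 0
    locked_until: int = 0

    def verify(self, submitted: str, now: int) -> tuple[bool, str]:
        # Refuse everything (even a correct code) while the lockout is active.
        if now < self.locked_until:
            return False, "locked"
        # Accept the current and previous time step to tolerate small clock drift.
        window = {totp(self.secret, now), totp(self.secret, now - STEP)}
        well_formed = submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS
        # Constant-time comparison so timing does not leak how close a guess was.
        if well_formed and any(hmac.compare_digest(submitted, c) for c in window):
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return False, "locked"
        return False, "wrong"


def demo() -> dict:
    """Constructed scenario: repeated wrong codes trigger lockout, the right code is
    refused until the lockout expires, and a fresh valid code is accepted afterwards."""
    now = 1_700_000_000
    guard = SecondFactorGuard(DEMO_SECRET)
    good = totp(DEMO_SECRET, now)
    window = {good, totp(DEMO_SECRET, now - STEP)}
    # Pick a guess that is guaranteed not to be in the accepted window.
    wrong = next(c for c in (str(i).zfill(DIGITS) for i in range(10)) if c not in window)
    outcomes = [guard.verify(wrong, now)[1] for _ in range(MAX_FAILURES)]
    refused_while_locked = guard.verify(good, now)[1]
    later = now + LOCKOUT_SECONDS
    accepted_later = guard.verify(totp(DEMO_SECRET, later), later)[1]
    return {"outcomes": outcomes, "refused": refused_while_locked, "later": accepted_later}


if __name__ == "__main__":
    print(demo())
```

The lockout is per account; in production the counter would live in shared storage so that retries spread across many web nodes still add up, and the same throttle would apply to the password step before the second factor is ever requested. A separate “trading password” of the kind the Redditor asks for would sit behind this gate as an additional approval on sell orders, not as a replacement for it.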
As the post on Reddit goes on, the user seems even more enraged by the event, blaming COSS and denying that he was at fault for the hacker obtaining his password. However, since he kept the funds on the exchange rather than in a separate wallet, he remains the one responsible for how accessible his funds were. Regardless of how the hacker obtained the funds or even his password, this is a clear example of why a secured wallet is necessary.
Any expert would agree that the safest wallet is a hardware device that can be kept off the network, but the inaction on COSS’s part to “protect” him comes down to one fact – that’s not their responsibility. On his post, he urged, “No matter what decision COSS exchange will take I call other exchanges to add an extra security feature to protect user’s funds. TRADING PASSWORD. This will prevent anybody to sell user’s assets on the low liquidity markets for cents even if the password was compromised and exchange grants brute force attacks.” However, any user that enters the crypto market is responsible for storing their assets properly, just like they would need to do within a stock exchange.
In the blog, COSS urged the thief to return the funds, pleading,
“To the perpetrator(s) of this incident, if you are reading this; we will not pursue this case any further if you return the 9.8 million COSS tokens as seen in the linked address above to the ERC address below: 0x8bdfCC2C644Ef0bd226dfccbBDaa7553930560a0”