
Damus

Coinos
Recent notes

We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "[email protected]" account. We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though; we will update as we have more information. I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database, but it's possible they may have been cracked. We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys. Having a user's nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised. This is only a hypothesis at this point and we need to investigate further, but we may end up recommending that affected users rotate their nostr keys.

nevent1qvzqqqqqqypzpggzvz325tcf9kz79s9c9627430ccc82r8rgujycwxd43n92y037qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyrdx8njpnvvulfcsqqd7ud47uw6dnzl4a3fmsrafsp0rte9f29h5uxpgg73
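The note above describes two defender-side checks: scanning accounts for an autowithdrawal address pointing at the attacker's destination, and treating accounts whose settings changed during the window with missing server logs (2am May 9 to 4pm May 10 UTC, year 2025 assumed from the surrounding notes) as suspect. The following triage script is an added example written for this page, not Coinos's own script. It uses a constructed placeholder domain `attacker-wallet.example` in place of the real destination, constructed account records, and a hypothetical `nostr_key_was_stored` field to mark accounts that once had an encrypted nsec on file and should therefore be told to rotate their nostr key if anything else looks wrong.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Placeholder for the withdrawal destination seen on tampered accounts (constructed, not the real one).
SUSPECT_WITHDRAWAL_DOMAINS = {"attacker-wallet.example"}

# Window with no server logs, taken from the service update (2am May 9 to 4pm May 10 UTC); year assumed 2025.
LOG_GAP_START = datetime(2025, 5, 9, 2, 0, tzinfo=timezone.utc)
LOG_GAP_END = datetime(2025, 5, 10, 16, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    autowithdraw_address: Optional[str]     # lightning address in "name@domain" form, or None if not set
    settings_updated_at: Optional[datetime]  # last time the user settings row changed, if known
    nostr_key_was_stored: bool               # hypothetical flag: an encrypted nsec was once on file


def withdrawal_domain(address: Optional[str]) -> Optional[str]:
    """Return the lower-cased domain part of a lightning address, or None if absent or malformed."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower()


def flag_account(acct: Account) -> list[str]:
    """Reasons an account should have withdrawals held and be reviewed by hand; empty list means clean."""
    reasons: list[str] = []
    # Check 1: the autowithdrawal destination matches the attacker's domain (case-insensitive).
    if withdrawal_domain(acct.autowithdraw_address) in SUSPECT_WITHDRAWAL_DOMAINS:
        reasons.append("suspect_withdrawal_domain")
    # Check 2: settings changed while no logs exist to show who made the change.
    if acct.settings_updated_at is not None and LOG_GAP_START <= acct.settings_updated_at <= LOG_GAP_END:
        reasons.append("settings_changed_in_log_gap")
    # If the account is suspect and an nsec was ever stored, the nostr identity itself may be exposed.
    if reasons and acct.nostr_key_was_stored:
        reasons.append("recommend_nostr_key_rotation")
    return reasons


def triage(accounts: list[Account]) -> dict[str, list[str]]:
    """Map username -> reasons for every account that raised at least one flag."""
    return {a.username: r for a in accounts if (r := flag_account(a))}


# Constructed sample records covering the cases the checks need to distinguish.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@attacker-wallet.example",
            datetime(2025, 5, 9, 12, 0, tzinfo=timezone.utc), nostr_key_was_stored=True),
    Account("bob", None,
            datetime(2025, 5, 1, 9, 30, tzinfo=timezone.utc), nostr_key_was_stored=True),
    Account("carol", "carol@ok-wallet.example",
            datetime(2025, 5, 10, 15, 59, tzinfo=timezone.utc), nostr_key_was_stored=False),
    Account("dave", "DAVE@Attacker-Wallet.example", None, nostr_key_was_stored=False),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Accounts with an empty reason list are the ones whose withdrawals can be re-enabled first; the rest stay held for manual review, and only those that additionally carry `recommend_nostr_key_rotation` need the key-rotation advice the note mentions.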

SERVICE UPDATE: We have just re-enabled withdrawals for all user accounts that do not appear to have activity in our server logs during the time that we are missing data for (2am May 9 to 4pm May 10 UTC). About 1100 accounts are still unable to withdraw funds that were deposited before May 10 at 4pm UTC but should be able to withdraw any funds that were deposited after that time. We are continuing to work on shortening that list, correcting balances and missing payments, and restoring full access to everyone. Thank you for your continued patience and understanding!

We've revoked some NWC connection secrets due to concerns of a security leak. This affects NWC connections that were created before Feb. 19 2025. If you're having trouble zapping from Coinos via NWC please visit https://coinos.io/settings/nostr to create a new NWC connection and then copy the new connection string into your Nostr app.