Coinos autowithdrawal exploit \ stacker news ~lightning

pull down to refresh

1930 sats \ 32 comments \ @ek 8 Jun lightning

Two users have reported that their lightning address for autowithdrawals from Coinos has been changed without their consent:

view on primal.netview on primal.net

I also noticed that the lightning address of the Coinos nostr account is set to allcoinos@speed.app.

I wonder if that has always been the case or is part of what's going on. Didn't they use their own service, so it should be a Coinos lightning address?

This post is a duplicate of #1000960 and #1000973 because the first one has been posted in the wrong territory, the second one did not contain a proper title and both didn't really get attention.

view all related items

433 sats \ 5 replies \ @optimism 8 Jun

I also noticed that the lightning address of the Coinos nostr account is set to allcoinos@speed.app.

From nos.lol when querying for kinds: [0]:

[
  "EVENT",
  "cn",
  {
    "content": "{\"name\":\"Coinos\",\"display_name\":\"\",\"nip05\":\"allcoinos@speed.app\",\"banner\":\"https://coinos.io/api/public/11b1a5f8e328948771ef1642f8e3a636fb90d82b7275c8aeef0bfe048dff9458.webp\",\"reactions\":false,\"lud16\":\"allcoinos@speed.app\",\"damus_donation_v2\":47,\"about\":\"\",\"website\":\"\",\"picture\":\"https://coinos.io/api/public/ed0220f3ebf1011fea0166c9b3d51ff7419cd16c36609b5c3c988cc094db54f4.webp\"}",
    "created_at": 1749408931,
    "id": "b84fede39510424ebe54875d9deaf43adcaecc1851d758d5e6b472c067c2d06c",
    "kind": 0,
    "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
    "sig": "01d21f61e6207db6df048737a19d3ae200e23cfb8eafcef92696dfb679eab142a40481392e491e3a1b4ac5d4bc34624cec53f8be54cfc9569f09bc7fc36bddd6",
    "tags": []
  }
]

1749408931 -> 2025-06-08T18:55:31.000Z so that changed 3h ago.

Still cached on njump for now, nip-05 was coinos@coinos.io, which is still functional

151 sats \ 4 replies \ @ek OP 8 Jun

Oof, so this means their nsec is compromised?

100 sats \ 2 replies \ @optimism 8 Jun

Also:

banner changed: cached -> new
logo changed: cached -> new

Note that for some reason the new ones are hosted at coinos.io/api/public/ so I'd assume at this point that the public API has been defaced.

0 sats \ 1 reply \ @optimism 8 Jun

full cached kind 0 from njump, for archiving purposes:

{
  "id": "24e76f5140b6f49cbea7cb12c7b2bcab8d7e1e8f3153d6a600eaab160ef97e14",
  "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
  "created_at": 1733706298,
  "kind": 0,
  "tags": [],
  "content": "{\"name\":\"Coinos\",\"username\":\"coinoswallet\",\"display_name\":\"Coinos\",\"displayName\":\"Coinos\",\"picture\":\"https://coinos.io/icon-512x512.png\",\"website\":\"https://coinos.io\",\"about\":\"The easiest way to get started with bitcoin. Coinos is a free and open source bitcoin web wallet.\",\"nip05\":\"coinos@coinos.io\",\"lud16\":\"coinos@coinos.io\",\"pubkey\":\"ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6\",\"npub\":\"npub1h2qfjpnxau9k7ja9qkf50043xfpfy8j5v60xsqryef64y44puwnq28w8ch\",\"created_at\":1730935217,\"banner\":\"https://m.primal.net/MqlY.png\"}",
  "sig": "375f7d557c538add5bbb35f51ad8132fd0e23feb156d56683fe069aa0611eb25fb57710aa3a2f4db659f9292e6311fb18f27c770fe242374e4ac47c9a9f1ba24"
}

0 sats \ 0 replies \ @optimism 8 Jun

Kind 0 now changed to the following at 2025-06-08T22:30:18Z:

[
  "EVENT",
  "cn",
  {
    "content": "{\"lud16\":\"coinos@coinos.io\",\"picture\":\"https://coinos.io/images/icon.png\",\"about\":\"\",\"name\":\"coinos\",\"banner\":\"\",\"display_name\":\"Coinos\",\"displayName\":\"Coinos\",\"website\":\"https://coinos.io\",\"nip05\":\"\"}",
    "created_at": 1749421818,
    "id": "1d3af9ce34e70a13e5e4b81a9eb207e526af35c3b5673cda3301bb2cec870000",
    "kind": 0,
    "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
    "sig": "f91ce30ed0e70cca71f189b16b0fba9cd48628cbcd4a9bec9f3e1a54075c2fb2d4f23c114b901185c7d699d42aaef97a85b33f439a303d985dd78e39c774384d",
    "tags": []
  }
]

50 sats \ 0 replies \ @optimism 8 Jun

Potentially, yes.

Edit: especially because the new NIP-05 addr is defunct - 404 (don't try it w/o tor.)

226 sats \ 0 replies \ @optimism 8 Jun

Update:

view on primal.net

76 sats \ 0 replies \ @0xbitcoiner 8 Jun

My account's fine! All good on my end.

44 sats \ 0 replies \ @nichro 9 Jun

Bummer.

Seems it's possible it's a follow up attack from the database issue a while back?

And that compromised accounts were all using Nostr login (which might mean it's an nsec breach) so I think accounts without Nostr keys for logging in are safe?

Hope the couple few local merchants recently onboarded on Coinos are fine. Would be rough to onboard and immediately get rugged within a week or two.

33 sats \ 0 replies \ @dog 9 Jun

This is concerning, I’ve chatted with the maker of coinos on Nostr a few times and he even listed coinos on my experimental website https://nostrstore.com/ . He seems like a cool dude, I know they have had pretty serious issues in the recent past as well including locking funds and losing account for funds do to server outages. I’m also good friends with Sergio on Nostr one of the effected, he said it was changed but luckily none of his funds were sent to the new address.

21 sats \ 4 replies \ @nathanael 8 Jun

I hope it's nothing too big. Adam had some database problems some weeks ago. Now I feel bad that I wrote 2 emails today with some feedback / feature requests... I also noticed today that the Coinos Nostr account doesn't use a coinos.io address. But I am not sure if that was always the case.

0 sats \ 3 replies \ @supratic 8 Jun

deleted by author

19 sats \ 1 reply \ @ek OP 8 Jun

I don't know why you think it's not a Coinos issue when two users reported their Coinos autowithdrawals are going to other wallets which has nothing to do with any nostr client.

0 sats \ 0 replies \ @supratic 8 Jun

true... just double checking!

7 sats \ 0 replies \ @0xbitcoiner 8 Jun

cc/ @adam_coinos_io

0 sats \ 5 replies \ @supratic 8 Jun

~nostr?

0 sats \ 4 replies \ @WeAreAllSatoshi 8 Jun

Yea what? Is Coinos a nostr thing?

50 sats \ 1 reply \ @ek OP 8 Jun

moved it to ~lightning now

I used ~nostr because the reports were from there

0 sats \ 0 replies \ @WeAreAllSatoshi 8 Jun

Maybe we need ~PSA

0 sats \ 1 reply \ @supratic 8 Jun

deleted by author

0 sats \ 0 replies \ @ek OP 8 Jun

It does:

0 sats \ 0 replies \ @Bell_curve 10 Jun

Why not address coinOS directly @ek?

@coinoswallet

@adam_coinos_io

0 sats \ 0 replies \ @alashazam 9 Jun

It is like a streak of bad luck for coinos

0 sats \ 0 replies \ @stackernews110 9 Jun freebie

Did the users have 2FA enabled? If it was an nsec leak, is that still account protection against settings being changed?

0 sats \ 1 reply \ @realBitcoinDog 9 Jun

Thanks just withdrew my balance just in case! Better @istealkids than someone steal my wallet!

0 sats \ 0 replies \ @noknees 9 Jun

lol no

0 sats \ 0 replies \ @hasherstacker 9 Jun

It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.