After the recent announcement from our Japanese team about the new wallet for LINE Messenger, we noticed that a very large amount of SHIELD was being sold on CoinExchange (CE). Remembering the recent allegations from the COLX team about a possible CoinsMarkets exit scam, we quickly contacted CE to ask if there had been any suspicious behavior on their exchange pertaining to some of our members CoinsMarkets deposit addresses. CE responded with the confirmation that SHIELD from our members’ CoinsMarkets addresses were indeed deposited onto CE (over 15 million XSH, to the CE deposit address: [SjaHeB3wLRfaRgogtdw9wGYgjLbVAdQLD7]), and were subsequently sold for BTC and withdrawn. Though the account was then locked, the BTC was already withdrawn by that time. The SHIELD that was deposited on CE has been confirmed to have been sent from a number of the wallets that are controlled by CoinsMarkets, as you can see here:
Address #1: [ScpSm9Q76p1N7omGUN5D7iR2TpXhPfbWWi]
Above is the deposit address for a user on CoinsMarkets. CoinsMarkets is guaranteed to be the holder of the private key for that address, so only they are able to send coins from that address to another. A quick check on the explorer here shows a send transaction of about 500,000 XSH made on the 12th April 2018, to this address: SjaHeB3wLRfaRgogtdw9wGYgjLbVAdQLD7, which was confirmed by CE to be a deposit address in their control. So it is certain that it was CoinsMarkets themselves that initiated this deposit, and not, say, a CoinsMarkets user, since all XSH withdrawals have been closed for months (and continue to be closed).
Address #2: [SSdbC7Jzrxw3fuSfjAttu5Y4S37RPRM4AA]
Here is the deposit address shown for a second user on CoinsMarkets. You can check their SHIELD deposit address on the explorer here. You can see two transactions, one made on the 12th April worth 50,000 XSH and another made on the 13th April worth 2000 XSH. Trace the payments and they both lead to the same address as before: SjaHeB3wLRfaRgogtdw9wGYgjLbVAdQLD7.
Address #3: [Shr9vTD8S32nfkNJdWMX8G8UkLQ31pecZQ]
Here is yet another example. Please find their SHIELD deposit address on the explorer here. You can see two transactions, one made on the 12th April worth 18,000 XSH and another made on the 13th April worth 30,000 XSH. Trace the payments and you can see that they both arrive at the same CE deposit address: SjaHeB3wLRfaRgogtdw9wGYgjLbVAdQLD7.
We contacted CoinsMarkets immediately after they closed their exchange back in January; they said they were working on fixing their database problems, so we waited a while before contacting them again. After hearing that they were enabling withdraws on other coins, we contacted CoinsMarkets again to ask them to enable withdraws for SHIELD. They neither replied to our inquires nor did they publicly announce any reason for the closing of CoinsMarkets.
As it stands, the CoinsMarkets team is anonymous, thus we were unable to get into contact with them via an alternate channel.
Our deepest sympathies go out to anyone who may have lost SHIELD (or any other coin, for that matter) on CoinsMarkets. To try and minimize the risk of this happening again, we will include a warning message on our website from now on. This warning will hopefully further educate our community about the risks of storing SHIELD on an exchange wallet.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —
NOTE: There have been a few misunderstandings that should be addressed:
Q1: If the coins were moved to CoinExchange/CE, why does the CoinsMarkets balances page still show SHIELD (like the above screenshots)?
A1: That page is highly likely to have been cached. It’s just visually showing the presence of SHIELD on the website, while the real SHIELD was moved away to CE to be sold. Since CoinsMarkets run the website, they can keep those numbers there for as long as they like. They could also edit the numbers so that everyone’s balances all say 999999. It’s purely a visual “trick”, but you can’t trick the blockchain. Checking the explorer reveals that all those addresses have been drained into the CE deposit address.
Q2: If 15 million stolen XSH has been sold, why is it still visible as being in the CE deposit address on the explorer?
A2a: Trades happen internally.
Trades on an exchange are managed internally. That is to say, any trades that happen on CE are tracked through CE’s internal databases rather than the blockchain. The quantity of the cryptocurrencies which are deposited into a deposit address are simply added to the existing balance for that account in the internal database, and trades are tracked across users based on their account info in that database. If all trades were recorded on the blockchain, you may have to wait for network confirmation for every trade made on the exchange, which is not the case. Exchange balances on the blockchain are only modified when a) someone makes a withdrawal, b) when someone makes a deposit, and c) when said exchange reorganises their addresses (for efficiency etc.).
A2b: Withdrawals made by the legitimate buyers do not necessarily have to affect the 15mil balance on the deposit address.
According to CE, all of the deposited XSH was sold for BTC. That means that that XSH (though initially stolen) is now in the hands of legitimate buyers.
As an analogy, take a standard crypto QT wallet that can hold multiple addresses. Receiving 1 coin on one of those addresses and then sending 1 coin from your wallet (without coin control) to another address does not necessarily use the “very same” coin that was received earlier. The addresses and inputs used for sending are automatically determined by the wallet based on a priority algorithm, and it is a similar situation for CE — withdrawals made by buyers of the stolen XSH do not necessarily have to be deducted from the initial deposit address; they can be sent from any other address in the CE wallets, depending on CE’s internal algorithms.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —