pull down to refresh

Two users have reported that their lightning address for autowithdrawals from Coinos has been changed without their consent:
I also noticed that the lightning address of the Coinos nostr account is set to allcoinos@speed.app.
I wonder if that has always been the case or is part of what's going on. Didn't they use their own service, so it should be a Coinos lightning address?

This post is a duplicate of #1000960 and #1000973 because the first one has been posted in the wrong territory, the second one did not contain a proper title and both didn't really get attention.
I also noticed that the lightning address of the Coinos nostr account is set to allcoinos@speed.app.
From nos.lol when querying for kinds: [0]:
[
  "EVENT",
  "cn",
  {
    "content": "{\"name\":\"Coinos\",\"display_name\":\"\",\"nip05\":\"allcoinos@speed.app\",\"banner\":\"https://coinos.io/api/public/11b1a5f8e328948771ef1642f8e3a636fb90d82b7275c8aeef0bfe048dff9458.webp\",\"reactions\":false,\"lud16\":\"allcoinos@speed.app\",\"damus_donation_v2\":47,\"about\":\"\",\"website\":\"\",\"picture\":\"https://coinos.io/api/public/ed0220f3ebf1011fea0166c9b3d51ff7419cd16c36609b5c3c988cc094db54f4.webp\"}",
    "created_at": 1749408931,
    "id": "b84fede39510424ebe54875d9deaf43adcaecc1851d758d5e6b472c067c2d06c",
    "kind": 0,
    "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
    "sig": "01d21f61e6207db6df048737a19d3ae200e23cfb8eafcef92696dfb679eab142a40481392e491e3a1b4ac5d4bc34624cec53f8be54cfc9569f09bc7fc36bddd6",
    "tags": []
  }
]
1749408931 -> 2025-06-08T18:55:31.000Z so that changed 3h ago.
Still cached on njump for now, nip-05 was coinos@coinos.io, which is still functional
reply
151 sats \ 4 replies \ @ek OP 8 Jun
Oof, so this means their nsec is compromised?
reply
Also:
Note that for some reason the new ones are hosted at coinos.io/api/public/ so I'd assume at this point that the public API has been defaced.
reply
full cached kind 0 from njump, for archiving purposes:
{
  "id": "24e76f5140b6f49cbea7cb12c7b2bcab8d7e1e8f3153d6a600eaab160ef97e14",
  "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
  "created_at": 1733706298,
  "kind": 0,
  "tags": [],
  "content": "{\"name\":\"Coinos\",\"username\":\"coinoswallet\",\"display_name\":\"Coinos\",\"displayName\":\"Coinos\",\"picture\":\"https://coinos.io/icon-512x512.png\",\"website\":\"https://coinos.io\",\"about\":\"The easiest way to get started with bitcoin. Coinos is a free and open source bitcoin web wallet.\",\"nip05\":\"coinos@coinos.io\",\"lud16\":\"coinos@coinos.io\",\"pubkey\":\"ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6\",\"npub\":\"npub1h2qfjpnxau9k7ja9qkf50043xfpfy8j5v60xsqryef64y44puwnq28w8ch\",\"created_at\":1730935217,\"banner\":\"https://m.primal.net/MqlY.png\"}",
  "sig": "375f7d557c538add5bbb35f51ad8132fd0e23feb156d56683fe069aa0611eb25fb57710aa3a2f4db659f9292e6311fb18f27c770fe242374e4ac47c9a9f1ba24"
}
reply
Kind 0 now changed to the following at 2025-06-08T22:30:18Z:
[
  "EVENT",
  "cn",
  {
    "content": "{\"lud16\":\"coinos@coinos.io\",\"picture\":\"https://coinos.io/images/icon.png\",\"about\":\"\",\"name\":\"coinos\",\"banner\":\"\",\"display_name\":\"Coinos\",\"displayName\":\"Coinos\",\"website\":\"https://coinos.io\",\"nip05\":\"\"}",
    "created_at": 1749421818,
    "id": "1d3af9ce34e70a13e5e4b81a9eb207e526af35c3b5673cda3301bb2cec870000",
    "kind": 0,
    "pubkey": "ba80990666ef0b6f4ba5059347beb13242921e54669e680064ca755256a1e3a6",
    "sig": "f91ce30ed0e70cca71f189b16b0fba9cd48628cbcd4a9bec9f3e1a54075c2fb2d4f23c114b901185c7d699d42aaef97a85b33f439a303d985dd78e39c774384d",
    "tags": []
  }
]
reply
Potentially, yes.
Edit: especially because the new NIP-05 addr is defunct - 404 (don't try it w/o tor.)
reply
Update:
reply
44 sats \ 0 replies \ @nichro 23h
Bummer.
Seems it's possible it's a follow up attack from the database issue a while back?
And that compromised accounts were all using Nostr login (which might mean it's an nsec breach) so I think accounts without Nostr keys for logging in are safe?
Hope the couple few local merchants recently onboarded on Coinos are fine. Would be rough to onboard and immediately get rugged within a week or two.
reply
33 sats \ 0 replies \ @dog 22h
This is concerning, I’ve chatted with the maker of coinos on Nostr a few times and he even listed coinos on my experimental website https://nostrstore.com/ . He seems like a cool dude, I know they have had pretty serious issues in the recent past as well including locking funds and losing account for funds do to server outages. I’m also good friends with Sergio on Nostr one of the effected, he said it was changed but luckily none of his funds were sent to the new address.
reply
I hope it's nothing too big. Adam had some database problems some weeks ago. Now I feel bad that I wrote 2 emails today with some feedback / feature requests... I also noticed today that the Coinos Nostr account doesn't use a coinos.io address. But I am not sure if that was always the case.
reply
deleted by author
reply
19 sats \ 1 reply \ @ek OP 8 Jun
I don't know why you think it's not a Coinos issue when two users reported their Coinos autowithdrawals are going to other wallets which has nothing to do with any nostr client.
reply
true... just double checking!
reply
My account's fine! All good on my end.
reply
Sorry 😞 ek
reply
0 sats \ 1 reply \ @ek OP 8 Jun
Why did you post the first one in ~DIY?
reply
100 sats \ 0 replies \ @Christo 8 Jun
Just started this nym and only had a few credits, wanted to get the info out urgent
Sorry was in wrong tt
I purchased some cc's and reposted
reply
reply
Yea what? Is Coinos a nostr thing?
reply
50 sats \ 1 reply \ @ek OP 8 Jun
moved it to ~lightning now
I used ~nostr because the reports were from there
reply
Maybe we need ~PSA
reply
deleted by author
reply
It does:
reply
It is like a streak of bad luck for coinos
reply
Did the users have 2FA enabled? If it was an nsec leak, is that still account protection against settings being changed?
Thanks just withdrew my balance just in case! Better @istealkids than someone steal my wallet!
reply
lol no
reply
It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
Sad
reply
😬
reply
deleted by author