On Wednesday the 14th of November 2018 we were alerted to some questionable trades on the Doge-BTC Market, A user had placed a buy order for just over 11btc worth of Dogecoin at 100 sats price which is way above the current price, Said user then went on and bought mass amounts of x42 off the books pumping the price.
Upon checking the bitcoin wallet we noticed it was empty and we instantly locked down the users account and suspended trading and withdraws so we could investigate.
There was no breach to any of the wallet servers nor to the actual website server itself and there was no injections on any open ports.
We have now learned after speaking with security experts in the field there seems to be a vulnerability in the OpenSource exchange script we were using (OpenTrade) that allows a user to inject a false balance which is what has happened here.


Checking through the logs we can see the hacker credited themselves with 25 BTC in to their account on our database end, then began placing these large orders hoping people would sell into his high profit buys, we can also she he began by emptying the bitcoin wallet, then moved on to doge and x42, all other coins remain un-touched and safe. The hacker made many small withdraws over several minutes at which point we stopped them mid hack and managed to recover some funds before they withdrew them. We were alerted by other users to huge sells over at start-ex on x42 coin so we instantly reached out to them who worked with us to lock out the hackers account and null their balances, unfortunately though they had already withdrawn the BTC they gained from the selling of x42, Also due to the speed and help of start-ex we managed to recover some users stolen x42 that the hacker hadn't managed to sell off in time and we would like to thank Start-Ex for working with us as a community to limit the effect the hacker has caused.

After investigating all of the logs and balances here is what the hacker has taken:

864878 doge

2.785 BTC

61924 x42

21435 of that x42 was recovered with the help of Start-ex.

We also managed to recover:
249784 Dogecoin
9627.29907143 x42
before they could withdraw them from the exchange.

I know the hacker will have used fake details but here is the information we have on them:

Username: kondratlipski
Email: kondratlipski@gmail.com

Off exchange BTC address coins were withdrawn to:
https://www.blockchain.com/btc/address/1B1dSfEABWvs9rb2ZYvuU3SkBKh5sELyTu

Off exchange Dogecoin address coins were withdrawn to: https://dogechain.info/address/DDJWcffLV6x88Uk1eMhqArwrc45hoJ6SVg


As we said above the other coins listed and other balances remained un-touched.

Due to the vulnerability in the OpenTrade platform we have decided not to re-open the exchange for trading and we have disabled automatic withdraws to ensure no one can manipulate and steal any more balances.
We have removed all of the hackers trades from the exchange and credited back balances of the coins you held and we are inviting users of AltMarkets to request a refund of their balances via ticket process.
Ticket requests between 15th - 22nd of November 2018 are currently being actioned, We have refunded over most people and will continue to refund the remaining open tickets over the next few days but we are no longer accepting new tickets, Thanks for your support.