CCN previously reported on a disturbing discovery by a security researcher who had a problem with Sistemkoin exchange. He found that he was able to spy on other people’s support tickets and, more to the point, that most of the support tickets were related to withdrawal troubles. CCN didn’t hear back about that story at the time, but you can see Sistemkoin’s comments near the end of this article.
Sistemkoin is a medium-sized Turkish crypto exchange. At the present time, they have a volume of more than $150 million. We received a report from a Sistemkoin user, who will remain anonymous, who had a severe problem when withdrawing funds from Sistemkoin: the funds went to the wrong address.
Our source says that he used two-factor authentication to make the withdrawal and even verified the withdrawal address via e-mail, as shown below:
However, when the withdrawal was processed, it went to a different address altogether: 0x18cbb649154917b94216c4059152506cb5712758. The transaction should have been sent to 0xa5b456cc24e03ada01403fcff9f7be048c074cdc. We can see by checking the blockchain that the intended address never received a transfer of roughly 12.63 Ether. However, around the same time, the other address did.
That other address has received numerous transactions, amounting to about 75 Ether over the last four months. Many of the transfers have come from Sistemkoin, with 0x5bcbf9f3ef9521a548e7e8b697ecfe29fc2933e1 being the address they apparently process withdrawals from. Some have come from Binance. But the funds are invariably sent on immediately to CREX24, a little-known exchange.
We tried to get a comment from CREX24 to no avail. Here is how our correspondence went:
“We are doing a story about someone whose Ethereum withdrawal from Sistemkoin was hijacked and wound up on your exchange. We would like to get a comment or other information about the user. Here are the transaction details.”
“What is your account email?
Please specify the issue, thanks.”
“As I said in the original e-mail, this is a press inquiry. We are fielding a story from someone who believes their withdrawal from Sistemkoin was fraudulently sent to your exchange. The transaction ID was 0xc1bbd637a2f199837462b8bb039866e314700d1b575aa7d16410ef5d7f25cbe8. We are looking for comment or possibly for you to reveal who received that deposit, especially if it was a proprietor of the Sistemkoin exchange. As you know, handling stolen funds can be considered money laundering in most jurisdictions, so we are doing you a favor by alerting you.”
“Are you from the coin team?
If not we do not investigate the third party claims.”
As you can see in the below image, the transfer shows in the user’s account as processed:
CCN was also tipped off to another user who’d experienced the same issue, only with about 17 Dash instead of 12+ Ether:
In both cases, the amount of money lost may seem negligible to some, or significant to others. But we must insist that the amount doesn’t matter: that this can happen at all is the story. We contacted Sistemkoin, who responded:
“He scam our exchange. He did two withdrawals and receive two mails. He’s confirming one of them and claiming that he did not withdraw to that address.”
We responded that we had noticed other withdrawals going to the same address since. Why had they continued to allow this address in their system, despite apparently believing it to belong to a scammer?
“I see that the same address received several deposits from Sistemkoin over the past four months. The user’s dashboard only shows one withdrawal. Can you produce evidence that he made two requests?”
“Yes it was normal, he was using his account as normal user. After 12 ETH withdraw, he claimed that we stole his coins.”
“Well, can you show us where you sent him a confirmation to send to the other address? And that he confirmed it with 2FA?”
We continue our conversation via Telegram, after the exchange administrator confirms my identity.
At this point, this reporter is quite intrigued. Both stories are actually believable. A user attempts to scam an exchange and fails; an exchange steals coins on the regular. This is crypto – the wild west.
The conversation bleeds into the next day for various reasons. Eventually, the administrator of the exchange provides some evidence that two withdrawal requests were posted, in the following conversation:
As you can see, it shows that two withdrawal requests were placed within a minute of each other. The administrator says the system allows for this. The only one that would go through would be the one that was approved from the user’s e-mail account.
This, in this case, casts reasonable doubt on the story of our source. We’ll leave it up to the reader to decide who’s telling the truth. Both sides are confident in their stories. As a general note, we will say that experienced crypto users, like this reporter, do not use exchanges with low volume, small userbases, or unknown reputations. Many of them end up going the way of C-Cex.