Home » Featured » Pandora Marketplace Hacked: Losing $250,000 in BTC

Pandora Marketplace Hacked: Losing $250,000 in BTC

Update: Withdrawals are working again.

We had a quiet couple of weeks but now a claim from the Pandora Marketplace  admin (Alice) was published stating that guess what…. the market was hacked, losing around 50% of all the BTC totaling at around $250,000 value (somewhere around 425BTC at the current rate), we know this drill very well by now with all the hacks and scams that we have witnessed, Alice posted a very detailed post on the pandora forums explaining what happened, and how the market admins intend to sort this issue out and return the lost funds by collecting higher commissions from the vendors and repaying everyone within the time frame of a month or so.

This is the post from the Pandora admin Alice (you can read the original one here: http://bl3j73taluhwidx5.onion/index.php?topic=6629.0) with some formatting fixes:

===Quote===

First of all sorry, but i didnt had to much for choice if i didnt wanted to close pandora market and hope at least some of you will understand situation, but i know i am going to burn and lost all of my karma, but there is whole truth with my plan.

What happened:
1) Last week pandora market got shaved of large portions of BTC by 2 vendors used to be small-time scammers, they were able to steal about 1/2 of BTC pandora total holdings (basically everything, that was not on cold storage), they found the leak in system.
2) I stopped all withdrawals, found leak and fix the bug in system and also were checking any signle money operation programming, that is the reason why everyone withdrawals were stopped for about 12 hours.

What were my options back then, when i found bitcoin lost:
1) I could make market to disapear and just close it down, everyone will think then, i scammed oll of you.
2) I will apply solution to cover losses and continue operations.
3) I choose number 2)

Why I didnt told truth before:
1) That would probably lead only to instant panic and market closure week before that day. All money would be probably lost - all vendors and customers money.
2) I didn't informed and pandora were able to make withdrawals of more than 1000BTC since steal of bitcoins discovered to vendors -  all of that would not be possible if i would not take this drastic measurements.
3) All my actions was made to safe pandora market and continue operation, time will tell if that was good move.
4) Only what i am sure about is if i didn
t made this drastic measurements, i can only close down the market and be remembered as scammer.

Current situation:
1) I partly covered loss from my profits (this is probably very stupid move from me as everybody will probably blame me, i should closed market i think now) – i covered about 1/3 of losses from my own money (hard decision for me).
2) Market and almost all BTC will be recovered during this week by applying very high tax on all transactions.

Actions made:
1) Currently only max 2/10 pandora holdings are held on main server so possible loss is limited to 2/10 of total pandora holdings.
2) Many security updates to the system, leak fixed.
3) If pandora will survive that, in future if that ever happen again, loss is limited to 2/10 of BTC holdings.

Facts:
1) Pandora market processing withdrawals for vendors and over 1000BTC were sent to vendors during last week.
2) All transaction must be taxed with scheme below to complete recovery.
3) Pandora will start processing withdrawal for all users by 23.3. (withdrawal fee for customers will aply from that day until 23. + 14 days)
4) Pandora will be recovered in less than 10 days from now.
5) For those thinking about closing shops at pandora:
5.1.) I really do understand that, but think about this:
5.2.) Small market might (i mean person behind the market) might not be ready for inflow of money and he might scam you anyway.
5.3.) Think again, how much you made with pandora market existence and how much you are going to make in future and without this market, you would may not be able to make money that you did there.
5.4.) I didn’t had many options to safe market and this loss is temporary and will be repaid back.

Recovery scheme & Buyback:
1) For save pandora market i had to make very drastic measurements – commission (operating tax) of 24% during 23.3.
1.2) commission paid from all transaction scheme:
1.3) 24% by 23.3. (16% recovery tax if your item have add commission to item instead of deduct)
1.4) 16% 23.3. – 31.3. (8% recovery tax if your item have add commission to item instead of deduct)
1.5) 8% from 31.3. until 1.4.
1.6) If you have option to add commission to item price as vendor, you are not charged full 24% but customer pay commission of 8% and after you are cahrged 16%.

Reason to accept that:
1) Truth is that you have no choice and if you want be able to withdraw for all send order, consider it as prepaid tax (will explain later).
2) Take it as necessary evil to continue business on pandora market (i understand some of you will not).
3) All commission paid are in database and i know, who paid what amount of commission above expected.
4) EXAMPLE:
4.1) ESCROW RELEASE FOR vendor_name(31118) ON ORDER 56086 AMOUNT 0.13266796 COMM 0.03741917 (that is helf for every single transaction)
5) These allow me to calculate exact commission paid by that day easily and:
6) From 31.3. all affected vendors (probably all) will have overpaid commission calculated.
7) Overpaid commission ill be put to special database.
All vendors will later pay only 40% of standard commission and 60% will be calculated back to repay tax back to vendors. 60% of future commissions will be paid back to vendors after total amount of overpaid money is 0. (proportion might change to pay back vendors quick as possible)
9) Worst case scenario is i will sell 30% of pandora earnings and pay from that debt to vendors to repay them overtax (each 1% will earn portion of pandora profits, paid daily).

About me & what i think:
1) I must be completely stupid to be honest in this business, because for me were such easier to exit.
2) I dont expect nobody to understand, even if i wrote that post, i think, many of you will think, this is beginning of scam, because it does make sense (but if i am going to scam i am not going to allow withdrawals of more than 1000BTC right ? - so that play for that is truth)
3) I must be very stupid, as i put even my all money back just for everybody will blaming me, but that is risk i am taking now.
4) If somebody think, i am taking that 24% profits now, that is not true, it is much more easier just to close all withdrawals and run away with money - which i didn't do.
5) BIG TRUTH is: Now i am not making any money out of pandora, every single satoshi now go back to repay back loss.
6) I don
t want to sound like i almos save your money, i will be blamed, of course, many will think, this is start of scam, or i took money by myself, but none on that is truth.

FACTS 2:
1) If this is going to be scam, which is not, i am not going to allow withdrawals.
2) Recovery of all loss is by end of month.
3) Pandora will be beck in normal by end of the month.
4) 75% recovered. (30% from me).
5) I am now working for free.
6) Pandora will survive (i believe that).
7) Personaly i still didn’t steal single bitcoins from customer or vendor.
Understand in this anonymous place it is not easy to believe nothing.

SUPER SHORT VERSION:
1) Pandora loss 1/2 of BTC holdings.
2) Drastic tax is needed to recover (paid by all vendors).
3) Tax paid by vendors will be paid back in form of 40% or less commission pay in future.
4) Normal operation will start again approx 31.3.2014.

UPDATE 1:
1) All vendor & customer balances are not touched in any way and after recovery will be fully available (customers can still order from any vendor and vendors don’t  have any issues with withdrawals, from day 1 because i recovered cold storage and used my money to pay vendors).
2) There are enough BTC to cover all withdrawals (i calculated balances on all vendor accounts and pandora have multiple time balance for withdrawal then is available balance on vendor accounts) – vendors dont have issues wit withdrawals from day 1 (except 12 hour withdrawal stop before few days).

UPDATE 2:
1) Inflow of BTC into pandora market is unchanged in comparison to last week
2) Buyers are still buying in stable rate in compare to the last week
3) Others will try to make panic and take advantage of this issue, so if you can, please don
t try to create more panic but protect pandora if possible.
4) If you want as vendor limit your loss, you can change item to add price instead of deduct, then from 23.3. commission 16% will aply and 8% will be paid by you and 8% by customer.

Best what vendor can do now to limit loss is probably change all their items to add commission to price.

That way 8% commission is added to total price to be paid by customer. And from 23.3. “TAX” is going to be 16% so, vendor is paying “just” 8% splitting it with customer. That 8% “TAX” should NOT probably burn most of vendors as margins on items sold here are usually high and every vendor should survive that temporary loss to be paid back when back in normal.

SO if pandora is going to survive that, and at least half of people will understand why it is how it is now, pandora will be here for normal operations within 31.3.2014.

Now everybody say me fuck off and that i am idiont and scammer.

For those who will stay calm, i promise you, i will repay commissions back in time (even for those who will not stay calm).

Never thought it is going happen to pandora, i always think these steal are always made by owners. I thought pandora is stronghold that can not be beaten, but i learned from this and i believe Pandora is not going down!

==End Quote===

alice

This is the post saying that the lost sum was around 250’000$, this might also help explain the 25% commission – considering last weeks turnover was around 1000BTC according to the above post:

250000

We don’t know exactly what happened there but the above post seems detailed enough to explain the general repayment plan, we only hope that everyone will have their money back in no time.

We will keep following and updating as we will have more information.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

11 comments

  1. Pandamonia

  2. I’m sorry to say this and I don’t like to but.. Those literacy skills alone from an Admin would scare me away from the site.

    • @Defunkt – I do believe you’re confusing literacy with fluency. Evidently English is not Alice’s first language. She does have the skill set to read and write apparently, and in a 2nd language to boot. Imagine how you or I would fair in her native land?

      That being said, I don’t get all warm and fuzzy knowing foreigners are running the site. She, if it is a she, seems sincere, but then so does Defcon, and I don’t trust SR2 anymore. He and she may be as sincere as they portray themselves. The fact that what happened, happened on their watch, makes me think that either;, A – they’re incompetent. Or B – It’s Definitely a con. Get it? Def-con. :P

  3. If one bad market creates a scammer fashion way, other ambitious boys realize the same easy way to make money anonymously with no chance of being discovered, as sheep market, tormarket, silkroad2, and as expected for a long time, pandora. Let’s be smart, all markets cited, their admins premeditated fraud all in some way (now they are nice guys that wants to be cool refunding the money that they have stolen, a great business really) no one has updated their platforms, it was used as scenery and artifice for a lie and a scam of thousands or millions of dollars. Bitcoins are like bicycles, who is upon is the owner, and nothing more. Those stupids who rely on admins will be ripped off always. It’s my 0.02 btc

  4. I know deepdot says don’t deposit any bitcoins, and its a good point.

    But while withdrawalsw are disabled. only the site’s owner can take bitcoin out. So if you deposit a small sum, watch it on the blockchain, and it ends up with $250,000 -worth of its friends, Alice has been a naughty, er, girl with her fingers in the till.

    If a site allows deposits but not withdrawals, its USUALLY a scam. If you send to a bitcoin wallet, it has to accept it. But if it starts moving, the marketplace isn’t shut down. Alice is m oving coins about.

    Alice is the only person able to withraw. So if it gets withdrawn, that wallet belongs to Alice

  5. I was scammed (check support chat) weeks ago out of $1,000 by some asshole who claimed to have alerted Alice to the problems months ago re: security.

    Ridiculous that this problem wasn’t fixed months ago.

  6. Wow, wasn’t aware of this hack and still I was able to withdraw without any problems 6 days ago … It only was a small amount (I deposited a little bit too much and withdrew the 20 $ extra amount) – No problem … The same with orders after that day.

    And to the guy who complained because of his/her language skills … I’m no native speaker too, but US TV-Shows, Internet etc. have taught me the language pretty well – But some guys have other talents than languages.

    With Alice that should have been programming – It’s somehow weird that I’ve always seen this coming, but the Pandora site is just so ugly (even though I’ve only shopped there since the latest SR2 hack) and even though I hat to say it but it just looks unprofessional somehow, that I always feared their programming is in the same fashion … And this hack seems to have proven that.

    Of course it was worse with SR2 who were unable to fix the most simple problems (even too incompetent to solve the captcha issue). Even though pandora didn’t have horrible issues like that, the design of the site always screamed insecurity … At least a little bit

  7. Withdrawals are now enabled for customers (with a temporary 20% fee to encourage purchasing), and withdrawals were NEVER disabled for vendors.

    See Alice’s posts for yourself, btw not once was I prevented from withdrawing:

    bl3j73taluhwidx5.onion/index.php?action=profile;area=showposts;u=1

    DDW please update the list of hidden marketplaces because it still says that withdrawals are disabled which is not true.

  8. I’ve got to say, I’m positively surprised about pandora – I always used SR2 until my coins were gone due to this alleged hack (was only some change I didn’t want to move back and forth, especially considering it sometimes took hours or even days to get your coins credited to your SR account then).

    So after the hack I followed my favorite vendor to Pandora, even though the site didn’t seem too appealing to me. But well, you gotta play the hand you get dealt.

    When Pandora started, I searched through their forums and Alice asked the people how she could possibly proof that she isn’t out there too scam anybody. People told her to implement multisig BTC transactions would be the best way to do that and even though she didn’t (or couldn’t) implement multisig up until now it seems pretty clear that this gal (or guy with gal nick) is pretty straight forward.

    Just seems because people already got scanmed so much that nearly every little inch of trust is gone in this community – Even when a genuine incident happens. And with every day going by it seems the Pandora hack was one of those.

    In my opinion Pandora (Evolution also looks pretty good though) is the best market out there at the moment and if somebody would have told me 2, 3 months ago that I would say something like this I’d probably have laughed him off …

    People who really should be ashamed are those (sub)reddit guys. I remember a post asking why there’s no pandora reddit and the answer was, that there were reports of pandora being fraudulent and full of scammers. On the other hand tormarket (which was advertised on the sheep markets “bye bye, I’ve screwed you all” page) got fiercly defended … One week before their shutdown.

    Guess what I want to say: don’t always trust your instincts, but never ever trust reddit!

  9. I have BTC in my wallet on Pandora but withdrawal is disabled and no one responds from support. Was very good Pandora but to disable withdrawal it seems like it’s been scammed. Shame

    Follow my vendors to Agora

Leave a Reply

Your email address will not be published. Required fields are marked *

*


+ three = 6

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">