Nonlogs

385 posts

Nonlogs banner
Nonlogs

Nonlogs

@nonlogs

no KYC. no IP logs. no personal data. just trade. built because we needed it ourselves.

Katılım Ekim 2025
5 Takip Edilen757 Takipçiler
Sabitlenmiş Tweet
Nonlogs
Nonlogs@nonlogs·
Community, We Need Your Help Before we bring the server back online, we need your help identifying the actual cause of the hack. So far, I haven't been able to determine how the attacker gained access. I'm not a cybersecurity expert, and my knowledge in this area is limited. To help investigate, we're making our source code public so the community can review it and help identify any potential vulnerabilities. codeberg.org/nonlogs-io/cor… Our current suspicion is that the attack may have involved JWT token forgery, possibly due to a leaked secret key or a successful brute force attack against the secret key. However, this is only a hypothesis, and we need experienced developers and security researchers to help verify the real cause. If you have experience with backend security, authentication systems, or JWT, your help would be greatly appreciated. Our goal is to fully understand what happened before bringing the service back online to ensure everyone's funds remain safe. Thank you to everyone willing to help.
English
8
8
24
1.3K
Nonlogs
Nonlogs@nonlogs·
Security Incident Report: Incident window: 2026-07-07. Stolen Assets BTC: 0.62873908 -> bc1qavhtrggs3v6zf52upxefc4ex3z2w2u9qddqfy7 XMR: 1.41000000 -> 83fzQ2kNkjBVTKY7VGyhRV5puiKMwxLK5UW1D48SP1547daNdnHo8kjWK7zxEUQkkQC6hDZZknaeddCKUSLzgSd4KqTNfft WOW: 545868.63918139 -> Wo4gM9nL1rrdGpNBmnCvbxBjjr83zE58U415wmmxM2Jh8zaKJmxVYGkfERrJfMSHd7bU5WAixh4qM4V6kRPivcLi2DGDRnydm Based on our investigation, the USDT and GRIN withdrawals appear to have been performed by users. We cannot be 100% certain, but they are most likely legitimate user withdrawals. The attacker did not appear to target the USDT or GRIN funds. An external attacker registered a throwaway account, obtained a valid JWT, harvested admin user UUIDs from a public API, forged admin and victim JWTs, dumped balances, and withdrew funds. We believe our JWT signing secret may have been compromised. It was stored in layout.json. Possible explanations include a brute-force attack against the secret, unauthorized access to layout.json through a dependency package, server compromise, or another unknown vulnerability that exposed the JWT signing secret and enabled JWT forgery. At this time, we cannot determine exactly how the JWT signing secret was obtained. The account “pufferfish1” is considered a possible attacker-controlled account, but we cannot conclusively attribute it to the attacker. The attacker could have stolen funds directly from the hot wallet but instead canceled users open orders and initiated withdrawals from user accounts. This suggests the API was used with valid JWTs. Some users who had not logged in for 103 days and 88 days still had withdrawals processed from their accounts. During the incident, approximately $900 in accumulated trading fees and withdrawal fees was also stolen. Attacker Information Gathered from Nginx and Cloudflare 03:42:59 UTC — Account created: pufferfish1 / omega-width-gamma@duck.com Registered using Chrome 150 on macOS. - 16:43 — First hit from 23.162.40.99 → /auth/me (404) - 17:09 — /openapi.json (200) - 18:07 — /auth/me → 200 (multiple response sizes) - 19:25 — /withdrawal/.../user/history (200) - 19:47:31 — /user/admin/aggregated/user_balances (200, ~131 KB) - 19:47–19:56 — /user/admin/users/list, /wallet/admin/wallets-by-coin - 19:55 — Attempts to access /auth/admin/2fa/disable and top-up endpoints - 20:11 — First successful POST /withdrawal/withdrawals/create → 201 from 23.162.40.99 - 20:11–20:48 — Rapid BTC withdrawal requests to bc1qavhtrggs3v6zf52upxefc4ex3z2w2u9qddqfy7 Ongoing — Canceled victims' open orders, rechecked balances, and submitted additional withdrawal requests - 02:26 — Last successful withdrawal request from the attacker IP; numerous subsequent 429 rate-limit responses Cloudflare logs recorded 389 withdrawal creation attempts from 23.162.40.99, including 57 successful (201) responses, with the remainder returning 400, 404, or 429 responses. Possible Attack Flow: Possible attacker registers pufferfish1 ↓ Obtains JWT signing secret by unknown means ↓ GET /coin/coins -> admin UUID (created_by) ↓ Forge admin JWT ↓ Retrieve user balances and user list ↓ Forge victim JWTs ↓ POST/withdrawal/withdrawals/create -> attacker BTC address Source IPs: 173.249.254.85 - Reconnaissance and possible pufferfish1 login - SanJose, CA - AS11878 (tzulo, inc. / KGY, LLC) 23.162.40.99 - Forged admin JWTs and mass withdrawals - Los Angeles,CA - AS400882 (Cyber Data LLC). We do not log user IP addresses. The IP addresses in question were obtained from Cloudflare by correlating the request timestamps with the corresponding Nginx requests. Cloudflare retains these event logs for up to 24 hours.
5
6
34
4.1K
Nonlogs
Nonlogs@nonlogs·
We have lost: BTC: 0.65267867 GRIN: 175288.18821862 USDT: 2022.58134103 WOW: 563773.53020695 XMR: 1.41000000 to the attacker: bc1qavhtrggs3v6zf52upxefc4ex3z2w2u9qddqfy7
English
15
2
85
25.1K
Nonlogs
Nonlogs@nonlogs·
We experienced a security incident affecting withdrawals on Nonlogs. We have rotated auth secrets, invalidated all sessions, paused/secured withdrawal flows, and are reviewing all July 7-8 withdrawals. We are investigating urgently and will publish updates.
English
0
3
19
2.6K
Nonlogs
Nonlogs@nonlogs·
crypto was built so governments couldn't control your money. now they're passing laws to control which crypto you can buy. who you can buy it from. and who you have to prove you are first. they didn't beat it. they just built a cage around it.
English
2
5
21
2K
Nonlogs
Nonlogs@nonlogs·
JPMorgan. Citi. Bank of America. Wells Fargo. all building the same blockchain network to track every dollar you move. they didn't kill crypto. they're becoming it.
English
1
1
22
1.7K
Nonlogs
Nonlogs@nonlogs·
the UK government wants to build a mandatory digital ID for everyone. "it's just to check your right to work" they say. "we're building an infrastructure that can follow you everywhere" said the MP opposing it. one of them is lying.
English
0
3
12
1.6K
Nonlogs
Nonlogs@nonlogs·
@coinbureau the man who ran an exchange that leaked millions of users' KYC data is now your bitcoin price oracle. make it make sense.
English
1
1
1
268
Coin Bureau
Coin Bureau@coinbureau·
🔥CZ: BITCOIN $BTC TO $1 MILLION BY 2033 IS “TOTALLY POSSIBLE” CZ told The Block that Bitcoin holders in terms of wealth are “probably less than 1%,” meaning “the demand for Bitcoin can be significant.” He said if the next cycle goes 5x, Bitcoin could reach $600K, then the 2023 cycle “only needs 2x to get to a million. Totally possible.”
English
96
71
487
77.4K
Nonlogs
Nonlogs@nonlogs·
@OrangeFren and just like that, 450 million people lost access to non-custodial privacy tools. compliance isn't protection. it's a gate.
English
1
1
19
1.1K
OrangeFren.com
OrangeFren.com@OrangeFren·
⚠️ July 1st is here. MiCA is fully in effect for the 450M EU residents A MiCA license is required to: 🔸custody client coins 🔸operate a crypto <> crypto exchange 🔸operate a crypto <> fiat exchange 🔸execute orders on behalf of clients 🔸place crypto assets 🔸receive and transmit orders for crypto 🔸advise on crypto 🔸manage clients crypto portfolio 🔸provide transfer services for crypto ❗️Advertising non compliant services to EU residents is illegal
OrangeFren.com tweet media
English
15
13
80
102.5K
Nonlogs
Nonlogs@nonlogs·
google, meta and microsoft kept scanning your private messages after it became illegal. april 3rd the law expired. they kept going anyway. no legal basis. no consequences. just kept reading your messages.
English
1
3
11
779
Nonlogs
Nonlogs@nonlogs·
@J_Mcryptolaw monero's been forked over 500 times. zcash codebase runs on dozens of chains. the shutdown just becomes the origin story.
English
0
0
1
33
Jefferson Mongare
Jefferson Mongare@J_Mcryptolaw·
@nonlogs The beauty of open source and decentralized protocols. Once deployed, its almost impossible to stop them. Anyone can fork the system and continue.
English
1
1
2
36
Nonlogs
Nonlogs@nonlogs·
they shut down samourai. they shut down tornado cash. the code still runs. forks still exist. builders kept building. can't arrest an idea.
English
3
5
25
724
Nonlogs
Nonlogs@nonlogs·
@liquidstate_1 samourai wallet. tornado cash. both built bitcoin privacy tools. one got 5 years last november. that's what we mean.
English
0
0
0
41
Liquid State
Liquid State@liquidstate_1·
@nonlogs What privacy software are you referring to? I use lots of privacy software and I can't recall anything becoming illegal. I'm not say you're wrong just genuinely confused what you mean.
English
2
0
1
35
Nonlogs
Nonlogs@nonlogs·
ten years ago building privacy software made you a hero in the crypto community. now it makes you a federal criminal. the technology didn't change. the tolerance for it did.
English
9
6
37
841
Nonlogs
Nonlogs@nonlogs·
@Shamex_Ent you don't regulate things nobody cares about. the crackdown is the proof of demand.
English
0
0
0
5
Shamex
Shamex@Shamex_Ent·
@nonlogs Criminalizing privacy won't erase the need for it. It only proves how valuable it has become.
English
1
0
1
20
Nonlogs
Nonlogs@nonlogs·
@Halifan_Iyah always has been. privacy didn't get dangerous. visibility got profitable. :)
English
0
0
0
4
Jigga
Jigga@Halifan_Iyah·
@nonlogs The shift says more about the system than the tech Privacy is still a basic right no matter how it's treated
English
1
0
2
19
Nonlogs
Nonlogs@nonlogs·
@john_bosco99 they sentenced the dev. couldn't sentence the protocol. that detail matters more than people realise.
English
0
0
0
15
John Benjamin
John Benjamin@john_bosco99·
@nonlogs That's the squeeze. But the infrastructure built during that window, Secret Network, confidential compute, TEEs exists regardless of what regulators decide. It's not breaking law, it's enabling legitimate institutions to operate privately.
English
1
0
1
13
Nonlogs
Nonlogs@nonlogs·
@MrBrownConcept wild part is the code never changed. just the people in charge of deciding who's a criminal.
English
0
0
1
7
C. Brown
C. Brown@MrBrownConcept·
@nonlogs You're right. Tolerance for privacy has surely declined as the years progressed.
English
1
0
1
17
Nonlogs
Nonlogs@nonlogs·
@coinbureau everybody tracks these etf flows like it means something real. it is just tradfi guys shuffling spreadsheets around. real crypto is sitting in cold storage and private wallets completely ignoring this.
English
0
0
3
56
Coin Bureau
Coin Bureau@coinbureau·
🚨BRUTAL: SPOT BITCOIN ETFS HAVE LOST $4 BILLION IN THEIR WORST MONTH ON RECORD Investors have pulled $4.06B from spot Bitcoin ETFs in June, the largest monthly outflow since the products launched in January 2024. That beats the previous record of $3.56B in February 2025. Last week alone saw $1.79B in outflows, the second-largest on record.
Coin Bureau tweet mediaCoin Bureau tweet media
English
57
48
234
47.8K