Please note that we have changed the title of this article from the previous one, which said Golix had been hacked, because Golix reached out and said the platform itself had not been hacked; rather, some of their users had their email accounts compromised, which is technically different.
Zimbabwe’s most visible cryptocurrency exchange, Golix, has been hacked. The exchange disclosed the hack this evening in an email to customers.
According to the email, a limited number of account holders had their accounts accessed by “unsolicited third parties” in the past three weeks. The startup blames the hack on poor security practices by its users. Apparently, the attackers compromised users’ email accounts and used those to gain access to the corresponding Golix accounts.
Once in, the email says, the attackers converted funds between individual users’ cryptocurrency and USD wallets, and also bought some cryptocurrencies. They were, however, apparently not able to withdraw funds from the exchange. This implies that users didn’t lose any value. Golix says all the withdrawals that happened did so with “full verification.”
The message does not make it clear if Golix has done a full investigation and determined the exact extent of the breach, so more updates will likely be coming from the startup.
Even though the message indicates that no withdrawal of funds happened, the startup uses the words “without full verification”, and as far as we can tell, this does not rule out malicious withdrawals that were made to appear verified.
In addition, since some unauthorized buying of cryptocurrencies happened, users could have also lost or gained value from the trading that happened. Cryptocurrencies are highly volatile and any conversion from one currency to another can result in significant changes in the value of one’s portfolio.
Golix used the email to advise its users of some security tips.
Here’s the full message:
Please be advised that in the three weeks leading up to the 12th of March 2018 we noticed that a limited number of Golix accounts fell victim to unsolicited third-party access.
The information gathered so far indicates that this malicious activity was carried out through compromised user email accounts.
As a result of this intrusion, affected users have noticed some changes to their accounts such as the conversion of their cryptocurrencies and/or the acquisition of additional cryptocurrencies through already held US dollar balances.
This issue is a priority for us, as are all matters pertaining to account security.
We have a technical team that has been making changes to our systems and has already put in place measures that prevent the withdrawal of any form of currency from users’ accounts.
Thanks to these efforts, we have successfully ensured that no funds are withdrawn from any account without full verification.
These measures, however, cannot work in isolation.
For additional security protocols, we encourage you as a Golix account holder to do the following:
- Change your Golix account password by clicking on “Forgot password” before you log in to your account
- Enable two factor authentication using Google Authenticator on your Golix account
- Change your email password
- Enable two factor authentication on your email account using Google Authenticator or other non-SMS 2 factor options that may be provided by your email provider
- Do not use the same password for both your email and your Golix account
- If possible, use a password generator to generate the email password for you
- Avoid accessing your internet service over insecure / untrusted internet services that you do not know are legitimate and verified internet providers
- Avoid using your name, surname, children’s names, birthdays and other common attributes as your password
- Avoid accessing your email and Golix account on public internet services like internet cafes
- Do not share your password for any account you have with anyone
- Take note of possible phishing attacks on your email – these are “attacks” that trick you into clicking on links in suspicious emails that come through your account which may lead to loss of private data
- Please safeguard your privacy when it comes to information about your Golix account or how you deal with cryptocurrencies. Be very cautious about sharing unnecessary information about these issues, especially on public forums like WhatsApp and Telegram Groups and on social media.
If you have any challenges with your account please contact us via email or on any of our numbers and social media platforms.
The Golix Team
As far as we know, Golix currently allows users to log in without 2-factor authentication (unless this changed today). It also allows users to make purchases of cryptocurrencies without any verification of those internal transactions. Two-factor authentication is, however, required to make withdrawals from the exchange.
It is generally discouraged to use exchanges to store one’s cryptocurrencies. Traders and investors are encouraged to keep their cryptocurrencies on an exchange only when they want to trade them, and afterward to move them to dedicated wallet services.
Currently, Bitcoin (and cryptocurrencies in general) is not regulated in Zimbabwe, which means any customers of Golix who lose their money are not protected by the financial regulations of the country.
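To make the gap described above concrete (a second factor demanded only at withdrawal, while login, conversions and purchases go through on the password alone, and the password itself can be reset by whoever controls the mailbox), here is an added example written for this page; it is not Golix’s code and does not describe their systems. It implements an RFC 6238 TOTP check of the kind Google Authenticator apps produce, and a small step-up policy table that decides which actions need that second factor. The action names, the two policy tables and the demo secret (the RFC 6238 test secret) are this example’s own assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test-vector secret, NOT a real user key.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6       # code length shown by authenticator apps


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays for `unix_time`."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock drift.
    Comparison is constant-time so a timing side channel cannot leak the expected code."""
    for skew in range(-window, window + 1):
        candidate = totp(secret, unix_time + skew * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Policy tables (assumed for this example): True means the action needs a second factor.
# WEAK_POLICY mirrors the situation the article describes: only withdrawals are gated.
WEAK_POLICY = {"login": False, "convert": False, "buy": False, "withdraw": True}
# HARDENED_POLICY gates the login and every balance-changing action.
HARDENED_POLICY = {"login": True, "convert": True, "buy": True, "withdraw": True}


def authorize(policy: dict, action: str, password_ok: bool,
              totp_submitted, secret: bytes, unix_time: int) -> bool:
    """Decide whether `action` is allowed. A correct password alone is never enough for
    an action the policy gates, because a mailbox takeover plus 'Forgot password'
    yields a correct password without the user's involvement."""
    if not password_ok:
        return False
    if policy.get(action, True):   # unknown actions default to requiring 2FA
        return totp_submitted is not None and verify_totp(secret, totp_submitted, unix_time)
    return True


def simulate_mailbox_takeover(policy: dict, unix_time: int) -> set:
    """Model the incident: the attacker has reset the password via the mailbox
    (password_ok=True) but holds no authenticator, so submits no code.
    Returns the set of actions that would succeed under `policy`."""
    actions = ("login", "convert", "buy", "withdraw")
    return {a for a in actions if authorize(policy, a, True, None, DEMO_SECRET, unix_time)}


if __name__ == "__main__":
    now = 59   # RFC 6238 test time; expected code 287082
    print("current code:", totp(DEMO_SECRET, now))
    print("weak policy lets a mailbox thief:", sorted(simulate_mailbox_takeover(WEAK_POLICY, now)))
    print("hardened policy lets a mailbox thief:", sorted(simulate_mailbox_takeover(HARDENED_POLICY, now)))
```

Under the weak table the simulated attacker can log in, convert and buy (exactly the activity the email reports) and is stopped only at withdrawal; under the hardened table every action fails without the authenticator code, so an email compromise on its own no longer moves any balance.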
11 comments
I saw the email and this is bad, very bad for them. The only way to be sure they are telling the truth is if an external audit is done; otherwise they might be pulling a Yahoo! and playing with words when the damage was extensive. Saying that customers did not lose value is a bit disingenuous in my opinion when said customers could have had their funds changed into the cryptocurrency equivalent at an inopportune time.
I speculate that this was a hack by international hackers who wanted to siphon Bitcoin. The international appeal of Bitcoin means Golix is a prime target for international hacks from the likes of the DPRK, who brought Sony to its knees. These are highly skilled people with resources and the sort of determination never seen before. This hack appears targeted, and these are hard to fend off. It does not help that Golix rhymes with Mt Gox; why on earth they chose that name is beyond me. If they are not careful they will meet the same fate.
This is not the time for garden variety programming skills. They need to be at the top of their game to stay afloat.
You could be right, I don’t think they are truly revealing the extent of the hack. I strongly suspect that more money/crypto was siphoned out and as a result withdrawals via bank or EcoCash seem to be taking longer than normal to be processed. An external auditor could be the only way to ascertain the extent of the hack.
As a security review, my two cents to Golix is that 2-factor authorisation should be a prerequisite for signing in to the exchange, not only when one wants to move assets out. A lot of damage can be done by the hacker without necessarily withdrawing funds. Customers’ assets can be used to “pump” the hacker’s preferred coins via the exchange.
How much did techzim lose….
Most of you were holding onto bitcoin for speculation… Your articles were definitely meant to create a run on bitcoin… Kinda like social marking… The usual Zimbabwe quick buck mentality… Block chain may be the future but balanced articles are a must… At least the usual disclaimer of financial benefit would suffice
It worries me that you have concluded that we have any financial benefit from Golix. As I told you in an earlier comment in a separate article, when we write sponsored articles we label them as such. Would we have published this article if we were what you suggest we are?
At least now Golix has a competitor, http://www.styx24.com. I tried them a few days ago after endless nightmares from Golix; they are well run and very professional.
Bitcoin might be the future, but right now it’s a piece of shit. As for Golix, I purchased some coins but never got my account top. So ………………
Dear Staff Writer
Why did you change the title of this article? Did you receive a call/email from Golix?
I have just talked to the customer representative from Golix as I was making a follow-up on my withdrawal that I initiated yesterday but hasn’t reached my EcoCash account. I was told something very shocking: they said that their EcoCash account has no money, so they are waiting to replenish from their bank account. Who knows if the money is indeed there in the bank? Only external auditors can tell if indeed no BTC was siphoned through the hack; otherwise Golix might now be running a Ponzi where they are paying old withdrawals with new ones as a result of the hack.
Has anyone noticed that a lot of these exchanges do not have physical addresses? They seem to easily get hacked and never shoulder the responsibility. It’s easy to establish an “exchange”, get thousands to put their money in, then claim you were hacked, declare bankruptcy and shut down. Easy money, in my opinion.
My hesitation on throwing money into technology that is not only young but less well tested & understood has paid off. Most of these “bitcoin” this, “bitcoin” that “start-ups” are essentially Ponzi schemes. This has been mentioned on TechZim time & again. More so, in an area where there is absolutely no government regulation whatsoever. Anything goes. Which is why most Reserve banks have dragged their feet when it comes to bitcoin issues. The risks of losing are much higher than those of gaining, just like lotto, casino, slot machines, the lottery etc., except that some of these have very clear rules of operation and documented recourse in the event of what I would call “radioactive” fallout.
Way back (in the analogue years) it used to be prudent to work with businesses that have physical addresses and a landline etc so that they could be nailed when they transgress. Now in this virtual, fast, digital potpourri where does the young, digital, wannabe investor start when they have been “cleaned” like this?
Despite technological advancement, the basic human vices still remain: malignant and rampant. Of these, greed (avarice) still lurks around preying on the stupid, the foolish, the naive and the plain ignorant, its practitioners laughing all the way to the virtual bank!
Why do you guys delete comments from people? Do you get paid to publish these articles? We are airing our concerns and you delete them. How do you expect Golix to improve when you delete our feedback? Be professional, TECHZIM