I very much doubt it - no exchanges are particularly transparent on how they operate due to general security related paranoia. Some exchanges may be cloud based, but I think Bitrex may be the only exchange on Azure as (and I'm sure my knowledge is  probably out of date at this point) Bitrex and Cryptopia are the only exchanges that have Microsoft based stacks; where Bitrix is cloud based and Cryptopia is on centralized hardware.

The two differing approaches on hardware is likely due to differing approaches on how the exchanges process the trades. Cryptopia's trade engine is atomic, where every trade is queued and processed in sequence which is a workload suited to a single threaded application; this approach won't work well on the cloud so we can assume that Bitrex does it differently.

Exchanges use an internal ledger, sometimes a blockchain, sometimes a relational database, sometimes a hybrid of both. Changing slightly each time due any given coin or tokens idiosyncrasies, an exchange runs a single 'hot wallet' which you can think of as a cash register, where each user gets an address from that wallet which is unique to them. When a deposit is received, it arrives in the hot wallet, and the the exchange credits that user with x amount of y coin. Any and all trading that happens then happens on that exchanges internal ledger and not at all on the blockchains of those coins due to network fees and confirmation times. When you decide to withdraw from the exchange, that's when the exchange goes and commits a transaction to the external blockchain, which is why deposits/withdraws are subjected to confirmations etc, but trades and transfers etc are usually instant.

As you mentioned, it's almost impossible to segregate customer assets from proprietary assets at all times due to how the fees are calculated (again, nothing on the blockchain, only a change of value in a database) - once a day or so it would be possible to move it all in order to comply, but doing it in real time is absolutely unfeasible.

We have another phase of UI improvements which should reach the live site this week; we're updating the panel on the left of the exchange which deals with markets and open orders etc - adding the ability to only show particular coins, being able to sort the lists by change/volume/price/ticker; making our notifications only include delta updates for the sake of using much less bandwidth and making the chat/trollbox opt in, rather than loading on every page load. Exciting times for us.

Unsure why the site appeared down for you this morning; some kind of DNS related drama?

So is ti460 going to apologize as much as he did post FUD?

I guess soon enough we will find out whether Nova or Yobit have solved the issue already or simply not encountered it yet.

@fusionfoto - We're getting there, we had some hardware cause us some issues for us; some of the wallets themselves or some of our integrations have had issues recovering from this. Cryptopia has to balance getting everything running smoothly again while not cutting any corners to make sure everyone's money stays safe.

@flashdix - I had to go and cleanse sections of your support ticket from our DB because you included your API key and API secret in the support ticket for whatever reason (NEVER give your API key/secret to anyone, ffs). Your has been unlocked based on my assumptions your bot will be less dumb in the future. If you want to spam the mempool of a coin, do it from your own wallet and not ours.

@theincrediblevictor, @chickenbacon, @hoan281, @Icefrag - Some of the aforementioned problems have queued a bunch of wallet work up, most of which is manually checking and reprocessing transactions. We can't just get some temps or some interns and hand them root access to our hot wallets. This seems like it would be pretty low hanging fruit though, so I'll ask.

@Mindin - sorry for the hassle, glad support helped you

@dodopool - We've been working with the SIGT team to deal with these problems which are with SIGT and not with Cryptopia. The SIGT wallet wasn't designed to work on an enterprise level and so it has major problems no matter what kind of hardware we put on it. You're right that your wallet with a few addresses and a handful of transactions will sync in a manner of hours. But if you have tens of thousands addresses with over a million inputs and you're wallet was involved in up to 50 transactions per block since it was listed... then it's a slightly different story. Since 2 of the 3 wallets that were importing our keys have corrupted their leveldbs, we're assuming plan A isn't going to work. Plan B is to gonna be to import the keys a few hundred at a time so we can consolidate the inputs back into our hot wallet so that users can withdraw and we can delist.

@Lisk_beginner, @wacko - accounts locked this way are locked for 24 hours at which point they unlock - and we know you're right, the confirmation box is coming soon.

I dunno how I missed this thread for so long, but let me state immediately and categorically that no data breach of any kind has happened at Cryptopia. Our support team has been bogged down by many situations similar to what was described in this thread, however in the many cases we've had to investigate there were some pretty common themes.

In some situations, an external data breach caused an email box of one of our users to become compromised, which was then used to reset the password of the associated account - in many instances, these accounts had no 2FA, or email 2FA to the email account which had already been owned.
In some situations, an external data breach caused a Cryptopia account to be directly compromised due to a shared login between Cryptopia and where ever the data breach occurred. In some of these instances the accounts received emails from us stating that an unsuccessful login had occurred before the correct username/password combination from the breach was used, and in other instances the correct username/password was submitted on the first attempt and no emails from us were sent.
We had a case where Google Auth was bypassed, however the user was using Google Auth as a Chrome extension and we concluded that the malicious user gained remote access to that persons computer, which included an auto-login session to the email associated with the Cryptopia account, and of course access to the browser for 2FA.
Outside of the above not-Cryptopia problem, no accounts with Google Auth or Cryptopia Auth were breached as part of the phishing attacks and data breaches that are outside of Cryptopia's control.

At the end of the day our user's account can only be as secure as the users set them up to be. We recently went and forced Email 2FA onto every account which had no 2FA, which has reduced this occurring but hasn't stopped it. One of the most heartbreaking things about some of our interactions with users that have been ripped off in this fashion is that they often blame our security rather than reflecting on what happened on their end; the end result being that they don't go and enable 2FA, ensure they have unique passwords everywhere, check for and remove malware, research and apply security best practices, etc, which ultimately leaves them open for a repeat incident.

What we've learned from this is that we need to go away and really look at how to use our site's pages and emails to educate our users and the crypto community around how security actually works. We need to update our 2FA pages to detail the strengths and weaknesses in various types of 2FA so that our users can make better decisions or at least be aware of the risks that they're taking with their choices; we need to update some of our email templates so that it tells you what's going on and provides an explanation of what this means and suggests some actions you may want to take - we discovered that most users didn't know how to react to a 'someone tried to log into you account and failed' email. We want to get to get our support tools, processes and headcount sorted so that we can be the first exchange to offer live chat support and be available to help our users in their moments of panic. The Crytpo community is growing rapidly and a factor of this is that many people that weren't the earliest of adopters aren't aware of the level of security paranoia that is required when you have a bunch of money sitting on accounts/computers that are connected to the internet.

If you go to our website, you will note that we use a different type of SSL cert to most other exchanges; it's not just 'Secure' but 'You're securely connected to Cryptopia Ltd [NZ]'. This is called an EV SSL certificate, which to obtain we have to be thoroughly vetted by Comodo as a real business that exists at a real location in the real world. https://en.wikipedia.org/wiki/Extended_Validation_Certificate This is one of those security features where most users out there don't realize what the significance of a green address bar is compared to a white one. The benefit for us, is simply that it's harder for our users to be phished, because while a phishing site could have a minor change to the domain, they won't be able to replicate our SSL cert - but this only helps users that know what they're looking for.

Anyway, again, Cryptopia wasn't hacked.

Cryptopia was not hacked, that whole thread is FUD. If a users account credentials or email login is breached outside of Cryptopia, it is not a failing of Cryptopia's security. If a user had the same username/password on multiple sites and/or no 2FA, or email 2FA to the email account that was breached, then there is nothing that Cryptopia would detect or block.

If you changed your email address via support ticket, while having 2FA email enabled, the 2FA will get sent to your old email not your new one. You'll need to email their support team to get your 2FA reset.

Sorry, last week was incredibly busy for us so I didn't have any time to check this thread (we are around, but if you want support, talking to our support team is the best way to do it - this isn't an official support channel).

@btclife01 - I'm glad you stuff got resolved in the end, sorry for the delay you had
@flashdix - Your bot reached the API request limit several times while submitting minimum sized withdraws of the same coin to the same address - hundreds of frivolous transactions/min will get you flagged as a ddos and banned. If you were to contact support with I've reviewed my bot's code and it won't be doing that anymore. I'm sorry I put one of your wallets into maintenance for a few days. Please re-enable my account. then I'm sure they will be much more receptive than they have been to your current tone and manner.
@drm - don't worry, we don't bite
@gocrypto - we had a few issues with a networking appliance that impacted several of our wallets around the same time as a few data breaches happened out in the wild. this caused us to get 2 months worth of tickets over a couple of days, where users not used to us taking more than a day to respond then logged more tickets asking about the first ones - it cascaded a little out of control and caused a bit of a backlog for us, especially when some of our wallets take hours to days to start again, but as i understand it support is well on their way to catching up.
@swatcat - if the time was out of sync on our end, it would break google 2fa for all of our users, not just you. i assume google auth was set up with a discrepancy between your device and our servers, whereas now they agree what the time is and the offset that was applied during the initial set up may now be causing problems? that's my best guess. if it was our time sync, it would be broken for everyone.
@nindzja - NSR is getting delisted, the reason for us doing so is that they broke their wallet. before we delist them, we will fix and sync the wallet so that you can withdraw them, it just hasn't been high up the priorities list for us.
@fusionfoto - the wallet team isn't a 24/7 team, the weekend has just ended.

Yes they are and so are all of our staff; our office is in Christchurch.

A user being phished (assumption) while not having 2FA enabled does not mean that the exchange was hacked.

BTC withdraw verification via email is not 2FA.

A user has 2FA enabled, but Cryptopia allows user to user transfers which is the massive flaw in all that? I to assume that all these users went to the trouble of setting up 2FA for withdraws, but not for login or transfers (we offer 2FA on both of those functions) - if so, that sounds kinda silly.

If you're using decent 2FA (and by that I mean google auth or one of the Cryptopia dongles), then:
You can't be phished for your 2FA, if you check for the Cryptopia EV SSL cert when you login.
Your 2FA can't be keylogged.
Your 2FA can't be photographed or recorded.

And your account remains safe. The reason Cryptopia and every other crypto services push 2FA so hard is not because we make money from it (which we don't), it's because your account is so much more secure with 2FA than just having a really long and complex password; like night and day differences of secure.

Yay for WAVES assets... we're pretty frustrated at the WAVES team at the moment for all the drama their wallets continually cause (such as releasing an update that caused a hardfork without marking the release as mandatory... for the 3rd time, as recently as 2 weeks ago).

I'm not about to lecture an English teacher about how similar those names are, or a high-school counselor about how stealing other peoples ideas are bad.

C'mon man, take the hint, or at least check my posting history and then take the hint.

That guy didn't PM me. All of our support tickets get a response within about 6-12 hours (from a human being), if you've been waiting more than a day or two - there is a decent chance you emailed the wrong email, or didn't click submit on the support form.

I would suggest that you should be more worried about getting Cryptopia's name off your word-press site before they take legal action and pursue you for the advertising revenue that you've been collecting under their trademark. I would also suggest googling the new name you come up with at least once before you rename everything.

You could add a few 0s to your budget and still fall short of being able to start an exchange.

Is assuming the current Cryptopia won't notice or bother to throw down really the best business model?

PM me your support ticket # and/or Cryptopia username and I'll look into it.