Topic: 130 BTC stolen from Bitstamp account (Read 1095 times)
That's so messed up, I really feel so sorry for you and wish you the best.
Maybe - if you are able to follow the BTC address chain to the target address - you have a slight chance to get the IP address of the thief:
http://bitcoin.stackexchange.com/questions/193/how-do-i-see-the-ip-address-of-a-bitcoin-transaction
last comment (answered Apr 24 '12 at 7:07)
http://bitcoin.stackexchange.com/questions/193/how-do-i-see-the-ip-address-of-a-bitcoin-transaction
last comment (answered Apr 24 '12 at 7:07)
Quote
Man i would never put an answer here but i have to. It seems most of you aren't aware of the fact that bitcoin clients connect to an irc server to find more nodes. Its very simple to get the ip address of each client that connects to that irc server. Im currently in the process of linking this to bitcoin address and transactions, but im sure its nothing but an hour or two away. Just a little digging.
Hello there..
I feel sorry for you too :/
As above was mentioned.. have you clicked any links?
Or: Have you recieved ANY unexpected Mails from BitStamp?
Have you been logged in, with your mobile connection, or unexpected on an open wlan?
Have you installed any toolbars on your browser?
Do you use the newest version of the browser?
Have you traded with some people for the first time, and send them your ID (not password)?
It could be an Injection attack too..
Again.. I'm very sorry.. hope you havent lost too much..
Greetings
Zumba
I feel sorry for you too :/
As above was mentioned.. have you clicked any links?
Or: Have you recieved ANY unexpected Mails from BitStamp?
Have you been logged in, with your mobile connection, or unexpected on an open wlan?
Have you installed any toolbars on your browser?
Do you use the newest version of the browser?
Have you traded with some people for the first time, and send them your ID (not password)?
It could be an Injection attack too..
Again.. I'm very sorry.. hope you havent lost too much..
Greetings
Zumba
Thank you all for your condolences, much appreciated.
So far I haven't found out about the attack vector. I'm going through my browser history, but so far I haven't discovered anything. Lately, I've been very careful what I click. Especially bitcoin-related :-)
I expect it should lessen the risk of XSS attacks if I run a separate browser for trading? If not a virtual machine..
Not that I do that much day trading. Fortunately not all was lost, as I had transferred some of my holdings to paper wallets.
So far I haven't found out about the attack vector. I'm going through my browser history, but so far I haven't discovered anything. Lately, I've been very careful what I click. Especially bitcoin-related :-)
I expect it should lessen the risk of XSS attacks if I run a separate browser for trading? If not a virtual machine..
Not that I do that much day trading. Fortunately not all was lost, as I had transferred some of my holdings to paper wallets.
Bad news, I feel sorry for you.
Thanks for the warning will use the 2 factor auth starting from now !
Thanks for the warning will use the 2 factor auth starting from now !
Oh man.. When dealing with that much money, security is a very important factor. 
Only post bitcoins on your account when you want to sell them on the same day.
I feel sorry man
I feel sorry man
He used a proxy for both logins I believe, the first one said Anonymous Proxy, the second one is located in the Netherlands.
Wow, that's bad. Feeling sorry for you.
I would like to see some sort of email confirmation request before coins can actually get withdrawn from bitstamp ("...if you want to withdraw coins, then click this link to confirm...". This would be an additional security layer and might help prevent theft like this one.
I would like to see some sort of email confirmation request before coins can actually get withdrawn from bitstamp ("...if you want to withdraw coins, then click this link to confirm...". This would be an additional security layer and might help prevent theft like this one.
ouch!
Are you clicking any links? How did the attacker attacked you what vector did he used? That was very big amount I felt sorry for what happens to you.
My Bitstamp account was compromised last night (Apr 30th). I was foolish enough to store 130 BTC there - without 2-factor authentication. So I can only blame myself. But I thought I'd write about this as I expect there are a lot of victims..
So I expect this is some kind of XSS attack similar to the BTC-e reports. I was not running noscript. Using Firefox 20.0.1 on winxp. The same exploit was probably targeting BTC-e users, because I got a login warning from 46.19.137.78 at 30.04.13 16:39. They have fortunately now forced email confirmation of withdrawals so I was not affected. Had I noticed this on time, I could have escaped the theft on Bitstamp.
I can see that someone logged in from 46.19.137.78 and 85.159.237.4 on my Bitstamp account. Funds were transferred to address 1FbXHeWdLfo6RSTV3xaMRYKGVTk9iLgiZc . Only funds stolen from my account have gone through that address.
Coins were moved immediately forward through several addresses. Following the transactions, I was surprised to see that everything ended up in the same address though: 1NwbXavc82UAg6qjYikQAcBMabEzKoGJxC . Currently, this account contains 2860 BTC, no withdrawals.
The thief left a message via email for some reason - included below.
I expect there's nothing I can do to get back my coins. For information leading to recovery of funds, I'm glad to compensate 25% of amount recovered.
So I hope I have at least learnt the hard way to always use 2-factor authentication and block javascript.
Return-path: <[email protected]>
Envelope-to: XXX
Delivery-date: Wed, 01 May 2013 00:13:44 +0300
Received: from bay0-omc4-s25.bay0.hotmail.com ([65.54.190.227])
by XXX with smtp (Exim 4.72)
(envelope-from <[email protected]>)
id 1UXHro-0008CP-TP
for XXX; Wed, 01 May 2013 00:13:43 +0300
Received: from BAY171-W77 ([65.54.190.200]) by bay0-omc4-s25.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 30 Apr 2013 14:13:31 -0700
X-EIP: [ASFJqLis8vc0ni6MFAnXMPkE37Ubt0Ny]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
boundary="_4f98ada4-5c25-496a-99cc-2b7dbace59d3_"
From: Bitcoin Jedi <[email protected]>
To: XXX
Date: Tue, 30 Apr 2013 21:13:31 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Apr 2013 21:13:31.0524 (UTC) FILETIME=[91258440:01CE45E7]
X-SA-Exim-Connect-IP: 65.54.190.227
X-SA-Exim-Mail-From: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on XXX
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1
Subject: bitcoin
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:26:47 +0000)
X-SA-Exim-Scanned: Yes (on XXX)
Content-Length: 980
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
hey !
thanks for bitcoin !
you want new password now
dont use winxp , its bad
bai
xiangfu
So I expect this is some kind of XSS attack similar to the BTC-e reports. I was not running noscript. Using Firefox 20.0.1 on winxp. The same exploit was probably targeting BTC-e users, because I got a login warning from 46.19.137.78 at 30.04.13 16:39. They have fortunately now forced email confirmation of withdrawals so I was not affected. Had I noticed this on time, I could have escaped the theft on Bitstamp.
I can see that someone logged in from 46.19.137.78 and 85.159.237.4 on my Bitstamp account. Funds were transferred to address 1FbXHeWdLfo6RSTV3xaMRYKGVTk9iLgiZc . Only funds stolen from my account have gone through that address.
Coins were moved immediately forward through several addresses. Following the transactions, I was surprised to see that everything ended up in the same address though: 1NwbXavc82UAg6qjYikQAcBMabEzKoGJxC . Currently, this account contains 2860 BTC, no withdrawals.
The thief left a message via email for some reason - included below.
I expect there's nothing I can do to get back my coins. For information leading to recovery of funds, I'm glad to compensate 25% of amount recovered.
So I hope I have at least learnt the hard way to always use 2-factor authentication and block javascript.
Return-path: <[email protected]>
Envelope-to: XXX
Delivery-date: Wed, 01 May 2013 00:13:44 +0300
Received: from bay0-omc4-s25.bay0.hotmail.com ([65.54.190.227])
by XXX with smtp (Exim 4.72)
(envelope-from <[email protected]>)
id 1UXHro-0008CP-TP
for XXX; Wed, 01 May 2013 00:13:43 +0300
Received: from BAY171-W77 ([65.54.190.200]) by bay0-omc4-s25.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 30 Apr 2013 14:13:31 -0700
X-EIP: [ASFJqLis8vc0ni6MFAnXMPkE37Ubt0Ny]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
boundary="_4f98ada4-5c25-496a-99cc-2b7dbace59d3_"
From: Bitcoin Jedi <[email protected]>
To: XXX
Date: Tue, 30 Apr 2013 21:13:31 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Apr 2013 21:13:31.0524 (UTC) FILETIME=[91258440:01CE45E7]
X-SA-Exim-Connect-IP: 65.54.190.227
X-SA-Exim-Mail-From: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on XXX
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1
Subject: bitcoin
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:26:47 +0000)
X-SA-Exim-Scanned: Yes (on XXX)
Content-Length: 980
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
hey !
thanks for bitcoin !
you want new password now
dont use winxp , its bad
bai
xiangfu
Jump to: