
Topic: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected - page 3. (Read 14977 times)

hero member
Activity: 490
Merit: 500
....snip....

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did download bitcoin apps. Many of them. One in particular was later proven to be malware (the stealth address Mac tool). But I removed that and the infected files that were found to be malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this will be useful to others because I have never read about such a thing.

Reinstallation of systems is a tedious process. But that's the best option going forward. That will ensure you have a clean system state. Make sure you take backup of everything important you have before you do this.

In regards to logs with Google Authenticator, you might try to ask Mike Hearn - if he has the time to answer. He's on this forum. Profile: https://bitcointalksearch.org/user/mike-hearn-2700
He works for Google afaik. He might not be able to give you any log data, but maybe he can point you in the right direction. Getting hold of Google reps in general is quite hard. If you're persistent you might go to the police and have a police officer ask them; they might be better at answering then. But even if you get such info, it might be a dead end. But IF there's no log data on Google's side, that indicates that the thief has bypassed 2FA and it's a theft done by Bitstamp or someone with high-level access to their systems. If that's the case, then I think they would have to reimburse you. I am not a lawyer, but I think that should hold up in court. It's a bit like a bank allowing your bank account to be emptied without you logging in. They would have to compensate you. But these are just my thoughts.

You had downloaded bitcoin apps, many of them... Be very careful with this in the future. If you download any bitcoin apps or programs, don't use them on the same phone/machine that you use for bitcoin activities. I know that's kind of silly as you most likely won't have 2 phones - but this is the reality if you want to stay secure. Rather access websites if you need bitcoin information on the phone than installing all kinds of apps. I assume you run Android on your phone, and it's known for having security problems.

If you had malware installed, that's not good at all. Even if it was removed and all files are reported to be removed by any antivirus software, or done manually that is still not proof it is actually removed in full. Although antivirus programs are quite good, many malware authors constantly try to avoid detection from anti-virus programs, and if some kind of malware has not made it into the antivirus makers list, it might as well go undetected.

You're saying you don't feel attacked. If there's an attack on your devices, you will probably not notice anything visually, it will just happen.

you thought that 2FA, 20 characters unique password and confirmation email was enough for a week -> if your systems are compromised you will not be safe with this. Malware on your devices can do anything that you can do.

Going forward, and I hope you still will be into bitcoin, I would suggest creating a cold wallet and move any coins you want to store for a long term there.
Also, for using bitcoins, I would advise having a single device for this, for instance a cheap notebook running Linux.

Having some coins accessible from a phone wallet is ok, but not more than you can afford to lose. So for instance if you have 30 BTC, you could have 20 BTC in a cold wallet and 9 on the bitcoin notebook and 1 on a phone wallet, or just transfer from the notebook to the phone wallet whenever you need to have some coin available on your phone.

And don't do any websurfing at all, or at least not on weird pages (clicking suspicious links on various forums and on reddit may not be too smart), or installation of strange apps on the bitcoin machine; just have a network connection.

I sincerely hope you will not encounter any more troubles in the future. Having a dedicated machine for Linux might seem like overkill, but it is better than losing a lot of money! If you can't afford a dedicated machine, running a virtual machine with bitcoind might also be a solution; some malware would have a lot harder time accessing bitcoins residing in a virtual machine.
full member
Activity: 162
Merit: 100
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 
good point!
I only searched for emails, not for logins. The only problem is that I access from three devices, but I'll investigate.

I know that IP geolocation is not accurate, but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

This could be misleading, but I now have a strong suspicion my gmail account is hacked. I have immediately changed my passwords and I will set up 2FA for that account.
full member
Activity: 162
Merit: 100
I'm going to have to say that it was likely a combination of things. It's possible that you downloaded a rogue app which, when you connected your phone to your computer to update your music or something, installed a keylogger on your computer. I would never rule out an inside job, but you also need to ensure your computer is virus and keylogger free before you access anything else that may have money on it.

Contact your phone company and see if you can get any records of texts sent from your device or received in case the thief somehow deleted it. It would seem that the person doing this has experience and is trying to cover up his/her tracks.

I don't have any connection between my phone and Mac except Google for contacts, calendar and mail.
I will try to ask my carrier even if I have no faith in their support...

Thank you
sr. member
Activity: 742
Merit: 250
If 2 factor authorization is enabled that means that additional password will be sent to my mobile phone, right?

Do I have to pay for these SMS? I didn't find the answer anywhere...
full member
Activity: 162
Merit: 100
One of the many things I cannot explain myself is why he has changed my password and changed it back.

so you can't login until he has totally cleared your account (the remaining $36.30)

edit: if you had 2fa enabled, i would suspect people that may have had physical access to your phone

This makes a lot of sense. Thank you, for what it's worth.

I was on vacation on the mountains in a flat with my family. My children are under 5 and my wife can hardly read emails.

Really, it seems the only explanation for me is that I did it and forgot about it, but there is no trace of the confirmation emails and I don't have a trace of the destination address.

Sincerely, this is too much: password hacked (20 characters generated with LastPass), 2FA hacked, email hacked. Maybe it's worth some investigation also for the community.
hero member
Activity: 490
Merit: 500
If an attacker has root access to bitstamp, he can bypass 2FA easily and alter the event log any which way he'd like.

Now, seeing that MtGox loss of coins might be (in my view) a black op or the work of a highly sophisticated private group, it is not unthinkable they will pull the same kind of shenanigans with other exchanges. It was claimed that hackers had control of MtGox servers for a long time (claimed by the one who released the source code and gawked about the 20gb db leak that's yet to surface). Seeing how lax MtGox was with most routines, it's not unthinkable that was the case. Also, as pointed out earlier, a resourceful group could've infiltrated MtGox through sophisticated methods, and even one or more inside plants.

Having access to the physical properties of MtGox means that their servers are compromised. Even if Mark did not give access credentials to important systems to others, various surveillance may have revealed the methods used to gain access (video surveillance, keylogging etc.)

All ex-employees and current employees should be checked in a criminal investigation, also anyone that have ever entered the MtGox physical offices and/or have had close contact with Mark should be looked more closely at. An investigator should also monitor lifestyle of suspect individuals, property purchases, extensive travelling and such may give some indications.

All the leaks and the attempts at trying to make Mark look like an incompetent fool may be a deliberate attempt to make him a scapegoat and divert attention from the real thieves.

Now, there's been claims of Bitstamp e-mail addresses leaked. I have received no e-mail to the registered e-mail address with them, but others have. Seeing that e-mail addresses to at least parts of their customer database is compromised, it is not unthinkable that there might be hackers currently having access to their systems, just waiting for the right opportunity. Just emptying some user accounts gradually might also be a way of getting bitcoins without making too much noise.

Also, if personal devices are compromised, unless you're a computer security expert, you can't know for sure if that's in fact the case or not. So the best option is to reinstall all affected systems.

One cannot rule out the fact that it might be a rogue action from Bitstamp itself either. The simplest way to get bitcoins would be to just empty a user account, and then claim they can't do anything about it. Of course that's unethical and criminal, but how can you prove it?

I never looked into 2FA with Google Authenticator (if that's what's being used), but maybe there's a log of events somewhere with Google as well. If that log shows nothing, then it's likely that the theft happened with an adversary having high-level access to Bitstamp systems.

If OP has downloaded any bitcoin apps, or installed any particular bitcoin software that's proprietary or not well known, he might as well have received some malicious software that's collected information and aided in the breach.

Lastly, I'm very sorry for the loss of the OP and I apologize if anyone unjustly feels attacked in this thread, but really, with bitcoin you can't rule out anything. The incentive (i.e. value) is so high that all kinds of things can be expected to happen.
newbie
Activity: 42
Merit: 0
maybe they were planning on buying that 24 BTC delorean

http://bitcoinmotor.com/
full member
Activity: 162
Merit: 100
Well, either an inside job, or you just had only Google email confirmation protected and forgot to enable the 2FA; no one can get to your phone, or maybe a close friend looked around not too far..

My wife hates bitcoin. My phone is always with me. My children are too young.
The only thing I have thought was that was actually me that withdrew from my account and then forgot about it but it is impossible because I don't have any clue about the destination address.
full member
Activity: 162
Merit: 100
Looks like an auto transfer script (ATS). It's used when you are infected: when you are logged in, it transfers money directly to some address.
I am really sorry for your loss.


EDIT: if you had your wallet on the computer, you will make the job easier I guess.


I say your comp is infected.

I was on vacation so I wasn't logged in. I left my house in the early afternoon. Nobody was at home and the hacking was at around 8:00 PM.

Moreover there is the email confirmation. It's really incredible.

BTW probably my Mac is infected.
hero member
Activity: 658
Merit: 500
I know it's kind of irrelevant, but I always wonder why the exchanges allow you to choose the BTC address when withdrawing funds. Why not ask the user to submit 3 BTC addresses that may be used for withdrawals and never allow these to be changed? Bind them to the account and just allow the user to choose which one should be currently used. This way thieves would be completely cut off. They already can't withdraw fiat, so they buy BTC with their victim's money and send those to themselves.
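The address-binding scheme proposed above, worked through as an added example (not code from the thread or from any exchange): an account registers up to three withdrawal addresses once, the list is then sealed, and any withdrawal to an unbound address is refused regardless of who holds the session. The address strings and balances are constructed placeholders.

```python
"""Bound withdrawal addresses, as proposed in the post above (added example)."""
from dataclasses import dataclass

MAX_BOUND_ADDRESSES = 3  # the post suggests three addresses per account


class WithdrawalRejected(Exception):
    """Raised when a withdrawal targets an address that is not bound."""


@dataclass
class Account:
    balance_sat: int            # balance in satoshi (constructed values in the test)
    bound: tuple = ()           # bound withdrawal addresses; empty until registered
    sealed: bool = False        # once True, the bound list can never be changed

    def bind_addresses(self, addresses):
        """Register 1..MAX_BOUND_ADDRESSES addresses exactly once, then seal."""
        if self.sealed:
            # A hijacked session cannot swap in the thief's own address.
            raise PermissionError("withdrawal addresses are already bound")
        uniq = tuple(dict.fromkeys(a.strip() for a in addresses if a.strip()))
        if not 1 <= len(uniq) <= MAX_BOUND_ADDRESSES:
            raise ValueError(f"bind between 1 and {MAX_BOUND_ADDRESSES} addresses")
        self.bound = uniq
        self.sealed = True

    def withdraw(self, amount_sat, to_address):
        """Pay out only to a bound address; returns the remaining balance."""
        if not self.sealed:
            raise WithdrawalRejected("no withdrawal addresses bound yet")
        if to_address not in self.bound:
            # This is the check that cuts the thief off: an attacker who has the
            # password, 2FA and mailbox still cannot name a new destination.
            raise WithdrawalRejected(f"{to_address} is not a bound address")
        if amount_sat <= 0 or amount_sat > self.balance_sat:
            raise ValueError("invalid amount")
        self.balance_sat -= amount_sat
        return self.balance_sat
```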
full member
Activity: 162
Merit: 100
Hmm..  maybe some keylogger installed with some app?

This is possible but I cannot explain the 2FA bypass.
hero member
Activity: 518
Merit: 521
The NSA, GCHQ, etc may have their hackers working overtime to push Bitcoin towards regulation.

Seems like a large increase in hacking recently.
full member
Activity: 162
Merit: 100
Is your phone rooted?

Whoever took it also has access to your email.

No, my phone is not rooted and is always with me.