So whats the IP that accessed your account? Just because it says in gmail that it was an Iphone, that doesn't mean it was. User agents can be switched.
PM me the IP if you don't want to post it publicly. It would be easy for me to check if it is a phone, router or proxy server (if it's online) by fingerprinting. It is very possible it was a proxy though, you said it was 30 minutes from your city, if they tried to log in to your gmail from 1000 miles away, they would have had to answer the security questions.
Topic: 40 BTC Gone - Please Help Me Understand What Happened (Read 3557 times)
I think I know what happened. It's the RNG of Android devices. The k value or the r value or whatever. It was all over the news recently. But then you said you are using an iPhone4.. so maybe that's not it. Unless you've used the same wallet on an android device previously.
inside job. now slowly look at the person closest to you.
I'd put wifi packet sniffing as the culprit at a very low possibility.
But how was his email compromised originally? That's the point I was trying to make.
While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.
I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
I consider wifi to be unlikely because you're assuming that:
- OP visited a compromised wifi
- OP logged in to his email using a compromised wifi and not using https
- Attacker knows about Bitcoin
If the attacker's purpose was to steal Bitcoins, he'd be much more likely to do it by targeting people he knows use Bitcoin. Targeting random passerbys as they utilize the wifi would mean he'd probably have to search through thousands of email accounts before finding a single one that has a blockchain.info account, much less one who stores a significant amount in BTC. By targeting, say, the MtGox list of email addresses with a phishing email, he'd be likely to get access to dozens of emails, all owned by people who use (or have used) BTC.
I'd put wifi packet sniffing as the culprit at a very low possibility.
But how was his email compromised originally? That's the point I was trying to make.
While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.
I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
Thanks for the clarification. However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.
I'll make some assumptions here. Specifically:
- You had a backup of your wallet sent to your email account.
- You had your identifier sent to your email account.
- You had your password sent to your email account.
- The thief has access to everything all of the above
- The thief knew how to avoid being identified
Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.
When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.
Once they have the backup, they no longer need 2FA. They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.
Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
I'd put wifi packet sniffing as the culprit at a very low possibility.
No, I only had 2FA on Blockchain.
Implement 2FA on your Gmail immediately.
After the MtGox hack, someone hit my Gmail account several times, enough that Google contacted me personally twice about it and, presumably, flagged me in their system as someone "likely to be hacked" in the future. If I wouldn't have had 2FA enabled due to another attempted compromise about six months prior to that, they wouldn't have been able to have identified this as an illegitimate attempt to "recover" my Gmail account.
My guess is someone set up a free public wireless and then ghosted your session using something similar to Firesheep or etc. If they can ghost your session, they can create a relevant cookie and then peruse your Gmail at their discretion, especially if you don't use HTTPS. It's not specified on that wiki page, but I'm pretty sure if someone runs the public wifi themselves they can do DNS and HTTPS man-in-the-middle attacks with ease if they have the right tools.
I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.
You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.
Do you have 2FA on your Gmail?
No, I only had 2FA on Blockchain.
Have you scanned your computer for viruses?
I'm running virus scans with Symantec and McAfee now. Would it be possible for them to get to my wallet with a virus because of the two factor authentication? Again, sorry I know very little about computer technology.
I recommend running Malwarebytes, and maybe avast, and as last resort Combofix
McAfee the last year has had the highest infections rates, only second to norton (As in running a AV and having a virus infection that it didn't detect)
(Computer Repair Monkey)
But it sounds Like what happened
You used a public WIFI, and someone sniffed your email address and password, logged into your email account and saw your blockchain account, tried to login got 2FA login prompt, downloaded your backup wallet and used your password you sent yourself to get your wallet keys, drained wallet.
Anyone else following the coins?
looks like they are being spent
I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.
You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.
Do you have 2FA on your Gmail?
Thanks for the clarification. However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.
I'll make some assumptions here. Specifically:
- You had a backup of your wallet sent to your email account.
- You had your identifier sent to your email account.
- You had your password sent to your email account.
- The thief has access to everything all of the above
- The thief knew how to avoid being identified
Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.
When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.
Once they have the backup, they no longer need 2FA. They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.
Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
Got it. Thanks for explaining this in a very clear manner. This is very helpful for me as most of this stuff is way over my head.
I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.
Thanks for the clarification. However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.
I'll make some assumptions here. Specifically:
- You had a backup of your wallet sent to your email account.
- You had your identifier sent to your email account.
- You had your password sent to your email account.
- The thief has access to everything all of the above
- The thief knew how to avoid being identified
Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.
When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.
Once they have the backup, they no longer need 2FA. They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.
Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
Have you ever imported a private key that could have been seen by anyone other than hackers?
At one point I moved everything from Blockchain to a paper wallet. At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option. Is this what you are referring to?
Thanks for the clarification. However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.
Attacker probably tried to login on blockchain first and later used your wallet backup.
Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?
Yes.
If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA
Thanks for the clarification. However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.
At one point I moved everything from Blockchain to a paper wallet. At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option. Is this what you are referring to?
That depends. How did you generate the paper wallet?
I used bitaddress.org and just created and printed one from there. I know there are a number of other security measures one can take to make this process much more secure, but since I'm essentially computer illiterate (despite Excel and PowerPoint which I use for work...), I did not go through those procedures because I could not understand them.
Unfortunately is it not likely you will be able to identify the attacker (with out the help of the NSA) so you funds are probably unrecoverable.
Given that I've possibly identified the IP address of the attacker as mentioned previously (After reviewing the IP addresses that have accessed my Gmail, I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd). Potentially also of note, I used public wifi at a hospital on July 30th), could I call Verizon to confirm that that IP address was not associated with my account? If it was not, could I then file a police report on the matter to attempt to identify the individual using that IP address?
I know that is a longshot, and I've come to terms with the fact that I will likely never see that money again, but if there is a chance through that course of action, I'd take it.
Most importantly, I want to learn from this experience for when I purchase more BTC in the future, and provide a case study of what not to do for others so the same thing doesn't happen to them.
Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?
Yes.
If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA
At one point I moved everything from Blockchain to a paper wallet. At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option. Is this what you are referring to?
That depends. How did you generate the paper wallet?
Have you ever imported a private key that could have been seen by anyone other than hackers?
At one point I moved everything from Blockchain to a paper wallet. At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option. Is this what you are referring to?
If you sync your local wallet to a compromised blockchain.info wallet, it will compromise your local wallet even if you never use your blockchain.info wallet.
Sorry to hear about your loss.
Have you posted to https://bitcointalksearch.org/topic/m.2814699
This sounds like a blockchain.info specific issue.
I have read numerous threads recently where similar attacks are happening with blockchain.info wallets.
I regularly receive emails regarding unauthorized attempts to access my wallet, so it is clear that blockchain.info (any any other type of bitcoin wallet) are targets.
Unfortunately there are many attack vectors but by posting to the blockchain.info thread specifically maybe they can help you and other victims narrow down the options and prevent this from continuing to happen.
Unfortunately is it not likely you will be able to identify the attacker (with out the help of the NSA) so you funds are probably unrecoverable.
To be safe do a clean install of your OS or even better use a dedicated computer with no Java, adobe or flash to access bitcoin accounts.
Have you posted to https://bitcointalksearch.org/topic/m.2814699
This sounds like a blockchain.info specific issue.
I have read numerous threads recently where similar attacks are happening with blockchain.info wallets.
I regularly receive emails regarding unauthorized attempts to access my wallet, so it is clear that blockchain.info (any any other type of bitcoin wallet) are targets.
Unfortunately there are many attack vectors but by posting to the blockchain.info thread specifically maybe they can help you and other victims narrow down the options and prevent this from continuing to happen.
Unfortunately is it not likely you will be able to identify the attacker (with out the help of the NSA) so you funds are probably unrecoverable.
To be safe do a clean install of your OS or even better use a dedicated computer with no Java, adobe or flash to access bitcoin accounts.
Jump to: