Pages:
Author

Topic: 40 BTC Gone - Please Help Me Understand What Happened (Read 3624 times)

full member
Activity: 624
Merit: 125
alcedoplatform.com
So whats the IP that accessed your account?  Just because it says in gmail that it was an Iphone, that doesn't mean it was.  User agents can be switched.
PM me the IP if you don't want to post it publicly.  It would be easy for me to check if it is a phone, router or proxy server (if it's online) by fingerprinting.  It is very possible it was a proxy though, you said it was 30 minutes from your city, if they tried to log in to your gmail from 1000 miles away, they would have had to answer the security questions.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
I think I know what happened. It's the RNG of Android devices. The k value or the r value or whatever. It was all over the news recently. But then you said you are using an iPhone4.. so maybe that's not it. Unless you've used the same wallet on an android device previously.
legendary
Activity: 2912
Merit: 1060
inside job. now slowly look at the person closest to you.
legendary
Activity: 1400
Merit: 1005
I'd put wifi packet sniffing as the culprit at a very low possibility.

But how was his email compromised originally? That's the point I was trying to make.

While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.

I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
Phishing or malware seems more likely, but you're right.

I consider wifi to be unlikely because you're assuming that:
- OP visited a compromised wifi
- OP logged in to his email using a compromised wifi and not using https
- Attacker knows about Bitcoin

If the attacker's purpose was to steal Bitcoins, he'd be much more likely to do it by targeting people he knows use Bitcoin.  Targeting random passerbys as they utilize the wifi would mean he'd probably have to search through thousands of email accounts before finding a single one that has a blockchain.info account, much less one who stores a significant amount in BTC.  By targeting, say, the MtGox list of email addresses with a phishing email, he'd be likely to get access to dozens of emails, all owned by people who use (or have used) BTC.
donator
Activity: 1419
Merit: 1015
I'd put wifi packet sniffing as the culprit at a very low possibility.

But how was his email compromised originally? That's the point I was trying to make.

While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.

I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
legendary
Activity: 1400
Merit: 1005
Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to everything all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
This sounds like, by far, the likely course of action by the thief.  All they need to do is compromise your email address, and they have all the information they need right there.  And email addresses are compromised all the time, for a variety of reasons.

I'd put wifi packet sniffing as the culprit at a very low possibility.
donator
Activity: 1419
Merit: 1015
No, I only had 2FA on Blockchain.

Implement 2FA on your Gmail immediately.

After the MtGox hack, someone hit my Gmail account several times, enough that Google contacted me personally twice about it and, presumably, flagged me in their system as someone "likely to be hacked" in the future. If I wouldn't have had 2FA enabled due to another attempted compromise about six months prior to that, they wouldn't have been able to have identified this as an illegitimate attempt to "recover" my Gmail account.

My guess is someone set up a free public wireless and then ghosted your session using something similar to Firesheep or etc. If they can ghost your session, they can create a relevant cookie and then peruse your Gmail at their discretion, especially if you don't use HTTPS. It's not specified on that wiki page, but I'm pretty sure if someone runs the public wifi themselves they can do DNS and HTTPS man-in-the-middle attacks with ease if they have the right tools.
newbie
Activity: 27
Merit: 0
I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.

You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.

Do you have 2FA on your Gmail?

No, I only had 2FA on Blockchain.
hero member
Activity: 826
Merit: 500
Have you scanned your computer for viruses?

I'm running virus scans with Symantec and McAfee now.  Would it be possible for them to get to my wallet with a virus because of the two factor authentication?  Again, sorry I know very little about computer technology.

I recommend running Malwarebytes, and maybe avast, and as last resort Combofix

McAfee the last year has had the highest infections rates, only second to norton (As in running a AV and having a virus infection that it didn't detect)
(Computer Repair Monkey)


But it sounds Like what happened

You used a public WIFI, and someone sniffed your email address and password, logged into your email account and saw your blockchain account, tried to login got 2FA login prompt, downloaded your backup wallet and used your password you sent yourself to get your wallet keys, drained wallet.

Anyone else following the coins?

looks like they are being spent
donator
Activity: 1419
Merit: 1015
I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.

You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.

Do you have 2FA on your Gmail?
newbie
Activity: 27
Merit: 0
Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to everything all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.


Got it.  Thanks for explaining this in a very clear manner.  This is very helpful for me as most of this stuff is way over my head.

I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.
legendary
Activity: 3472
Merit: 4801
Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to everything all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.


donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Have you ever imported a private key that could have been seen by anyone other than hackers?

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?
No. That should be fine as long as nobody saw your paper wallet. I mean that if you import any "free money" from a QR code private key, like from a puzzle or contest.
legendary
Activity: 1274
Merit: 1004

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.

Attacker probably tried to login on blockchain first and later used your wallet backup.
newbie
Activity: 27
Merit: 0
Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

Yes.

If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transfered.

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?

That depends.  How did you generate the paper wallet?


I used bitaddress.org and just created and printed one from there.  I know there are a number of other security measures one can take to make this process much more secure, but since I'm essentially computer illiterate (despite Excel and PowerPoint which I use for work...), I did not go through those procedures because I could not understand them.
newbie
Activity: 27
Merit: 0
Unfortunately is it not likely you will be able to identify the attacker (with out the help of the NSA) so you funds are probably unrecoverable.

Given that I've possibly identified the IP address of the attacker as mentioned previously (After reviewing the IP addresses that have accessed my Gmail, I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th), could I call Verizon to confirm that that IP address was not associated with my account?  If it was not, could I then file a police report on the matter to attempt to identify the individual using that IP address?

I know that is a longshot, and I've come to terms with the fact that I will likely never see that money again, but if there is a chance through that course of action, I'd take it.

Most importantly, I want to learn from this experience for when I purchase more BTC in the future, and provide a case study of what not to do for others so the same thing doesn't happen to them.
legendary
Activity: 3472
Merit: 4801
Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

Yes.

If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?

That depends.  How did you generate the paper wallet?
newbie
Activity: 27
Merit: 0
Have you ever imported a private key that could have been seen by anyone other than hackers?

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
If you sync your local wallet to a compromised blockchain.info wallet, it will compromise your local wallet even if you never use your blockchain.info wallet.
BCB
vip
Activity: 1078
Merit: 1002
BCJ
Sorry to hear about your loss.

Have you posted to https://bitcointalksearch.org/topic/m.2814699

This sounds like a blockchain.info specific issue. 

I have read numerous threads recently where similar attacks are happening with blockchain.info wallets.

I regularly receive emails regarding unauthorized attempts to access my wallet, so it is clear that blockchain.info (any any other type of bitcoin wallet) are targets.

Unfortunately there are many attack vectors but by posting to the blockchain.info thread specifically maybe they can help you and other victims narrow down the options and prevent this from continuing to happen.

Unfortunately is it not likely you will be able to identify the attacker (with out the help of the NSA) so you funds are probably unrecoverable.

To be safe do a clean install of your OS or even better use a dedicated computer with no Java, adobe or flash to access bitcoin accounts.



Pages:
Jump to: