63.73 BTC Hacked - Blockchain.info secured by 2FA - Starting security podcast? - page 7.

inBitweTrust

hero member

Activity: 658

Merit: 501

Quote from: statdude on November 27, 2014, 10:13:29 PM

Also just remember that i got a mysterious login on btc-e.
25.11.14 03:33 94.242.246.24 Successful login

This may be the IP address of the hacker.

lu   lu   l   luxembourg   49.610001   6.124000   root sa
Luxembourg   LU   not found   not found   49.750000   6.166700   root SA
LUXEMBOURG   LU   LUXEMBOURG   STEINSEL   49.676941   6.123890   ROOT SA

ASN    5577
Name    ROOT
Description    root SA,LU
# Peers    7
# IPv4 Origin Ranges    17
# IPv6 Origin Ranges    3
Registrar    RIPE-NCC
Allocation date    May 15, 2009
Country Code    LU


Reverse   orion.enn.lu.
Reverse-verified    Yes
Country Code    LU
Country    Luxembourg
Region    Europe
Population    442972
Top-level Domain    LU
IPv4 Ranges    145
IPv6 Ranges    43
Currency    Euro
Currency Code    EUR
IP Range - Start    94.242.192.0
IP Range - End    94.242.255.255
Registrar    RIPE-NCC
Allocation date    Oct 21, 2008

statdude

legendary

Activity: 1498

Merit: 1000

Quote from: jonald_fyookball on November 27, 2014, 10:18:02 PM

good luck catching the thief.

why didn't you use cold storage ?

I meant to. Honestly, I almost always use it. I would have certainly put them in cold storage within the next few days.

I should have obviously done so MUCH sooner.

Searching the suspicious IP address turns up a TOR server. The user of the server with a non-spam email address on that day http://www.stopforumspam.com/ipcheck/94.242.246.24

Turns up " 11/24/2014 14:59 94.242.246.24 bletkorer [email protected] "

jonald_fyookball

legendary

Activity: 1302

Merit: 1008

Core dev leaves me neg feedback #abuse #political

good luck catching the thief.

why didn't you use cold storage ?

statdude

legendary

Activity: 1498

Merit: 1000

Also just remember that i got a mysterious login on btc-e.
25.11.14 03:33 94.242.246.24 Successful login

This may be the IP address of the hacker.

statdude

legendary

Activity: 1498

Merit: 1000

2fa was just email which does not appear to have been breached, but who knows.
I did just find a keylogger on the PC.
MSDCSC.EXE installed 11/19. that is also the same day as a wallet file mysteriously showed up.

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Really sorry to hear about your loss.

What was your method of 2FA? Was it just your email account? Or SMS or Yubikey?

inBitweTrust

hero member

Activity: 658

Merit: 501

Quote from: Remember remember the 5th of November on November 27, 2014, 09:45:55 PM

Quote from: kokojie on November 27, 2014, 09:44:21 PM

uh your 2FA is your email, which means anyone that hacks your email can defeat your 2FA, and also they could probably figure out your password since they already hacked your email.

I thought 2FA was supposed to be an SMS to your phone. I admit I have not used Blockchain.info other than to store less than 0.001btc.

they offer both but...

Quote from: statdude on November 27, 2014, 08:05:47 PM

no tor, no mobile,

no record of 2FA being sent to my email

someone must have gotten a wallet backup and my password.

Which means statdude was using the email 2fa which mostly defeats the whole purpose of 2fa altogether as any compromised account or computer can easily defeat and cover up this 2fa. With sms 2FA the hacker would have had to compromise his cell phone as well which is more difficult to coordinate if the user doesn't plug his cellphone into his computer.

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Quote from: kokojie on November 27, 2014, 09:44:21 PM

uh your 2FA is your email, which means anyone that hacks your email can defeat your 2FA, and also they could probably figure out your password since they already hacked your email.

I thought 2FA was supposed to be an SMS to your phone. I admit I have not used Blockchain.info other than to store less than 0.001btc.

kokojie

legendary

Activity: 1806

Merit: 1003

uh your 2FA is your email, which means anyone that hacks your email can defeat your 2FA, and also they could probably figure out your password since they already hacked your email.

teukon

legendary

Activity: 1246

Merit: 1011

Quote from: statdude on November 27, 2014, 08:44:20 PM

not a fake acct, anyone who knows me can verify this.

There was a backup on my computer of the wallet. So if they breached my PC somehow, they would have just needed the 10 digit password.

How much entropy was in your 10-digit password?

statdude

legendary

Activity: 1498

Merit: 1000

Quote from: funtotry on November 27, 2014, 09:35:43 PM

Quote from: Remember remember the 5th of November on November 27, 2014, 09:15:52 PM

Could it be that your email was compromised, and you had an auto-backup option of the wallet, where it gets emailed to you, unencrypted perhaps?

Blockchain.info wallets are always encrypted when they are emailed to a user.

The fact that I find most strange is that 1E1nAEXaffBHh3RPpB9EGexSGSLS9qVFWB received the change of the initial 63 BTC transaction and it also was one of the sending addresses of the transaction that "emptied" the wallet. This is not the expected behavior of an attacker. This address also had ~5 BTC left in it for ~14 hours after the attacker had emptied your wallet.

strange indeed, but i didnt notice as I was asleep.

statdude

legendary

Activity: 1498

Merit: 1000

Quote from: inBitweTrust on November 27, 2014, 09:32:59 PM

Did you empty your trash after deleting your email backups?
If you use gmail did you check your filters?
Have you scanned your computer for rootkits, trojans, and viruses with multiple programs?

Checking for viruses now. I did actually miss a couple wallet backups in my email. However, they were all encrypted.

I was trying to send a message to the scammers addresses with a "blcokchain" note saying they were stolen coins.
But it seems they locked my account as i just submitted a support ticket?
I can't do anything in there (i just sent a little dust to send the public notes)

funtotry

sr. member

Activity: 420

Merit: 250

Ever wanted to run your own casino? PM me for info

Quote from: Remember remember the 5th of November on November 27, 2014, 09:15:52 PM

Could it be that your email was compromised, and you had an auto-backup option of the wallet, where it gets emailed to you, unencrypted perhaps?

Blockchain.info wallets are always encrypted when they are emailed to a user.

The fact that I find most strange is that 1E1nAEXaffBHh3RPpB9EGexSGSLS9qVFWB received the change of the initial 63 BTC transaction and it also was one of the sending addresses of the transaction that "emptied" the wallet. This is not the expected behavior of an attacker. This address also had ~5 BTC left in it for ~14 hours after the attacker had emptied your wallet.

inBitweTrust

hero member

Activity: 658

Merit: 501

Did you empty your trash after deleting your email backups?
If you use gmail did you check your filters?
Have you scanned your computer for rootkits, trojans, and viruses with multiple programs?

statdude

legendary

Activity: 1498

Merit: 1000

Quote from: Remember remember the 5th of November on November 27, 2014, 09:15:52 PM

Could it be that your email was compromised, and you had an auto-backup option of the wallet, where it gets emailed to you, unencrypted perhaps?

There are actually no copies of my wallet in my email at the time. I had deleted them all.

However, there was an encrypted copy on my desktop.

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Could it be that your email was compromised, and you had an auto-backup option of the wallet, where it gets emailed to you, unencrypted perhaps?

pedrog

legendary

Activity: 2786

Merit: 1031

Blockchain.info wallet backups are encrypted?

statdude

legendary

Activity: 1498

Merit: 1000

The hacker's addresses are as follows-

Hacker if you're watching, please contact me and we can work something out, don't draw this out!

1PKKHesnMstSDkqbXQzs1kep4qms2eRJFj
16uAPb6i3AJFebLyGzQAcxcrH9YQPaT1fa
15x41gpZkT1WtRZp5va9H3y2BNGkUgPPbH
1HYeQCcAjoHqFwwofBxiurjTqCkMn7a4N6

statdude

legendary

Activity: 1498

Merit: 1000

not a fake acct, anyone who knows me can verify this.

There was a backup on my computer of the wallet. So if they breached my PC somehow, they would have just needed the 10 digit password.

inBitweTrust

hero member

Activity: 658

Merit: 501

Here is the problem with disclosures like this:

1) Bitcointalk accounts are sold all the time
2) Some people may be faking these thefts in order to avoid taxes or other liabilities
3) This may be a way for people to lash out at BTC upon exiting the scene

Quote from: statdude on October 20, 2014, 01:35:17 PM

Quote from: SmokingSkull on October 20, 2014, 01:23:49 PM

My last post on bitcointalk.

I yearned for ANC since 2013, I tried to advertise it, I put in a few ideas and a little bit of work, not too much.
I told people how great it will and would be, I made them think it was on testnet on the 15th, I changed their way of thinking and some of the people bought, cuz they liked the idea.

Now I stand a fool - Just as I stood like a fool with Zetacoin.

It won't happen to me again, because this incident made me lose all trust in people on the internet. Even the people who supposedly did work on something and seemed legit even at second sight.

I won't come back to crypto anymore - I lost so much... and I gained too little, and I don't mean that moneywise.

Goodbye.

This.
I totally agree.
I've finally come to the conclusion - this whole scene - including BTC - is a scam.
play or be played.
sorry brother.

I'm not trying to insinuate that this is anything listed above but it makes our job of accurately diagnosing security breaches more difficult and when you make comments like the above a month before hand .

I apologize for being an asshole for even posting this, but....heavy gambler, really into alts, and pissed off at Bitcoin all raise questions as well.

Topic: 63.73 BTC Hacked - Blockchain.info secured by 2FA - Starting security podcast? - page 7. (Read 15021 times)