Author

Topic: Bittrex account hacked with 2FA enabled- BE CAREFUL (Read 113 times)

newbie
Activity: 7
Merit: 0
I want to share my story about Bittrex negligence in securing my funds.

On June the 19th a hacker was able to intrude in my Google account.
1. He stole passwords from "Google Auto Sign-in", a tool I use to automatically sign-in to websites using stored credentials
2. downloaded photos of me and of my passport from Google drive
3. arranged these pictures with Photoshop or some other photo editing program to make a photomontage showing me holding my passport
4. entered in my Bittrex support account and submitted a ticket to disable 2FA security on my account
5. put a rule in my gmail to filter all messages from Bittrex and send them directly into the trash bin.
6. At the request of identity verification he just posted 2 photomontages one showing me holding a paper sheet reading "bittrex 19.06.2018 Please disable 2FA" and another one showing me holding my passport.

In only 25 hours and 12 minutes the Bittrex agent gave him green light to disable 2FA, while I couldn't see any email from support, cause I don't check trash bin of my gmail so often.
He immediately entered in my Bittrex account where I had crypto currency for about 40000 USD value.
He withdrew all my funds to his crypto currency addresses.
Despite the very suspicious activity the Bittrex support agent didn't lock withdrawals up nor even put them on hold as it's usual after 2FA disabling.
The suspicious signs were:
1.   IP address of a location on the other side of the globe respect to my usual login site
2.   Request to disable 2FA security without a motivation
3.   two low quality photomontages which anyone can easily realize coming from one single original. Indeed only centering, contrast and background color were changed to mimic two different photos.

Below I report the whole emails exchange between the hacker and the Bittrex support agent  

Tuesday 19 June 2018 at 15:20
Hacker:
Hello, disable Two-factor please
•   
 
Tuesday at 15:20
Bittrex Agent

Hi,
For help with the 2FA related items please see the following article: https://bittrex.zendesk.com/hc/en-us/articles/115000198612
If you need two-factor removed after troubleshooting please reply with the following information, the more details you can provide the better:
1) Recent ip addresses you have logged into site with (You can find this by visiting, https://www.google.com/#q=what+is+my+ip+address )
2) Recent transaction ids for any withdrawals and deposits you have made to Bittrex
3) Recent balances in your account
For Accounts valued at over $1000 USD we will require additional information for proof of identity.
4)Please attach an image of your government-issued ID, as well as a selfie in which you are holding that identification where we can match your face against the picture displayed on the ID. Also, please write "Bittrex" and today's date on a piece of paper and hold it in the picture. Please make sure the text on your ID is readable in all photos. Please do not attach .pdf, zip files, or links to files.
Please reply to this email with the required documents or attach them directly to your support ticket by visiting https://bittrex.zendesk.com/agent/tickets/1413823.
We understand this is a slow and painful way to recover your account, but we do this for both your safety and ours.
Best Regards,
Bittrex Support Team @ Bittrex
Follow us on Twitter @ https[Suspicious link removed]xchange


Tuesday at 15:24   
Hacker:

My IP Address: 114.125.72.89 or 182.1.91.135
Withdrawal:
Amount: 1.92594187 BTC
To: 3MLVb6tuaDHEcErGTsExTMJNZEeRnUHoTq
Requested At: 05/28/2017 15:20
I attach photos of my documents, I hope this will be enough!
o   thumbnail_passport niko.jpg
(400 KB)
o   Selfi.jpg
(2 MB)

•   
Tuesday at 15:38
Bittrex agent

Hey Nicola,
Thank you for reaching out about your 2fa removal.
We still require the following information.
For Accounts valued at over $1000 USD we will require additional information for proof of identity.
4) Please attach an image of your government-issued ID, as well as a selfie in which you are holding that identification where we can match your face against the picture displayed on the ID. Also, please write "Bittrex" and today's date on a piece of paper and hold it in the picture. Please make sure the text on your ID is readable in all photos.
Please see the attached example if your account is over $1000 USD
We understand this is a slow and painful way to recover your account, but we do this for both your safety and ours.
Best Regards,
F.L. @ Bittrex
Follow us on Twitter @ https[Suspicious link removed]xchange
•   

Wednesday at 15:54
Hacker

Hello,
o   selfy.jpg
(1 MB)
•   

Wednesday at 16:32
Bittrex agent

Hey Nicola,
Thank you for providing us with the required information.
YOUR 2FA has been DISABLED/REMOVED
Please make sure to re-enable two-factor to secure your account and increase your limits.
When enabling 2FA we display the "secret" key. Please make sure to store this key in a safe place, it will allow you to restore your 2fa in the future should you lose or wipe your device.
If you have not yet done so please verify your account, this will increase your withdrawal limits and help support respond to your issues in a more timely manner. https://bittrex.com/Manage?view=verification
Best Regards,  F.L. @ Bittrex


As you can read from the mails Bittrex agent was negligent in secure my funds and I suspect him/her to be accomplice of the hacker.

The IP address from which the hacker operated was: 185.5.175.84 - Located in Romania Bucharest pointing to a company called Voxility.srl - I am an expat living in Malaysia.

The hacker used the device: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv: 56.0) Gecko/20100101 Firefox/56.0

The hacker addresses:
16NK5bxJK7NQA2GjPykKVLCYW9BDkdmdEF
18MLfL9WPKqmYpBem1uWkvH8wXPaTXgKam
19uwKFcKUeW9LxpogZDMAx7BnUdmhZbkjb DdzFFzCqrhsjwEDhFKt9XfPv72iaySyorUoF6X1cCKAgSTq3jSUcSwG48CG5mnTnsFT9A5Az7K4JjgJ LCQitSMSjrXgPLcFnfgMB5pkH D9mthyevmWLKeWymyER3oxWkX9LoFd19py
D6ktx4ti68r3c2Dd3Unm9Dga5RakrTteSY
0xc08051b3218e1fb981521598c409a0371b191ed8




Jump to: