
Topic: Extremely easy to have coins stolen on Bitfinex!

legendary
Activity: 1946
Merit: 1137
Quote
My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

sorry to hear that.

Quote
1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

how did they log in to his account, since it needs 2FA to log in?

Quote
Presumably they started by gaining access to the email, found that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK and then trade the DRK --> BTC back at a slightly worse price matched with their own algo, doing thousands of trades until all the money is gone.

how long did these thousands of trades take, that he didn't realize his account was compromised?

Quote
Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.

it is a very well known fact that you should never keep your coins at any exchange. there have been a lot of hacks, alleged hacks, and scams that make everybody think twice before considering keeping their coins at an exchange.
legendary
Activity: 3248
Merit: 1070
Quote
safest place for any coin is locked in a qt wallet

the point is that he needs coins to trade, so this suggestion is off topic

Quote
He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

I'm also one who thinks that you should protect your computer before anything else. If he downloaded something shady in the last few days then it's only his fault. Use a dedicated desktop for trading and for storing your bitcoin, and don't install or click on ANYTHING when you use this machine.
hero member
Activity: 672
Merit: 500
Your friend's gmail account was hacked, and used to reset the password of his Bitfinex account. That wasn't Bitfinex's fault. It's like asking for a refund for having a weak password.

The person who took up those bid and offer trades would have financial gains on his other account, but there is no way to prove he was the hacker.
sr. member
Activity: 310
Merit: 256
Photon --- The First Child Of Blake Coin --Merged
safest place for any coin is locked in a qt wallet
staff
Activity: 3458
Merit: 6793
Just writing some code
Quote
He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
Quote
They don't require 2FA to login? That is pretty stupid.
Quote
bitfinex does require 2FA for login (at least you can set it up this way)

Then how was an attacker able to login to Bitfinex?
legendary
Activity: 1162
Merit: 1000
Usually sites require personal information to disable 2FA. They managed to get such information, or only his email?

And why not add 2FA in the email too???
legendary
Activity: 2940
Merit: 1131
Quote
He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
Quote
They don't require 2FA to login? That is pretty stupid.

bitfinex does require 2FA for login (at least you can set it up this way)
staff
Activity: 3458
Merit: 6793
Just writing some code
Quote
He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

They don't require 2FA to login? That is pretty stupid.
newbie
Activity: 17
Merit: 0
He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
hero member
Activity: 639
Merit: 500
I think you should enable 2FA on your email too, or the security that Microsoft is offering where you have another email doing the security and the back-up part. Although I can't understand how they gained access to the email, you didn't explain this very well.

In any case you should avoid using random mail services on the web; Gmail for example is well known and offers better security.

legendary
Activity: 1596
Merit: 1010
How can they execute trades if his account has 2FA? He must have had orders open then I assume? (never used BitFinex before)
newbie
Activity: 17
Merit: 0
My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

Presumably they started by gaining access to the email, found that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK and then trade the DRK --> BTC back at a slightly worse price matched with their own algo, doing thousands of trades until all the money is gone.

Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.
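The drain pattern the original post describes (repeated BTC --> DRK --> BTC round trips, each at a slightly worse price, always matched against one other account) is something an exchange can spot from its own fill log even though every individual trade is a valid order. The following is an added example written for this page, not code from the thread, from Bitfinex, or from any real exchange API: it runs two simple checks over a constructed trade log, counterparty concentration and cumulative round-trip loss, and flags an account that keeps losing quote asset to a single counterparty. The `Fill` layout, the account names `V`, `A`, `H`, `B`, `C`, `D`, the prices and the thresholds are all hypothetical.

```python
"""Added example: flag the "round-trip against one counterparty at a worse
price" drain pattern from the thread. The fill layout, accounts, prices and
thresholds are hypothetical; nothing here is a real exchange's data or API."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fill:
    trade_id: int
    account: str       # account whose perspective `side` is taken from
    counterparty: str  # account on the other side of the fill
    pair: str          # "DRK/BTC": base asset DRK, quote asset BTC
    side: str          # "buy" = account bought base with quote; "sell" = reverse
    price: float       # quote asset per unit of base asset
    amount: float      # base asset quantity


# Constructed sample log (hypothetical). Victim "V" buys DRK from "A" at
# 0.0100 BTC and sells it straight back to "A" at 0.0098 BTC, five times:
# a 2% loss per round trip, all against a single counterparty.
# "H" trades the same pair with several counterparties and nets a small gain.
SAMPLE_LOG = []
for i in range(5):
    SAMPLE_LOG.append(Fill(2 * i,     "V", "A", "DRK/BTC", "buy",  0.0100, 100.0))
    SAMPLE_LOG.append(Fill(2 * i + 1, "V", "A", "DRK/BTC", "sell", 0.0098, 100.0))
SAMPLE_LOG += [
    Fill(10, "H", "A", "DRK/BTC", "buy",  0.0100, 50.0),
    Fill(11, "H", "B", "DRK/BTC", "sell", 0.0101, 50.0),
    Fill(12, "H", "C", "DRK/BTC", "buy",  0.0099, 50.0),
    Fill(13, "H", "D", "DRK/BTC", "sell", 0.0100, 50.0),
]


def counterparty_share(fills, account):
    """Return (counterparty, share): the counterparty taking the largest
    fraction of `account`'s base-asset volume and that fraction (0..1)."""
    volume = defaultdict(float)
    for f in fills:
        if f.account == account:
            volume[f.counterparty] += f.amount
    total = sum(volume.values())
    if total == 0:
        return None, 0.0
    cp, vol = max(volume.items(), key=lambda kv: kv[1])
    return cp, vol / total


def round_trip_pnl(fills, account, pair):
    """Quote-asset profit (negative = loss) from matching each buy of `pair`
    with later sells of the same base quantity, FIFO. Returns (pnl, trips),
    where `trips` counts buy lots fully closed out by sells."""
    open_buys = []  # FIFO queue of [buy_price, remaining_amount]
    pnl, trips = 0.0, 0
    for f in sorted(fills, key=lambda f: f.trade_id):
        if f.account != account or f.pair != pair:
            continue
        if f.side == "buy":
            open_buys.append([f.price, f.amount])
            continue
        remaining = f.amount
        while remaining > 1e-12 and open_buys:
            buy_price, _ = open_buys[0]
            q = min(open_buys[0][1], remaining)
            pnl += (f.price - buy_price) * q   # sold back cheaper => negative
            remaining -= q
            open_buys[0][1] -= q
            if open_buys[0][1] <= 1e-12:
                open_buys.pop(0)
                trips += 1
    return pnl, trips


def flag_drain(fills, account, pair, share_threshold=0.8, min_trips=3):
    """Flag `account` when most of its volume goes to one counterparty AND it
    keeps losing quote asset over repeated round trips. Thresholds are
    illustrative, not tuned values."""
    cp, share = counterparty_share(fills, account)
    pnl, trips = round_trip_pnl(fills, account, pair)
    suspicious = share >= share_threshold and trips >= min_trips and pnl < 0
    return {"counterparty": cp, "share": share, "pnl": pnl,
            "round_trips": trips, "suspicious": suspicious}


if __name__ == "__main__":
    for acct in ("V", "H"):
        print(acct, flag_drain(SAMPLE_LOG, acct, "DRK/BTC"))
```

On the constructed log, `V` is flagged (100% of volume against `A`, five round trips, about 0.1 BTC lost) while `H` is not (volume spread over four counterparties, positive P&L). A real deployment would also look at whether the flagged counterparty's gains mirror the victim's losses, which is the link the thread says cannot be proven from the victim's side alone.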