Pages:
Author

Topic: Funds withdrawn from Stake without 2FA. (Read 457 times)

legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
December 24, 2023, 12:22:39 PM
#34
You mean to say that even STAKE wont be knowing whether 2FA has been used for this withdrawal or not..?
I am not that tech-savvy but I follow them online and their advice on how we can keep ourselves safe online, which includes what people don't know that hackers can do. So, let me not speak entirely for Stake, but it is possible that they (Stake) see all security checks passed as regular once they (the hackers) are in.


My friend, hacking is more than this, authenticity checks will be a forgotten issue when they are in. Hacking has different levels.

Please let me know how to Bypass 2FA, Coz we have to find a solution for that... Otherwise there is no meaning in having it.
You know what, I wouldn't say that 2FA is totally useless, it will still be safe over 99%+ of all hacking attempts if I am correct. But as it is, these guys (hackers) are more brilliant and crafty than each other. So, let's pray that the more sophisticated ones will never see us as a targets or randomly steal from us.

The question being raised here is not only about how the hacker get into the account, it's also [and more emphasized on] how they bypass the 2FA verification to withdraw OP's fund. OP knows the safety and efficacy of 2FA, which with Stake's security that's claimed to be impenetrable, shouldn't put OP here on the first place. What OP asked from you is an further explanation on your statement, to mitigate future situation, about how do these "different level" of hacking works on 2FA.
legendary
Activity: 2604
Merit: 2353
December 23, 2023, 05:29:54 PM
#33
In an age where any device can be hacked from a distance why reputed, large scale websites are not doing anything regarding this.
In my case, Norway is like 24 hours away on an airplane.

There has to be some logical authentication method when a user logs in from a far away country within some hours.

You can't say that, it would be unfair for serious and professional platforms. Actually most platforms don't allow withdrawals from a new country without doing anything. They fortunately don't rely on an 2FA code only in those situations, they usually send an email, a sms and/or lock withdrawals to new addresses for 24h at least.
On one exchange I even need to enter a 2FA code AND a SMS one for every transfert I'm doing while I'm using the same old IP  Undecided
And some exchanges like Bitfinex, downright allow you to whitelist your IP addresses.
hero member
Activity: 896
Merit: 654
Leading Crypto Sports Betting & Casino Platform
December 23, 2023, 02:01:07 AM
#32
You mean to say that even STAKE wont be knowing whether 2FA has been used for this withdrawal or not..?
I am not that tech-savvy but I follow them online and their advice on how we can keep ourselves safe online, which includes what people don't know that hackers can do. So, let me not speak entirely for Stake, but it is possible that they (Stake) see all security checks passed as regular once they (the hackers) are in.


My friend, hacking is more than this, authenticity checks will be a forgotten issue when they are in. Hacking has different levels.

Please let me know how to Bypass 2FA, Coz we have to find a solution for that... Otherwise there is no meaning in having it.
You know what, I wouldn't say that 2FA is totally useless, it will still be safe over 99%+ of all hacking attempts if I am correct. But as it is, these guys (hackers) are more brilliant and crafty than each other. So, let's pray that the more sophisticated ones will never see us as targets or randomly steal from us.
member
Activity: 2464
Merit: 57
Primedice.com & Stake.com
December 22, 2023, 04:58:39 PM
#31
Stake has a representative that forward every case against them on this board to their team to be addressed, you probably want to try to PM him to get to the bottom of this issue, Symphonized, though he probably is already aware of this situation.

I usually gladly invite representatives of casinos to address an issue or to simply inform them about an open accusation against their platform, but on our previous exchange of PM, he informed me that he's well aware of every case against Stake and asked me to stop sending him PM for such matter. Thus I am not doing it in concern that my PM will be considered as unsolicited.

I have since 18th...
legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
December 22, 2023, 04:14:31 PM
#30
Should have asked about this sooner... OP, to be sure we cover all the bases [well, at least several of it] with the proper format for scam accusation, can you complete this thread with the supporting evidence? Screenshot of the said withdrawal from your stake account, the IP from stake's log [please cover your own IP], and conversation with their support and your host discussing as what you describe on the opening post will be much appreciated.
sr. member
Activity: 728
Merit: 421
December 22, 2023, 03:03:30 PM
#29
So sorry for your loss, OP. This is funny how funds could be withdrawn from your stake account without you getting any notification. I am becoming more interested in this case because it is not possible for an account with a 2FA function to be bypassed to take or withdraw funds from it. Does this mean that stake security apparatus is that weak for an account with the 2FA function to be hacked without the owner of the account getting notification about it?. Ordinarily, we all know the 2FA function, but I am still curious how this happens without any trace. This is a good follow-up to see how it happened.
legendary
Activity: 1848
Merit: 1982
Payment Gateway Allows Recurring Payments
December 22, 2023, 02:28:18 PM
#28
Another point I want to ask to everyone here
Why there is not authenticity check when the user logs in from a different country in a day's time or even whenever he logs in from a different country rather than his home country.?
This is a very important point to consider, but I expect the default response from the platform will be that they allow the use of a VPN and therefore the IP used can change several times per day.

This is not an acceptable excuse of course, even if using a VPN there should be at least a warning message in the email that you are logging in from a different IP. This will make you verify your account immediately.
sr. member
Activity: 1439
Merit: 380
To Be Or Not To Be
December 22, 2023, 02:06:01 PM
#27

@Sunderland
Which Police/Authority you are talking about..? Is there any "Bounty hunter" to search and hack the hacker which did this to me..?
[...]

I am not sure about fixedfloat, but binance allows account freezing if you can give them an official investigation letter from your local police and you can connect the dots [they provide a table for this] that prove the address used by the scammer is one of theirs. Maybe he's referring to this authority, your local police.

IIRC Fixedfloat claim they do too. But since the trade has most likely been completed and money has already left their end, they will just add the address/es involved in their blocklist then freeze funds if the perp transacted with the same address.

OP could try to request the perp's trade information as well but as always, fixedfloat will most likely request legal paper/s from op's local police too.

Correct, this is a screenshot of email from Fixedfloat to one of NFT scam victims:



They suggest to contacting cipherblade but they dont take cases under $100k, and a basic report costs $100, adding a police report brings the price to $350.



hero member
Activity: 2786
Merit: 902
yesssir! 🫡
December 22, 2023, 01:59:35 PM
#26
I am not sure about fixedfloat, but binance allows account freezing if you can give them an official investigation letter from your local police and you can connect the dots [they provide a table for this] that prove the address used by the scammer is one of theirs. Maybe he's referring to this authority, your local police.

IIRC Fixedfloat claim they do too. But since the trade has most likely been completed and money has already left their end, they will just add the address/es involved in their blocklist then freeze funds if the perp transacted with the same address.

OP could try to request the perp's trade information as well but as always, fixedfloat will most likely request legal paper/s from op's local police too.
legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
December 22, 2023, 12:33:13 PM
#25
@holydarkness
I have sent a PM to the team but no reply yet.

[...]

Maybe they're trying to get to the bottom of this situation before reaching out to you with a concrete answer. I'd suggest we wait a little while.

@Sunderland
Which Police/Authority you are talking about..? Is there any "Bounty hunter" to search and hack the hacker which did this to me..?
[...]

I am not sure about fixedfloat, but binance allows account freezing if you can give them an official investigation letter from your local police and you can connect the dots [they provide a table for this] that prove the address used by the scammer is one of theirs. Maybe he's referring to this authority, your local police.
hero member
Activity: 1078
Merit: 504
December 22, 2023, 11:53:54 AM
#24
@holydarkness
I have sent a PM to the team but no reply yet.

@TheUltraElite
I used to gamble frequently, thats why the BTC was there..
Hopefully, someone from the team will see this and will get a better reply from Stake.

@Sunderland
Which Police/Authority you are talking about..? Is there any "Bounty hunter" to search and hack the hacker which did this to me..?

@sokani
  • NO
  • NO
  • NO

Thats why I am heavily disturbed by this.

@AHOYBRAUSE
Wondering the same...

@EarnOnVictor
You mean to say that even STAKE wont be knowing whether 2FA has been used for this withdrawal or not..?


My friend, hacking is more than this, authenticity checks will be a forgotten issue when they are in. Hacking has different levels.

Please let me know how to Bypass 2FA, Coz we have to find a solution for that... Otherwise there is no meaning in having it.
hero member
Activity: 896
Merit: 654
Leading Crypto Sports Betting & Casino Platform
December 21, 2023, 11:45:27 AM
#23
My Question: How can a withdraw gets accepted without 2fa?
Reply: There are numerous ways that we are not familiar with.


Stake team is not providing me any details about the withdrawal. And on that they say their security is impenetrable.
Sorry about this experience, but as unsatisfactory as the response of Stake's representative is, I'm afraid is true. There is fraud here and there, even in fiats online and in banks that were supposed to be more traceable than cryptocurrency, yet stealing in accounts happens and banks can't truly provide a detailed reason for it or trace it whatsoever.

And I believe Stake can't provide additional information more than what you already know yourself since it is BTC we are talking about. Every normal transaction flows are visible to all. Only that you and they can't access the receiving end account that could later use m!xer to make it untraceable. I don't see how they can help here, unless for a refund.

Quote
Another point I want to ask to everyone here
Why there is not authenticity check when the user logs in from a different country in a day's time or even whenever he logs in from a different country rather than his home country.?
My friend, hacking is more than this, authenticity checks will be a forgotten issue when they are in. Hacking has different levels.
full member
Activity: 164
Merit: 103
December 21, 2023, 09:36:53 AM
#22
This transaction? 0.54092117 BTC•$ 23,713.67

Thats a lot of money,,, hope it gets solved with stake.
hero member
Activity: 798
Merit: 896
Leading Crypto Sports Betting & Casino Platform
December 20, 2023, 08:51:14 PM
#21
I recently read about a similar case in the stake forum.
This user also had 2FA enabled and his funds were transferred to an unknown address.

It's a shame stake support never takes these cases serious and just replies something like "There is nothing we can do. Everything looks normal." If everything would be normal the money would still be there.

Normally stake is fast in blocking account after whatever suspicious activity. I don't understand why they wouldn't do that when a login is happening from a foreign IP and instantly withdrawing all the funds to an address that has never been used before as well.
I also don't understand how this withdrawal can be processed without entering 2fA. These days even if you want to make a tip to another stake player you need to enter 2FA, in the past that wasn't the case.
It's sad to know that money in account seems to be less safe than expected. Yet another fail of security at stake so it seems, when will that ever change.
sr. member
Activity: 658
Merit: 441
December 20, 2023, 05:54:57 PM
#20
Sorry for your loss op. I think the possible ways this could have happened is:
  • If someone close you had access to your device, possibly a friend or loved one.
  • If you stored your login details and 2FA backup code on a password manager, mail or on cloud storage that got compromised.
  • If you downloaded a malware infected application that accessed and stole your login details and 2FA backup code on your device.

sr. member
Activity: 1439
Merit: 380
To Be Or Not To Be
December 20, 2023, 12:56:13 PM
#19

Sorry for your loss, maybe out of topic but just in case you need to trace where the money goes:

Here is what I found,
The "hacker" withdraw with this address: bc1qyuqc9hc9kguk693zlgq6sfk568f7r205rhts4f
then sent the funds to bc1q72tgjdwj8svpmc5nent856zece47cxwav7g0lc (this is Fixedfloat hot address for "order") https://fixedfloat.com/en/

The user doesnt need to provide personal data to use fixedfloat, but maybe they able to provide you with the IP and address destination from that transaction with an official request from the police/authority.
Well, if the funds goes to an exchange with KYC - its possible to identify the bad guy.
legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
December 20, 2023, 12:02:04 PM
#18
Case seems pretty puzzling to me as to how the hacker got access to your account. But we can only do so much as speculate and rule out the common causes. In depth investigation can be done from the Stake's owners side and thus I would advice the OP to PM Stunna and wait for them to respond to the thread.

Hoping Stunna/Mladen/Eddie to respond soon and the case to get resolved. Once again, sorry for the loss.


Side note - maybe dont use casino websites as wallets in future?

Stunna hasn't been online for a while, more than five months, I don't think sending them a PM will be beneficial and solve this case, given a very high probability the PM will not even be noticed.
legendary
Activity: 2898
Merit: 1253
So anyway, I applied as a merit source :)
December 20, 2023, 11:33:36 AM
#17
Case seems pretty puzzling to me as to how the hacker got access to your account. But we can only do so much as speculate and rule out the common causes. In depth investigation can be done from the Stake's owners side and thus I would advice the OP to PM Stunna and wait for them to respond to the thread.

Hoping Stunna/Mladen/Eddie to respond soon and the case to get resolved. Once again, sorry for the loss.


Side note - maybe dont use casino websites as wallets in future?
legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
December 20, 2023, 11:20:10 AM
#16

Is it possible that they bypassed the 2FA through this method? Is there a log on your email account that shows it's accessed from different location than yours? IF we amuse your assumption for a while that someone has access to your email, perhaps the details asked by their security team are readily available in your inbox?

[...]
I use Google Authenticator, I have known only this one from the beginning and been using it since.

In an age where any device can be hacked from a distance why reputed, large scale websites are not doing anything regarding this.
In my case, Norway is like 24 hours away on an airplane.

There has to be some logical authentication method when a user logs in from a far away country within some hours.

Reading your reply to multiple questions, my initial thought when learning that you use GA as your 2FA and your email was not compromised was that maybe that hacker was someone close to you and bypassing your account by the security key that you probably wrote somewhere and store it in your home. But given the IP is from Norway... I think that's quite unlikely.

If there is anyone from Stake here, Do tell me whether the scammer has withdrawn with 2FA or if there is any other way.
Because this cant be an answer your user is expecting..


My Question: How can a withdraw gets accepted without 2fa?
Reply: There are numerous ways that we are not familiar with.


Stake has a representative that forward every case against them on this board to their team to be addressed, you probably want to try to PM him to get to the bottom of this issue, Symphonized, though he probably is already aware of this situation.

I usually gladly invite representatives of casinos to address an issue or to simply inform them about an open accusation against their platform, but on our previous exchange of PM, he informed me that he's well aware of every case against Stake and asked me to stop sending him PM for such matter. Thus I am not doing it in concern that my PM will be considered as unsolicited.
hero member
Activity: 1078
Merit: 504
December 20, 2023, 09:10:51 AM
#15

Is it possible that they bypassed the 2FA through this method? Is there a log on your email account that shows it's accessed from different location than yours? IF we amuse your assumption for a while that someone has access to your email, perhaps the details asked by their security team are readily available in your inbox?

No. My email is not compromised.. I have checked the sessions of my mail and its clear.


We do not have access to the behind the scenes, so cannot determine how there was a breach of the website. You can only get that response directly from a representative of Stake.

Isolated cases like this are not uncommon with crypto related websites, it could be due to a hack or  you allowing someone else access to where you keep valuable information.

If you do not get a substantial answer after a few days, then you can try calling then out on other websites they are active on.

There is no proper response, nor from the live support or from my VIP host. They are just giving me defined automated answers.


OP, which app do you use for 2-factor authentication codes? Google authenticator? Authy?
How about the email you used for registering to stake... Gmail?

To this date, some sites are not so strict when it comes to IP addresses. I don't know why. I used to like how some site would first have to prove if it's actually you trying to log in, regardless of your IP address.

I use Google Authenticator, I have known only this one from the beginning and been using it since.

In an age where any device can be hacked from a distance why reputed, large scale websites are not doing anything regarding this.
In my case, Norway is like 24 hours away on an airplane.

There has to be some logical authentication method when a user logs in from a far away country within some hours.



If there is anyone from Stake here, Do tell me whether the scammer has withdrawn with 2FA or if there is any other way.
Because this cant be an answer your user is expecting..


My Question: How can a withdraw gets accepted without 2fa?
Reply: There are numerous ways that we are not familiar with.


Pages:
Jump to: