Topic: Got hacked (?), 7ish btc lost!? (Read 4091 times)

full member
Activity: 206
Merit: 100
January 28, 2014, 05:22:57 AM
#44
Some great comments and support from other members here, GreenBits. Glad to see you had a chat with bit-mining; I think the site has great potential, more so now after reading your comments. As I was there live when it happened, I will stand by you as a witness to the criminal act. I was very saddened by your loss, so much so that I canceled my trades and went to bed after it happened; I doubt you got much sleep that night. Anyway, my few bitcoins have sat in my offline wallet for two-plus years collecting value by doing NOTHING; putting them at risk like this, after what had just happened to you, made me sick.

Anyway, I've got my own personal theory about what 'might' have happened. I sent you a PM; please get back to me so we might discuss it further...

GroundRod
legendary
Activity: 1148
Merit: 1048
January 27, 2014, 08:46:13 PM
#43
I have edited my previous post because I made an accusation in error.

I had a considerable conversation with the administrator of bit-mining.co. After going over the details of the intrusion, and being informed of the security features behind the scenes, I no longer suspect that my account details were compromised. There was a miscommunication during our emails, which I based my accusation on, that was not correct; after being presented with the facts I can concur that bit-mining.co was not the vector of compromise. So, I will man up and face the music.

I humbly apologize for my false accusation, demontn. I hope you accept it, and I sincerely wish the best for you and your service. Besides this unfortunate incident, I honestly enjoyed your exchange. You have fair pricing and, now that we have spoken, decent customer service.

~Green

So I guess that it was btce. I apologize to you guys for not listening.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
January 27, 2014, 12:34:00 PM
#42
My opinion...

BTC-e is the key to all of this.

You seem convinced that they aren't an issue because you hadn't used the site in so long. I'm not sure why you feel this matters. If anything, were a malicious employee to access the emails and passwords of users of the site, the lack of activity might be the very reason they decided to target you, perhaps figuring that they'd be able to do their deeds and it would be weeks before you noticed.

1) BTC-e seems to be chronologically the first target.

2) Your email wasn't compromised, and your system wasn't compromised. This seems pretty clear.

3) The common link to these sites was the password.

4) I would think the most likely means of retrieving the password would be from the (unencrypted!) data in one of the site's databases.

5) The password reset business is irrelevant (although whether you're being lied to by btc-mining isn't.) Seems clear to me the hacker did it just to throw you off the trail, and likely to lock you out of the account too (if he's going to just sell your stuff and not profit, might as well add one final slap-to-the-face while he's at it.) He apparently did his business, requested a bunch of password resets from the same session (or not), then changed the password on you.


It all seems to boil down to your accounts being compromised by an inept, petty and vindictive thief who got your password and was expecting to hit gold. The only real question seems to be how he got the password. Presuming you don't have younger family members who dislike you poking through your stuff, my money is on BTC-e being the source of the password one way or another.

EDIT: You might consider asking each site if their user password data is encrypted in their database, and if so how (md5, etc.) Not that any one of them couldn't just lie to you, but three sites giving quick, solid responses and one ignoring the question for a week or two would be pretty suspect.
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 27, 2014, 07:44:08 AM
#41
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
> If BTC-E is selective scamming, is there a way to report them? What are their country's laws?
>
> They won't even tell us who they are. That tells you something already ...
>
> Isn't btc-e based in Russia?
> I always hear that again and again in the forum...

No, they are based in Bulgaria. Cheap site, looks like an early 2000's one.

http://en.wikipedia.org/wiki/BTC-E
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 27, 2014, 07:42:50 AM
#40
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
> If BTC-E is selective scamming, is there a way to report them? What are their country's laws?
>
> They won't even tell us who they are. That tells you something already ...
>
> Isn't btc-e based in Russia?
> I always hear that again and again in the forum...

I don't think so.
hero member
Activity: 868
Merit: 1000
January 27, 2014, 04:41:08 AM
#39
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
> If BTC-E is selective scamming, is there a way to report them? What are their country's laws?
>
> They won't even tell us who they are. That tells you something already ...

Isn't btc-e based in Russia?
I always hear that again and again in the forum...
legendary
Activity: 1148
Merit: 1048
January 27, 2014, 04:19:21 AM
#38
> so what's the gist, kids?
>
> 1- always ALWAYS enable 2FA
> 2- always, ALWAYS make separate passwords for every single site you use
> 3- use some encrypted password manager or a physical notebook.

Totally agree, now I know.

But I don't use the same password for all my bitcoin related activities. I use many different ones.

Let me clarify: only the exchanges I use for trading have this password. I utilize a variety of different passwords. lbc, mtgox, bitstamp, here, are all unique passwords, because I use them very infrequently.

I don't believe I was keylogged; again, no other services were compromised. A keylogger would get more than one password, correct? I'd be looking at total account compromise across the board, not just a single user/pass pair compromised (which seems to be the case).

I have never accessed these accounts except at my home terminal.

full member
Activity: 179
Merit: 100
January 27, 2014, 04:08:00 AM
#37
This one is very simple.

If we're positive that your email is safe, then there are 2 obvious explanations:

1) you are keylogged (most likely)
or
2) some bitcoin site that you use has had their database compromised. Because you use the same password for all of your bitcoin related activities, it would not be too hard to begin targeting sites with your email address and password. He'd never even have to have physical access to your email. The physical address is enough to get into a site like havelock if you know the password.

so what's the gist, kids?

1- always ALWAYS enable 2FA
2- always, ALWAYS make separate passwords for every single site you use
3- use some encrypted password manager or a physical notebook.

legendary
Activity: 1148
Merit: 1048
January 27, 2014, 12:49:53 AM
#36
rofl, why is everyone else so quick to assume that email caused this? I have 2FA on my gmail with an android device. Like, what about this makes people believe my email was compromised? gmail doesn't indicate that, and the sensitive information/lack of cleanup suggest that entry to my email was never gained.

There is more important shit in my email than the credentials for 7 btc. Why was nothing else disturbed? The whole argument for my email being compromised rests on the fact that in order to access my bitmining.co account, my password was supposedly reset, and that reset password was accessed from the only place it could be: my inbox (the selfsame 2FA'd gmail account with an even more complex password).

The takeaway:
The only way that my bit-mining.co account was compromised was if my email was compromised. So if my email wasn't compromised, someone is lying to me.

The guy had the password to get into the account. This was his last stop.
1) ...but instead he resets it.
2) ...then uses technomancy (accessing my gmail) to get the new password,
3) ...deletes all the password reset messages to cover his tracks (LEAVING 4 sell/withdrawal/login notifications in the process; he didn't see those in the inbox apparently), all to:
4) then break into my account with the newly generated password.

And, not being able to figure out the withdrawal system at bitmining (your cat could figure this out), attempted only 2 times to withdraw the balance after spending some of it for more ghs? Which he sold at the lowest possible price? Which, amazingly, he was so inept he put his btc address in an input field designed for a btc amount?

Should have taken the fuckin password and skipped to step 4, don't you think? This guy fought the gmail dragon/put malware/phished/cookie-stole/I could give two fucks when he already has the username and pass?

Now does that scenario seem more likely, or this:

password reset never happened?
legendary
Activity: 1148
Merit: 1048
January 27, 2014, 12:27:20 AM
#35
I wrote:
So, the attacker reset my password, utilized the reset to gain access to my account (got into my email), did the series of trades/withdrawal attempts, then, after they finished, as a final action, they reset the password again a second time? This is the sequence of events I have gleaned from our communications.

You see, I remember coming to the terminal, seeing the commotion about a huge buy/sell, then refreshing and seeing that small account balance before I attempted to withdraw (I don't see my withdrawal attempts). When I hit the trade tab again, I was logged out, then my pass didn't work. That would indicate the password was reset (the second time, I guess) while I was actively in chat.
So this was happening while I was near my terminal?
He already had the password... why did this guy reset it to get a new one?
And why lock me out of my account? He was cool enough to leave me access to all the other accounts he compromised...

None of the other accounts compromised had password resets applied. He knew the password on earlier incursions (btce, cex, havelock) but needed to reset the password on my account here to get in? He had the credentials already... why risk locking the account? Also, I can't seem to find a record of any of the password reset emails in my spam, trash, inbox, anywhere. How many password reset requests were issued? Why wasn't the account locked in the initial series of password reset attempts, like the second time? Also, if my email was compromised, the attacker neglected to delete the havelock trade notifications and btce login notifications yet deleted all the password reset emails (which would have been quite numerous, else it would have meant it was locked due to multiple attempts).

Are you absolutely sure that the attacker gained entry via a password reset? I think this is a red herring.

No other service I have accessed in the last 5 days (lbc/gox/stamp) that doesn't share a common password with this incident was affected. All those accounts with different passwords (accessed from the same compromised pc, using the same compromised email) are completely unaffected.

I strongly urge you to continue investigation into the possibility my credentials were compromised on your end.

Thoughts?

Response:

Well, I can't answer all those questions for you, as I don't know what the hacker was thinking. However, I can attempt to make guesses, and maybe from them and any other information you may be aware of, you can determine what makes sense.

"So, the attacker reset my password, utilized the reset to gain access to my account (got into my email), did the series of trades/withdrawal attempts, then, after they finished, as a final action, they reset the password again a second time? This is the sequence of events I have gleaned from our communications."

Not entirely true. They attempted MANY password resets - so many, so close together, that our server's mail queue became too full and stopped sending mails to your email at all. Not sure what the point of this was.

"You see, I remember coming to the terminal, seeing the commotion about a huge buy/sell, then refreshing and seeing that small account balance before I attempted to withdraw (I don't see my withdrawal attempts). When I hit the trade tab again, I was logged out, then my pass didn't work. That would indicate the password was reset (the second time, I guess) while I was actively in chat."

That, or your session had expired. Seems like an awfully big coincidence that your session would expire just as this is occurring, however.

"He already had the password. Why did this guy reset it to get a new one?"

Not sure. My original thought was that he first gained access to your email, and knew somehow beforehand that you were a bit-mining user. So, he went to reset your password, and, since he was in a rush (he somehow knew you were at the terminal as you say, perhaps), reset it a whole ton of times since our password resets sometimes take some time to get to your email. He got the password, deleted all the messages (explaining why you don't see any password reset emails in your inbox now), accessed your account, conducted the trades, possibly out of spite, or in some roundabout way to enrich himself, and finally logged out of the account.

This theory is reasonable, but still doesn't support some of the facts. Specifically, (A) that there were no oddly-priced orders placed just before the transaction so the hacker could enrich himself, (B) that your other accounts were accessed... presumably with no password resets (because you can still access the accounts with your old password), and (C) that the hacker attempted to withdraw BTC, suggesting he is unfamiliar with our system. Also, you claim that your gmail had 2-step security placed on it, which renders that type of hack fairly unlikely.

My other theory, which seems to hold a bit more water (I have developed it a bit more since yesterday, so bear with me), is that the hacker somehow got the password to your btc-e account, logged in, and didn't see any balance. However, he saw your chat username mcnastyfilth (I checked the BTC-E chat archive, and that indeed seems to be your name there: http://trollboxarchive.com/search.php?search_type=username&search=mcnastyfilth). With this username he accessed your Cex.io account. When there was no balance in either of these, he noticed from the cex.io chat log that you mentioned Bit-Mining & Havelock. He drained your havelock account, attempted to drain your Bit-Mining account, and when he couldn't, decided to just destroy it out of spite instead.
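The burst of reset requests the admin describes above (so many that the mail queue filled up) is exactly what a per-account throttle on the reset endpoint should catch, and it also answers the question of why the account was not simply frozen during the first wave. The following Python is an added example, not bit-mining.co's code: the window, limit, account names and source addresses are constructed for illustration.

```python
import secrets
from collections import defaultdict, deque

# Assumed policy values for the illustration, not bit-mining.co's real settings.
WINDOW_SECONDS = 600   # look-back window in which reset requests are counted
MAX_RESETS = 3         # reset mails an account may receive inside one window


class ResetThrottle:
    """Per-account throttle for password-reset requests.

    Requests are counted in a sliding window. When an account exceeds
    MAX_RESETS, no further reset mail is sent, every token already mailed
    is revoked, the account is frozen and an alert is recorded so the owner
    can be told out of band (instead of the mail queue silently filling up).
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_RESETS):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)  # account -> request timestamps
        self.tokens = defaultdict(set)     # account -> live reset tokens
        self.locked = set()
        self.alerts = []

    def request_reset(self, account, ts, src_ip):
        """Handle one reset request; returns ("send", token) or ("locked", None)."""
        if account in self.locked:
            return ("locked", None)
        q = self.history[account]
        while q and ts - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            self.locked.add(account)
            self.tokens[account].clear()        # mails already sent become useless
            self.alerts.append(
                f"{account}: {len(q)} reset requests within {self.window}s "
                f"from {src_ip}; account frozen, pending tokens revoked"
            )
            return ("locked", None)
        token = secrets.token_urlsafe(16)
        self.tokens[account].add(token)
        return ("send", token)

    def redeem(self, account, token):
        """True only for a live token on an unfrozen account; tokens are single use."""
        if account in self.locked or token not in self.tokens[account]:
            return False
        self.tokens[account].discard(token)
        return True


def replay(events, throttle=None):
    """Feed (account, unix_ts, src_ip) events through a throttle.

    Returns the throttle, a per-account count of mails sent vs. blocked,
    and the first token mailed to each account (the one someone reading
    the inbox would try to use)."""
    t = throttle or ResetThrottle()
    summary = defaultdict(lambda: {"sent": 0, "blocked": 0})
    first_token = {}
    for account, ts, ip in events:
        decision, token = t.request_reset(account, ts, ip)
        if decision == "send":
            summary[account]["sent"] += 1
            first_token.setdefault(account, token)
        else:
            summary[account]["blocked"] += 1
    return t, dict(summary), first_token


# Constructed sample: twelve requests for one account inside two minutes (the
# burst pattern described in the thread) plus a single ordinary request.
BURST = [("victim", 1000 + 10 * i, "198.51.100.7") for i in range(12)]
NORMAL = [("other_user", 1500, "203.0.113.5")]

if __name__ == "__main__":
    throttle, counts, _ = replay(BURST + NORMAL)
    print(counts)
    print("\n".join(throttle.alerts))
```

Once the burst trips the limit, even the reset mails that did get delivered carry revoked tokens, so reading them out of the inbox gains nothing.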

legendary
Activity: 1330
Merit: 1000
Bitcoin
January 27, 2014, 12:14:12 AM
#34
Probably something to do with email; you have to be SUPER careful with that stuff.
legendary
Activity: 1148
Merit: 1048
January 27, 2014, 12:10:20 AM
#33
Honestly, I'd take btce and cex.io off the list. I haven't used my btce account in at least 6 months; it wasn't carrying a balance. I had been using cex.io, but again a low balance. If the compromise was inter-exchange, there would be little financial incentive to take my particular account in those cases. The high value accounts were bit-mining.co and havelock (in that order). These have activity. But for the last week, pretty much the sole site I've been accessing has been bit-mining, which has been under maintenance roughly half that time.

This has to be the dumbest fucking thief in the land. Deletes over 10 password reset emails to cover his tracks, and leaves fraudulent login notifications and trade notifications sitting in the inbox. That seems highly illogical.

Given the lack of timestamps, I've asked bit-mining.co to provide a chronology of the intrusion. I still haven't been told definitively how the hacker got into my account. Waiting for a response from them.

full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 26, 2014, 11:18:09 PM
#32
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
> If BTC-E is selective scamming, is there a way to report them? What are their country's laws?
>
> They won't even tell us who they are. That tells you something already ...

Oh yeah, I'm pretty sure. Get enough users to steal billions from and put them into different wallets by using a bitcoin tumbler.
hero member
Activity: 518
Merit: 500
January 26, 2014, 10:31:46 PM
#31
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
> If BTC-E is selective scamming, is there a way to report them? What are their country's laws?

They won't even tell us who they are. That tells you something already ...
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
January 26, 2014, 10:23:06 PM
#30
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.
>
> If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.

If BTC-E is selective scamming, is there a way to report them? What are their country's laws?
hero member
Activity: 518
Merit: 500
January 26, 2014, 10:15:16 PM
#29
> I had a very similar experience with btc-e. I lost about 180 ltc and 1.7 btc; they didn't get my other coins though.
>
> My 2fa was not compromised, yet they removed all my funds.
>
> This was directly after I contacted btc-e support.
>
> I believe to this day btc-e is not a trustworthy company.
>
> Bulgarians!
>
> Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether it's an inside job.
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 07:53:27 PM
#28
This is a laptop, accessing a wifi connection. The wifi connection is provided; I live in corporate housing. It is password protected, the password is fairly complicated and is only given out to lease holders. Maybe 10 people total would be using this network.

Because of the variable signal strength, I most often use 3g data on my android device to surf the web/youtube/casual research. The old building eats the signal. The laptop, connected to an additional display in the living room, is stationary. It is not specced well enough for gaming/watching media.

This is, in all respects, a work computer.
I have only used this singular connection for the many months this computer has been tethered here.
newbie
Activity: 14
Merit: 0
January 26, 2014, 07:35:23 PM
#27

> So let's narrow those vectors down to:
> BTCE (10+ months old account)
> HAVELOCK (6+ months old, most likely older)
> CEX.IO (6+ months old, most likely older)
> BIT-MINING.CO (week old)

Ok, nice list. Make sure you're 100% certain those are the only places you used your password.

> I use my phone for all of this

How often do you use wifi and where? Wifi connections, especially public ones, are basically a hunting ground for anyone who has basic hacking knowledge. I myself, on a test trial, have stolen people's email passwords and hijacked sessions in public places like the airport, mall, universities; anywhere is unsafe. (Mind you, I did this to test common wifi security vulnerabilities as a part of a project; I never did anything with the data collected other than verify that it could be used to access restricted accounts.)

As far as I know 3G broadband is safe.
legendary
Activity: 1148
Merit: 1048
January 26, 2014, 07:25:52 PM
#26
This password was specifically developed for this category of sites. I keep different sets of passwords (and variations of older passwords over time) for things I deem at different levels of risk. The password is ten characters long with three numbers, one cap and 1 symbol. The gmail account doesn't even share the compromised password, in addition to 2FA. I left my android device at home for the holidays and was completely cut off from accessing my btc, so I know how hardcore google is about not letting you access your gmail from foreign ips/foreign devices.

But every single service that was compromised had the same password.
Slight, I believe you are correct: out of the services, one of the 4 had its database compromised, either by subversive, technological methods, or simple employee theft.

So let's narrow those vectors down to:
BTCE (10+ months old account)
HAVELOCK (6+ months old, most likely older)
CEX.IO (6+ months old, most likely older)
BIT-MINING.CO (week old)

My activities are so habitual I can assure you I haven't visited any sites with possible malware, nor opened any attachments. Also, other passwords have been used on this system recently, but haven't been compromised. In fact, because of a tech error of bit-mining.co (the wallet had to sync over two days before we could get withdrawals), I spent 2.5 days camped out in chat waiting for the resolution (most of my position was there, and trading as well as withdrawal was disabled/suspended), literally checking the site every 15 minutes. I look at that, havelock and cex.io's orderbooks, and I browse the securities section of the forum for news. This is the only thing I do with this terminal. No gaming. No media creation. No youtube. I use my phone for all of this.

The common link is the password.

newbie
Activity: 14
Merit: 0
January 26, 2014, 06:47:21 PM
#25
There's a good chance the exchange itself could have been compromised or another service you subscribe to. Usually it's pretty easy to tell if your gmail was compromised because of the extensive logging and security tools they have in place. Plus you had 2fa.

Seems really unlikely that a hacker would be able to specifically target your computer after knowing your involvement with BTC so we can rule out a targeted "blackbox" attack. We can also rule out session hijacking (stealing cookies) as he was able to get your password to other exchanges. You say you keep your system secure and updated so it's unlikely you were caught by a trojan or botnet.

You need to catalog ALL places where you have used that username/email and password combo and try to determine if one of those sites/services was compromised, because that sounds like the most likely attack vector. It could be as simple as someone hacking a forum that you frequent, cracking your password, then trying it out to see what they can access.