Pages:
Author

Topic: LocalBitcoins vulnerability: 6 case of stolen funds confirmed as of now (Read 375 times)

mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
Of course there will be compensation. It's not the users fault that the company's vault was robbed by thief.
 If a thief robs a bank, breaks the bank vault and steal people gold/jewelry, the bank are responsible for keeping the gold safe and will definitely compensate the owners.

The example you gave really doesn't apply with bitcoin/cryptocurrency exchanges, also as reasoned out by o_e_l_e_o. From all the exchanges that got hacked since the rise of bitcoin and cryptocurrencies in general, has every single exchange compensated their users of the stolen funds? No. Most, if not all went bankrupt instead.
legendary
Activity: 2268
Merit: 18771
I wouldn't doubt if the hacker has held onto some account details which at the time did not have any funds in them, because just 6 cases seems to be way too small
I don't think doing that would be of any benefit to the hacker. The whole point of this attack was that it was stealing 2FA codes via the forum and using them to log in to exchange accounts. Keeping username and passwords would be no use unless the hacker had another way of stealing 2FA codes.


Of course there will be compensation. It's not the users fault that the company's vault was robbed by thief.
 If a thief robs a bank, breaks the bank vault and steal people gold/jewelry, the bank are responsible for keeping the gold safe and will definitely compensate the owners.
A bank is regulated and insured. Many crypto exchanges are not. Of course they should compensate the losses, but there have been many hacks in the past that haven't. It's by no means guaranteed.
Ucy
sr. member
Activity: 2730
Merit: 403
Compare rates on different exchanges & swap.
Looks like localbitcoins managed to shut this down pretty quickly after it started up actually, but the hackers still managed to make off with just shy of 8 BTC ($28,000) from 5 users (assuming that 1 address is the only address they used). Wonder if localbitcoins will compensate the users affected?

Once again, we have to wonder why users keep leaving large amount of funds on exchanges. Say it with me now: Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin.

Of course there will be compensation. It's not the users fault that the company's vault was robbed by thief.
 If a thief robs a bank, breaks the bank vault and steal people gold/jewelry, the bank are responsible for keeping the gold safe and will definitely compensate the owners.
hero member
Activity: 1666
Merit: 753
Thanks for letting us know. I actually had no idea of this until I came across this thread.

It's really a bit surprising to me though how small of an amount has actually been compromised, when an entire forum has been breached into. I wouldn't doubt if the hacker has held onto some account details which at the time did not have any funds in them, because just 6 cases seems to be way too small

Even if you didn't sign into the forum during this time it's probably best to be safe, change your password and enable 2FA if you haven't already. It's a good thing that LBC is taking responsibility it seems and refunding people, which is at least professional on their part.

wow this is pretty scary, was it the first time happening???

I like localbitcoin and always thought its a pretty good site, not that fancy but usability is totally there

I hope more safe system will be in place to avoid this kind of scary hacks

Don't think it's the first time that LBC has given us a scare. I remember back in the days it used to be down every once in a while and people would panic. Small hacks had happened a few years back as well.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
Are there any more details about this third party software and what the vulnerability was exactly?

I read a couple articles about the attack and I was led to believe this was a DNS spoofing attack on the forum subdomain. It sounds like that's not actually the case?

I don't think they have given specific information about this matter as of now, but I don't think it's a DNS attack. But for what it looks like in my opinion, I'm personally leaning more on a javascript/XSS injection on the forum software. Probably omething like:

User visits forum --> script executes --> probably redirects the user to a phishing site(?)

Just my rough guess.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.
Typical... you know that those bitcoins are in an Exchange because users want/need to trade right? (Apparently, obviously, surely, most of them got their "own" wallet)
You can't easily use a Cold wallet that was buried 20-feet under a random area guided with a "X" on a map to buy a HYPEd shitcoin before it get pumped.

If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.
I'm afraid that keeping most of the coins in a hot/cold wallet not possible for someone who's day trading. Personally, I prefer keeping higher exchange balance than in cold wallet since highly-priced orders yield higher profit.
Specially now that the price is on its (*typo edit) best buy, predictable low-liqudity and mostly everyone is expecting a rise.

Usually, it goes like this:
Source (ex.Mining)---→(HotWallet)--→EXCHANGE---(Mixer)---→Cold Wallet (Savings)
Other Sources-------⤴---------------⤴                 ↪-----→Hot Wallet  (Expenses)

Fortunately, legitimate exchanges today are heavily regulated and problems such as missing funds can be legally resolved.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
They should just compensate the stolen bitcoin in my opinion.
According to this reddit post, one of the affected users has already had his lost balance reimbursed.

Glad to hear it. If the losses were really limited to 8 BTC, they should just compensate the victims out of goodwill.
copper member
Activity: 140
Merit: 3
These hackers are becoming very sophisticated, i wouldn't be surprised if it was the same team behind the electrum wallet hack as it follows the same pattern of phishing for login details. Bad day for bitcoiners as localbitcoins is a good website
hero member
Activity: 2184
Merit: 531
I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.

You can't expect everything to be stored in cold wallets. They stole a very small number of coins and as long as the loss is small it can be reimbursed and won't affect the business that much. If you have 1000 Bitcoin on your platform it's natural that up to 10% will be in hot wallets but some businesses like that Korean exchange that was hacked had all of their money in hot wallets.
legendary
Activity: 2268
Merit: 18771
Whats about our personal information are they are safe too or the attackers take it too ?
This was a man-in-the-middle type attack on individual users' accounts, stealing their 2FA keys via the forum to log in to their LBC accounts and transfer out their funds. There was no hack on the main LBC wallets or databases, so your personal information won't be affected. I would encourage everyone, however, to think twice before performing KYC with any service online. Just because your documents weren't accessed with this attack, doesn't mean they won't be accessed in the future.


They should just compensate the stolen bitcoin in my opinion.
According to this reddit post, one of the affected users has already had his lost balance reimbursed.
jr. member
Activity: 238
Merit: 1
I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
Wonder if localbitcoins will compensate the users affected?
They should just compensate the stolen bitcoin in my opinion. While 8 BTC is definitely a lot for me, it's probably not that much for them when taking into account how much they're potentially earning. Compensating the stolen BTC would be a great PR move too.

wow this is pretty scary, was it the first time happening???

I like localbitcoin and always thought its a pretty good site, not that fancy but usability is totally there

I hope more safe system will be in place to avoid this kind of scary hacks
It's the first time for LocalBitcoins as far as I know. In the hackers point of view, getting past LocalBitcoins itself is probably difficult, hence the attacker went for the weaker link: the forum software. Correct me if I'm wrong, but the LocalBitcoins exchange itself and the LocalBitcoins forum has accounts that are connected; so the attacker took advantage of this. Quite smart really.
member
Activity: 225
Merit: 10
quarkchain.io
wow this is pretty scary, was it the first time happening???

I like localbitcoin and always thought its a pretty good site, not that fancy but usability is totally there

I hope more safe system will be in place to avoid this kind of scary hacks
legendary
Activity: 3234
Merit: 1214
DGbet.fun - Crypto Sportsbook
Localbitcoins.com was one among the best platform that has got its service around the world. Quite often bitcoin fraudulent activities happen through localbitcoins. This time the same has taken place in large scale as more and more hackers have focused over the cryptocurrency network. Two year back I lost through a hack that was completely because of not enabling two factor authentication.
legendary
Activity: 2268
Merit: 18771
Looks like localbitcoins managed to shut this down pretty quickly after it started up actually, but the hackers still managed to make off with just shy of 8 BTC ($28,000) from 5 users (assuming that 1 address is the only address they used). Wonder if localbitcoins will compensate the users affected?

Once again, we have to wonder why users keep leaving large amount of funds on exchanges. Say it with me now: Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners
As long as exchanges are around, hacks will happen whether we like it or not.



Update: edited the topic to include the message from LocalBitcoins.
jr. member
Activity: 120
Merit: 1
How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners

Not surprising, every year they hack the exchanges, just recently there was information about breaking into large crypto exchanges and selling verified user documents

https://www.ccn.com/hacked-customer-data-from-world-leading-cryptocurrency-exchanges-for-sale-on-the-dark-web/

How do you not understand that to keep money even in the bank is unsafe and especially on the exchanges

My advice to you is to keep your cryptocurrency in cold wallets on your computer and this will not protect you from hacking by 100%

In my opinion this is the safest place
member
Activity: 420
Merit: 10
How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
From the look of it, there have been few reports and the damage is not that big (or still not reported from the users yet). If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.

From the looks of it based on the discussions, it seems like the forum-side of LocalBitcoins was compromised and the hacker is using the login to phish the forum accounts, for the hacker to be able to withdraw the funds of the users. Hopefully it stopped here as the forum has been disabled. Not 100% sure though.
staff
Activity: 3500
Merit: 6152
From the look of it, there have been few reports and the damage is not that big (or still not reported from the users yet). If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.
Pages:
Jump to: