Pages:
Author

Topic: Multiple Kraken Accounts, Robbed/Emptied. Kraken say "Fuck you, its your loss" - page 5. (Read 19781 times)

legendary
Activity: 2268
Merit: 1278
What is the controversy? You could have used 2fa on login. You chose not to. Case closed.

And what's with using single letters instead of proper words? Is it some kind of mental hangup that happens when someone calls you on your bullshit? Second time now.
hero member
Activity: 840
Merit: 1000
And no 2fa accounts were compromised. You willingly chose to have shitty security for your money. At some level, you wanted this to happen so you had something to bitch about. Business as usual with you.

If u had bothered to read even the posts in this thread, you would know that wasn't the case.

No accounts that had 2FA Log In enabled, were compromised. Accounts that merely had 2FA on transactions, or withdrawals enabled, were robbed (see Thorvald's post), cos the 'hackers' (who I believe to be operating within Kraken, hence why only Kraken is affected, and affected en-masse), could simply turn off the 2FA with use of the account password.......and Kraken did not even utilise 2FA or even Email verification to confirm that the user want's to disable 2FA.

As already stated, unlike practically all other exchanges who use Email confirmation, or in the case of the Chinese exchanges, 2FA mobile phone confirmation as a minimum for confirming withdrawals or important changes to account (like new withdrawal addresses being added), Kraken simply send an Email out advising that the deed has been done. Kraken security is so bad, it makes the head spin with incredulity. Question is, why is it so bad? Are the team at Kraken actually really fucking stupid, or are things left this way in order to facilitate selective theft out of 'unprotected' customer accounts?

This shit has happened before, yet Kraken have still failed to take even the most standard, basic preventative measures, and implement Email verification as a bare minimum.
legendary
Activity: 2268
Merit: 1278
And no 2fa accounts were compromised. You willingly chose to have shitty security for your money. At some level, you wanted this to happen so you had something to bitch about. Business as usual with you.
hero member
Activity: 840
Merit: 1000
Worth noting that mat is most likely lying. He likes the victim role.

To the rest of you, get a yubikey.


The fact that you come to that conclusion reveals way more about you, than it does about me....not least of all that your judgement is in the shitter.....(but I knew that anyway).


P.S. Hope u are all buckled up for the big BTC Back to $450 slide?




Did he really open that email with "sorry for your loss"?! What a cucked thing to do.

This was the first thing he said in each of the three emails before he decided that my case was 'solved'. Making sure, that I knew in no uncertain terms, that it was MY LOSS (nothing to do with lax security on Kraken's part).




Kraken, the Bitcoin exchange that is truly 'Sorry For Your Loss'.
legendary
Activity: 2268
Merit: 1278
Worth noting that mat is most likely lying. He likes the victim role.

To the rest of you, get a yubikey.
hero member
Activity: 756
Merit: 502
CryptoTalk.Org - Get Paid for every Post!
Did he really open that email with "sorry for your loss"?! What a cucked thing to do.

True -- businesses should keep up with internet lingo. Cheesy

Putting SFYL as a response to a customer in this situation is pretty screwed up (if slightly hilarious). But hey, these customer service guys get paid next to nothing I am sure, so what do we really expect?
legendary
Activity: 1260
Merit: 1116
Did he really open that email with "sorry for your loss"?! What a cucked thing to do.
hero member
Activity: 756
Merit: 502
CryptoTalk.Org - Get Paid for every Post!
I would never keep funds on an exchange where I don't at least have 2-factor authorization.

Email confirmation really isn't good enough. True, they should *at least* use email confirmation, but people should be securing their accounts better than that.
hero member
Activity: 840
Merit: 1000
When you get scammed the worst thing you can do is to think it is your own fault.

We need to make kraken responsible as their security implementation is so bad it hurts my developer heart.

I have investigated a lot of the withdrawals that day, and find it quite interesting that about 8 hours after my complaint Kraken decided to move 555,660.00 ETH from their wallet for withdrawals to another wallet.
That wallet is being used for withdrawals to day.

A coincidence ? I don't think so.

I know they will explain it with the HF and double spending on ETH/ETC but there is no need to create a new wallet as the old wallet could be reused.

I haven't investigated if the same happened to the BTC-wallet

Thorvald

I don't think it is my own fault.....if it happens again, then I would think it was my own fault, which is why I am going to pull all my funds from all crypto exchanges, and call an end on trading crypto...no point in trying to trade crypto when accounts can be so easily robbed, and the exchanges can tell their customers to basically go do one, with impunity.

I have put in my complaint with UK Financial Ombudsman but of course, I expect to be told that since Kraken is an unregulated foreign exchange etc etc etc...... However, I am pretty sure that there are some written laws somewhere, that state that it is not ok for Kraken to operate the way they are operating whilst handling money belonging to the public, Duty of Care n all that....so will see where this takes me.

As for pressuring Kraken somehow......I dunno....could get a website made (kraken.con or something), into which all the reports of accounts being breached and/or robbed on 20th July can be filed....but for that, we would need a good few to come forward. So far, I have seen around 10 or so different people saying that their Kraken accounts were breached and/or robbed on 20th July 2016.
newbie
Activity: 11
Merit: 0
When you get scammed the worst thing you can do is to think it is your own fault.

We need to make kraken responsible as their security implementation is so bad it hurts my developer heart.

I have investigated a lot of the withdrawals that day, and find it quite interesting that about 8 hours after my complaint Kraken decided to move 555,660.00 ETH from their wallet for withdrawals to another wallet.
That wallet is being used for withdrawals to day.

A coincidence ? I don't think so.

I know they will explain it with the HF and double spending on ETH/ETC but there is no need to create a new wallet as the old wallet could be reused.

I haven't investigated if the same happened to the BTC-wallet

Thorvald
hero member
Activity: 490
Merit: 500
thimo the dev
hero member
Activity: 840
Merit: 1000
I've got some new ideas:

1. Join and gather all the info guys.
2. Use social media (but please do it nicely, else you clearly lose). It makes visible for many other customers that there are problems there and will force Kraken to do something useful on this.

I started with this: https://twitter.com/neuro_fish/status/758596711883374592

Good luck!

Indeed.

I think a collection of all the different cases should be gathered together.....I can perhaps get a website knocked together, that could act as a pasteboard for all the different accounts of people having been robbed by Kraken, or someone operating with back end access to Kraken.

I intend to press ahead with a pushing a complaint through financial ombudsman etc, even though I know they are gonna turn around and tell me that Kraken is foreign and unregulated, therefore there is nothing that they can do, etc etc.....however, I do suspect that somewhere in the legal framework of any of the countries where Kraken bases it's operations, there is a 'Duty of Care', that Kraken must abide by in order to protect their customers funds. Despite this sort of thing having happened before, Kraken still opt to not even insist on something as simple as Email verification. This is inexplicable and inexcusable, and in my case, certainly would have prevented the theft from occuring.

The lax security, and the security breach is with Kraken, not with their customers. I am pretty sure if these cases ever got in front of a judge that this would be the conclusion that the courts would come to as well.
newbie
Activity: 11
Merit: 0
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
I've got some new ideas:

1. Join and gather all the info guys.
2. Use social media (but please do it nicely, else you clearly lose). It makes visible for many other customers that there are problems there and will force Kraken to do something useful on this.

I started with this: https://twitter.com/neuro_fish/status/758596711883374592

Good luck!
newbie
Activity: 11
Merit: 0
I my case the robber logged in, and changed the 2FA I had activated on trading - I had not 2FA on login. Then used all my dollars to buy ETH and sent that and the ETH I had to an external wallet. All within 5 minutes. I was driving in France and just saw the mail after 30 mins. I had not used the userid/password on other exchanges, and know my pc is not compromised. What really surprised me that Kraken does allow change of 2FA without using 2FA, and secondly allow withdrawals without any extra check like locked wallet, email-confirmation, IP-restrictions or 2FA.

The Kraken security is so bad implemented, that I am missing words.

Unfortunately I had not made any withdrawals, so I didn't know.

Worst of all was to see my almost 500 ETH sitting in the new wallet for 6 days, before seeing it being traded at shapeshift yesterday, and knowing its just lost.

But anyone that has been hacked are welcome to write me at [email protected] so we can all get a better view on how this could happen.

And the Kraken statement that no one with 2 FA activated was hacked is a lie, but the one who did the job knew that it was possible to deactivate 2FA on trading without having access to 2FA. And using that no one with 2FA was hacked is a bad argument, as the data exposed might just give access to the login information needed, but with 2FA on login, the hacker could not log in.

I am not saying this is an inside job, but I do think that someone had access to the user-database and thus could figure out what accounts to attack.
And just seeing that all attacks was made around the same time tell me that this is not a coincidence. If it just was us users throwing around with our passwords, why would the hackers make a coordinated attack on Kraken.

Best regards
Thorvald
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!

Even if Kraken has a thief inside, it will be hard to find and prove.
And until that will happen (if ever), they will clearly deny everything and blame on you.
And they do have a point: their DB should contain also the 2FA seeds and then the thief could have emptied all the accounts. But this is unusual: not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at start too that's your fault, remember?
Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time.

The actual big problem is that Kraken should take you seriously and investigate more on this.
But until proven otherwise, both parts are "innocent".  Undecided


Edit: spelling

M8, lots of Kraken accounts were emptied on the 20th July 2016 (https://cointelegraph.com/news/enable-2fa-kraken-accounts-compromised-funds-stolen), some are even claiming that they had 2FA enabled, only for the hackers to disable it. As I have already stated many times. Had Kraken done what Finex, or Stamp, or even BTC-E do, and sent me an Email asking me to confirm my transaction, then there would be no problem, cos the hacker(s) didn't have access to my Email account, mostly cos the 'hacker' is more likely than not operating at Krakens end.

I am not a tech expert, but accounts on one exchange, that operates a default security policy of no secondary confirmation for extractions, hit all on the one day, tells me that the problem is within Kraken itself.

Oh, it looks like I didn't know the whole story. Apologies.
If also 2FA accounts were emptied then it's a clear matter and you have all the ways to sue them for stealing from you.
And fyi, if it's an inside job, the secondary confirmation can be bypassed too with some (php) skills. But it's harder than only getting the DB.
hero member
Activity: 840
Merit: 1000
My reply to the above.........next step will be to file complaint with financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel but this exchange needs to have complaints piling up in various jurisdictions imo.

Even if Kraken has a thief inside, it will be hard to find and prove.
And until that will happen (if ever), they will clearly deny everything and blame on you.
And they do have a point: their DB should contain also the 2FA seeds and then the thief could have emptied all the accounts. But this is unusual: not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at start too that's your fault, remember?
Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time.

The actual big problem is that Kraken should take you seriously and investigate more on this.
But until proven otherwise, both parts are "innocent".  Undecided


Edit: spelling

M8, lots of Kraken accounts were emptied on the 20th July 2016 (https://cointelegraph.com/news/enable-2fa-kraken-accounts-compromised-funds-stolen), some are even claiming that they had 2FA enabled, only for the hackers to disable it with the account password and then empty the account. As I have already stated many times. Had Kraken done what Finex, or Stamp, or even BTC-E do, and sent me an Email asking me to confirm my transaction, then there would be no problem, cos the hacker(s) didn't have access to my Email account, mostly cos the 'hacker' is more likely than not operating at Krakens end, as opposed to having infiltrated my PC and having access to all my passwords and log in details.

I am not a tech expert, but accounts on one exchange, that operates a default security policy of no secondary confirmation for extractions, hit all on the same day, tells me that the problem is within Kraken itself........and this has happened before (2014 I think), and they still never learned. Willful negligence at best, intentional fraud at worst......if things are going so well at Kraken, selectively robbing their own customers and then blaming the customers for it would be one way to pay the bills. That is the only logical explanation I can think off for Kraken having not already implemented Email confirmation for all withdrawals at the very least.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
My reply to the above.........next step will be to file complaint with financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel but this exchange needs to have complaints piling up in various jurisdictions imo.

Even if Kraken has a thief inside, it will be hard to find and prove.
And until that will happen (if ever), they will clearly deny everything and blame on you.
And they do have a point: their DB should contain also the 2FA seeds and then the thief could have emptied all the accounts. But this is unusual: not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at start too that's your fault, remember?
Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time.

The actual big problem is that Kraken should take you seriously and investigate more on this.
But until proven otherwise, both parts are "innocent".  Undecided


Edit: spelling
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
People should start to realize that an exchange isn't the right place to keep bitcoin or FIAT  money, an exchange should be used only to 'change' your bitcoin for fiat or viceversa (or also altcoin).
Mt.gox docet....

sure, but exchanges should also realize that they arnt e-wallets. allowing unprotected accounts to withdraw btc to any address without email confirmation, is probably a practice ALL exchanges should review...

Its hard to place blame on kraken,its a gr8 exchange and they have lots of neat features like that "account lock down" feature mat should have used. but i think there is still some room for improvement.

its pains me to hear these stories every once in awhile.

hero member
Activity: 840
Merit: 1000
My reply to the above.........next step will be to file complaint with financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel but this exchange needs to have complaints piling up in various jurisdictions imo.

Quote
Matthew *********
  Reply|
Today 00:06
Kraken Support ([email protected])


Hello.

You may say that you don't think the origin of the theft is internal because no accounts with 2FA enabled were compromised, but I say that if my PC was compromised, then surely more than just my Kraken account would have been compromised? But the fact is, only my Kraken account has been compromised, and you have just admitted that other accounts (without 2FA enabled) were compromised and I indeed know from correspondence I have had on social media, that other Kraken accounts were compromised within the same time frame as my account was emptied, and that lots of Kraken customer money was 'stolen'. Sorry, but everything seems to be pointing towards the rats scurrying around at Kraken's end, not at your customers end.

At this point, I am not entirely clear on the jurisdiction under which Kraken operates, but I would dare say that as soon as an online business starts recieving customer funds, that they have a duty of care to protect those funds, and that Kraken in this case have been negligent at best, or fraudulent at worst. Even if I really was stupid enough to download some spyware that logged my Kraken password, had Kraken even so much as implemented an Email verification system, as does every other crypto exchange on the internet, then the theives who I believe are operating at Kraken's end, would not have been able to empty my Kraken account, because they wouldn't have the password to my registered Email account.

With all this in my mind, I would like to know when I can expect Kraken to refund the funds  (in Euros) that were removed from the account without my permission.

Matthew.



Pages:
Jump to: