Topic: Someone hacked into our Blockchain.com wallet (Read 625 times)

URGENT

Looks like he stole another $2k from us:

https://www.blockchain.com/btc/tx/0358082dda05367d4a1dba52d6bd0b64a8067dccbcf233684488b7fab58fa868

We did set up 2FA with the account, is it because of the 12 words (the key) that he was able to gain access? We got no email and no notification when these funds were stolen.

Someone else is going to be in charge of the funds from now on with a different PC and in a different country.


The issue is urgent and we need help, so we started a new topic:
https://bitcointalksearch.org/topic/urgent-a-2nd-hack-into-our-blockchain-wallet-5078190

This one will be locked.

Putting answers on a scale is quite hard.

Let me rephrase it:

1) There is no known chrome vulnerability currently (IF you are on the latest version) to break out of the sandbox.
This means that there is no way for an attacker to access your filesystem or your saved passwords.

The very tiny chance that he used a 0-day-exploit exists, but is negligibly small (especially considering that this is a 'simple add-on scam').

This means that:

• Your saved passwords should be safe
• Any keepass database or any other files on your harddrive should be safe
• Your machine should be clean

Definitely tell your admin to check which browser version he has used. If it was not the latest, we have to dig further to find out if there are vulnerabilities which would allow to break out of the sandbox.



2) Depending on the permissions your administrator gave to the extension (assuming all have been granted):

• Chances are VERY high that each password entered into the browser while the addon was active has been compromised
• Chances are VERY high that ANY information entered into the browser while installed has been compromised

I hope this is enough information for you. Rating it on a scale between 1 and 10 wouldn't be close to professional.

---

What ?

1) I don't think he has asked you.
2) I made 6 different statements. How can you simply say "7 out of 10"
3) It is not about password manager. Even using a password manager would have caused the theft of the funds. Please read the whole thread.

 2) It's a moot point.  You've terminated his employment with you and changed your Blockchain.com wallet for a new one, right?!

@get-paid, another user sent me the source code. I’ll take a look through it tonight and see if there’s anything that looks particularly tragic on it, although I’m going to say it’s probably a 5-7 score on your computer being fullly safe after uninstalling the plugin.

Thanks for the info about this.
How certain are you regarding this information? (say on a scale of 1 to 10).

Not that easy because you have to confirm the address in ledger nano led visor

Sure, that's perfectly possible.

However, this would require one to create a malicous version of ledger live (or electrum) for this specific purpose.

And that's where the 2FA (confirming the TX on the ledger screen by physically pressing a button) comes into play.
If you confirm the amount + address, you're fine.




Generating a 'similar looking address' is not as easy as you might thing.

Vanity gens need multiple hour/days/weeks to generate an address with 6 or 7 chosen chars.

So, if you want to generate a 'similar looking' address at runtime, you'll get 1 or 2 chars identical. The rest will be different.

That's the beauty of a big 'key space'.

That is what their add says.
But I would not use ledger in an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is send to ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar than the real output address. 

Oh of course, you’re the guy who said to the other user to back up their wallet addresses .

You seem a bit oddly too in the know of how the software works (or your interpretation of it, they probably do have the keys) so would you care to enlighten us as to how you yourself have been enlightened?

If there is no chrome vulnerability which allows an extension to break out of the isolated environment (which i doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, i heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developer aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

I had the same plugin pushed to me from the owner of cryptrave.com. Usually i wouldn't fall for this trick, but i actually lost a family member on monday, and i was just browsing bitcointalk aimlessly without paying attention after the news actually hit me... I actually felt like playing with a no-deposit bonus would distract me a little bit, and i actually fell for the scammer's trick. Luckily I had the reflex not logging in to any funded wallet while the plugin was installed, so so far i wasn't robbed.

I'm still figuring out which steps i need to take in order to be safe... Offcourse i completely removed all files from my chrome portable and installed a clean version, but i'm wondering what to do with the passwords saved by chrome, my keepass database, my desktop wallets (most of my funds are in my ledger and trezor HW wallets, but i still keep some spending money on a couple desktop wallets)...
I have downloaded the plugin's sourcecode, but at the moment i don't have the energy to truely vet it... On a quick browse, i actually found the array where the hacker defined his wallet addresses for the different (alt)coins he's trying to steal:
t = [];
t.BTC = "16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S", t.ETH = "0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca", t.ETC = "0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5", t.BCH = "1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3", t.LTC = "LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP";

https://bitcointalksearch.org/topic/potential-scam-cryptravecom-5076352

Thanks for pointing out. I somehow missed the URL 

I have filed a report regarding this browser extension.




Not only somehow, but most probably simply trough stealing cookies from the browser.

Stealing cookies is quite an easy approach to gather access to an account, logged in from the browser.

You can regard cookies as an identifier. Anyone who has this explicit cookie (which is assigned to user X in the database of website Y), has access to he account.




Well.. to be honestly.. you basically asked for it. Installing shady add-on's with 1 rating AND using a web wallet is crying to get funds stolen.

While i do not support the behavior of stealing funds, this is one of the lowest-effort-steals i have come across on this forum.
The only one to blame, definitely is your 'admin'.

You may consider using proper stand alone/installed wallet on your computer. It should be safer than websites - at least this problem would have been avoided.
Also if you plan to proceed with bigger funds, a hardware wallet (or cold storage) would be the next step.

We have done all this, 2FA is now activated.
We lost 0.52 BTC (around $2,300) - it was intended to pay publishers, we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

this the reason why 2FA can be useful in a way. 
i would suggest to reinstall the OS, wipe out everything just to make sure its safe to use the computer again. some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

I believe the add-on didn't have any access to your passwords then. It could only somehow Access your wallet that was already logged in in the same browser.... :/

I mostly fall to them on their first try, gladly I am not that fool to install the said ad-on.

1. before you install the said ad-on, it will ask for the user permission to be able to edit and read the datas on most used crypto websites and email providers
2. Not sure about this one but a reformat is better

Installing random chrome plugins is like opening random .exe files, very dangerous. I just use Opera and the only addon I use is uBlock Origin. I rather stay safe then sorry.

Thanks for trying to help, this info was given above in the first post:

If your 'admin' was logged into the account AND the addon has rights to 'view all sites and interact with them' (has to be accepted when installed), then the addon can do whatever it wants to.

Blockchain.com is a web wallet. Each other type of wallet is more secure than a web wallet.

However, this shouldn't happen. A malicious addon can indeed steal your funds this way.




He probably(!) doesn't need to format his laptop. Changing all passwords wouldn't hurt (at least those saved in chrome AND from sites visited while the addon was installed).




Malicious addons have been used since years to steal secret information (passwords).

Might give us information about the addon, so that we can report it to google ?