Author

Topic: There is an epic blockchain.info theft method out there (Read 2883 times)

full member
Activity: 238
Merit: 100
★YoBit.Net★ 350+ Coins Exchange & Dice
Wow! Nice security measures, except using TOR actually makes things less secure for you.... ALOT. Bravo!
hero member
Activity: 686
Merit: 500
it's a TOR security breach, stop using tor + bitcoin

atleast theres one smart person out there.

iv never understood why anyone would visit a FINANCIAL site over a PUBLIC VPN do you lot enjoy giving your money away? anyone can set up a Tor exit node and steal your details. its like leaving a safe full of money half open ofcourse someones going to steal your coins. DONT USE TOR FOR FINANCIAL STUFF

If the financial stuff is over https it's ok to use public vpns, they can't eavesdrop anything in that case

I think OP got hacked because he used http indeed he said:
"I thought even recently I was able to access the site using HTTP"

Exactly. He was very probably victim of a man-in-the-middle attack, TOR exit node detected he want to establish HTTPS connection to blockchain.info, served him phony HTTP site instead, took over his credentials and established HTTPS connection to the real site instead of him. Goodbye bitcoins. It's unbelievable he detected that he was served HTTP instead HTTPS connection and still thinking he was accessing the actual site. You should not use TOR if you do not understand what are you doing.
I believe that POODLE actually would make you think that you were using HTTPS while you are not actually connected to the site you thought you were connecting to.

Also the difference between you using HTTPS and HTTP is very small from what this looks like on the tor browser bundle so it would be very easy to miss.

The attack appears to be one (or more) malicious exit nodes
legendary
Activity: 3472
Merit: 10611
with a quick search you realize that securing your bitcoins is not that hard!
2 simple tasks:
1. activate 2 Factor Authentication on your accounts or create offline transaction and send them on a different online machine
2. do not use TOR
sr. member
Activity: 364
Merit: 256
I am repeating myself...

https://bitcointalksearch.org/topic/poodle-vulnerability-825058

It's caused by POODLE vulnerability in TSL/SSL, if you use TOR to access internet then someone might have stolen and read your traffic (read above thread by theymos)
sr. member
Activity: 476
Merit: 501
 Always Access to blockchain.info on TOR. Recently updated Tor Browser Bundle 4.0. Extension is the default value.


maybe there is your problem?

There is a recent bug on the protocol that might allow others to take your password, specially if you are using tor(at least it is what is said in the news above the forum menu)
legendary
Activity: 1159
Merit: 1001
Have you enabled 2-factor auth on blockchain?
If so, you should get the 2FA code for the login always from outside of TOR (use a different browser just to get your 2fa code via email).

This is what I'd like to know. 

Storing coins online without 2FA is a horrible idea.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
it's a TOR security breach, stop using tor + bitcoin

atleast theres one smart person out there.

iv never understood why anyone would visit a FINANCIAL site over a PUBLIC VPN do you lot enjoy giving your money away? anyone can set up a Tor exit node and steal your details. its like leaving a safe full of money half open ofcourse someones going to steal your coins. DONT USE TOR FOR FINANCIAL STUFF

If the financial stuff is over https it's ok to use public vpns, they can't eavesdrop anything in that case

I think OP got hacked because he used http indeed he said:
"I thought even recently I was able to access the site using HTTP"

Exactly. He was very probably victim of a man-in-the-middle attack, TOR exit node detected he want to establish HTTPS connection to blockchain.info, served him phony HTTP site instead, took over his credentials and established HTTPS connection to the real site instead of him. Goodbye bitcoins. It's unbelievable he detected that he was served HTTP instead HTTPS connection and still thinking he was accessing the actual site. You should not use TOR if you do not understand what are you doing.
sr. member
Activity: 613
Merit: 305
it's a TOR security breach, stop using tor + bitcoin

atleast theres one smart person out there.

iv never understood why anyone would visit a FINANCIAL site over a PUBLIC VPN do you lot enjoy giving your money away? anyone can set up a Tor exit node and steal your details. its like leaving a safe full of money half open ofcourse someones going to steal your coins. DONT USE TOR FOR FINANCIAL STUFF

If the financial stuff is over https it's ok to use public vpns, they can't eavesdrop anything in that case

I think OP got hacked because he used http indeed he said:
"I thought even recently I was able to access the site using HTTP"
legendary
Activity: 1540
Merit: 1002
it's a TOR security breach, stop using tor + bitcoin

atleast theres one smart person out there.

iv never understood why anyone would visit a FINANCIAL site over a PUBLIC VPN do you lot enjoy giving your money away? anyone can set up a Tor exit node and steal your details. its like leaving a safe full of money half open ofcourse someones going to steal your coins. DONT USE TOR FOR FINANCIAL STUFF
sr. member
Activity: 613
Merit: 305
it's a TOR security breach, stop using tor + bitcoin

So who runs a TOR exit node can inject javascript in the HTTP response from the server?

But HTTPSAnywhere is enabled by default in TOR browser, so i don't think the OP has ever visited blockchain over HTTP
legendary
Activity: 1974
Merit: 1003
it's a TOR security breach, stop using tor + bitcoin
newbie
Activity: 3
Merit: 0
The guy stole 1 btc from me too :/, if anyone got some advice on how to handle this please let me know then

I contacted blockchain and asked for my coins back (dont think it will happend tho)

106 BTC in 6 days!

noobster13, you access blockchain.info through TOR? Something more about your configuration is the same as mine? I want to find out which method is used for theft.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
The guy stole 1 btc from me too :/, if anyone got some advice on how to handle this please let me know then

I contacted blockchain and asked for my coins back (dont think it will happend tho)

Blockchain can't give your BTC back. It is just a wallet like others, only the person who knows the private key of the address can give it.

  ~~MZ~~
newbie
Activity: 10
Merit: 0
The guy stole 1 btc from me too :/, if anyone got some advice on how to handle this please let me know then

I contacted blockchain and asked for my coins back (dont think it will happend tho)
newbie
Activity: 3
Merit: 0
The hacker now has received 36 BTC in 5 days:

https://blockchain.info/address/13jxBSEBCTNq45ATDxHdTMNdM2dVNH9bmq

Additional Study:

No evidence of my machine compromised.  This is the virtual machine used for only bitcoin, running Linux and is not accessible from the Internet inward.

- When did Blockchain.info only offer HTTPS? When I visit now using HTTP it redirects me to HTTPS, but I thought even recently I was able to access the site using HTTP.

- My Blockchain.info wallet contains a lot of private keys. Thief swept the entire portfolio, which means that he must have wallet ID and password or a copy of the unencrypted wallet.

I don't have a copy of the unencrypted wallet anywhere. The text of the password is only in an file stored outside of the virtual machine, but if the thief has access to this file he would take a lot more from me than 1 BTC.

My conclusions:

- If blockchain.info has been accessible by HTTP recently then the most likely method was injecting Javascript using TOR exit node.

- Otherwise, the only options that I see are blockchain.info breach (possible, but unlikely, given the amounts thief took in the last 5 days), or a kind of cross-site request vulnerability, or 0 day browser based malware.

Whatever method it has worked well for the thief, and probably will take much more.  I wonder who 1NLnDB7XxPD9Jx2iEnPucu2PQNV9eaGcUN is, that lost 25 BTC.
member
Activity: 84
Merit: 10
Occam's Razor would suggest that there isn't a problem with blockchain.info or with TOR, but rather that you made some sort of error or were just unlucky.
legendary
Activity: 1974
Merit: 1003
oh the irony that your name is ihackbitcoins and speak about being the victim of a hacker.

on the more serious note : you had a authenticator atached to the blockchain acount ? if you didnt i kinda suspect malware on your pc. do a scan see what pops up.

I think he is trying to tell us he can hack bitcoin, but he was hacked too

Quote
I'm a bitcoin hacker. That's why it's awesome. I know all the tricks, but I do not know how it was done. It was not ultrasecure wallet, but any of the obvious precautions are not forgotten by me.
sr. member
Activity: 613
Merit: 305
I do not have much time now, I keep this brief.

  • About 1 BTC stolen my blockchain.info wallet.

  • Unlikely my local machine was take over. It is used for only Bitcoin, is Linux, very safe and would have lost more if it was.

  • Very long password, completely at random. Is not used anywhere.

  • Always Access to blockchain.info on TOR. Recently updated Tor Browser Bundle 4.0. Extension is the default value.

  • The last few days there were three other transactions to the thief's address.  About 1 BTC each.

  • When I have more time I will thoroughly investigate to see if I can find out how it was done. After starting with a fresh machine, of course.

  • I'm a bitcoin hacker. That's why it's awesome. I know all the tricks, but I do not know how it was done. It was not ultrasecure wallet, but any of the obvious precautions are not forgotten by me.

However it was done, it's a new method. Maybe someone has access to blockchain.info and steal wallets, but starting small so do not attract attention. Or maybe someone really using TOR in one of these types of attacks that we consider only theoretical. I'm sure there's going to be epic revelation about blockchain.info soon. It was compromised or someone has wiped a lot of wallets because they were accessed through TOR.  Or something else.

If the thief is reading this, PM me, we'll share stories.


I'm not expert on TOR's inner workings but i'm throwing an hypothesis: who controls a TOR relay could be eavesdropping on SSL/TLS handshakes when the encrypted connection is established between a TOR user and the relay, and so he can actually decrypt all the traffic from that user, including the blockchain.info credentials.

Have you enabled 2-factor auth on blockchain?
If so, you should get the 2FA code for the login always from outside of TOR (use a different browser just to get your 2fa code via email).
sr. member
Activity: 351
Merit: 252
oh the irony that your name is ihackbitcoins and speak about being the victim of a hacker.

on the more serious note : you had a authenticator atached to the blockchain acount ? if you didnt i kinda suspect malware on your pc. do a scan see what pops up.
newbie
Activity: 3
Merit: 0

Edit Nov 30: If you're reading this and concerned about using blockchain.info securely over TOR: Use the .onion site: *Malicious Link Removed*



I do not have much time now, I keep this brief.

  • About 1 BTC stolen my blockchain.info wallet.

  • Unlikely my local machine was take over. It is used for only Bitcoin, is Linux, very safe and would have lost more if it was.

  • Very long password, completely at random. Is not used anywhere.

  • Always Access to blockchain.info on TOR. Recently updated Tor Browser Bundle 4.0. Extension is the default value.

  • The last few days there were three other transactions to the thief's address.  About 1 BTC each.

  • When I have more time I will thoroughly investigate to see if I can find out how it was done. After starting with a fresh machine, of course.

  • I'm a bitcoin hacker. That's why it's awesome. I know all the tricks, but I do not know how it was done. It was not ultrasecure wallet, but any of the obvious precautions are not forgotten by me.

However it was done, it's a new method. Maybe someone has access to blockchain.info and steal wallets, but starting small so do not attract attention. Or maybe someone really using TOR in one of these types of attacks that we consider only theoretical. I'm sure there's going to be epic revelation about blockchain.info soon. It was compromised or someone has wiped a lot of wallets because they were accessed through TOR.  Or something else.

If the thief is reading this, PM me, we'll share stories.
Jump to: