We have posted a conversation with the hacker, so this thread is now closed and locked and you can continue reading here:
https://bitcointalksearch.org/topic/conversation-with-the-hacker-who-stole-funds-from-us-5083139
Topic: URGENT! A 2nd Hack into our Blockchain wallet (Read 680 times)
So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?
It is impossible for blockchain.com to know whether the seed as been imported into another wallet.
But let me understand this:
You have used the SAME wallet with the SAME seed on the SAME 3rd party service which is way less secure than a normal wallet AFTER the attacker gained access to your account?
Really.. ?
A really good advice from me: Please stop any business around crypto.
First learn the basics (yes, BASICS), then start dealing with money.
We are experts at advertising and paying users, yes, when it comes to Crypto we have to learn a very hard lesson here.
Who in his right mind would use a compromised account to store more funds?
Yes, it's a terrible mistake, people do make mistakes, this one is indeed quite a costly one, it's no fun for sure, but we would have to storm it out and move on.
Thanks guys for letting us know hackers can use the 12 word seed to move funds without any notification in your web wallet.
So just to clarify, you could have all the "protection" you want, such as 2FA, email verification etc. - but if someone has your Blockchain 12 word seed - he can easily move the funds without having to go through all these security steps, correct?!
So basically these security steps are "Good for nothing" pretty much?!
You should consider changing your e-mail address with blockchain.com , if they got your login credentials and password they could request the mail address to be moved, then they can drain your wallet.
Just make a new account, and change all your mail accounts and passwords.
Consider doing a clean install of your computer as well, just in case you have some code laying around.
You should also consider to check if you have a physical keylogger connected to your keyboard. Simple, is there any usb box between your keyboard cable and the computer (if you dont use a laptop)
/KX
Which addon was that exactly?
From OP's first thread:
The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org
This is the official reply from Blockchain.com
Hello,
I'm very sorry to hear about this. You may have some type of malware on your computer that resulted in your funds being stolen because your private information was somehow obtained. One of the most common types of these are browser extensions posing as bitcoin price tickers that are actually stealing your account information. There's also the possibility that you visited a phishing site posing as Blockchain. We've also heard of computer viruses that detect when an address is in your clipboard, and replace the one you wanted to use with an address controlled by this malicious party.
By design, Blockchain never has access to users' accounts or funds. If you keep your password and private key backups secure, then your funds are always safe with us. Since this information has been compromised, be sure to never use this wallet or any addresses contained within it. I'd also highly advise against using the same password again. I'm truly sorry that you had funds stolen from you. That certainly is an extremely frustrating experience.
If you’d like to learn more about how our wallet works, please visit: https://www.blockchain.com/learning-portal/wallet-faq.
Brian | Blockchain Support
Facebook: https://www.facebook.com/blockchain Twitter: https://twitter.com/Blockchain
Blog: https://blog.blockchain.com/
Hello,
I'm very sorry to hear about this. You may have some type of malware on your computer that resulted in your funds being stolen because your private information was somehow obtained. One of the most common types of these are browser extensions posing as bitcoin price tickers that are actually stealing your account information. There's also the possibility that you visited a phishing site posing as Blockchain. We've also heard of computer viruses that detect when an address is in your clipboard, and replace the one you wanted to use with an address controlled by this malicious party.
By design, Blockchain never has access to users' accounts or funds. If you keep your password and private key backups secure, then your funds are always safe with us. Since this information has been compromised, be sure to never use this wallet or any addresses contained within it. I'd also highly advise against using the same password again. I'm truly sorry that you had funds stolen from you. That certainly is an extremely frustrating experience.
If you’d like to learn more about how our wallet works, please visit: https://www.blockchain.com/learning-portal/wallet-faq.
Brian | Blockchain Support
Facebook: https://www.facebook.com/blockchain Twitter: https://twitter.com/Blockchain
Blog: https://blog.blockchain.com/
I didn't expect anything else from their site.
All of that creates a false sense of security for newbies. Stop using online wallets and start learning how to secure your systems.
This.
Follow this advice.
In fact, noone which handles user funds or relies on funds to pay others should use a web wallet. Never.
This is the official reply from Blockchain.com
Hello,
I'm very sorry to hear about this. You may have some type of malware on your computer that resulted in your funds being stolen because your private information was somehow obtained. One of the most common types of these are browser extensions posing as bitcoin price tickers that are actually stealing your account information. There's also the possibility that you visited a phishing site posing as Blockchain. We've also heard of computer viruses that detect when an address is in your clipboard, and replace the one you wanted to use with an address controlled by this malicious party.
By design, Blockchain never has access to users' accounts or funds. If you keep your password and private key backups secure, then your funds are always safe with us. Since this information has been compromised, be sure to never use this wallet or any addresses contained within it. I'd also highly advise against using the same password again. I'm truly sorry that you had funds stolen from you. That certainly is an extremely frustrating experience.
If you’d like to learn more about how our wallet works, please visit: https://www.blockchain.com/learning-portal/wallet-faq.
Brian | Blockchain Support
Facebook: https://www.facebook.com/blockchain Twitter: https://twitter.com/Blockchain
Blog: https://blog.blockchain.com/
Hello,
I'm very sorry to hear about this. You may have some type of malware on your computer that resulted in your funds being stolen because your private information was somehow obtained. One of the most common types of these are browser extensions posing as bitcoin price tickers that are actually stealing your account information. There's also the possibility that you visited a phishing site posing as Blockchain. We've also heard of computer viruses that detect when an address is in your clipboard, and replace the one you wanted to use with an address controlled by this malicious party.
By design, Blockchain never has access to users' accounts or funds. If you keep your password and private key backups secure, then your funds are always safe with us. Since this information has been compromised, be sure to never use this wallet or any addresses contained within it. I'd also highly advise against using the same password again. I'm truly sorry that you had funds stolen from you. That certainly is an extremely frustrating experience.
If you’d like to learn more about how our wallet works, please visit: https://www.blockchain.com/learning-portal/wallet-faq.
Brian | Blockchain Support
Facebook: https://www.facebook.com/blockchain Twitter: https://twitter.com/Blockchain
Blog: https://blog.blockchain.com/
So just to clarify, you could have all the "protection" you want, such as 2FA, email verification etc. - but if someone has your Blockchain 12 word seed - he can easily move the funds without having to go through all these security steps, correct?!
All of that creates a false sense of security for newbies. Stop using online wallets and start learning how to secure your systems.It might a,os be easy to find an innocent bystander who’s had their identity atolen too...
You might also have to check their and your jurisdication. Sometimes they like you to sue people in their country of residence...
You might also have to check their and your jurisdication. Sometimes they like you to sue people in their country of residence...
The owner of Crypton-Exchange.net was the one who "guided" our admin what to do, he told him to install the addon (and yes, it was naively done, a rookie's mistake), but legally speaking the chats are documented, when we confronted him for the theft he left the chat (he did speak to us initially), it's all documented - it was done from his site, using his site, it wasn't a Skype conversation where you can say it was a hacker hiding behind someone.
It might a,os be easy to find an innocent bystander who’s had their identity atolen too...
You might also have to check their and your jurisdication. Sometimes they like you to sue people in their country of residence...
You might also have to check their and your jurisdication. Sometimes they like you to sue people in their country of residence...
The owner of Crypton-Exchange.net was the one who "guided" our admin what to do, he told him to install the addon (and yes, it was naively done, a rookie's mistake), but legally speaking the chats are documented, when we confronted him for the theft he left the chat (he did speak to us initially), it's all documented - it was done from his site, using his site, it wasn't a Skype conversation where you can say it was a hacker hiding behind someone.
All the activity was made from the site, looking at the site ownership it seems to be registered with Reg.ru - we have some contacts who speak perfect Russian and are lawyers too, we will check the possibility of obtaining his details and getting him arrested in Russia, we have all the evidence we need.
One last idea we haven't asked about.
The hacker is the owner of Crypton-Exchange.net (as explained in the 1st thread), can we get to him by contacting the domain registrar of this domain? How feasible is that?
If you have proofs that this person is a criminal and stole your money, you can try to contact authorities . Registrar would be a good way to identify him
However, if he is the attacker (through the addon), it's probably that he also uses some sort of identity protection. It may not be easy to identify him.
It might a,os be easy to find an innocent bystander who’s had their identity atolen too...
You might also have to check their and your jurisdication. Sometimes they like you to sue people in their country of residence...
One last idea we haven't asked about.
The hacker is the owner of Crypton-Exchange.net (as explained in the 1st thread), can we get to him by contacting the domain registrar of this domain? How feasible is that?
If you have proofs that this person is a criminal and stole your money, you can try to contact authorities . Registrar would be a good way to identify him
However, if he is the attacker (through the addon), it's probably that he also uses some sort of identity protection. It may not be easy to identify him.
OP, if you have gotten enough ideas, consider closing this thread.
A lot of people have started posting in here without knowing what they are talking about.
Yes, you're right in one way.
One last idea we haven't asked about.
The hacker is the owner of Crypton-Exchange.net (as explained in the 1st thread), can we get to him by contacting the domain registrar of this domain? How feasible is that?
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
This is probably the case here, if they still continue to get hacked even the ad-on is removed on the browser as they said previously on the first thread. AFAIK an ad-on dont have a virus-like function that can still access the device if its removed.
There's your vulnerability point, and I think Occam's razor fits well here. The easiest way for this "hack" to have happened is that someone who already has access (seed, password, 2fa etc.) logged in and withdrew the funds.
If they did so, then they could also have been careless. Check access times on the 2fa device, and see if it coincides with the time of the hack, or even ask blockchain.com to see if 2fa alerts were sent. If alerts were sent and login times match, then you likely have the culprit. Maybe he/she even used a known address to withdraw to?
Maybe the add-on accessed the browser , like Trojan or something like that.
The whole purpose of a browser extension is to access the browser. Makes sense, doesn't it ?
This is probably the case here, if they still continue to get hacked even the ad-on is removed on the browser as they said previously on the first thread. AFAIK an ad-on dont have a virus-like function that can still access the device if its removed.
It doesn't need to have a 'virus like funtion'. (Also, please not that a virus is just malware which needs interaction from a user).
Once the seed is compromised (meaning: anyone knows the secret which allows to spend the BTC) it will stay compromised forever.
OP, if you have gotten enough ideas, consider closing this thread.
A lot of people have started posting in here without knowing what they are talking about.
Thanks guys for letting us know hackers can use the 12 word seed to move funds without any notification in your web wallet.
weren't there a pop-up warning about it when you save backup phrase for the first time So just to clarify, you could have all the "protection" you want, such as 2FA, email verification etc. - but if someone has your Blockchain 12 word seed - he can easily move the funds without having to go through all these security steps, correct?!
yes. the same also applies to all standard bitcoin HD wallets but some other wallets may implement extra Passphrase to protect its BIP39 Mnemonic (word seed)
So basically these security steps are "Good for nothing" pretty much?!
those protections only guard you against any attempts on breaking into your account once your account breached and backup phrase copied, your bitcoin wallet is compromised
if your bitcoin wallet is compromised, those protections are no longer effective
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
This is probably the case here, if they still continue to get hacked even the ad-on is removed on the browser as they said previously on the first thread. AFAIK an ad-on dont have a virus-like function that can still access the device if its removed.
My bad. I have re-read his first thread linked in OP. But in the discussion, he mentioned he formatted his OS, etc too...
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
While reading the OP, I was wondering if it could be something about the APIs, (if the site owner is using any). I am not familiar with it but what about if the hacker is just using it . The hacker didn't access the wallet via the web interface (otherwise he would have received his code), nor via a compromised OS.
When he installed the add-on, he was logged on the wallet in the same browser. Maybe the add-on accessed the browser , like Trojan or something like that.
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
While reading the OP, I was wondering if it could be something about the APIs, (if the site owner is using any). I am not familiar with it but what about if the hacker is just using it . The hacker didn't access the wallet via the web interface (otherwise he would have received his code), nor via a compromised OS.
AFAIK, you can export the seed as often as you want.
Allowing to export it once wouldn't make sense IMO.
Allowing to export it once wouldn't make sense IMO.
I can vaguely remember that in earlier versions of their webwallet, you could only backup your phrase once. Seems like that's not the case anymore. (Or maybe it has never been.)
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
This is indeed an interesting vector.Who in his right mind would use a compromised account to store more funds?
Even if i knew nothing about bitcoin, i'd probably stop using such an account after it was compromised. I guess that might just be me though.
Something that's also interesting; the first time that you got hacked, the funds got send to
https://www.blockchain.com/btc/address/16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
Which seems to be/could be some sort of collection of people that fell victim to this extension.
The second adress however, https://www.blockchain.com/btc/address/1MiMbMZF7QB47AaUp1sg4CWzsPFq7Ruo2e
Only has 1 transaction.
Why would the "hacker" create/send it to a new/clean adress, when he didn't do so in the first place?
Ah well. I'm probably reaching here.
Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
So basically these security steps are "Good for nothing" pretty much?!
No. These security steps makes your blockchain.info wallet safer. This wallet was made to be used with all security steps done.
When you have done all security steps, your account is not going to be compromised so easily.
In your case, if you had 2fa+email verification the attacker would not be able to withdraw your funds, as a 2fa would be asked of him. He would not be able to see your seed, as 2fa is required for that as well. That's not 100%< far from it... But if there is 1% more security, it's worth.
When the attacker saw your seed, it's gone. It's not a matter of the wallet you are using anymore. Bitcoin and the blockchain technology was designed that way. In Bitcoin, the owner of the funds is the person who owns the Private key.
The seed is, simple put, a mathematical function that generate all your private keys. that's why it must be kept safe. When it was compromised, all your wallet is compromised, you need a new one.
I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.
You can just click a button "see words" and you will see them.
Thanks for the help bitmover!
So basically these security steps are "Good for nothing" pretty much?!
No. These security steps makes your blockchain.info wallet safer. This wallet was made to be used with all security steps done.
When you have done all security steps, your account is not going to be compromised so easily.
In your case, if you had 2fa+email verification the attacker would not be able to withdraw your funds, as a 2fa would be asked of him. He would not be able to see your seed, as 2fa is required for that as well. That's not 100%< far from it... But if there is 1% more security, it's worth.
When the attacker saw your seed, it's gone. It's not a matter of the wallet you are using anymore. Bitcoin and the blockchain technology was designed that way. In Bitcoin, the owner of the funds is the person who owns the Private key.
The seed is, simple put, a mathematical function that generate all your private keys. that's why it must be kept safe. When it was compromised, all your wallet is compromised, you need a new one.
I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.
You can just click a button "see words" and you will see them.
Jump to: