
Topic: [WARNING] Attack on freebitco.in account - page 2. (Read 1062 times)

jr. member
Activity: 56
Merit: 1
Code:
What happened: over the month of April, I had made large deposits of $2,000 at least three times and made my way into the monthly wagering contest. As one of the top 10, I ended up winning the contest at number 7 for a total of $500. Upon winning I received an email confirming my victory
https://i.imgur.com/rW1fvb7.png
However, less than a couple minutes later I noticed that my balance was drained and set to zero and I had gotten an email stating that I had made a withdrawal request which I did not make. I didn't even have time to.
https://i.imgur.com/mvHbjQf.png
I did not confirm the withdrawal as in I did not click the link. Therefore, it should be sent back to my balance within an hour.
I immediately started to change my 2fa and my passwords to keep my account secure.
https://i.imgur.com/svUWSzf.png
https://i.imgur.com/fjLAS4W.png

In the meantime my unauthorized request was canceled because the hour had lapsed, and the money was put back into my account.
https://i.imgur.com/olzcwZM.png

I also had changed my deposit address into my crypto.com wallet and made that into my default address.
Scammed by freebitco.in https://imgur.com/gallery/3HUWdyy

I tried to cash it out, however it got sent to a totally different address, supposedly my Bitcoin wallet on freebitco.in, and it happened to be my old address. So I changed my default address, yet it sent it to my old address, which I don't know how it did that.
Here are two screenshots of how I don't even know this is possible.
https://i.imgur.com/UNGWjUh.png
https://i.imgur.com/1kUxsDW.png

Now, since I enabled my 2fa, it made it so I no longer needed to do an email confirmation before the deposit was sent, so I never got a verification email.

However, I got a verification that the Bitcoin had been sent to this supposed old address which I never sent to. Furthermore, the balance never showed up.
https://i.imgur.com/pFhAN9p.png

Here is a screenshot of it being confirmed on the freebitco.in website saying that I got a deposit from myself, however it never showed up in my balance.
https://i.imgur.com/GHhcd9l.png


At that moment I was screwed. Here's a summary of what I think is going on.

Keep in mind that the owner of the website the Quinn fails to ever respond to problems his users face on his website. Here's the summary.


The 2fa thing is part of the scam.

They make a withdraw request which triggers the email.

As a result of an unrequested withdrawal the customer gets spooked and immediately changes their security settings in the belief that this will help secure their account.

However, this is a trojan horse that allows the withdrawal confirmation request to be disabled.

Thus, the original attacker is able to capitalize on the ignorance of the individual who thinks they're securing their account by enabling their 2fa security measures.

Using fear to trap the individual into unknowingly letting their defense down and being looted by either hackers or someone on the inside or backend of the freebitco.in site.

It's genius really but completely f***** up

Either way, security or no security measures, anyone can be targeted, rendering this website extremely dangerous for anyone who has a balance.

This happened to me the other day right after I had won the wagering contest 7th place $500.

We can speculate all we want as to whether or not the website's secure.

But the fact of the matter is there's a few of us that would like to get the hard-earned money that we won.

So we can keep talking about what's wrong with the website or we can discuss how we're going to make reparations to these individuals.

However, if it's an inside job, there's little chance for recovering the funds other than reporting to the FTC and financial crimes units.

Mr. Quinn in my opinion is either part of the problem by allowing this to happen or he's directly involved. Either way, he's guilty by association because he knows his website's faulty and he fails to do anything about it.

And I also have another issue which I doubt will ever get solved. But I ordered a hardware wallet with my hard-earned reward points. I never got that wallet and I never got refunded my reward points, but that's an issue for some other time I guess. Or that ship has already sailed, which sucks.



Scammers Profile Link: https://bitcointalksearch.org/user/thequin-143168  

https://freebitco.in/#




Reference Link: c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb ...



Amount Scammed:
0.00823099 BTC ($500)  



Payment Method:
BTC on https://blockchain.com



Proof of Payment: https://www.blockchain.com/explorer/transactions/btc/c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb...



USER ID 53314860



Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not the mine one and i cannot return to the real mine one" but how do you know it's not a legit deposit address? If you've used "New deposit address" feature, you won't be able to see the QR-code of the former one anymore but you will still see the address in the "old deposit addresses" history.


I was skeptical too when I saw this issue, but judging by the number of customers of this casino experiencing the same issue, including high rank ones, it makes me think that something might be wrong at the casino.

What's worrying here is why these affected users don't check the withdrawal confirmation sent via email to verify whether they are sending to the correct address or not. I read some user complaints that the withdrawal confirmation showed a different address, which means this issue would be avoided if they only checked the email verification.

Wrong, because in my case I got no validation email. After I enabled 2fa I didn't get a validation email. When 2fa was NOT enabled, however, I did get a verification email, so it's not an issue of whether or not we're checking our emails, because we were. We just never got them.
legendary
Activity: 2744
Merit: 3096
Top Crypto Casino
I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
I believe the vulnerability can't be exploited without a valid user ID and the attackers are definitely getting those IDs from the jackpot leaderboard. This explains why only a limited number of users were affected by this attack.
If the freebitco.in team are aware of this and didn't take any action, that's bad. If they aren't, that's even worse!

Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
The difference between your case and his is that he made a deposit while you didn't. Since you didn't make a deposit, the attacker probably decided to change his tactic by making you believe your account got banned.
newbie
Activity: 22
Merit: 1
Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
They had customized scripts, so every case can be different.
And since fbc is not quick to act, attackers had time to adapt and improve their scripts or even improve the whole attack scenario.

I sent email about 2 weeks ago, but still waiting for response.
jr. member
Activity: 57
Merit: 1
Anyway, for me, a curious thing is that my account is still wrong at this time, after a whole day. I see a deposit address that is not mine and I do not see mine in the deposit address history, and I have exited and entered the page many times.

Logically, I still see the cashtravel script but I'm surprised that it's been there for so long when that script doesn't appear anywhere in another friend's account.

If Freebitco.in would like to investigate...

Please, send emails to Freebitco.in. They shouldn't be silent.
newbie
Activity: 22
Merit: 1
Yeah, I believe that only a small group of high rollers were targeted, or at least users whose IDs were published on the leaderboard of the daily jackpot, monthly wagering or referral contest.
And that's understandable - these accounts have active users and should have enough BTC balance to make a withdrawal.

Attackers managed to inject malicious script into a particular user's session (by a known ID).
In my case it was https://cashtravel.info/forum/main.js.
Now, attackers could change location of malicious script and even improve its code.

I saw that one of the Legendary users became a victim of a similar attack, so maybe now this issue will get proper attention.
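
A check along the lines of what the posters did by hand in developer tools, as an added example that is not part of the thread and is not freebitco.in's code: it lists every external script a page loads from a host other than the site itself or an explicit allowlist. The sample markup, the allowlisted CDN host and the choice to trust the site's subdomains are assumptions; only the cashtravel.info URL comes from the post above.

```javascript
// Constructed sample markup. Only the cashtravel.info URL is taken from the
// thread; every other path and host here is made up for the example.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/js/app.min.js"></script>
  <script src="//cdn.example.net/jquery.min.js"></script>
  <SCRIPT async SRC='https://cashtravel.info/forum/main.js'></SCRIPT>
  <script>var inline = 1;</script>
  <script data-src="https://ignored.example/x.js"></script>
  <script src=https://sub.freebitco.in/widget.js></script>
</head><body></body></html>`;

// Return the src attribute of every <script> start tag in an HTML string.
// Handles double-quoted, single-quoted and unquoted values, any letter case,
// and ignores look-alike attributes such as data-src.
function scriptSources(html) {
  const sources = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const m = srcRe.exec(tag[1]);
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// A host is accepted if it is the site itself, one of its subdomains
// (assumption: the site's own subdomains are trusted), or allowlisted.
function isAllowedHost(host, siteHost, allowedHosts) {
  if (host === siteHost || host.endsWith("." + siteHost)) return true;
  return allowedHosts.includes(host);
}

// Resolve each script URL against the page URL (so relative and
// protocol-relative sources are attributed to the right host) and return
// the absolute URLs whose host is not accepted.
function findForeignScripts(html, pageUrl, allowedHosts = []) {
  const siteHost = new URL(pageUrl).hostname;
  const foreign = [];
  for (const src of scriptSources(html)) {
    let url;
    try {
      url = new URL(src, pageUrl);
    } catch {
      foreign.push(src); // unparseable source: report it rather than skip it
      continue;
    }
    if (!isAllowedHost(url.hostname, siteHost, allowedHosts)) {
      foreign.push(url.href);
    }
  }
  return foreign;
}

console.log(findForeignScripts(SAMPLE_HTML, "https://freebitco.in/", ["cdn.example.net"]));
```

In a browser console the same function can be run on the live page with `document.documentElement.outerHTML` and `location.href`, which also covers script elements added after load. It does not inspect inline scripts, so a clean result only says that no unexpected external script is referenced.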
sr. member
Activity: 1680
Merit: 379
Top Crypto Casino
Several days ago I made a deposit and it was credited to my account. For the time being these problems seem to be affecting high roller accounts and referral contest leaders. In my opinion, FreeBitco.in needs to take the site offline for emergency maintenance for a few hours or days while they investigate what is going on and fix it.

For some reason they have stopped caring about maintaining the website. It’s been almost a month since the last round of the lambo contest finished but they have not even picked a winner yet. They are sinking a lot of money into promoting their FUN token, completely forgetting that FreeBitco.in is the only place it has gained any sort of traction. Their actions are completely incomprehensible.

Their website has had a lot of success and been the cornerstone for some of their other projects, but they are now letting it all go downhill with their negligence and putting millions of dollars of user funds at risk.
copper member
Activity: 68
Merit: 2
Hi! I also became a victim of the substitution of the deposit and withdrawal addresses. The fbc support is silent and does not try to make up for my loss. This is completely out of the fault and the problem of the site. The users are not to blame for anything here. Fbc have security holes in the site and should be responsible for it. It is necessary to demand from them the refund of the stolen
jr. member
Activity: 143
Merit: 1
Hi, I have also been robbed on Freebitco.in, here are the details:

https://bitcointalksearch.org/topic/m.64019622

jr. member
Activity: 57
Merit: 1

I am using the web freebitco.in and when I make a withdrawal I can only write:
- the amount I want to withdraw
- the address to send to (I enter it manually)
- the MFA code

After that, I only have the withdraw button and yes, before pressing it I verified the address and it was the same one I had entered manually but...

... after pressing the Withdraw button I saw a different amount (0.0210 instead of 0.002) and a different address in the "Pending Payouts" box, which means I was not able to do anything.

Is there any other method to withdraw? I have 2FA activated and I have not found how to confirm the withdrawal by email (I would love this method). Where is the email verification check?

Thanks in advance.

I'm not a player at this casino but I saw some users using this security feature with their account. Maybe check your account settings and add your email address so a notification is sent there whenever you process a withdrawal.

Based on your claim, the address change happened right after you input the code and all the details for the withdrawal process, right? It's better to go check this thread https://bitcointalk.org/index.php?topic=320959.28820 to stay updated on what's happening right now at this casino. Having an email verification is still not enough to withdraw your balance safely since there's something wrong going on in the casino.

Thanks Eternad,

I have written up my case in this thread as well. I have lost all my freebitcoin funds but I would like Freebitco.in to investigate the issue because it is a freebitco.in issue and, as you have said, if MFA does not work we should have an email confirmation for withdrawals.

At the moment, my account is still bad (my deposit address is false and I have the script), so I am doing nothing in Freebitco.in.
hero member
Activity: 1400
Merit: 623

I am using the web freebitco.in and when I make a withdrawal I can only write:
- the amount I want to withdraw
- the address to send to (I enter it manually)
- the MFA code

After that, I only have the withdraw button and yes, before pressing it I verified the address and it was the same one I had entered manually but...

... after pressing the Withdraw button I saw a different amount (0.0210 instead of 0.002) and a different address in the "Pending Payouts" box, which means I was not able to do anything.

Is there any other method to withdraw? I have 2FA activated and I have not found how to confirm the withdrawal by email (I would love this method). Where is the email verification check?

Thanks in advance.

I'm not a player at this casino but I saw some users using this security feature with their account. Maybe check your account settings and add your email address so a notification is sent there whenever you process a withdrawal.

Based on your claim, the address change happened right after you input the code and all the details for the withdrawal process, right? It's better to go check this thread https://bitcointalk.org/index.php?topic=320959.28820 to stay updated on what's happening right now at this casino. Having an email verification is still not enough to withdraw your balance safely since there's something wrong going on in the casino.
jr. member
Activity: 57
Merit: 1
Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not the mine one and i cannot return to the real mine one" but how do you know it's not a legit deposit address? If you've used "New deposit address" feature, you won't be able to see the QR-code of the former one anymore but you will still see the address in the "old deposit addresses" history.


I was skeptical too when I saw this issue, but judging by the number of customers of this casino experiencing the same issue, including high rank ones, it makes me think that something might be wrong at the casino.

What's worrying here is why these affected users don't check the withdrawal confirmation sent via email to verify whether they are sending to the correct address or not. I read some user complaints that the withdrawal confirmation showed a different address, which means this issue would be avoided if they only checked the email verification.

I am using the web freebitco.in and when I make a withdrawal I can only write:
- the amount I want to withdraw
- the address to send to (I enter it manually)
- the MFA code

After that, I only have the withdraw button and yes, before pressing it I verified the address and it was the same one I had entered manually but...

... after pressing the Withdraw button I saw a different amount (0.0210 instead of 0.002) and a different address in the "Pending Payouts" box, which means I was no longer able to do anything.

Is there any other method to withdraw? I have 2FA activated and I have not found how to confirm the withdrawal by email (I would love this method). Where is the email verification check?

Thanks in advance.
hero member
Activity: 1400
Merit: 623
Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not the mine one and i cannot return to the real mine one" but how do you know it's not a legit deposit address? If you've used "New deposit address" feature, you won't be able to see the QR-code of the former one anymore but you will still see the address in the "old deposit addresses" history.


I was skeptical too when I saw this issue, but judging by the number of customers of this casino experiencing the same issue, including high rank ones, it makes me think that something might be wrong at the casino.

What's worrying here is why these affected users don't check the withdrawal confirmation sent via email to verify whether they are sending to the correct address or not. I read some user complaints that the withdrawal confirmation showed a different address, which means this issue would be avoided if they only checked the email verification.
jr. member
Activity: 57
Merit: 1
Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not the mine one and i cannot return to the real mine one" but how do you know it's not a legit deposit address? If you've used "New deposit address" feature, you won't be able to see the QR-code of the former one anymore but you will still see the address in the "old deposit addresses" history.

I mean the following steps:
- I opened the withdraw pop-up and filled in the data, selecting a withdrawal of 0.002 btc, writing my kraken address manually and entering the authenticator code.
- I have done more or less the same 6 days a week for the last month.
- I saw that instead of 0.002 btc, 0.0210 btc had been sent, and in the withdrawal window another address appeared, not the one I had written manually.
- I looked at the deposit address, because they already changed it a few weeks ago, and it had changed. It was not my usual one. A new one has appeared, which, curiously, is where freebitcoin has sent the savings.
- Since that day I have checked the deposit address but I did not expect that they would change my withdrawal address without me knowing it.

If I look at my deposit address, it is not mine and mine does not appear, and using the developer tools I see the script that @Zibi321 has commented on:

.  

I have tested from PC Chrome, PC Brave, PC Edge, mobile Chrome and mobile Samsung, and my address is not mine.
A friend came to my home and his account works well; his addresses are the correct ones and he does not have the script in developer tools using the same computer and browser.



legendary
Activity: 2604
Merit: 2353
Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.
What do you mean by "sent to the deposit account (which is not mine)"?
A deposit address can't and will never be an address you own because it is (or it must be at least) an address belonging to the platform. When you deposit funds, the platform takes your funds and credits your account balance.
So you mean your funds have been sent to the same address as the one displayed for your deposits?
You say "the deposit address is still not the mine one and i cannot return to the real mine one" but how do you know it's not a legit deposit address? If you've used "New deposit address" feature, you won't be able to see the QR-code of the former one anymore but you will still see the address in the "old deposit addresses" history.
jr. member
Activity: 57
Merit: 1
Same issue. I have been stolen from. When I withdrew a part of my savings by entering the correct address, the entire amount was sent to the deposit account (which is not mine).


After some emails and Facebook messages, Freebitco.in does not answer. Shameless!

.  

On the other side, i have blocked the script but the deposit address is still not the mine one and i cannot return to the real mine one.



Thanks in advance.



Does anyone know how to get Freebitco.in support to know about this problem? Nobody answers the emails and the problem is serious.
jr. member
Activity: 130
Merit: 3
Today I received an email from freebitco.in notifying me that I had won tenth place in the referral wagering contest. USER ID 12591058. My first ever prize!

Seconds later I received a further email asking me to confirm a payment request.

Strange, because I had not made any payment request.

I changed my password and enabled 2FA.

I then initiated an instant withdraw request for some amount. After I submitted the withdrawal request my account balance dropped instantly to zero.

Strange, because I did not withdraw the entire balance.

Additionally, I did not see a pending withdrawal notification on the freebitco.in page as I usually would.

Within minutes I received a payment sent confirmation email from freebitco.in saying, "We have just sent a payment of 0.00096832 BTC to your bitcoin address 17L1uyaWdFmKSnCCoG1Sk9xSvhegdg3FZE".  

https://www.blockchain.com/en/btc/tx/c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb

Strange, because I had not received a payment request email from freebitco.in as I always do so I did NOT confirm the payment. And, unsurprisingly that is NOT my Bitcoin address.

I have contacted freebitco.in support and am now waiting for a response.



Same issue
newbie
Activity: 16
Merit: 0
jr. member
Activity: 72
Merit: 1
April 24, 2024, 08:03:54 AM
#7
Almost unbelievable freebitcoin staff haven't addressed this. Considering the amount of money they are holding their support is unbelievably shite.
newbie
Activity: 22
Merit: 0
April 19, 2024, 02:18:15 AM
#6
Hi,

I am one of the users who was SCAMMED by the vulnerability of the FBC site.
Thank you @Zibi321 for explaining it in detail, and I want to add my two cents.

In fact this is what happened to me:
1) I was in the top10 daily wagerers in 31st March or 1st April.
2) The next day my FBC website showed the message about the change of address (I didn't take a screenshot, but it was the same as the case reported by Zibi321, only a different deposit address starting with '3...')
the message was something in the lines of "Please note that your deposit address have been change to segwit P2SH format. Depositing to your old address will be charged of additional fee"  https://www.talkimg.com/images/2024/04/11/jAWpq.png
I didn't think of it too much, as everything worked normally on the site, I was claiming free rolls, WoFs, free spins from emails, playing Hi-Lo, reward points were updating etc., so I assumed this message is just some maintenance / upgrade being done by FBC.
3) On 04 April, I deposited 0.06768 BTC to the new P2SH address (https://ibb.co/NNPjD0w) (TX id: 77d47f1b44cd656776ca0b2be753ebc0234da203e673714d577e382b6a50444a), but never received this amount in my account at FBC. Suspiciously enough, the next day the message for the change of deposit address to P2SH disappeared from the site.
4) I wrote several times to the freebitcoin support email, to the FAQ page, as well as to TheQuin, and never received any reply from any of those.
5) Feeling desperate, I joined this forum where I saw that other users also faced the same issue and were scammed. I also noticed some abnormal behavior of the site: when I tried to click the generate "new deposit address", nothing happened. You can see it on this video link: https://www.youtube.com/watch?v=O7gXJTFnqyw
6) It seems that within the js script is an embedded MALICIOUS script which was identified by user ID482015 in this forum topic: https://bitcointalksearch.org/topic/m.63923149 . The malicious script is this:
.   
after I blocked this script with AdBlock, now the generate new deposit address is working normally.
This script however is still not removed from the FBC site:   https://ibb.co/L99f2hL

So as a summary, there is a malicious script targeting the high rollers, several people have been scammed by this vulnerability, there is no response from FBC support or TheQuin, the script is still not removed, so the vulnerability is still there, maybe only felt by the targeted audience (high rollers).   

I hope FBC can return the scammed people's money and fix this vulnerability ASAP.  Also support from the community is needed, make it more transparent, otherwise they won't listen to just a few voices.
legendary
Activity: 2730
Merit: 1560
Yes, I'm an asshole
April 12, 2024, 01:20:02 PM
#5
I necromanced an old freebitco account just to see if there is any notification of address change [other users on their ANN have also explained that they're still using their legacy address] and I didn't see any. It seems the incident is not isolated, so it's safe to say, like khaled0111, that it's not your device that got hacked... or you somehow have been compromised just like the other three users.

I'll try to bring this to TheQuin, just in case he missed this situation. Hopefully he can clarify what happens.