Bitcoin Forum

Economy => Service Discussion => Topic started by: MistuhSoftee on July 18, 2015, 02:02:41 PM



Title: Extremely easy to have coins stolen on Bitfinex!
Post by: MistuhSoftee on July 18, 2015, 02:02:41 PM
My friend recently had his coins stolen on BFX. Given how it happened, hackers can apparently drain your account with as little as control of your email.

1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.
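
Added example, not part of the original post: one way an exchange could detect the pattern described above, where an account is drained through many adverse trades matched against a single counterparty. The fill fields, account names, sample data and thresholds are constructed assumptions, not Bitfinex data or APIs.

```python
from collections import defaultdict

# Constructed sample fills (not real exchange data). Hypothetical record layout:
# (account, counterparty, side, price, amount, mid), where mid is the reference
# mid-market price of the DRK/BTC pair at fill time.
def make_sample_fills():
    fills = []
    for _ in range(40):  # account buys DRK above mid, then sells it back below mid
        fills.append(("acct_victim", "acct_x", "buy", 0.01030, 100.0, 0.01000))
        fills.append(("acct_victim", "acct_x", "sell", 0.00970, 100.0, 0.01000))
    # Ordinary activity: several counterparties, prices close to mid
    fills += [
        ("acct_normal", "acct_a", "buy", 0.01001, 50.0, 0.01000),
        ("acct_normal", "acct_b", "sell", 0.01002, 50.0, 0.01000),
        ("acct_normal", "acct_c", "buy", 0.00999, 20.0, 0.01000),
        ("acct_normal", "acct_x", "sell", 0.00998, 20.0, 0.01000),
    ]
    return fills

def adverse_cost(side, price, amount, mid):
    """BTC value given up relative to mid (negative means a favourable fill)."""
    return (price - mid) * amount if side == "buy" else (mid - price) * amount

def flag_loss_transfer(fills, min_fills=20, min_share=0.8, min_loss=0.5):
    """Alert on accounts that steadily lose value to one dominant counterparty."""
    per_pair = defaultdict(lambda: [0, 0.0])  # (account, counterparty) -> [fills, loss]
    per_account = defaultdict(int)            # account -> total fills
    for account, cpty, side, price, amount, mid in fills:
        per_account[account] += 1
        stats = per_pair[(account, cpty)]
        stats[0] += 1
        stats[1] += adverse_cost(side, price, amount, mid)
    alerts = []
    for (account, cpty), (count, loss) in per_pair.items():
        share = count / per_account[account]  # how concentrated the matching is
        if count >= min_fills and share >= min_share and loss >= min_loss:
            alerts.append({"account": account, "counterparty": cpty,
                           "fills": count, "share": round(share, 2),
                           "loss_btc": round(loss, 6)})
    return alerts

if __name__ == "__main__":
    for alert in flag_loss_transfer(make_sample_fills()):
        print(alert)
```

An alert like this is most useful when combined with the account events that precede it in the scenario above, such as a recent password reset by email.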


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: jdebunt on July 18, 2015, 02:09:51 PM
How can they execute trades if his account has 2FA? He must have had orders open then I assume? (never used BitFinex before)


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: TinEye on July 18, 2015, 02:11:00 PM
i think you should enable 2fa on your email too, or the security that microsoft is offering where you have another email doing the security and the back-up part, although i can't understand how they gained access to the email, you didn't explain this very well.

in any case you should avoid using random mail on the web, gmail for example is well known and offers better security



Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: MistuhSoftee on July 18, 2015, 02:46:46 PM
He used gmail, and it was hacked. 2FA is not required for trades, only for withdrawals. So the 2FA did its job in keeping the coins from being withdrawn. However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: achow101 on July 18, 2015, 03:57:27 PM
Quote
He used gmail, and it was hacked. 2FA is not required for trades, only for withdrawals. So the 2FA did its job in keeping the coins from being withdrawn. However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

They don't require 2FA to log in? That is pretty stupid.


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: Serpens66 on July 18, 2015, 04:54:13 PM
Quote
He used gmail, and it was hacked. 2FA is not required for trades, only for withdrawals. So the 2FA did its job in keeping the coins from being withdrawn. However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

Quote
They don't require 2FA to log in? That is pretty stupid.

bitfinex does require 2FA for login (at least you can set it up this way)


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: Karpeles on July 18, 2015, 11:10:39 PM
Usually sites require personal information to disable 2FA. They managed to get such information, or only his email?

And why not add 2FA in the email too???


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: achow101 on July 18, 2015, 11:14:16 PM
Quote
He used gmail, and it was hacked. 2FA is not required for trades, only for withdrawals. So the 2FA did its job in keeping the coins from being withdrawn. However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

Quote
They don't require 2FA to log in? That is pretty stupid.

Quote
bitfinex does require 2FA for login (at least you can set it up this way)

Then how was an attacker able to log in to Bitfinex?


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: photon_coin on July 19, 2015, 12:32:52 AM
safest place for any coin is locked in a qt wallet


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: PolarPoint on July 19, 2015, 01:18:15 AM
Your friend's gmail account was hacked, and used to reset the password of his Bitfinex account. That wasn't Bitfinex's fault. It's like asking for a refund for having a weak password.

The person who took up those bid and offer trades would have financial gains on his other account, but there is no way to prove he was the hacker.


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: Amph on July 19, 2015, 09:59:19 AM
Quote
safest place for any coin is locked in a qt wallet

the point is that he needs coins to trade, so this suggestion is off topic

Quote
He used gmail, and it was hacked. 2FA is not required for trades, only for withdrawals. So the 2FA did its job in keeping the coins from being withdrawn. However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

i'm also one who thinks that you should protect your computer before anything else, if he downloaded something shady in the last few days then it's only his fault, use a dedicated desktop for trading and for storing your bitcoin and don't install or click ANYTHING when you use this machine


Title: Re: Extremely easy to have coins stolen on Bitfinex!
Post by: Herbert2020 on July 19, 2015, 10:13:51 AM
Quote
My friend recently had his coins stolen on BFX. Given how it happened, hackers can apparently drain your account with as little as control of your email.

sorry to hear that.

Quote
1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

how did they log in to his account since it needs 2FA to log in?

Quote
Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

how long did these thousands of trades take that he didn't realize his account was compromised?

Quote
Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.

it is a very well known fact that you should never keep your coins at any exchanger. there have been a lot of hacks, alleged hacks, and scams that make everybody think twice before considering keeping the coins at an exchanger.