Bitcoin Forum

Economy => Service Discussion => Topic started by: GreenBits on January 26, 2014, 09:46:46 AM



Title: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 09:46:46 AM
is also posted in service discussion in case a mod wants to hit me. my bad.

I am at a loss.

I walk back to the chat window of bit-mining.co to notice an amazing market crash /rebound. Excited, i check my buy orders (placed at a premium spot). Refresh the page. 0 btc and zero ghs. Refresh the page again. Im logged out of my account with a changed pass.

Odd.
After contacting the operator via pm and email, I'm informed that I've had an unusual number of password reset attempts, and id need a manual password reset, which was provided.
So I'm in my account, not liking what i see

zero balances.
it seems someone compromised the account, then proceeded to purchase ghs at an unusually high price. then, having purchased as much ghs as they could with my balance, proceeded to sell all the rest of the ghs back to the market, closing my 7 btc position at .00000956btc. they purchased ghs at .05 per (when the market rate is .015 all day, it crashed earlier) and attempted to sell 999.99999999 (i only had 250~, which filled orders down to .001)

you see, you can only withdraw to one single address, supplied at account creation. i thought this would be a foolproof security feature, i didnt expect my account to be griefed. whats odd is that, according to the operator, they attempted to put a btc address in the withdrawal field, as if they werent familiar with the service. so i guess once they figured out they couldnt withdraw the btc (yet they were competent enough to utilize the orderbooks on havelock/cex), they decided to be a dick.

dont know why they purchased, then sold. seems a thief would just sell and go. would have been thwarted by the security feature, but this speculative thief is interesting.


and thats not all.
they got into my havelock account, sold my 330 neobee shares, and withdrew that bitcoin to a green address.

they also logged into my btce, nothing there to take, they also got into my cex account. sold my namecoins and i guess figured it wasnt worth it.

so, these three services all share the same pass user name. i know, im dumb. whatever. we are past that at this point, dont lecture me. what i cant figure out is how they got into my cex.io account (same pass, dif username). although i just realized that my username is in my ref link. that solves that.

they accessed btce around 9:25 est from  IP: 50.136.152.85

got into havelock

2014-01-25 21:07:32   withdraw   withdraw to: 1BzbergrjuUShb927P3vUbtQZW1firSsjC      ฿1.07008294   ฿0.0010

and got into my bit-mining.co account, no time stamps because there is no trans history save an internal one support sent showing the odd account activity i had.

cex:
2014-01-26 02:26:56    0.00221686 BTC    0.00221686 BTC    SELL    Sold 0.3172 NMC at 0.00698785 BTC

details:
i havent installed any software. this comp is old and only used for trading.

i have fully updated antivirus with automatic scanning

i havent opened any email attachments/emails period. nor opened any programs save chrome.

i rebooted the computer once yesterday ( i reboot about once a week)

my gmail has 2fa, i have possession of the device, (had disabled 2fa on btce and havelock, kicks own ass)

didnt update any software, and the only pages i have visited today are this forum, havelock, cex.io, lmb-holdings and bitcoinmiami. using chrome. google details said im the only ip that has accessed my account.

bit-mining.co said
Hello ljackson, we have identified the individual on the other side of the order at 0.027. We are trying to determine if it's related; if it isn't, we shouldn't be giving you their email.

As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.

i never received any email for a password reset though. its not in trash. also, it doesnt seem that anyone but myself has logged into my gmail for some days. only a single ip (mine) in the activity log. again, ive done no unusual activities in the last few days, ive even done less browsing than average, had been parked at the bit-mining chatroom waiting for trading to be enabled, was locked for two days waiting for bitcoind to sync so i could withdraw.


so, what the fuck happened?

all these services had a common password. 3 had the same username (bitmining, btce, havelock), one had a username that could be determined by public information from me (cex.io, my signature).

No other service ive utilized on this computer (mtgx, bitstamp, lbc) was compromised. they all have different passwords. i dont think i was keylogged. and ive utilized these services extensively, with tabs open, for months with no problems. secure wifi i think (corporate housing, wifi has pass, know most if not all of neighbors in entire building personally, none with technical expertise for this)


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: bitbitz on January 26, 2014, 09:49:09 AM
Damn, that sucks, hope all will be alright.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 10:04:36 AM
im starting to think my email wasnt compromised at all.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: Sonny on January 26, 2014, 10:08:59 AM
Quote
im starting to think my email/computer wasnt compromised at all.

Sorry to hear your loss.
Do you have any clue now?


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: HairyMaclairy on January 26, 2014, 10:18:49 AM
Email for reset could have been trashed then permanently deleted.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 10:24:28 AM
my gmail was never compromised. and the password reset of the bit-mining account occurred after they had gained access to the account.

i was told the ip address appears to be that of a mobile phone. i cant even open bitmining on my android device since the site changes.
trade log: (provided by admin)
Canceling 1617 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 20.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 20.00000000
 Canceling 1701 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1703 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1704 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1792 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 1.1800059.

Withdrawing 0 BTC for ljackson0214@gmail.com
Can't withdraw 0 BTC for ljackson0214@gmail.com

Withdrawing 0 BTC for ljackson0214@gmail.com
Can't withdraw 0 BTC for ljackson0214@gmail.com

Selling ljackson0214@gmail.com 1.50000000 GHs at 0.0270001

Buying ljackson0214@gmail.com 52.08 GHs at 0.0500000
ljackson0214@gmail.com did not have 2.06 BTC to sell
Buying ljackson0214@gmail.com 32.1974668 GHs at 0.0500000

Selling ljackson0214@gmail.com 999.99999999 GHs at 0.0000003
ljackson0214@gmail.com did not have 999.99999999 GHs to sell

 Selling ljackson0214@gmail.com 32.1974668 GHs at 0.0000003


what motive would someone have to do this? and how did they get my password? im the only person with physical access to this comp. pass was not bruted. 2fa on gmail, no suspicious logins according to google.

support at bitmining suggested this:

Hello Ljackson,

I am not aware how your email was accessed, and neither are you, so this is why I specifically recommend CHANGING it as soon and as fast as possible. Here are some ways in which hackers commonly bypass google auth:

(1) Cookie stealing: Once a device is logged in, no google auth is used, even if the device's location changes. If the google login cookie was stolen from your computer, it would look to google like your computer changed location, and thus not prompt for google auth.

(2) Device Passwords: Devices accessing your google account (such as phones, etc...) do not prompt for a google auth, but instead use a special device-unique login code. If that login code was stolen, then google wouldn't prompt for google auth.

(3) Trojans: If your account was logged onto gmail, and your computer had a trojan, the trojan can cause your own computer to execute commands on gmail in the background, without your being aware of it.

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.


also

It looks to me increasingly unlikely that the original hacked account was Bit-Mining.

First: How would the username "mcnastyfilth" be obtained from your Bit-Mining account, so they would know to log into Cex with that username?

Second: The server time for the first trade on Bit-Mining was 2014-01-25 22:24:49. The server time for the BTC-E login was 26.01.14 06:25. Now, even taking into account the difference in server times (BTC-E and bit-mining don't operate in the same time zone), by subtracting off the current server time at each, the BTC-E login occurred prior to the compromising of your Bit-Mining account. The same goes for the cex.io login, as far as I can see.

Third: The user attempted to withdraw BTC from your bit-mining account by entering in the address 1BzbergrjuUShb927P3vUbtQZW1firSsjC at the amount prompt. This indicates that he wasn't familiar with the Bit-Mining system, and didn't know that you couldn't withdraw the BTC to a different BTC address.

If I were you, I would attempt to contact the BTC-E administrators (they seem to be the account that was accessed first). I will continue the investigation at Bit-Mining, however, just in case.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 10:26:49 AM
Quote
Email for reset could have been trashed then permanently deleted.

true, but wouldnt the remote login show up in the google details tab? it indicates im the only one who has accessed my gmail. if they had, wouldnt a unique, distant ip show up on this list?

Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    5:25 am (0 minutes ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    4:20 am (1 hour ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    3:37 am (1.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:49 am (2.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:06 am (3 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (23 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 10:41:15 AM
and i havent accessed btce ever from a mobile device, and not within the last 6 months on a terminal. i never verified with them. odd the first service to be compromised is the one i use the least.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 26, 2014, 12:37:18 PM
There is no getting them back if the hacker used a proxy to hide their tracks.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: vitalemontea on January 26, 2014, 12:45:23 PM
They can access your email through your PC when it is at idle OR use your computer as proxy to avoid gmail verification and shit.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: Meuh6879 on January 26, 2014, 12:48:20 PM
Quote
so, what the fuck happened?

Well, shit happens.

BTW, you must always transfer bitcoin to a local Bitcoin-QT software to secure your money.
Hacked platform is like "rain in california" ...  :-\


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: empoweoqwj on January 26, 2014, 01:24:28 PM
Never keep a significant amount of bitcoins online - that's what offline wallets were designed for.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: meelvanchris on January 26, 2014, 01:32:06 PM
Not to make you paranoid. Just maybe something to think about.
Reading from what you've said with password resets, it could be fairly easy to do so via your email. Then like stated already someone could delete those files permanently from trash so it wouldnt show up there.
I still think its somewhere in email compromise.
Either someone hacked into your pc and remotely guided it to your mail etc. (maybe with remember me's, passwords embedded into your browser?)
(Or small chance and im hoping for your sake it really wasnt that, someone could have personally been sitting behind your pc while you were away...)

Anyway.. sorry for your loss


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: EvilPanda on January 26, 2014, 02:45:20 PM
The biggest mistake was having the same passwords. You also say one of them could be determined by public info. Did you log into Gox or any other sites that were not hacked lately? From the password guessing and the fact that the other passes were not found I would exclude keylogger. Either someone hacked your pc eg. through remote desktop feature, or tapped into your wireless if you have one. There is also a small chance they just obtained some info about you and decided to guess your password based on that.

Interesting how they could bring your balance to 0. A typical exchange doesn't allow you to place an ask order below the minimum bid - if you do that it will go for the minimal price anyway.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 06:44:09 PM
question to those who suspect my email was compromised...

why would the thief delete a password reset email ( supposedly to cover his tracks) and leave 3 trade notifications from havelock and a login successful email from btce?

so, this guy accesses my havelock account, sells my stuff and withdraws 1.07 btc (doesnt reset password) (account 6 months old)
goes to btce, nothing there, moves on (doesnt reset password) (account old as time, unused for months)
goes to cex.io, sells namecoins, doesnt withdraw anything though (no password reset) (account 6 months old)
and then goes to bit-mining.co, spends account balance buying assets, then sells assets off at absolute lowest price (password reset) (2 week old account)

from admin of bit mining:
As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.

also from bitmining:

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.

so, was my password reset then gmail used to access my account? or was my account accessed, then my password reset? because the reset occurred supposedly before the theft. which is odd, why reset a password you already had? to break into email to resteal it? also, if you have stolen  credentials, why reset them?

so.. no deletion of any other emails that showed the account intrusion.
thief also didnt withdraw from the service that would need email verification to do so (cex.io)


seems to indicate my email wasnt compromised.

i cant store ghs/stocks in an offline wallet. hence being on the exchanges i use.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: the_poet on January 26, 2014, 06:52:16 PM
90BTC stolen in the other thread, now another theft?

This is getting scary...


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 07:01:02 PM
and yes, i should have used different passes, used to utilize 2fa on both havelock and btce, so was never an issue for me until i disabled it sometime later (stopped trading on those exchanges for a while).

 this thief is a study in contrast. tech savvy enough to compromise 2fa gmail, intercept a password reset email, and delete it permanently.

while ignoring 4 other emails that show clear, unauthorized access to my accounts.

it seems obvious that the fact my cex.io balance wasnt withdrawn means my email wasnt compromised. withdrawing from cex.io requires email confirmation. my username/password was compromised out in the wild.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 26, 2014, 07:02:41 PM
Quote
90BTC stolen in the other thread, now another theft?

This is getting scary...

Damn right it is, Im getting my wallet and storing it into a USB drive. These hackers will bring down bitcoin and then there wont be bitcoin, They are stupid fucks who have no brains.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 07:12:10 PM
no other service i use has been compromised, including non btc accounts. only services with that common password


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: EFFV on January 26, 2014, 07:21:50 PM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 07:51:00 PM
btce was the first account compromised for me chronologically, but out of the accounts compromised, it was the one i utilized the absolute least.

the only service ive signed up for in recent memory that shares this password is bit-mining.co . all the other accounts are very old/ not used (with the exception of cex, heavily used)


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 26, 2014, 08:24:29 PM
Have you guys noticed there is now a chain between BTC-E transactions and account issues and MtGox transactions and account issues?


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 08:57:57 PM

got some of my trans log. requested the login times and ips of the time my account was compromised, they werent available.


Hello Ljackson,

Unfortunately we don't log login activity (it is sort of pointless in many situations, especially with cookie stealing). We instead choose to monitor changes in account information, including trading, password reset, withdraw request, etc... Also, much of the log is hard to understand. You have to remember that we are a new system, and that we've been working on important features rather than making easily readable logs.

Here is the log for your account:           note:(the bold activity is legit)
Buying ljackson0214@gmail.com 59 GHs at 0.013
 Buy_Recur(ljackson0214@gmail.com, 0.013, 59)
 Buy filled none for ljackson0214@gmail.com, save.
Crediting ljackson0214@gmail.com with 59.00000000 GHs
Selling ljackson0214@gmail.com 10.00000000 GHs at 0.034
 Subbing ljackson0214@gmail.com for 10.00000000 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.034, 10.00000000)
 Sell filled none for ljackson0214@gmail.com, save.
 Selling ljackson0214@gmail.com 10.00000000 GHs at 0.0335
 Subbing ljackson0214@gmail.com for 10.00000000 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0335, 10.00000000)
 Sell filled none for ljackson0214@gmail.com, save.
 Selling ljackson0214@gmail.com 10.00000000 GHs at 0.033
 Subbing ljackson0214@gmail.com for 10.00000000 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.033, 10.00000000)
 Sell filled none for ljackson0214@gmail.com, save.
 Selling ljackson0214@gmail.com 25 GHs at 0.0327
 Subbing ljackson0214@gmail.com for 25 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0327, 25)
 Sell filled none for ljackson0214@gmail.com, save.
Buying ljackson0214@gmail.com 10 GHs at 0.0145
 Buy_Recur(ljackson0214@gmail.com, 0.0145, 10)
 Buy filled none for ljackson0214@gmail.com, save.
 Buying ljackson0214@gmail.com 142 GHs at 0.0140000
 Buy_Recur(ljackson0214@gmail.com, 0.0140000, 142)
 Buy filled none for ljackson0214@gmail.com, save.
Canceling 1753 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 1.988.
 Buying ljackson0214@gmail.com 133 GHs at 0.015
 Buy_Recur(ljackson0214@gmail.com, 0.015, 133)
 Buy filled none for ljackson0214@gmail.com, save.
Canceling 1770 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 1.995.
 Buying ljackson0214@gmail.com 99 GHs at 0.0200001
 Buy_Recur(ljackson0214@gmail.com, 0.0200001, 99)
 Buy filled none for ljackson0214@gmail.com, save.
Crediting ljackson0214@gmail.com with 15 GHs (filled)
Crediting ljackson0214@gmail.com with 25 GHs (filled)
Canceling 1752 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 0.145.
Selling ljackson0214@gmail.com 1.00000000 GHs at 0.0290000
 Subbing ljackson0214@gmail.com for 1.00000000 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0290000, 1.00000000)
 Crediting xxxxx@hotmail.com with 1.00000000 GHs
 Sell filled complete for ljackson0214@gmail.com, finish.
 Canceling 1725 for ljackson0214@gmail.com

 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
Canceling 1724 for ljackson0214@gmail.com

 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1705 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 25.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 25.00000000
Canceling 1617 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 20.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 20.00000000
 Canceling 1701 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1703 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1704 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1792 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 1.1800059.
 Selling ljackson0214@gmail.com 1.50000000 GHs at 0.0270001
 Subbing ljackson0214@gmail.com for 1.50000000 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0270001, 1.50000000)
 Sell filled complete for ljackson0214@gmail.com, finish.
 Selling ljackson0214@gmail.com 177.07079376178 GHs at 0.0000003
 Subbing ljackson0214@gmail.com for 177.07079376178 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 177.07079376178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 174.07079376178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 154.07079376178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 124.07079376178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 117.07079376178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 67.49811794178)
 Crediting xxxx@hotmail.com with 1.00000000 GHs
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 66.49811794178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 63.49811794178)
 Sell filled incomplete for ljackson0214@gmail.com, recur.
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 62.49811794178)
 Sell filled complete for ljackson0214@gmail.com, finish.
 Buying ljackson0214@gmail.com 52.08 GHs at 0.0500000
 Buying ljackson0214@gmail.com 32.1974668 GHs at 0.0500000
 Buy_Recur(ljackson0214@gmail.com, 0.0500000, 32.1974668)
 Crediting ljackson0214@gmail.com with 1.02070624 GHs
 Buy filled incomplete for ljackson0214@gmail.com, recur.
 Buy_Recur(ljackson0214@gmail.com, 0.0500000, 31.17676056)
 Crediting ljackson0214@gmail.com with 1.00000000 GHs
 Buy filled incomplete for ljackson0214@gmail.com, recur.
 Buy_Recur(ljackson0214@gmail.com, 0.0500000, 30.17676056)
 Crediting ljackson0214@gmail.com with 19.00000000 GHs
 Buy filled incomplete for ljackson0214@gmail.com, recur.
 Buy_Recur(ljackson0214@gmail.com, 0.0500000, 11.17676056)
 Crediting ljackson0214@gmail.com with 11.17676056 GHs
 Buy filled complete for ljackson0214@gmail.com, finish.
 Selling ljackson0214@gmail.com 999.99999999 GHs at 0.0000003
 Subbing ljackson0214@gmail.com for 999.99999999 GHs
 ljackson0214@gmail.com did not have 999.99999999 GHs to sub
 Selling ljackson0214@gmail.com 32.1974668 GHs at 0.0000003
 Subbing ljackson0214@gmail.com for 32.1974668 GHs
 Sell_Recur(ljackson0214@gmail.com, 0.0000003, 32.1974668)
 Sell filled complete for ljackson0214@gmail.com, finish.



this indicates to me the person that compromised my account also has an account on the exchange, and had a buy/sell order filled. knowing how an orderbook works (demonstrated by the havelock/cex incursions), the thief did not attempt to liquidate the assets and withdraw the money, instead engaging in a pattern of buying/selling/buying selling that satisfied multiple orders over a period of time. this might also suggest multiple agents at work in cohesion (multiple account holders on the exchange)
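
Added example, not part of the original post and not the exchange's own code: a small Python scan over log lines in the format quoted above that flags the patterns seen in this incident, namely sells priced far below and buys priced far above the account's own recent order prices, plus rejected withdrawals and oversized sells. The sample lines are constructed with a placeholder account, and the thresholds and function names are assumptions.

```python
"""Flag value-destroying orders in an exchange audit log (added example)."""
import re
from collections import defaultdict, deque
from decimal import Decimal
from statistics import median

# Line shapes follow the log format quoted in the post above.
ORDER_RE = re.compile(r"^(Buying|Selling) (\S+@\S+) ([0-9.]+) GHs at ([0-9.]+)$")
SHORT_RE = re.compile(r"^(\S+@\S+) did not have ([0-9.]+) (GHs|BTC) to (?:sell|sub)$")
NO_WD_RE = re.compile(r"^Can't withdraw ([0-9.]+) BTC for (\S+@\S+)$")

# Assumed tuning values, not taken from the exchange.
RATIO = Decimal(2)   # distance from the reference price that counts as abnormal
MIN_HISTORY = 5      # accepted orders needed before prices are judged
WINDOW = 20          # recent accepted prices kept per account


def scan(lines):
    """Return a list of (line_no, account, kind, detail) alerts."""
    history = defaultdict(lambda: deque(maxlen=WINDOW))
    alerts = []
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = ORDER_RE.match(line)
        if m:
            side, account, price = m.group(1), m.group(2), Decimal(m.group(4))
            prices = history[account]
            kind = None
            if len(prices) >= MIN_HISTORY:
                ref = median(prices)
                # Only the loss-making directions are flagged: dumping below
                # the reference price or bidding above it.
                if side == "Selling" and price * RATIO < ref:
                    kind = "sell_below_reference"
                elif side == "Buying" and price > ref * RATIO:
                    kind = "buy_above_reference"
            if kind:
                alerts.append((no, account, kind,
                               f"price {price:f} vs reference {ref:f}"))
            else:
                # Flagged prices never enter the baseline, so a burst of
                # abnormal orders cannot shift the reference.
                prices.append(price)
            continue
        m = SHORT_RE.match(line)
        if m:
            alerts.append((no, m.group(1), "insufficient_balance",
                           f"{m.group(2)} {m.group(3)} requested"))
            continue
        m = NO_WD_RE.match(line)
        if m:
            alerts.append((no, m.group(2), "rejected_withdrawal",
                           f"{m.group(1)} BTC requested"))
    return alerts


def accounts_to_hold(alerts, threshold=3):
    """Accounts with enough alerts that trading should pause for review."""
    counts = defaultdict(int)
    for _no, account, _kind, _detail in alerts:
        counts[account] += 1
    return {account for account, n in counts.items() if n >= threshold}


# Constructed sample in the page's log format; user@example.com is a placeholder.
SAMPLE_LOG = """\
Buying user@example.com 59 GHs at 0.013
Selling user@example.com 10.00000000 GHs at 0.034
Selling user@example.com 10.00000000 GHs at 0.0335
Selling user@example.com 25 GHs at 0.0327
Buying user@example.com 10 GHs at 0.0145
Buying user@example.com 133 GHs at 0.015
Withdrawing 0 BTC for user@example.com
Can't withdraw 0 BTC for user@example.com
Selling user@example.com 177.07079376178 GHs at 0.0000003
Buying user@example.com 32.1974668 GHs at 0.0500000
Selling user@example.com 999.99999999 GHs at 0.0000003
user@example.com did not have 999.99999999 GHs to sub
Selling user@example.com 32.1974668 GHs at 0.0000003
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("hold trading for:", accounts_to_hold(found))
```

An account with fewer than `MIN_HISTORY` accepted orders gets no price alerts, so a new account would need a market-wide reference price instead of its own history.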


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 10:12:10 PM
also, do like, websites exist nowadays that dont record ip addresses of login attempts? or times? esp at a place where multiple password resets mean a required manual admin override to access ( he had to email me a password to get back into my account) i mean, not tech genius here, but there are websites with multiple user accounts that dont record ip information for that particular session? isnt that basic information a site admin/webmaster should have access to?

why cant i find a single password reset email?


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: Slight0 on January 26, 2014, 10:47:21 PM
There's a good chance the exchange itself could have been compromised or another service you subscribe to. Usually it's pretty easy to tell if your gmail was compromised because of the extensive logging and security tools they have in place. Plus you had 2fa.

Seems really unlikely that a hacker would be able to specifically target your computer after knowing your involvement with BTC so we can rule out a targeted "blackbox" attack. We can also rule out session hijacking (stealing cookies) as he was able to get your password to other exchanges. You say you keep your system secure and updated so it's unlikely you were caught by a trojan or botnet.

You need to catalog ALL places where you have used that username/email and password combo and try to determine if one of those sites/services were compromised because that sounds like the most likely attack vector. Could be as simple as someone hacking a forum that you frequent, cracking your password, then trying it out to see what they can access.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 11:25:52 PM
this password was specifically developed for this category of sites. i keep different sets of passwords (and variations of older passwords over time) for things i deem at different levels of risk. password is ten characters long with three numbers, one cap and 1 symbol. the gmail account doesnt even share the compromised password, in addition to 2fa. i left my android device at home for the holidays and was completely cut off from accessing my btc, so i know how hardcore google is about not letting you access your gmail from foreign ips/foreign devices.


but, every single service that was compromised, had the same password.
Slight, I believe you are correct, out of the services, one of the 4 had its database compromised, either by subversive, technological methods, or simple employee theft.

So lets narrow those vectors down to:
BTCE (10+ months old account)
HAVELOCK (6+ months old, most likely older)
CEX.IO (6+ months old, most likely older)
BIT-MINING.CO (week old)

my activities are so habitual i can assure you i havent visited any sites with possible malware, nor opened any attachments. also, other passwords have been used on this system, recently, but havent been compromised. in fact, because of a tech error of bit-mining.co (wallet had to sync over two days before we could get withdrawals), i spent 2.5 days camped out in chat waiting for the resolution (most of my position was there, and trading as well as withdrawal was disabled/suspended) literally, checking the site every 15 minutes. i look at that, havelock and cex.io's orderbooks, and i browse the securities section of the forum for news. this is the only thing i do with this terminal. no gaming. no media creation. no youtube. i use my phone for all of this

The common link is the password.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: Slight0 on January 26, 2014, 11:35:23 PM

Quote
So lets narrow those vectors down to:
BTCE (10+ months old account)
HAVELOCK (6+ months old, most likely older)
CEX.IO (6+ months old, most likely older)
BIT-MINING.CO (week old)


Ok nice list. Make sure you're 100% certain those are the only places you used your password.

Quote
i use my phone for all of this

How often do you use wifi and where? Wifi connections, especially public ones are basically a hunting ground for anyone who has basic hacking knowledge. I myself, on a test trial, have stolen people's email passwords and hijacked sessions in public places like the airport, mall, universities, anywhere is unsafe. (Mind you I did this to test common wifi security vulnerabilities as a part of a project, I never did anything with the data collected other than verify that it could be used to access restricted accounts).

As far as I know 3G broadband is safe.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 26, 2014, 11:53:27 PM
this is a laptop, accessing a wifi connection. wifi connection is provided, i live in corporate housing. is password protected, password is fairly complicated and is only given out to lease holders. maybe 10 people total would be using this network.

because of the variable signal strength, i most often use 3g data on my android device to surf the web/youtube/casual research. the old building eats the signal. the laptop, connected to an additional display in the living room, is stationary. it is not specced well enough for gaming/watching media.

this is, in all respects, a work computer.
 i have only used this singular connection for the many months this computer has been tethered here


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: empoweoqwj on January 27, 2014, 02:15:16 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 27, 2014, 02:23:06 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: empoweoqwj on January 27, 2014, 02:31:46 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?

They won't even tell us who they are. That tells you something already ...


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 27, 2014, 03:18:09 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?

They won't even tell us who they are. That tells you something already ...
Oh yea, Im pretty sure, Get enough users to steal billions from and put them into different wallet by using a bitcoin tumbler.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 27, 2014, 04:10:20 AM
Honestly, id take btce and cex.io off the list. I havent used my btce account in at least 6 months, it wasnt carrying a balance. had been using cex.io, but again low balance. if the compromise was inter exchange, there would be little financial incentive to take my particular account in those cases. the high value accounts were bit-mining.co and havelock (in that order). These have activity. But for the last week, pretty much the sole site ive been accessing has been bit-mining. which has been under maintenance roughly half that time.



this has to be the dumbest fucking thief in the land. deletes over 10 password reset emails to cover his tracks, and leaves fraudulent login notifications and trade notification sitting in the inbox. that seems highly illogical.

given the lack of timestamps, ive asked bit-mining.co to provide a chronology of the intrusion. i still haven't been told definitively how the hacker got into my account. waiting for a response from them.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: bbit on January 27, 2014, 04:14:12 AM
Probably something to do with email you have to be SUPER careful with that stuff.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 27, 2014, 04:27:20 AM
i wrote:
so, the attacker reset my password, utilized the reset to gain access to my account (got into my email), did the series of trades/withdrawal attempts, then, after they finished, as a final action, they reset the password again a second time? this is the sequence of events i have gleaned from our communications.

you see, i remember coming to the terminal, seeing the commotion about a huge buy sell, then refreshing and seeing that small account balance before i attempted to withdraw (dont see my withdrawal attempts). when i hit the trade tab again, i was logged out, then my pass didnt work. that would indicate the password was reset (the second time i guess) while i was actively in chat.
so this was happening while i was near my terminal?
he already had the password.. why did this guy reset it to get a new one?
and why lock me out of my account :) he was cool enough to leave me access to all the other accounts he compromised..

none of the other accounts compromised had password resets applied. he knew the password on earlier incursions (btce,cex,havelock) but needed to reset the password on my account here to get in? he had the credentials already... why risk locking the account? also, i cant seem to find a record of any of the password reset emails in my spam, trash, inbox, anywhere. How many password reset requests were issued? why wasnt the account locked in the initial series of password reset attempts, like the second time? also, if my email was compromised, the attacker neglected to delete the havelock trade notifications and btce login notifications yet deleted all the password reset emails (which would have been quite numerous, else it would have meant it was locked due to multiple attempts).

are you absolutely sure that the attacker gained entry via a password reset? i think this is a red herring.

no other service i have accessed in the last 5 days (lbc/gox/stamp) that doesnt share a common password with this incident was affected. all those accounts with different passwords ( accessed from the same compromised pc, using the same compromised email) are completely unaffected.

i strongly urge you to continue investigation into the possibility my credentials were compromised on your end.

thoughts?

i


response:

Well, I can't answer all those questions for you, as I don't know what the hacker was thinking. However, I can attempt to make guesses, and maybe from them and any other information you may be aware of, you can determine what makes sense.

"so, the attacker reset my password, utilized the reset to gain access to my account (got into my email), did the series of trades/withdrawal attempts, then, after they finished, as a final action, they reset the password again a second time? this is the sequence of events i have gleaned from our communications."

Not entirely true. They attempted MANY password resets - so many, so close together, that our server's mail queue became too full and stopped sending mails to your email at all. Not sure what the point of this was.

"you see, i remember coming to the terminal, seeing the commotion about a huge buy sell, then refreshing and seeing that small account balance before i attempted to withdraw (dont see my withdrawal attempts). when i hit the trade tab again, i was logged out, then my pass didnt work. that would indicate the password was reset (the second time i guess) while i was actively in chat."

That, or your session had expired. Seems like an awful big coincidence that your session would expire just as this is occurring, however.

"he already had the password. why did this guy reset it to get a new one?"

Not sure. My original thought was that he first gained access to your email, and knew somehow beforehand that you were a bit-mining user. So, he went to reset your password, and, since he was in a rush (he somehow knew you were at the terminal as you say, perhaps), reset it a whole ton of times since our password resets sometimes take some time to get to your email. He got the password, deleted all the messages (explaining why you don't see any password reset emails in your inbox now), accessed your account, conducted the trades, possibly out of spite, or in some roundabout way to enrich himself, and finally logged out of the account.

This theory is reasonable, but still doesn't support some of the facts. Specifically, (A) that there were no oddly-priced orders placed just before the transaction so the hacker could enrich himself, (B) that your other accounts were accessed... presumably with no password resets (because you can still access the accounts with your old password), and (C) that the hacker attempted to withdraw BTC, suggesting he is unfamiliar with our system. Also, you claim that your gmail had 2 step security placed on it, which renders that type of hack fairly unlikely.

My other theory, which seems to hold a bit more water (I have developed it a bit more since yesterday, so bear with me), is that the hacker somehow got the password to your btc-e account, logged in, and didn't see any balance. However, he saw your chat username mcnastyfilth (I checked the BTC-E chat archive, that indeed seems to be your name there: http://trollboxarchive.com/search.php?search_type=username&search=mcnastyfilth). With this username he accessed your Cex.io account. When there was no balance in either of these, he noticed from the cex.io chat log that you mentioned Bit-Mining & Havelock. He drained your havelock account, attempted to drain your Bit-Mining account, and when he couldn't, decided to just destroy it out of spite instead.
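
The reset flood the operator describes (so many requests, so close together, that the mail queue filled up) is something a service can cap and flag. This is an added example, not part of the thread and not bit-mining.co's code; the log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed look-back window per account
MAX_RESET_MAILS = 3              # assumed cap on reset mails per window
HOLD = timedelta(hours=24)       # assumed review hold after a burst

# Constructed sample log; format and values are invented for this example.
SAMPLE_LOG = """\
2014-01-26T08:00:00 reset_request account=acct1 ip=198.51.100.7
2014-01-26T08:00:05 reset_request account=acct1 ip=198.51.100.7
2014-01-26T08:00:09 reset_request account=acct1 ip=198.51.100.7
2014-01-26T08:00:12 reset_request account=acct1 ip=198.51.100.7
2014-01-26T08:00:15 reset_request account=acct1 ip=198.51.100.7
2014-01-26T08:03:40 login_ok account=acct1 ip=198.51.100.7
2014-01-26T08:04:10 order_placed account=acct1 ip=198.51.100.7
2014-01-26T09:30:00 reset_request account=acct2 ip=203.0.113.20
2014-01-26T09:31:00 login_ok account=acct2 ip=203.0.113.20
"""

def parse_line(line):
    """Split '<ISO time> <event> key=value ...' into its parts."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields["account"]

def analyze(log_text):
    """Throttle reset mails per account and flag activity after a burst."""
    recent = defaultdict(deque)   # account -> times of recent reset requests
    hold_until = {}               # account -> end of the review hold
    result = {"mails_sent": 0, "mails_suppressed": 0, "alerts": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, account = parse_line(line)
        if event == "reset_request":
            window = recent[account]
            while window and when - window[0] > WINDOW:
                window.popleft()          # forget requests older than WINDOW
            window.append(when)
            if len(window) <= MAX_RESET_MAILS:
                result["mails_sent"] += 1
            else:
                # Over the cap: do not queue another mail, so one account
                # cannot fill the queue, and raise one alert per burst.
                result["mails_suppressed"] += 1
                if hold_until.get(account, datetime.min) <= when:
                    result["alerts"].append((account, "reset_burst"))
                hold_until[account] = when + HOLD
        elif hold_until.get(account, datetime.min) > when:
            # Logins, orders or withdrawals right after a burst need review.
            result["alerts"].append((account, event + "_during_hold"))
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Keeping the per-account request times also gives the operator the chronology of the intrusion that the account holder asks for in this thread.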



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 27, 2014, 04:49:53 AM
rofl, why is everyone else so quick to assume that email caused this? I have 2 fa on my gmail with an android device. like, what about this makes people believe my email was compromised? gmail doesnt indicate that, and the sensitive information/lack of cleanup suggest that entry to my email was never gained.

There is more important shit in my email than the credentials for 7 btc. Why nothing else disturbed? The whole argument for my email being compromised rests on the fact that in order to access my bitmining.co account, my password was supposedly reset, and that reset password was accessed from the only place it could, my inbox (the self same 2fa'd gmail account with an even more complex password).

The takeaway:
The only way that my bit-mining.co account was compromised was if my email was compromised. so if my email wasnt compromised, someone is lying to me.

the guy had the password to get into the account. this was his last stop.
1)....but instead he resets it.
2)....then uses technomancy (accessing my gmail) to get the new password,
3)....deletes all the password reset messages to cover his tracks (LEAVING 4 sell/withdrawal/login notifications in the process, he didnt see those in the inbox apparently), all to:
4) to then to break into my account with the newly generated password.

and, not being able to figure out the withdrawal system at bitmining (your cat could figure this out), attempted only 2 times to withdraw the balance after spending some of it for more ghs? which he sold at the lowest possible price? which, amazingly, he was so inept he put his btc address in an input field designed for a btc amount?

should have taken the fuckin password and skipped to step 4, dont you think? this guy fought the gmail dragon/put malware/phished/cookiestole/i could give two fucks when he already has the username and pass?

now does that scenario seem more likely, or this:

password reset never happened?


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: electerium on January 27, 2014, 08:08:00 AM
This one is very simple

If we're positive that your email is safe, then there are 2 obvious explanations


1) you are keylogged (most likely)
or

2) some bitcoin site that you use has had their database compromised. Because you use the same password for all of your bitcoin related activities it would not be too hard to begin targeting sites with your email address and password. He'd never even have to have physical access to your email. The physical address is enough to get into a site like havelock if you know the password.


so what's the gist, kids?


1- always ALWAYS enable 2FA
2- always, ALWAYS make separate passwords for every single site you use
3- use some encrypted password manager or a physical notebook.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 27, 2014, 08:19:21 AM
so what's the gist, kids?

1- always ALWAYS enable 2FA
2- always, ALWAYS make separate passwords for every single site you use
3- use some encrypted password manager or a physical notebook.
totally agree, now i know.

but, i dont use the same password for all my bitcoin related activities. i use many different ones.

let me clarify, only the exchanges i use for trading have this password. i utilize a variety of different passwords. lbc, mtgox, bitstamp, here, are all unique passwords, because i use them very infrequently.

i dont believe i was keylogged, again, no other services were compromised. keylogger would get more than one password, correct? id be looking at total account compromise across the board, not just a single user/pass pair compromised (which seems to be the case).

i have never accessed these accounts except at my home terminal.



Title: Re: Got hacked (?), 7ish btc lost!?
Post by: Sonny on January 27, 2014, 08:41:08 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?

They won't even tell us who they are. That tells you something already ...

Isn't btc-e based in Russia?
I always hear that again and again in the forum...


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 27, 2014, 11:42:50 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?

They won't even tell us who they are. That tells you something already ...

Isn't btc-e based in Russia?
I always hear that again and again in the forum...
I dont think so.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: U1TRA_L0RD on January 27, 2014, 11:44:08 AM
I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

Bulgarians!

Any time anyone has coins stolen from an online exchange / wallet provider, they should definitely report it here. Then we can get an idea of the trustworthiness (or not) of the site in question.

If money is regularly disappearing with 2fa in place, you have to start wondering whether its an inside job.
If BTC-E is selective scamming, Is there a way to report them, What their country laws?

They won't even tell us who they are. That tells you something already ...

Isn't btc-e based in Russia?
I always hear that again and again in the forum...
No, They are based in Bulgaria, Cheap site, Looks like an early 2000's one.  :D

http://en.wikipedia.org/wiki/BTC-E


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: westkybitcoins on January 27, 2014, 04:34:00 PM
My opinion...

BTC-e is the key to all of this.

You seem convinced that they aren't an issue because you hadn't used the site in so long. I'm not sure why you feel this matters. If anything, were a malicious employee to access the emails and passwords of users of the site, the lack of activity might be the very reason they decided to target you, perhaps figuring that they'd be able to do their deeds and it would be weeks before you noticed.

1) BTC-e seems to be chronologically the first target.

2) Your email wasn't compromised, and your system wasn't compromised. This seems pretty clear.

3) The common link to these sites was the password.

4) I would think the most likely means of retrieving the password would be from the (unencrypted!) data in one of the site's databases.

5) The password reset business is irrelevant (although whether you're being lied to by btc-mining isn't.) Seems clear to me the hacker did it just to throw you off the trail, and likely to lock you out of the account too (if he's going to just sell your stuff and not profit, might as well add one final slap-to-the-face while he's at it.) He apparently did his business, requested a bunch of password resets from the same session (or not), then changed the password on you.


It all seems to boil down to your accounts being compromised by an inept, petty and vindictive thief who got your password and was expecting to hit gold. The only real question seems to be how he got the password. Presuming you don't have younger family members who dislike you poking through your stuff, my money is on BTC-e being the source of the password one way or another.

EDIT: You might consider asking each site if their user password data is encrypted in their database, and if so how (md5, etc.) Not that any one of them couldn't just lie to you, but three sites giving quick, solid responses and one ignoring the question for a week or two would be pretty suspect.
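
The question of how each site stores passwords (md5, etc.), together with the earlier point that one leaked database exposes every site sharing the password, comes down to the storage scheme shown here. This is an added example, not code from any site named in the thread; the record format, function names, iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example
REUSED = "constructed-example-password"  # constructed sample value

def legacy_md5_record(password):
    """Unsalted MD5: the same password gives the same row on every site."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Salted slow hash: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify(password, stored):
    """Recompute the record with the stored parameters and compare."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        candidate = legacy_md5_record(password)
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, _ = rest.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex),
                                  int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())

def login(password, stored):
    """Return (ok, record_to_store); a good login upgrades a legacy row."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, pbkdf2_record(password)  # rehash while we have the input
    return True, stored

def rows_match(record_a, record_b):
    """Can someone holding both database rows see the passwords are equal?"""
    return record_a == record_b

if __name__ == "__main__":
    # Two hypothetical sites storing the same reused password.
    print(rows_match(legacy_md5_record(REUSED), legacy_md5_record(REUSED)))
    print(rows_match(pbkdf2_record(REUSED), pbkdf2_record(REUSED)))
```

Salting only removes the visible link between rows; a password reused across sites is still exposed if any one of them stores it in plaintext.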


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GreenBits on January 28, 2014, 12:46:13 AM
I have edited my previous post because I made an accusation in error.

I had a considerable conversation with the administrator of bit-mining.co. after going over the details of the intrusion, and being informed of the security features behind the scenes, I no longer suspect that my account details were compromised. There was a miscommunication during our emails which I based my accusation off of that was not correct; After being presented with the facts i can concur that bit-mining.co was not the vector of compromise. so, i will man up and face the music.

I humbly apologize for my false accusation, demontn. I hope you accept it, and I sincerely wish the best for you and your service. besides this unfortunate incident, i honestly enjoyed your exchange. you have fair pricing and, now that we have spoken, decent customer service.

~Green

So I guess that it was btce. i apologize to you guys for not listening.


Title: Re: Got hacked (?), 7ish btc lost!?
Post by: GroundRod on January 28, 2014, 09:22:57 AM
Some great comments and support from other members here GreenBits, glad to see you had a chat with bit-mining, the site I think has great potential, more so now after reading your comments.  As I was there live when it happened, will stand by you as witness to the criminal act.  Was very saddened by your loss, so much so I canceled my trades & went to bed after it happened, doubt you got much sleep that night, anyway my few bitcoins have sat in my offline wallet for two+ years collecting value by doing NOTHING, putting them at risk like this, after what had just happened to you made me sick.

Anyway, got my own personal theory about what 'might' have happened, sent you a PM, please get back to me, so we might discuss it further...

GroundRod