Bitcoin Forum

Economy => Service Discussion => Topic started by: gabridome on March 04, 2014, 05:54:10 PM



Title: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 05:54:10 PM
I went on vacation on the 21st. On the 23rd I logged in to Bitstamp because I thought one week of storing bitcoin on an exchange was too much.

My balance was zero $ and zero bitcoins. From the history I saw someone (not me) had done these astonishing things:

* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
* 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:09:33   161.53.74.122   Changed user password
* 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
* 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:24:24   141.212.108.13   Changed user password

Does anyone have an idea of how a hacker could do this?

What do you suggest to do (Yes I know in the future I won't keep any money on exchanges)?

I wrote to Bitstamp support 5 days ago. Still no answer.

Update: Bitstamp replied: nothing strange on their part. The email they sent requesting confirmation of the withdrawal was the usual one.

If you don't want to read everything, what I can understand is that these things can happen!!!!
My device(s) surely have a very good malware. I think it is the phone but it could be the two Macs.

I'm sorry to repeat one thing everyone has read but not everybody follows strictly:
Consider everything you don't keep in cold storage lost or strongly at risk. Your computer and/or your phone is not safe (as long as it has been connected to the Internet). Never leave money on the exchanges.

EDIT: Funds have moved:
http://btc.blockr.io/address/info/1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
http://btc.blockr.io/tx/info/6ecebb49996c404739609152fe9c9ac2ea28dcc5a39aa327010fd6c89900bcd8
http://btc.blockr.io/tx/info/64a2756280c68615ec10fdd82a90ad014bb93b87e30bb2546cb4a1e8a16de648
http://btc.blockr.io/tx/info/6be0bac51251b0be01c97700b42c9c726608897826c5a53a8ff2bd3c0d441014

The last address where my funds were clean was http://btc.blockr.io/address/info/3LkSW3SW9KuebH2t1FcqrTpKPnN8JRbYYh


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: g27wr on March 04, 2014, 05:59:33 PM
Man, sorry to hear that! I don't understand how they could have bypassed google authenticator without having your phone...unless it was an inside job.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: roslinpl on March 04, 2014, 06:01:28 PM
Hmm..  maybe some keylogger installed with some app?


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: bitvestor on March 04, 2014, 06:01:39 PM
Well, either an inside job or you just had only Google email confirmation protected and forgot to enable the 2FA. No one can get to your phone, or maybe a close friend looking around not too far..


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: uhoh on March 04, 2014, 06:02:39 PM
Is your phone rooted?

Whoever took it also has access to your email.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:06:09 PM
Is your phone rooted?

Whoever took it also has access to your email.

No, my phone is not rooted and it is always with me.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: wallydz on March 04, 2014, 06:06:22 PM
Looks like an auto transfer script (ATS). It's used when you are infected: when you are logged in it transfers money directly to some address.
I am really sorry for your loss


EDIT: if you had your wallet on the computer you made the job easier, I guess


I'd say your computer is infected


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: AnonyMint on March 04, 2014, 06:07:37 PM
The NSA, GCHQ, etc may have their hackers working overtime to push Bitcoin towards regulation.

Seems like a large increase in hacking recently.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:10:27 PM
Hmm..  maybe some keylogger installed with some app?

This is possible but I cannot explain the 2FA bypass.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: EvilPanda on March 04, 2014, 06:13:41 PM
I know it's kind of irrelevant, but I always wonder why the exchanges allow you to choose a BTC address when withdrawing funds. Why not ask the user to submit 3 BTC addresses that may be used for withdrawals and never allow these to be changed? Bind them to the account and just allow the user to choose which one should be currently used. This way thieves would be completely cut off. They already can't withdraw fiat, so they buy BTC with their victim's money and send those to themselves.
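An added example, not code from any post in this thread or from Bitstamp: one way an exchange could enforce the bound-address idea above. Every whitelist entry is Base58Check-decoded on the way in (so a typo or truncated address is rejected), and withdrawals to anything not on the list are refused. It goes one step beyond the post, which proposes a fixed list: an address added after enrollment only becomes usable after a hold period, so an attacker who hijacks a logged-in session cannot add a destination and drain the account in the same sitting. The hold period, the whitelist contents (the well-known genesis address) and the attacker's destination are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Well-known address used as a constructed whitelist entry (not from the thread).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version, hash160):
    """Base58Check-encode a version byte plus a 20-byte hash (P2PKH uses version 0)."""
    raw = bytes([version]) + hash160
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Every leading zero byte is written as a leading '1'.
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58check_decode(address):
    """Decode a Base58Check address to (version, hash160).

    Raises ValueError on a bad character, wrong length or checksum mismatch, so a
    typo or a truncated address is rejected before it can enter the whitelist.
    """
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    leading_zeros = len(address) - len(address.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        raise ValueError("decoded length is not 25 bytes")
    payload, checksum = raw[:21], raw[21:]
    if checksum != _sha256d(payload)[:4]:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def is_valid_address(address):
    try:
        b58check_decode(address)
        return True
    except ValueError:
        return False


class WithdrawalPolicy:
    """Withdrawals may only go to addresses bound to the account.

    Addresses bound at enrollment are usable at once. Binding a new one later is
    allowed but only takes effect after `hold` (an assumption added here; the post
    proposes a list that can never change), so a hijacked session cannot add an
    address and withdraw to it in the same sitting.
    """

    def __init__(self, enrolled, now, hold=timedelta(hours=48)):
        self.hold = hold
        self._usable_from = {}
        for addr in enrolled:
            b58check_decode(addr)  # reject malformed entries at enrollment time
            self._usable_from[addr] = now

    def add_address(self, addr, now):
        b58check_decode(addr)
        self._usable_from[addr] = now + self.hold

    def can_withdraw(self, addr, now):
        usable_from = self._usable_from.get(addr)
        return usable_from is not None and now >= usable_from


def demo():
    """Walk a hijacked session through the policy; returns the decisions in order."""
    t0 = datetime(2014, 2, 22, 19, 56)                  # login time from the thread's log
    policy = WithdrawalPolicy([GENESIS_ADDRESS], now=t0 - timedelta(days=30))
    attacker_addr = b58check_encode(0, b"\x01" * 20)     # constructed destination
    before_binding = policy.can_withdraw(attacker_addr, t0)
    policy.add_address(attacker_addr, t0)
    same_session = policy.can_withdraw(attacker_addr, t0 + timedelta(minutes=5))
    after_hold = policy.can_withdraw(attacker_addr, t0 + timedelta(hours=48))
    legitimate = policy.can_withdraw(GENESIS_ADDRESS, t0)
    return before_binding, same_session, after_hold, legitimate


if __name__ == "__main__":
    print(demo())  # (False, False, True, True)
```

The hold period is what turns the whitelist into a useful control: without it, an attacker with a live session and the victim's mailbox simply binds his own address first, exactly as he confirmed the withdrawal emails in the log above.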


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:13:55 PM
Looks like an auto transfer script (ATS). It's used when you are infected: when you are logged in it transfers money directly to some address.
I am really sorry for your loss


EDIT: if you had your wallet on the computer you made the job easier, I guess


I'd say your computer is infected

I was on vacation so I wasn't logged in. I left my house in the early afternoon. Nobody was at home and the hacking was at around 8:00 PM.

Moreover there is the email confirmation. It's really incredible.

BTW probably my Mac is infected.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:17:19 PM
Well, either an inside job or you just had only Google email confirmation protected and forgot to enable the 2FA. No one can get to your phone, or maybe a close friend looking around not too far..

My wife hates bitcoin. My phone is always with me. My children are too young.
The only thing I have thought is that it was actually me who withdrew from my account and then forgot about it, but it is impossible because I don't have any clue about the destination address.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: HorseCoin on March 04, 2014, 06:18:47 PM
maybe they were planning on buying that 24 BTC delorean

http://bitcoinmotor.com/


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:19:34 PM
One of the many things I cannot explain to myself is why he changed my password and then changed it back.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Dragonkiller on March 04, 2014, 06:24:39 PM
One of the many things I cannot explain to myself is why he changed my password and then changed it back.

so you can't log in until he has totally cleared your account (the remaining $36.30)

edit: if you had 2FA enabled, I would suspect people that may have had physical access to your phone


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: TheFootMan on March 04, 2014, 06:30:51 PM
If an attacker has root access to bitstamp, he can bypass 2FA easily and alter the event log any which way he'd like.

Now, seeing that MtGox loss of coins might be (in my view) a black op or the work of a highly sophisticated private group, it is not unthinkable they will pull the same kind of shenanigans with other exchanges. It was claimed that hackers had control of MtGox servers for a long time (claimed by the one who released the source code and gawked about the 20gb db leak that's yet to surface). Seeing how lax MtGox was with most routines, it's not unthinkable that was the case. Also, as pointed out earlier, a resourceful group could've infiltrated MtGox through sophisticated methods, and even one or more inside plants.

Having access to the physical properties of MtGox means that their servers are compromised. Even if Mark did not give access credentials to important systems to others, various surveillance may have revealed the methods used to gain access (video surveillance, keylogging etc.)

All ex-employees and current employees should be checked in a criminal investigation; also anyone that has ever entered the MtGox physical offices and/or has had close contact with Mark should be looked at more closely. An investigator should also monitor the lifestyle of suspect individuals; property purchases, extensive travelling and such may give some indications.

All the leaks and the attempts at trying to make Mark look like an incompetent fool may be a deliberate attempt to make him a scapegoat and divert attention from the real thieves.

Now, there have been claims of Bitstamp e-mail addresses leaked. I have received no e-mail to the registered e-mail address with them, but others have. Seeing that e-mail addresses from at least parts of their customer database are compromised, it is not unthinkable that there might be hackers currently having access to their systems, just waiting for the right opportunity. Just emptying some user accounts gradually might also be a way of getting bitcoins without making too much noise.

Also, if personal devices are compromised, unless you're a computer security expert, you can't know for sure if that's in fact the case or not. So the best option is to reinstall all affected systems.

One cannot rule out the fact that it might be a rogue action from Bitstamp itself either. The simplest way to get bitcoins would be to just empty a user account, and then claim they can't do anything about it. Of course that's unethical and criminal, but how can you prove it?

I never looked into 2FA with Google Authenticator (if that's what is being used), but maybe there's a log of events somewhere with Google as well. If that log shows nothing, then it's likely that the theft happened with an adversary having high-level access to Bitstamp systems.

If OP has downloaded any bitcoin apps, or installed any particular bitcoin software that's proprietary or not well known, he might as well have received some malicious software that collected information and aided in the breach.

Lastly I'm very sorry for the loss of the OP and I apologize if anyone unjustly feels attacked in this thread, but really, with bitcoin you can't rule out anything. The incentive (i.e. value) is so high that all kinds of things can be expected to happen.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:31:32 PM
One of the many things I cannot explain to myself is why he changed my password and then changed it back.

so you can't log in until he has totally cleared your account (the remaining $36.30)

edit: if you had 2FA enabled, I would suspect people that may have had physical access to your phone

This makes a lot of sense. Thank you, for what it's worth.

I was on vacation on the mountains in a flat with my family. My children are under 5 and my wife can hardly read emails.

Really, it seems the only explanation for me is that I did it and forgot about it, but there is no trace of the confirmation emails and I don't have any trace of the destination address.

Sincerely, this is too much: password hacked (20 characters generated with LastPass), 2FA hacked, email hacked. Maybe it's worth some investigation also for the community.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Mikcik on March 04, 2014, 06:31:40 PM
If 2 factor authorization is enabled, that means that an additional password will be sent to my mobile phone, right?

Do I have to pay for these SMS?  I didn't find the answer anywhere...


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: crazynoggin on March 04, 2014, 06:42:04 PM
I'm going to have to say that it was likely a combination of things. It's possible that you downloaded a rogue app which, when you connected your phone to your computer to update your music or something, installed a keylogger on your computer. I would never rule out an inside job, but you also need to ensure your computer is virus- and keylogger-free before you access anything else that may have money on it.

Contact your phone company and see if you can get any records of texts sent from your device or received in case the thief somehow deleted it. It would seem that the person doing this has experience and is trying to cover up his/her tracks.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: softbluelight on March 04, 2014, 06:44:53 PM
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:46:17 PM
If an attacker has root access to bitstamp, he can bypass 2FA easily and alter the event log any which way he'd like.

Now, seeing that MtGox loss of coins might be (in my view) a black op or the work of a highly sophisticated private group, it is not unthinkable they will pull the same kind of shenanigans with other exchanges. It was claimed that hackers had control of MtGox servers for a long time (claimed by the one who released the source code and gawked about the 20gb db leak that's yet to surface). Seeing how lax MtGox was with most routines, it's not unthinkable that was the case. Also, as pointed out earlier, a resourceful group could've infiltrated MtGox through sophisticated methods, and even one or more inside plants.

Having access to the physical properties of MtGox means that their servers are compromised. Even if Mark did not give access credentials to important systems to others, various surveillance may have revealed the methods used to gain access (video surveillance, keylogging etc.)

All ex-employees and current employees should be checked in a criminal investigation; also anyone that has ever entered the MtGox physical offices and/or has had close contact with Mark should be looked at more closely. An investigator should also monitor the lifestyle of suspect individuals; property purchases, extensive travelling and such may give some indications.

All the leaks and the attempts at trying to make Mark look like an incompetent fool may be a deliberate attempt to make him a scapegoat and divert attention from the real thieves.

Now, there have been claims of Bitstamp e-mail addresses leaked. I have received no e-mail to the registered e-mail address with them, but others have. Seeing that e-mail addresses from at least parts of their customer database are compromised, it is not unthinkable that there might be hackers currently having access to their systems, just waiting for the right opportunity. Just emptying some user accounts gradually might also be a way of getting bitcoins without making too much noise.

Also, if personal devices are compromised, unless you're a computer security expert, you can't know for sure if that's in fact the case or not. So the best option is to reinstall all affected systems.

One cannot rule out the fact that it might be a rogue action from Bitstamp itself either. The simplest way to get bitcoins would be to just empty a user account, and then claim they can't do anything about it. Of course that's unethical and criminal, but how can you prove it?

I never looked into 2FA with Google Authenticator (if that's what is being used), but maybe there's a log of events somewhere with Google as well. If that log shows nothing, then it's likely that the theft happened with an adversary having high-level access to Bitstamp systems.

If OP has downloaded any bitcoin apps, or installed any particular bitcoin software that's proprietary or not well known, he might as well have received some malicious software that collected information and aided in the breach.

Lastly I'm very sorry for the loss of the OP and I apologize if anyone unjustly feels attacked in this thread, but really, with bitcoin you can't rule out anything. The incentive (i.e. value) is so high that all kinds of things can be expected to happen.

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did download bitcoin apps. Many of them. One in particular has since been proved to be malware (the stealth address Mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this will be useful to others because I have never read about such a thing


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:47:54 PM
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 
good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 06:58:15 PM
I'm going to have to say that it was likely a combination of things. It's possible that you downloaded a rogue app which, when you connected your phone to your computer to update your music or something, installed a keylogger on your computer. I would never rule out an inside job, but you also need to ensure your computer is virus- and keylogger-free before you access anything else that may have money on it.

Contact your phone company and see if you can get any records of texts sent from your device or received in case the thief somehow deleted it. It would seem that the person doing this has experience and is trying to cover up his/her tracks.

I don't have any connection between my phone and Mac except Google for contacts, calendar and mail.
I will try to ask my carrier even if I have no faith in their support...

Thank you


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:14:04 PM
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 
good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

This could be misleading but I now have a strong suspicion my gmail account is hacked. I have immediately changed my passwords and I will set up 2FA for that account


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: TheFootMan on March 04, 2014, 07:20:22 PM
....snip....

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did download bitcoin apps. Many of them. One in particular has since been proved to be malware (the stealth address Mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this will be useful to others because I have never read about such a thing

Reinstallation of systems is a tedious process. But that's the best option going forward. That will ensure you have a clean system state. Make sure you take backup of everything important you have before you do this.

In regards to logs with Google Authenticator, you might try to ask Mike Hearn - if he has the time to answer. He's on this forum.  Profile: https://bitcointalk.org/index.php?action=profile;u=2700
He works for Google afaik. He might not be able to give you any log data, but maybe he can point you in the right direction. Getting hold of Google reps in general is quite hard.. :( If you're persistent you might go to the police and have a police officer ask them, they might be better at answering then. But even if you get such info, it might be a dead end. But IF there's no log data at Google's side - that indicates that the thief has bypassed 2FA and it's a theft done by Bitstamp or someone with high-level access to their systems. If that's the case, then I think they would have to reimburse you. I am not a lawyer, but I think that should hold up in court. It's a bit like a bank allowing your bank account to be emptied without you logging in. They would have to compensate you. But these are just my thoughts.

You had downloaded bitcoin apps, many of them... Be very careful with this in the future. If you download any bitcoin apps or programs, don't use it on the same phone/machine that you use for bitcoin activities. I know that's kind of silly as you most likely won't have 2 phones - but this is the reality if you want to stay secure. Rather access websites if you need bitcoin information on the phone than installing all kinds of apps. I assume you run android on your phone, and it's known for having security problems.

If you had malware installed, that's not good at all. Even if it was removed and all files are reported to be removed by any antivirus software, or done manually that is still not proof it is actually removed in full. Although antivirus programs are quite good, many malware authors constantly try to avoid detection from anti-virus programs, and if some kind of malware has not made it into the antivirus makers list, it might as well go undetected.

You're saying you don't feel attacked. If there's an attack on your devices, you will probably not notice anything visually, it will just happen.

you thought that 2FA, 20 characters unique password and confirmation email was enough for a week -> if your systems are compromised you will not be safe with this. Malware on your devices can do anything that you can do.

Going forward, and I hope you still will be into bitcoin, I would suggest creating a cold wallet and move any coins you want to store for a long term there.
Also, for using bitcoins, I would advise having a single device for this, for instance a cheap notebook running Linux.

Having some coins accessible from a phone wallet is ok, but not more than you can afford to lose. So for instance if you have 30 BTC, you could have 20 BTC in a cold wallet and 9 on the bitcoin notebook and 1 on a phone wallet, or just transfer from the notebook to the phone wallet whenever you need to have some coin available on your phone.

And don't do any websurfing at all or at least not on weird pages (clicking suspicious links on various forums and on reddit may not be too smart) or installation of strange apps on the bitcoin machine, just have a network connection

I sincerely hope you will not encounter any more troubles in the future. Having a dedicated machine for Linux might seem like overkill, but it is better than losing a lot of money! If you can't afford a dedicated machine, running a virtual machine with bitcoind might also be a solution; some malware would have a much harder time accessing bitcoins residing in a virtual machine.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:20:54 PM
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 
good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

This could be misleading but I now have a strong suspicion my gmail account is hacked. I have immediately changed my passwords and I will set up 2FA for that account

Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: TheFootMan on March 04, 2014, 07:22:29 PM
What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 
good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

Just thinking out loud. Some banks have region restrictions on payment cards. So for instance if your details are lost, they can't be used in, say, Asia. Not sure if Google has such features on Gmail, but limiting usage of Gmail to, say, only a certain country, or even a whitelist of IPs might be a good idea. Not sure if that kind of stuff even exists with Gmail.



Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: TheFootMan on March 04, 2014, 07:23:16 PM
Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.

Hackers usually leverage servers all over the place to hide their tracks.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:33:22 PM
....snip....

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did download bitcoin apps. Many of them. One in particular has since been proved to be malware (the stealth address Mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this will be useful to others because I have never read about such a thing

Reinstallation of systems is a tedious process. But that's the best option going forward. That will ensure you have a clean system state. Make sure you take backup of everything important you have before you do this.

In regards to logs with Google Authenticator, you might try to ask Mike Hearn - if he has the time to answer. He's on this forum.  Profile: https://bitcointalk.org/index.php?action=profile;u=2700
He works for Google afaik. He might not be able to give you any log data, but maybe he can point you in the right direction. Getting hold of Google reps in general is quite hard.. :( If you're persistent you might go to the police and have a police officer ask them, they might be better at answering then. But even if you get such info, it might be a dead end. But IF there's no log data at Google's side - that indicates that the thief has bypassed 2FA and it's a theft done by Bitstamp or someone with high-level access to their systems. If that's the case, then I think they would have to reimburse you. I am not a lawyer, but I think that should hold up in court. It's a bit like a bank allowing your bank account to be emptied without you logging in. They would have to compensate you. But these are just my thoughts.

You had downloaded bitcoin apps, many of them... Be very careful with this in the future. If you download any bitcoin apps or programs, don't use it on the same phone/machine that you use for bitcoin activities. I know that's kind of silly as you most likely won't have 2 phones - but this is the reality if you want to stay secure. Rather access websites if you need bitcoin information on the phone than installing all kinds of apps. I assume you run android on your phone, and it's known for having security problems.

If you had malware installed, that's not good at all. Even if it was removed and all files are reported to be removed by any antivirus software, or done manually that is still not proof it is actually removed in full. Although antivirus programs are quite good, many malware authors constantly try to avoid detection from anti-virus programs, and if some kind of malware has not made it into the antivirus makers list, it might as well go undetected.

You're saying you don't feel attacked. If there's an attack on your devices, you will probably not notice anything visually, it will just happen.

you thought that 2FA, 20 characters unique password and confirmation email was enough for a week -> if your systems are compromised you will not be safe with this. Malware on your devices can do anything that you can do.

Going forward, and I hope you still will be into bitcoin, I would suggest creating a cold wallet and move any coins you want to store for a long term there.
Also, for using bitcoins, I would advise having a single device for this, for instance a cheap notebook running Linux.

Having some coins accessible from a phone wallet is ok, but not more than you can afford to lose. So for instance if you have 30 BTC, you could have 20 BTC in a cold wallet and 9 on the bitcoin notebook and 1 on a phone wallet, or just transfer from the notebook to the phone wallet whenever you need to have some coin available on your phone.

And don't do any websurfing at all or at least not on weird pages (clicking suspicious links on various forums and on reddit may not be too smart) or installation of strange apps on the bitcoin machine, just have a network connection

I sincerely hope you will not encounter any more troubles in the future. Having a dedicated machine for Linux might seem like overkill, but it is better than losing a lot of money! If you can't afford a dedicated machine, running a virtual machine with bitcoind might also be a solution; some malware would have a much harder time accessing bitcoins residing in a virtual machine.

I will try to disturb Mike Hearn.
You are perfectly right about phone and desktop apps and also about cold storage. I use three methods:
  • Paper wallet
  • Brain wallet (I know... I know... I'm going to change that)
  • Offline Electrum on BTCVault distribution
I'm also waiting for my trezor as many are...
I keep just sloppy wallets on my apps (mycelium, android wallet, blockchain, hive, etc.). Bitstamp was the only temporary exception, but evidently it was enough.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:36:10 PM
The IPs there are Tor servers so apparently Tor was used to hide the thief's real IP.

One thing I am wondering about here: Do you have a e-mail program on your phone? One where login credentials are stored?

It could be that they just compromised your phone there and leveraged that to rob you blind.

Quite possible for email. Less explanatory for the Bitstamp account and the 2FA authentication...


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Saicere on March 04, 2014, 07:36:51 PM
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Rannasha on March 04, 2014, 07:37:55 PM
Did you store a backup of your 2FA secret somewhere that is accessible from the internet (such as on your main computer)? If the attacker somehow obtained your 2FA secret, he could have used that to generate his own, perfectly correct 2FA-codes.

Alternatively, if your computer was already compromised at the time you activated 2FA, it is possible that some malware captured the 2FA secret at that point.



Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:43:28 PM
One thing comes to my mind:
Thanks to what everybody has written, I would think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in to Bitstamp on my phone that night. If they stole my session they would have been able to do what they did, and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: TheFootMan on March 04, 2014, 07:45:16 PM
One thing comes to my mind:
Thanks to what everybody has written, I would think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in to Bitstamp on my phone that night. If they stole my session they would have been able to do what they did, and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed gmail on the phone and also used it for 2FA, you were 100% compromised.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:45:32 PM
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.


I encrypt them with gpg immediately. I wouldn't say that is the weak point...


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 07:48:48 PM
One thing comes to my mind:
Thanks to what everybody has written, I would think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in to Bitstamp on my phone that night. If they stole my session they would have been able to do what they did, and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed gmail on the phone and also used it for 2FA, you were 100% compromised.

Yes. This could be it.  :-[

Or at least it is the least science-fiction hypothesis I could imagine. The phone is probably the attack vector.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: (A)social on March 04, 2014, 07:50:50 PM
???

http://kidshealth.org/kid/stay_healthy/body/headers_93032/K_sleepwalking1.gif


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 08:04:12 PM

I'm just trying to think of everything possible, even if not feasible... I have never heard of something so sophisticated, and I must think I had an involuntary part in it...


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 08:38:42 PM
Update: Bitstamp replied.
In summary, they haven't detected anything strange or suspicious in the related operations on their part.
In my ticket I specifically asked if there have been changes to my account email, but there were not. So it's obvious to me that he also had control of my email. This is also confirmed by the connections from different Tor-related IPs.

They suggested that I contact a computer expert. It will be tough, I think. I have to start from scratch.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: hardpick on March 04, 2014, 09:05:46 PM
I lost 30 BTC at Bitstamp about 6 months ago.

I did not get them back. I suspect an inside job or a bug in their system;
in my case no email was sent to me (and they had no log of an email being sent).

In your case, guessing a long password and the 2FA to get into your account is nearly impossible.

Even if the thief has access to your PC, they still need your phone for the 2FA.

I think they have a bug or it's an inside job. Bitstamp are not very helpful. As with most exchanges: all care but no responsibility. I.e. store your money in a cold wallet, don't trust anyone, it's like cash.

Sorry for your loss.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 04, 2014, 09:07:53 PM
Big lesson learned.
Thanks everybody for taking care.

I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.

Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: roslinpl on March 04, 2014, 09:18:11 PM
Update: Bitstamp replied.
In summary, they haven't detected anything strange or suspicious in the related operations on their part.
In my ticket I specifically asked if there have been changes to my account email, but there were not. So it's obvious to me that he also had control of my email. This is also confirmed by the connections from different Tor-related IPs.

They suggested that I contact a computer expert. It will be tough, I think. I have to start from scratch.


What can you do? Track the IP? The IP of someone who did not know anything about this?

You can only track the transaction, and maybe, maybe, you can find someone on some forum with the wallet address to which your money was transferred.

Not a lot you can do.

Seems like your bitcoins are still @1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE ... so it is hard to track the owner ...

Lesson: do not use Bitstamp.
Lesson 2: do not keep your money @ an exchange.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: breakinglocks on March 04, 2014, 09:52:53 PM
I agree,
logging into email & Bitstamp from the same phone you get the 2FA codes from kinda compromises the idea of 2FA.
Before using 2FA on phones, you would get a little RSA standalone token for this purpose. The idea is to get the 2FA codes from a source disconnected from the one you type your normal password into, so if somebody just hacks you he can't get into your accounts without also physically stealing the RSA token from you.

And if you have to get your 2FA codes from an internet-connected phone (which I think, at this point, is still fine) it is still some long shot that if your PC is compromised your phone will be too. But to log in from the same phone you get 2FA from is obviously the easiest way to get compromised, as it completely eliminates the idea that something physical also has to be stolen from you for gaining access to your accounts.

I also agree with the poster who said there should be an option on Bitstamp and other sites to set some withdrawal addresses, and only be able to change them with another password and maybe some wait time also (obviously not forced on the users, but optional settings). It would make stealing a whole lot harder. And then you could even set one of those addresses to some safely stored paper wallet, and in case you get paranoid that you might be infected, you can just send it there.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: roslinpl on March 04, 2014, 10:02:09 PM
Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.

I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/

Yes, there will be lots of IPs from all around the world used.

Now answer the more interesting questions.

a) have you ever logged into Bitstamp from your phone
b) do you use e-mail on your phone and have an e-mail client on it with your password saved
c) was the phone connected to wifi or a network provider with a data plan at the time in question?

Protip for everyone: There is a small program called "JAuth" which is a Java-based open source implementation of Google 2FA. You can install this on an old, otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 Android phones you can use for this purpose: only install Google Auth on it and nothing else, delete all the Google spyware, permanently turn off wifi and don't have a SIM card in it.

Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. You're fat and ugly and some hot blonde girl approaches you and wants to fuck? Be suspicious, she's likely after your money.

Indeed ... so the best storage is cold storage, but there is a chance for devs to dev some nice anti-hack apps for bitcoin users.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Probably on March 04, 2014, 10:24:05 PM

I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.

Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.

Convenience is an advanced feature.

You're blaming tools (2FA, strong pw, conf email) when none of that has anything to do with you being compromised.

Your level of being compromised would render basically any computer system vulnerable; it has nothing to do with bitcoin and everything to do with your being hacked via bad software OR the issue of trusting a 3rd party with a "promise."


For example, confirmation emails with a static confirm link only work if your email isn't compromised. They should link you to a page on the site that requires you to use a specific IP address, redundant 2FA and possibly another password for a secure login. That would be "more secure" but "less convenient."



Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: sebicas on March 04, 2014, 11:39:55 PM
Does your cellphone have access to your email and Google Authenticator?
If so, could somebody have got access to your phone while on vacation?


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: BitCoinNutJob on March 05, 2014, 12:03:13 AM

They took 5 days to answer you? That's a fucking disgrace.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: daynomate on March 05, 2014, 12:54:28 AM
Sorry for your loss OP

Do we have a list of exchanges that have implemented this locked-withdrawal address? I heard of it earlier but can't remember the site that was going to use it.

I think given the implications, that this feature should be universal in all exchanges.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: roslinpl on March 05, 2014, 01:08:33 AM

They took 5 days to answer you? That's a fucking disgrace.

Disgrace is how Bitstamp is indeed treating their customers. MtGox had the same problem.. perhaps both exchanges will get their lessons..


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: johnyj on March 05, 2014, 01:35:31 AM
Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-login, so no 2FA is required.

There is a weakness on Bitstamp's side: you don't need a 2FA code to withdraw. Since usually your email session is always logged in, once malware has taken control of the device, it only needs to wait until you log into Bitstamp.

I just checked my computer: my email session is always automatically logged in, so it is also possible that malware could withdraw all my coins when I log into Bitstamp. Scary but true :-[ :-[



Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Jeronimus on March 05, 2014, 02:25:27 AM
If I understood properly from what I read, my bets would be on the hacker having had access to your smartphone.
Either via some malware you installed OR via known security holes in the software installed on your device and/or known backdoors the NSA builds into every such spy device known as a smartphone, which the hacker also knew about.

It is my understanding that via your smartphone you also accessed your email, were trading on Bitstamp and were also using it for the 2FA.

So the hacker had access to your email password via the phone, the Bitstamp password, and of course the 2FA (be it a keylogger, a trojan with full access, an NSA backdoor, a security hole in your smartphone OS etc.)


The above is the reason why I refuse to own a smart(dumb)phone and decided to use an old laptop with Linux to do the two-factor authentication for me.

The laptop will never touch the internet ever again. The codes for the 2FA are on a USB stick and also printed out in case of hardware damage, allowing me to restore the 2FA on another device if ever required. (You have to make sure the clock on the laptop displays the right time or 2FA won't work.)

There are probably many ways to do the 2FA in Linux, like using jauth, or installing VirtualBox and then installing Android within it (old laptop too slow for this), but I decided to use Wine and used WinAuth inside it.

To use WinAuth you first have to install dotnet 4.0, however, and that is not so easy. Tutorials on the net using winetricks did not work for me. I ended up copying the whole msnet 4.0 folders into the appropriate locations in the Wine folders from a Win98 install in VirtualBox, and to my surprise it worked...

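Saicere's and Rannasha's point (a saved QR image or setup key is enough to generate correct codes) and Jeronimus's note that the offline laptop's clock has to be right come down to the same arithmetic: a Google Authenticator code is HMAC-SHA1 over the shared secret and the current 30-second counter, nothing more. The following is an added example written for this page, not code from the thread, from Bitstamp or from Google Authenticator. It uses RFC 6238's published test key so the values can be checked against the standard; the one-step skew window in verify() is an assumption about the server's tolerance.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code (Google Authenticator default)
DIGITS = 6    # code length (Google Authenticator default)

# RFC 6238's published test key, "12345678901234567890" in Base32. Assumed here as the
# enrolment secret; this is the string a Google Authenticator QR code or "manual key" carries.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """TOTP (RFC 6238) with HMAC-SHA1: the code a Google Authenticator enrolment shows."""
    clean = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    counter = int(unix_time) // step                      # time-step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, skew_steps=1):
    """Server-side check: accepts the current step and skew_steps steps either side
    (assumed tolerance). A device whose clock is further off than that is rejected,
    which is why an offline 2FA laptop must keep accurate time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, server_time + delta * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def main():
    now = int(time.time())
    victim_phone = totp(RFC6238_SECRET, now)
    # Anyone holding a copy of the secret (saved QR image, keylogged setup page,
    # phone backup) computes exactly the same six digits without touching the phone.
    attacker_copy = totp(RFC6238_SECRET, now)
    print("phone shows:   ", victim_phone)
    print("attacker shows:", attacker_copy, "accepted:", verify(RFC6238_SECRET, attacker_copy, now))
    # A 2FA device whose clock is four minutes fast produces codes the server rejects.
    drifted = totp(RFC6238_SECRET, now + 240)
    print("clock +240s:   ", drifted, "accepted:", verify(RFC6238_SECRET, drifted, now))


if __name__ == "__main__":
    main()
```

The takeaway for the thread: 2FA adds nothing once the secret has been copied, because the server cannot distinguish the phone from any other holder of the same 20 bytes, and a "something you have" that lives on the same device as the session and the mailbox is just one more file for malware to read.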

Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 05, 2014, 05:53:07 AM
Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.

I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/

Yes, there will be lots of IPs from all around the world used.

Now answer the more interesting questions.

a) have you ever logged into Bitstamp from your phone
b) do you use e-mail on your phone and have an e-mail client on it with your password saved
c) was the phone connected to wifi or a network provider with a data plan at the time in question?

Protip for everyone: There is a small program called "JAuth" which is a Java-based open source implementation of Google 2FA. You can install this on an old, otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 Android phones you can use for this purpose: only install Google Auth on it and nothing else, delete all the Google spyware, permanently turn off wifi and don't have a SIM card in it.

Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. You're fat and ugly and some hot blonde girl approaches you and wants to fuck? Be suspicious, she's likely after your money.

Yes, I have logged in from my phone to Bitstamp and I had my Google Authenticator installed there.
Yes, I had my email account with the password saved on the same phone.
Yes, it was connected to a 3G data plan.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: moni3z on March 05, 2014, 06:05:36 AM
I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.

I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.

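The locked withdrawal address that breakinglocks, daynomate and moni3z ask for can be modelled in a few lines: a whitelist whose additions need a separate withdrawal password and only take effect after a cooldown, during which the (notified) owner can cancel without any password at all. This is an added example for this page, not Bitstamp's implementation or any exchange's code. The 48-hour cooldown, the withdrawal password, the cold-wallet address label and the PBKDF2 parameters are constructed assumptions; the thief's address and the timestamps are the ones from gabridome's history.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def ts(s):
    """'YYYY-MM-DD HH:MM:SS' (UTC, the format of the history in the thread) -> unix time."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


class WithdrawalPolicy:
    """Whitelist of withdrawal addresses guarded by a separate password and a cooldown.

    - adding an address needs the withdrawal password and only takes effect after `cooldown`
    - cancelling a pending address needs nothing, so a notified owner can always block it
    - withdrawals are refused to any address that is not (yet) active
    """

    def __init__(self, withdrawal_password, cooldown=48 * 3600):   # assumed 48h cooldown
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(withdrawal_password)
        self.cooldown = cooldown
        self.active = set()        # addresses withdrawals may go to
        self.pending = {}          # address -> unix time at which it becomes active
        self.log = []              # (event, address, time): what the owner gets notified about

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _password_ok(self, password):
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def request_add(self, address, password, now):
        """Stage a new address. Even with the password, it is unusable until the cooldown ends."""
        if not self._password_ok(password):
            self.log.append(("add_rejected_bad_password", address, now))
            return False
        self.pending[address] = now + self.cooldown
        self.log.append(("address_pending", address, now))
        return True

    def cancel_pending(self, address, now):
        """No password: cancelling can only ever delay a withdrawal, never redirect one."""
        if self.pending.pop(address, None) is None:
            return False
        self.log.append(("address_cancelled", address, now))
        return True

    def _activate_due(self, now):
        for address, due in list(self.pending.items()):
            if now >= due:
                self.active.add(address)
                del self.pending[address]
                self.log.append(("address_active", address, now))

    def withdraw(self, address, now):
        self._activate_due(now)
        if address not in self.active:
            self.log.append(("withdrawal_refused", address, now))
            return False
        self.log.append(("withdrawal_sent", address, now))
        return True


if __name__ == "__main__":
    # Constructed scenario replaying the thread's timeline against the policy.
    policy = WithdrawalPolicy("constructed-withdrawal-password")
    cold = "COLD-WALLET-ADDRESS-CONSTRUCTED"          # owner's paper wallet, whitelisted early
    thief = "1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE"      # destination from the posted history
    policy.request_add(cold, "constructed-withdrawal-password", ts("2014-02-10 09:00:00"))
    print("thief withdraws 20:01:39:", policy.withdraw(thief, ts("2014-02-22 20:01:39")))
    print("thief stages address:    ", policy.request_add(thief, "constructed-withdrawal-password", ts("2014-02-22 20:03:00")))
    print("thief retries 20:13:38:  ", policy.withdraw(thief, ts("2014-02-22 20:13:38")))
    print("owner cancels next day:  ", policy.cancel_pending(thief, ts("2014-02-23 10:00:00")))
    for event in policy.log:
        print(event)
```

The point of the model is the window, not the password: the attacker in this thread already had the session, the mailbox and (via the phone) the 2FA codes, so a second password alone buys little, but a two-day delay plus a cancellation that needs no secret turns "stolen in twenty minutes" into "noticed in time".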

Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 05, 2014, 06:21:33 AM
I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.

I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.

The only form of 2FA possible on Bitstamp is Google Authenticator.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: leshow on March 05, 2014, 07:00:41 AM
Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-login, so no 2FA is required.

There is a weakness on Bitstamp's side: you don't need a 2FA code to withdraw. Since usually your email session is always logged in, once malware has taken control of the device, it only needs to wait until you log into Bitstamp.

I just checked my computer: my email session is always automatically logged in, so it is also possible that malware could withdraw all my coins when I log into Bitstamp. Scary but true :-[ :-[



This seems like the most likely to me. It bypasses 2FA, and if they already had your email it would be easy: wait till you log in to Bitstamp, initiate a withdrawal, confirm the email.

If it is from inside Bitstamp, it's a very scary thought to have.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: sickpig on March 05, 2014, 07:19:25 AM
I went on vacation on the 21st. On 23rd I logged in to bitstamp because I thought one week of storage of bitcoin on an exchange were too much.

My balance was zero $ and zero bitcoins. From the history I saw someone (not me) made this astonishing things:

* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
* 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:09:33   161.53.74.122   Changed user password
* 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
* 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:24:24   141.212.108.13   Changed user password


If I read correctly, it seems they managed to restore your usual password after the hack, am I right?


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: njcarlos on March 05, 2014, 07:49:03 AM
Really It seems the only explanation for me is that I did it and forgot about it but there is no trace of the confirmation emails and I don't have trace of the destination address.
No offense, but what the hell is this supposed to mean? "I did it and forgot about it?" Who moves 11000-16000 USD and "forgets" about it?


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Marco Polo on March 05, 2014, 11:06:14 AM
Most likely a login session on the phone was not terminated, so hacker simply re-enter bitstamp and at the same time email account is usually auto-login, no 2FA is required

This would have been my guess also, but from the history it says:

Code:
* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication

109.163.234.9 is a TOR relay, so it seems it was the hacker that did a full logon from TOR using 2FA (also it is the same address that withdraws the BTC).

The most likely option then is that they have access to (at least) your phone.

I think the reason the hacker changed the password was so you would not log on yourself and change the password in case you saw the withdrawal email. He then changed it back to cover his tracks, just in case you would not notice.

* Did he delete the confirmation emails bitstamp sent from your email?

* You should make a list of all ip addresses the hackers used and confirm that they are TOR relays on https://metrics.torproject.org/relay-search.html
Not likely, but the hacker might have made a mistake somewhere in not using TOR.

* It would be interesting if you could export a list from your Android phone of all the applications installed and post it here, especially those installed just (1-2 weeks) before the hack.

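Marco Polo's checklist (confirm every IP against a Tor relay list, note the password changed twice) can be turned into a small screening pass over the history gabridome pasted. The following is an added example for this page, not Bitstamp's code or anything posted in the thread. The Tor-exit set is constructed from what posters here assert about the four addresses (a real run would resolve them against the relay search linked above or a Tor exit list), the "known good" IP is a documentation-range placeholder, and the 180-second and 30-minute thresholds are assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# The account history exactly as posted in the thread.
HISTORY = """\
* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
* 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:09:33   161.53.74.122   Changed user password
* 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
* 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:24:24   141.212.108.13   Changed user password
"""

# Constructed: the thread asserts these four addresses are Tor relays. A real run would
# resolve each IP against https://metrics.torproject.org/relay-search.html or an exit list.
TOR_EXIT_IPS = {"109.163.234.9", "161.53.74.122", "96.47.226.20", "141.212.108.13"}

# Constructed: addresses the account owner normally logs in from (RFC 5737 documentation range).
KNOWN_GOOD_IPS = {"203.0.113.7"}

LINE_RE = re.compile(
    r"^\*?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.+)$"
)


def parse_history(text):
    """Turn the pasted history into (timestamp, ip, action) tuples; skips lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3).strip()))
    return events


def analyse(events, tor_ips=TOR_EXIT_IPS, known_ips=KNOWN_GOOD_IPS,
            confirm_limit=timedelta(seconds=180), pw_window=timedelta(minutes=30)):
    """Return (rule, detail) findings for the indicators discussed in the thread."""
    findings = []
    # 1. Any activity from a Tor exit.
    for ip in sorted({ip for _, ip, _ in events} & tor_ips):
        findings.append(("tor_exit", ip))
    sent_at = None
    for t, ip, action in events:
        # 2. Withdrawal requested from an address the owner has never used.
        if action.startswith("Opened bitcoin withdrawal request") and ip not in known_ips:
            findings.append(("withdrawal_from_unknown_ip", ip))
        # 3. Confirmation e-mail clicked within seconds of being sent: whoever requested
        #    the withdrawal is reading the mailbox at the same moment.
        if "email was sent" in action:
            sent_at = t
        elif "email confirmed" in action and sent_at is not None:
            delta = t - sent_at
            if delta <= confirm_limit:
                findings.append(("fast_email_confirm", "%ds" % delta.total_seconds()))
            sent_at = None
    # 4. Password changed and changed back inside one short window (lock-out, then cover-up).
    changes = [t for t, _, a in events if a == "Changed user password"]
    for a, b in zip(changes, changes[1:]):
        if b - a <= pw_window:
            findings.append(("password_changed_twice", "%ds" % (b - a).total_seconds()))
    return findings


def summarise(findings):
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    hits = analyse(parse_history(HISTORY))
    for rule, detail in hits:
        print("%-28s %s" % (rule, detail))
    print(summarise(hits))
```

On the posted history every rule fires: four Tor exits, both withdrawals from unseen IPs, the confirmation link followed 21 and 117 seconds after the mail went out, and the password changed twice 14 minutes 51 seconds apart. Any one of those in isolation is noise; together they say the same thing the thread concluded, that the attacker held the session, the mailbox and the second factor at once.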

Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: roslinpl on March 05, 2014, 11:26:06 AM
Yes, I have logged in from my phone to Bitstamp and I had my Google Authenticator installed there.
Yes, I had my email account with the password saved on the same phone.
Yes, it was connected to a 3G data plan.

This means that the criminal(s) could steal all your money if they have indeed compromised your phone, and I am guessing this is the case here. :-/

This is a rather sad and expensive life lesson for you. I hope you and others learn from it.

Sad and expensive indeed ...
I hope you will recover soon.

Try to keep tracking their wallet address with your BTC. One day they must spend it. Maybe they will make a small mistake and you will be able to track them. But perhaps this would be difficult.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gabridome on March 05, 2014, 03:03:51 PM
Yes, I have logged in from my phone to Bitstamp and I had my Google Authenticator installed there.
Yes, I had my email account with the password saved on the same phone.
Yes, it was connected to a 3G data plan.

This means that the criminal(s) could steal all your money if they have indeed compromised your phone, and I am guessing this is the case here. :-/

This is a rather sad and expensive life lesson for you. I hope you and others learn from it.

Sad and expensive indeed ...
I hope you will recover soon.

Try to keep tracking their wallet address with your BTC. One day they must spend it. Maybe they will make a small mistake and you will be able to track them. But perhaps this would be difficult.


I agree... Do you know a good address tracker? I used one last year but I don't even remember the name (it wasn't so good anyway)


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Klestin on March 05, 2014, 03:16:24 PM
One of the many things I cannot explain myself is why he has changed my password and changed it back.
This part only makes sense if you have a keylogger.


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: e4xit on March 05, 2014, 03:21:54 PM
I am guessing that you have an android phone?  :-\


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: gdassori on March 06, 2014, 12:01:51 PM
This couldn't happen with strong security measures.
It's time to demand that the exchanges do their job seriously.

http://dassori.me/2014/03/06/open-letter-dear-bitcoin-exchanges/


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: Roy Badami on March 08, 2014, 09:41:14 AM
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.


I encrypt them with gpg immediately. I wouldn't say that is the weak point...

Is it possible that the machine you used to gpg encrypt them is compromised?


Title: Re: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected
Post by: adaseb on August 14, 2014, 12:13:52 PM
It's been 6 months and the money still hasn't moved.

Why steal money and not transfer it out? Especially when back in Feb it was worth double of what it is worth today.