Bitcoin Forum

So weeks ago I lost over 20k USD in Crypto.

I had all the private keys, passwords, etc saved in my email draft & I had 2 fa SMS verification didn't know that someone can break it easily. Ended up losing all my savings. Don't use sim verification ever it's pointless there are multiple ways to break it.

If you can afford then buy a hardware wallet. and if you can't then don't store your important data online or anywhere connected to online.

Write down on paper secret codes & keys.

Use different passwords.

Again be very careful with security, If you keep anything online then you're putting yourself at risk.

Err. We literally had the past few years flooded with news of funds getting stolen due to carelessness of the holders. Not sure how this is still happening knowing that you're on Bitcointalk, which is pretty up to date with hackings and breaches. A lot of people have been very very very vocal about security.

Oh well, painful mistake for you I guess. Look at the bright side. While 20k is a good amount of money, better learn a hard lesson losing the $20k rather than learning your lesson when you already have like $100k+ or more. Best of luck moving forward.

I'm sorry this happened to you.


Sounds like it was webmail something like gmail so it doesn't have to be a break in to your account to steal your information. It can be many other things like a cross site scripting attack from another tab or a rogue browser extension or malware on your computer.

Sorry for your loss... Stay positive and just consider it as an expensive lesson learnt.

SMS 2FA is pretty weak. At least if you are to go for 2 factor authentication for your email, go for the strongest that is a available and that is authy or google authenticator.

Keeping your login credentials and private keys in email drafts, cloud storage like Dropbox or online notebooks is also not wise. Those are the first places the hacker checks out.

I feel sorry for your lost...
But, I am a little curious why you have been the target by them? Or they are just have some random targets and finding only the big fish on their targets.

I also experienced last month about my centralized exchange account, when someone able to log in it via my email address and correct password but didn't able to proceed because it needs SMS 2FA from my sim card, so he/she didn't able to proceed, but after that I activate my 2FA uding authy/google authenticator which is much stronger.

Mobile verification is not that good at all. In my country, almost anyone can reclaim any working SIM card. I've been a victim before. Someone purchased my number again.
Always use something like Google Authenticator or Authy. I guess Authy is better because it can be restored in case of losing the phone.
And using someone else's Google account on your phone is risky too. My phone was once reset by a thief who stole my friends phone.
Be careful. Don't lose all your money.  :-\

Back to 2017 , i used to store my secret codes in a text file , compress it in winrar file locked by a long sophisticated password , then upload it to my DropBox which also secured by sms verification [gmail] . At that time, i hadn't any secure device and had to access my accounts from different computers. Even after i repaired my laptop, that winrar file stayed a long time before i deleted it and reset all my codes. I didn't thought sim verification may not be secure enough, as also for a hacker may have access to content in a locked zipped file.
Am so sorry about your lost . This is shocked !
Am also a little bit curious about how this did happened to you ? I mean how they have access to your email ? Is it possible to brute force codes sent via sms or sophisticated long password for Winrar ?

If you are storing your private keys/passwords/seed keys into online, no Authenticator is safe. It's better if we can use paper wallet or hardware wallet. Or at least, we don't store our private keys/seed keys online. It can be written form.
Sorry to hear about your loss. OP, you are a old bitcointalker. It's very unexpected mistake from members like you. You must have known about these security issue long ago.

Correct! This is also my line of thinking when I was victimized by  phishing but so far,that incident has taught me to be more security conscious and be more vigilant with our assets.

Needless to say, we must employ certain security practices  like installing security products, using password managers. etc.,  that could help in strengthening the  defenses of our systems.

Most importantly, no matter what happens to us, just don't give up! Imho.

For someone who is a member from early 2016 things like this should not happen, it has been repeated thousands of times that private keys/seed should not be stored on e-mail or as unencrypted documents on PC/smartphone. Some members also say that if you have more then $500 in BTC that in this case hardware/paper wallet is necessary. But in my opinion, even $100 worth of crypto justifies investing in security.

When I say security, I don't just mean on hardware wallets, but also in PC/smartphone security. $20k is big money, so even though the chances are very small for the return of coins, the whole thing needs to be reported to the police.

Thats very unfortunate mate, that was a huge money, this is a lesson to all never ever store your important keys on your email/gmail this is very risky much safe to store on your hdd with password or in a portable hdd if you have no hardware wallet Im also storing mine in my portable hdd so that wherever I go I can securely hide it somewhere in my house.

I always store any seed or private key on paper. And if there's an option for 2FA, I always prefer authenticator apps over SMS verification. That's why I said it. Thank you mate.

Also concerned about what happened to you Iwan, I will make your experience a valuable lesson for me.
Many people may still be ignoring the security of their money so far and I am also one of them, even if buying one hardware wallet might not be the only thing that can be bought. But more often ignore it.

This is ridiculous in my opinion, and as soon as possible will set aside money to buy it. Security is the main thing that must always be maintained if we have large amounts of assets and even if small.

2FA SMS is one of a secure way to protect your online accounts if I'm not mistaken. I can only think of how it happened is that someone around you has the physical access to your phone and also knows your email pass and that's how they accessed your email account, maybe I'm wrong. It's the two locks a hacker needs to break to get inside. However, have you identified the way it happened yet?

$20k is not a small amount and I also feel that you should report to the police as Lucius suggested, only if Crypto is legal in your country.

It sure is really surprising. Not saying that high rank & early registration date = smart, but you'd really expect a bit more security awareness from someone who's been in the forum for some time already. My guess that in the case of OP, it's more of the "ehh, no ones going to hack me" reasons. Because hot damn storing very very sensitive information on an email account is a very very very novice move.

Not really, hackers also getting updated with security development. It's not easy to bypass 2FA code but we can't say its impossible.

Phishing SMS 2FA codes – How hackers bypass two-factor authentication (https://www.hacker9.com/phishing-sms-2fa-codes.html)

Make sure to back up your 2FA codes safely before activating it; then you can restore your 2FA on other phones.

I copy & paste or write codes down manually; then when I enter the activation code for the first time, I type it manually by looking at my backup codes (not directly copying and pasting from computers). I do this because I want to make sure that backup codes saved correctly and can be used later.

I totally agree with you...


I agree but in order to hack an email account the hacker needs to break at least two locks (if 2fa is enabled), isn't it?
And the hacker to succeed, the user (email owner) needs to click a link from a phishing email and then needs to put the login credentials, otherwise no. That's a long process.

A month or two ago, I got an email saying that someone tried to access my email (the email template was the same as Google's template) and asked me to verify, but when I checked the sender email I found that it was not Google but just a phishing attempt. So I didn't even click any link from that phishing email. What I want to say is that a hacker will never succeed without our help, we all just need to be more careful, that's all.


edit:
If it is not a case of phishing email than what could be other ways except a known person?

I was thinking that ther might be a person who has physical access then steal the email and hack the sms 2fa verification security by doibg what findingnemo provided and getaway with it. It will be easier for that person to steal your money since your passwords, private keys are stored online which storing online is not the most suitable way to keep your info safe.

I know how you feel right now and I am truly sorry for your loss. I've gone through this before and in my case I lost around 8k $. I have a strong feeling that who hacked me is someone I know though
Since then, I never save my private keys or passwords on any online platform regardless of how much secure it may sound.

I think I should recheck my email to see If there is still any sensitive data saved there.

I actually removed my phone number from all my Google accounts, because it seems to be much more of a vulnerability than a security or safety measure these days. It's just ridiculous how easy it is to steal someone's phone number. I use Google 2FA app for all my important accounts, and I hope there's no vulnerabilities in it that can allow attackers to bypass it like the do with phones.

Hey sorry to here. I documented my own recent Fuck up in regards to keeping my coins safe. I wasn't anywhere near the 20K mark, but it stings non the less. Good on you for sharing your info, and moving forward please secure things better. There is tons of information out there on how to keep all of that information as safe as possible, as well as multiple backups you can use. Hopefully you are in a situation where you can rebuild, form here. Don't dwell on it is the best advice I can give, just learn from it.

I deeply regret for your big loss.
Can you tell us where you store your data, please? Did you store them online, on Cloud-storage services, ie.?
Using throw-away emails for new services when you want to try them.
Using different emails and different passwords for different services.
Don't store all your money on one account, on one service/exchange/ wallet. Decentralize your funds over wallets/services/ exchanges.

---

Above all, security is most important and "Prevention is always better than cure".

Great move from disconnecting your mobile numbers to your Google account. Instead of using Google's 2FA app, you might want to check Aegis authenticator instead though. I made a quick topic about it here: https://bitcointalk.org/index.php?topic=5192978

Is this for real? I'm very sorry to hear that. I just can't believe that this could be possible. How come hackers now can even crack the sim verification on OUR phone well its on our possession unless it got stolen or lost and found by someone who good in hacking.

I appreciate that you share youre experience about that. Many will know that this incident could happened. So I must disconnect all phone attachment on my email just to be safe. I'm disappointed how hackers evolve fast also on doing this kind of stealing.

I am sorry for your loss. We should not rely on a certain type of security, it is best to divide the account into different parts and keep it separate in many places. I never leave the private key and password in one place, the private key and the password are always shared in many places. Besides, the private key of the most wealthy wallet was written down 2 pieces of paper and stored in the most reliable places.

Another way of getting bypass 2FA is SIM swap (https://en.wikipedia.org/wiki/SIM_swap_scam) this will work only is the actual owner of that number lost access to it or lost mobile, so scammer doesn't need physical access to the mobile.

Not actually. It can work even if the owner of the mobile number still has access to his/her mobile number. The hacker can still gain access if the hacker did his/her social engineering well enough to convince the customer service representative of the telecommunications company that the victim is registered on. People are honestly underestimating this attack.

Damn, feel sorry for you. Storing any important data online is very risky. However there are opportunities to recover stolen funds by some companies. The key is to find reliable one like Coinfirm, they handles strictly with reclaiming stolen cryptocurrencies by wallet verification and are working on a new blockchain system for PKO Bank Polski- one of the biggest banks in Eastern Europe.

I don't consider myself to be a great security/crypto expert, but over the years of using the internet/computer and by reading/posting on this forum I have learned a lot of good and useful things, I try to apply them in the best way possible. I'm not surprised when things like this happen to a beginner, but experienced members should not allow themselves something like this.

I always consider myself a potential target, by those I know and by strangers lurking across the internet. They're always looking for ways to get their hands our coins, and those who are not constantly alert will remain short-sleeved sooner or later.

I think this is a good information to boost our security and now I have plans to do the same in the upcoming days since it makes sense that I think it could significantly lessen any attack vector that the attackers would use to do a security breach on our systems.

Thanks for this tip. I think this app is a great alternative to Google's Authenticator and Authy and I find it having a good balance between security and functionality. Will try this asap. :)

i have seen many threads about hacking and precaution stuff  , 20 k is lot of money and pains to be losing
spending some money and buying a hardware wallet is better then losing money and regret after , i have separate notebook to have all private keys written

i would say you lost a lot of money to learn this lesson

It should be one of your main priority as you enter investment in crypto. All of the things you are working hard for will go to waste if you are going to be careless with your security. There are a lot of stories here already narrating how they ended up loosing all the money they have as they avoided paying attention on the safety of their keys. If you know you are having a hard time on being a responsible investor, you should avoid storing large amount of money in your hardware wallet to avoid massive loss of money and regrets.

In OP's case, it really doesn't matter what wallet he's using. Even if OP's using the most ultra securest hardware wallet in the history of mankind, it still wouldn't really matter if the mnemonic seed was written down or stored somewhere not-so-secure and easily-accessible-for-hackers as an email account.

When we are online we should always keep in mind that we are public and we are connected to every people around the world so every information we have stored online isn't 100% safe so it is really true that no matter how secured your wallet is if the key into it is stored and placed somewhere isn't secured then your like giving away money to hackers.

Even with the 2fa SMS or Google Authentication, you need to enforce some of your own precautionary measures.

1- Keep a separate email for exchanges / online crypto wallets and never display that email on social media etc so no one will know that email belongs to a person who holds the crypto.

2- Writing down secret keys on a paper is also risky, even if you do ,then make them duplicate and also do not write the code in a sequence.

3- Keep the backup codes for 2fa in a separate place because you do not want yourself to be locked out if you ever lost your 2fa device.

Really sad story and I hope that it wasn`t your last money. I have similar case when I was keeping my private key in Word file (yeah, I`m fool) and then someone hacked my computer, because I downloaded untrusted app. Fortunately, I didn`t keep a lot of money on that wallet and I lost not much money, but since that I`ve been keeping everything on paper in secret place)

I suppose that many newbies are careless so we need to make treads like this to teach them how to keep money safely

I wouldn't advise that. I would advise to use all security possibilities there is. If SMS verification can be "hacked", so be it, but its a one more barrier that must be defeated before your funds will be endangered.
Many times news writers give some of defenses to public knowledge to let hackers try other defenses of theirs. Always they end up with many problems/got hacked coz they wanted it, lowered defenses on purpose.

Great tips and thank you for that. I totally agree that storing your funds in the hardware wallet is the best way. Cold storage only. Moreover, it's good to take care which cryptocurrency exchange do you use and how safe it is. Use only a reliable ones, like for example Kraken, CoinDeal or KuCoin.

You already made one mistake by storing your Crypto information online and you are about to make a second mistake by following your own

advice, namely : "Write down on paper secret codes & keys." Just remember one thing, paper is a very vulnerable material and it can get damaged

by water, direct sunlight and even someone cleaning the house and throwing it away by accident. If you have to write or print it, make sure you

laminate it and store it away from direct sunlight. Also make sure you have duplicate copies and it is stored in 2 or more separate locations for

some redundancy. <Your house might burn down>  :o

It is a reality that our funds in online wallet is not safe, the hackers and scammers are becoming more intelligence and skillful than before and it can break the security that we have nowadays. I still also prefer to store my cryptocurrencies in hardware wallet for me to ensure the safety of my fund.

Hardware wallet should be have by every crypto users, we should invest in having hardware wallet for our security if we wanted to last long in crypto as hackers scammers were attacking every crypto users that's why need to secure our wallets, don't dare to put too much amount in one exchange or wallet that are accessible online as hackers have their own ways on attacking.