Bitcoin Forum

Well, this is a first in my 10+ Bitcoin career... Hacked, but I *STRONGLY* believe it is on FreeBitco.in's side and I would strongly suggest NOT logging into your account until Support settles it.

(Background: I own FreeBitcoins.com (http://FreeBitcoins.com) and AltQuick.com (http://AltQuick.com).  We have used FreeBitco.in for years to help fund our own faucet.)

1. I received an email that I had won a $300 affiliate prize.
2. I logged into my account and saw the 0.004 flash to zero.
3. I received an email for a withdraw to an unknown account:15C8FetAcZ7fkdgf2FAHamwqX4EUE1zhgP
4. I deleted this email right away to prevent it from being clicked if I was pwned.
5. I changed the password and applied QR 2fa on my account.
6. I then received an email that my withdraw to the unknown account was canceled. (April 30 at 21:47)
7. I then requested an "Instant" withdraw to my Bitcoin address on file as fast as possible after the above time and confirmed that it had not changed.  Normally this withdrawal takes 15 minutes.  I used my profile address button and double checked my addy before clicking as well.
8. Roughly an hour later, at April 30 at 22:42, I received an email that my payment had been processed to 15C8FetAcZ7fkdgf2FAHamwqX4EUE1zhgP.  I never received a second email for the payment after the first one canceled... which seemed strange.

This seems to have happened to multiple prize winners and appears to be a targeted attack for the prize money.

It also seems to be that FreeBitcoin is likely has their system compromised.  I used no copy/paste.  All of my account information is showing the same as I've had it forever on my front end.

Something is seriously wrong.  I've used this website for *years* and hate writing this.

https://i.ibb.co/0DYgSD5/hacked.png

https://ip.bitcointalk.org/?u=https%3A%2F%2Fi.ibb.co%2FmztBhcb%2Fhacked2.png&t=661&c=XvbaQbZcstHFcQ

My normal and unchanged account address:

https://i.ibb.co/7C2rGkV/wtf.jpg

I strongly believe this was a targeted hack because I can't understand why I wouldn't have been targeted on 4/10 or 4/11.  

https://i.ibb.co/KLVZ73X/ex.jpg

There are also multiple users who won the contest that appear to have had the same thing happen to them as well.

For the time being, we've temporarily removed our FreeBitco.in affiliate links from AltQuick.com and FreeBitcoins.com.  (Which I hate doing as well, because we have over 5,800 affiliates...)

I waited a few days to see if their customer support would answer in their thread before making this post.  My OP is here: https://bitcointalk.org/index.php?topic=320959.msg64015156#msg64015156

I'm certainly not compromised because if someone was changing my addy's... lol.. 0.004 btc would be the least of my losses.

It feels too strange to be random.

Hoping this gets rectified and solved on FreeBitco.in's end.

My situation is identical.

I won tenth place in the referral wagering contest which initiated a sequence of events exactly as the OP described above.

I should disclose that I was one of the original chat moderators (Antminer) on Cointiply back in 2018. Unnatural and FlatfootHarry entrusted me with their young brand.

Despite what may be construed by some as a conflict of interest, I have always held freebitco.in in equally high regard.

Given the situation at freebitco.in and lack of support or user engagement otherwise, I would recommend avoiding any interaction with freebitco.in until the current situation is resolved.

USER ID12591058

My deposit not credited to my account USER ID 4548360
I made two transfers to my account:
1. TRANSACTION
c89f3e5fc455e8e97cf60c86e626848bc12bc4616ef6af00994e232f48915890

2. Transaction
c97dd551d9d1c1255cbba7b9a6fa7eecba868922977463fc1f8e10800f174580

BTC is credited to the wallet balance 15xgSi6AuH2qdni23EoofPBnoHzyFpzuU5, but not to the my account balance.

Screenshot of the btc address on the fbc website:
https://ibb.co/Qc9pPwz

Please return my money to the btc address:
bc1qncasm898lfrjmzks4aa69nv5td5khp4ek3jf6c

The amount of damage: 2000 usd

A similar post https://bitcointalk.org/index.php?topic=5495091.0;dt talks about users who have changed their security settings recently on freebitco.in

Code:
What happened: over the month of April, I had made large deposits of $2,000 at least three times and made my way into the monthly wagering contest. As one of the top 10, I ended up winning the contest at number 7 for a total of $500. Upon winning I received an email confirming my victory
https://i.imgur.com/rW1fvb7.png
However, less than a couple minutes later I noticed that my balance was drained and set to zero and I had gotten an email stating that I had made a withdrawal request which I did not make. I didn't even have time to.
https://i.imgur.com/mvHbjQf.png
I did not confirm the withdrawal as in I did not click the link. Therefore, it should be sent back to my balance within an hour.
I immediately started to change my 2fa and my passwords to keep my account secure.
https://i.imgur.com/svUWSzf.png
https://i.imgur.com/fjLAS4W.png

While in the meantime My unauthorized request was canceled because the hour had lapsed. And the money was put back into my account.
https://i.imgur.com/olzcwZM.png

I also had changed my deposit address into my crypto.com  wallet and made that into my default address.
Scammed by freebitco.in https://imgur.com/gallery/3HUWdyy

I tried to cash it out however it got sent to a totally different address supposably my Bitcoin wallet on freebitco.in and it happened to be my old address so I changed my default address yet it sent it to my old address which I don't know how it did that
 Here are two screenshots of how I don't even know this is possible.
https://i.imgur.com/UNGWjUh.png
https://i.imgur.com/1kUxsDW.png

Now since I enabled my 2fa. It made it so I no longer needed a to do a email confirmation before the deposit was sent so I never got a verification email.

However, I got a verification that the Bitcoin had been sent to this supposed old address which I never sent to. Furthermore, the balance never showed up.
https://i.imgur.com/pFhAN9p.png

Here is a screenshot of it being confirmed on the freebitco.in website saying that I got a deposit from myself, however it never showed up in my balance.
https://i.imgur.com/GHhcd9l.png


At that moment I was screwed. Here's a summary of what I think is going on.

Keep in mind that the owner of the website the Quinn fails to ever respond to problems his users face on his website. Here's the summary.


The 2fa thing is part of the scam.

They make a withdraw request which triggers the email.

As a result of an UN requested withdrawal the customer gets spooked and immediately changes there security settings in belief that this will help secure there account.

However, this is a trojan horse that that allows the  withdrawal confirmation request to be disabled.

Thus, the original attacker is able to capitalize on the ignorance of the individual who is thinking there securing there account by enabling there 2fa security measures.

Using fear to trap the individual into unknowingly let there defense down and be luted by either hackers or some one on the inside or backend of the freebitco.in site.

It's genius really but completely f***** up

Either way, security or no security measures anyone can be targeted rendering this website
Extremely dangerous for anyone who has a balance.

This happened to me the other day right after I had won the wagering contest 7th place $500.

We can speculate all we want as to whether or not the websites secure .

But the fact that the matter is there's a few of us that would like to get the hard-earned money that we won.

So we can keep talking about what's wrong with the website or we can discuss how we're going to make reparations to these individuals.

However, if it's an inside job, there's little chance for recovering the funds other than reporting to the FTC and financial crimes units.

Mr. Quinn in my opinion is either part of The problem by allowing this to happen or he's directly involved. Either way, he's guilty by association because he knows his website's faulty and he fails to do anything about it.

And I also have another issue which I doubt will ever get solved. But I ordered a hardware wallet with my hard-earned reward points. I never got that wallet and I never got refunded my reward points but that's an issue for some other time I guess. Or that ship is already sailed which sucks.

:

Scammers Profile Link: https://bitcointalk.org/index.php?action=profile;u=143168 

https://freebitco.in/#



Reference Link: c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb ...


Amount Scammed:
0.00823099 BTC ($500) 


Payment Method:
BTC on https://blockchain.com


Proof ofPayment: https://www.blockchain.com/explorer/transactions/btc/c2e76e8865c2757c040f0f58b12866eaa6d2426aea40b4dcedfb527e36e9f0bb... 


USER ID 53314860

I see that several people have already been victims of a hacker attack on the fbc website. Is it really possible that we will be reimbursed for our losses?

By right, the victims should be compensated as long as the breach is verified on their end.

I hope so...

... but by the moment i have been stolen twice, my account is in danger because after more than 26 hours i see the wrong deposit address clicking the "Deposit" button and the cashtravel script then i cannot play, widthdraw or deposit (they has left my account to 0) and after some emails and facebook claim i haven't received any answer.

By right? Please, tell me how to ask for the compensation because i have screenshots and in fact, if you go to the Stats in my account it is so clear that the information does not fit with the real addresses i have got.

It's a real shame that things like this happen with this service, and it seems to me that the owner can't (or doesn't want to) maintain his project the way he used to. When we add to that that the official representative on the forum no longer communicates with anyone (at least not publicly), then it is quite clear that things have gone downhill.

I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal :-\

I have a similar situation. I cannot make an additional deposit because the deposit address was replaced with a false one and I cannot withdraw funds, since upon final confirmation of the withdrawal the address is automatically replaced with the address of the attackers and the funds go to them

Similar quandary...

Freebitco.in support is known for being slow to response here in the forum even when their website still running smoothly without this multiple issue occur. This slow support already backfire now when multiple users already have a same complaints which is related to security breach.

This issue was already pointed out to them multiple times yet they keep ignoring since they view most of the complaints here as hoax. Now that the real issue arises, no one from support or representative is available to answer the concern which is sucks since this is regarding a security breach.

They might suffer huge loss just because they have a very poor customer support.

My advices if you decide to withdraw:

• Verify your deposit address is the correct one clicking on the Deposit button in the home page.
• Important: Even if it puts your correct address in the withdrawal window or you think that entering it by hand will work... don't do it. First check the previous point!!!
• Go to developer tools in your internet navigator and in the source tab, take a look to the code in the path: Top > freebitco.in > ?op=home
• Search in the right code "cash" or "cashtravel". If you find it, don't do anything because your account is compromised.
• Pray because it seems nobody in Freebitco.in wants to investigate this TERRIBLE security issue.

Just cashed out all my satoshis from the platform yesterday after reading all these news. Withdrawal went fine and arrived on my wallet without delays, as usual.

It really seems only a few number of accounts are compromised, although we can't give ourselves the luxury of playing with luck there, because if there are any flaws on the system, and support team isn't concerned about it, nothing prevent us from being the next victims.

Personally, I prefer to retreat while I can.

It's really sad to see this new bombard of complaints against freebitco.in right after the novel it took for them to solve an issue with another user which didn't have his deposit credited for 6 months of waiting.

We can't trust so much a service which completely lost touch with its community.

It seems to me the freebitco.in's backend works as it should but somebody found a way to inject a script on the front-end of the app and it manipulates the DOM and tricks you into doing the shit you shouldn't be doing.

Like: "You are hacked, send x amount of btc to this adress to get unhacked"

In reality, you weren't hacked at all. It is just what this script kiddie wants you to believe. Regardless of that, it should be handled asap.

I didn't do anything. I certainly wasn't tricked into doing anything

I received an email notification that I had won a place in the wagering contest. I was expecting this email. I didn't click any links.

I opened chrome and clicked my freebitcoin bookmark to check if the prize money was in my account. It was. I was staring right at the balance. It disappeared. Went to zero. Then the referral coins started trickling in again.

Then I got an email notification about a pending withdrawal.

I hadn't done anything except open freebitcoin in chrome to check my balance.

After an hour the withdrawal was reversed and the coins returned to my account.

That's when I made the mistake of enabling 2FA

Even with 2fa, my default profile address never changed (pictured), and that's the withdraw I used.

2fa should protect... unless it's displaying a fake address, because I tripled checked that dude. (no emails notifying of account changes either)

I don't think it's by chance that the contest winners got hit.  It was a big way to leak that amount at once for someone that is in the system, but doesn't have the private keys + requires action from the user.  *shrugs*

I'm looking forward to an official answer or update...

Same here, my profile address never changed.

I didn't even attempt a withdrawal.

The hackers triggered the withdrawal seconds after the prize money was credited to my account, and somehow they managed to bypass my profile address.

Ouch, gotcha... Takes the sting out of me at least trying to get process a little less stingy... *sigh*

They must have been able to solve our 2fa "upgrade" for us... how kind.

I think you got a fake email because the attacker already knew that you were going to be one of the winners of that contest. Who is the sender? Did it come from freebitco.in?

As the other victims pointed out, there seems to be a malicious script that’s targeting certain people. However this script loads on your browser. (Client-side) That means it has the ability to show you anything. Who knows what’s in that script… It can probably show a fake deposit address too.

That’s where you were getting tricked.

 Just because you saw 0 balance didn’t mean you actually had 0 because your balance’s record kept at the back-end (server-side) of the application.

So till freebitco.in finds a fix, nobody should do anything stupid like sending coins to another wallet or deposit to a fake address. Better stay away for a while.

Some people managed to withdraw their coins successfully, maybe try that

Yeah same. Sooner or later my balance will hit the minimum withdrawal threshold. Will the hackers attempt to strike again!?

I did nothing. Yet the hackers were still able to initiate a withdrawal of my entire balance, and overwrite my profile address.

The only thing that saved me was the payment request confirmation email.

Then I enabled 2FA and it was all gone.

In hindsight, if I hadn't enabled 2FA I'd still have my coins.

It was only $50. Fortunately I'd withdrawn April earnings before the wagering contest winners were announced.

It seems there's no way to defend against this attack other than to disable 2FA. Even so, that's no guarantee that deposits or withdrawals will be sent to an address you specify.

At least with 2FA disabled you'll get a payment request confirmation email and you can decide whether to approve the payment or not.

That email looks legit. It is probably not a part of the attacker’s plan. Still though, like I said what you see on your browser isn’t the truth probably as the victims are loading a malicious script. As long as the backend of the app is safe, you shouldn’t worry. Hopefully it is safe ;D

Thanks for the info, because it means that the entire system is not compromised, but someone obviously has access to a part of the system that they are manipulating for malicious purposes. Given that in some posts it was possible to read that freebitco occasionally has help from the side, it is possible that one of the external collaborators decided to use their access to the system and the apparent current lack of control and supervision from the owner.

Yes, understood. Thankyou.

I'd like to know more about this malicious script. Do you know if anyone has posted the script source code to Pastebin or simular.

I’d like to look when I am home but I am scared to touch that shit too as I also have an acc there.

I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has an access to the client side, it can do whatever it wants. (From your side)

In my case, stolen twice in the last month (one depositing from kraken to a "new" Diposit Address that appeared in the Freebitco.in Deposit window and another one making a widthdrawal introducing the address manually but when clicking the widthdraw button all changed (I have an screenshot just before clicking and the sent movement in the Stats - Profile page naming another address different to the one I wrote).

More than 48 hours later, my Deposit address continue being false and i have the cashtravel script in the developer tools. I have tested in 2 different PCs, 3 different navigators and 1 mobile phone. In all of them the Deposit address is not the mine one.

Then, i cannot recover my address, I cannot use the page. Freebitco.in have some emails but...

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address instead inserting the attackers address.

Shiet. Now we all can panic.

TheQuin where the hell are you man your establishment has caught FIRE!

Absolutely!

If you have 2FA enabled you won't get a payment request confirmation email from freebitco.in

What you will get is a payment sent confirmation email.

The attackers targeted the bigger fish. This time...

Yeah.

It's not safe to deposit. The attackers can change the destination address.

It's not safe to withdraw. For the same reason.

It's not safe to stand idly by and do nothing. The attackers can initiate a withdrawal and overwrite the profile adress

The attackers know that their attack was successful.
I would expect them to target any user with a balance above the minimum withdrawal threshold next.

The attackers also know that the vulnerability that they are exploiting will sooner or later be patched

If you can get your coins out now before the attackers make their next move...

It is not safe and there is more than one problem. There has been talk of a cashtravel script that those of us affected have had but now it no longer appears and even so, the deposit addresses are fake (and it is not possible to change it) so any withdrawal can go to any unknown address.

This is the address where all my funds were stolen and still is the Deposit address when i click the Deposit button: 144p3SroEwDs1rdMmBqkCKHLpQ2TUCH3Li.

My real Diposit address does not even appear in the old ones inside the window.

I have made my account available to freebitco.in by email for investigation but they do not respond to any email. I hope they are doing something even if it is silent.

By the moment, of couse I cannot do anything in freebitco.in and i am recomending not using the page.

If the attackers are able to bypass the 2FA security and to initiate withdrawals whenever they want why you are the only user reporting it till now? They would have no reason to wait before withdrawing as much funds as they can, so I think many people would already be here complaining about random withdrawals happening spontaneously. That's why your claim is a little bit surprising. Are you sure no one living with you, has been able to steal your funds? If yes, are you sure your 2FA device is safe and hasn't been compromised too?

The OP listed points 1-8 above

My situation and reaction was almost identical. Obviously the amount I won was different. The unknown address was also different.

I didn't say, "the attackers are able to bypass the 2FA security..."

I said they were able to initiate an unauthorised withdrawal, bypass my default profile address and insert an unknown Bitcoin address.

It's important to note that this happened prior to enabling 2FA.

After I enabled 2FA, I initiated an authorised withdrawal. The attackers hijacked this withdrawal.

What I said in relation to 2FA was you won't receive a payment request confirmation if 2FA is enabled.

So, having 2FA enabled therefore does work to the attackers advantage.


Maybe something got lost in the translation.

Initially I didn't make a withdrawal.

I just opened freebitcoin to check my balance just as you did.




Someone has pasted a version of the malicious cash travel js here https://pastebin.ai/eo0q78pbuj

@BayAreaCoins

Someone mentioned in another simular topic that the link to the malicious script was somehow hidden in the advanced tracking using tags button code on the freebitco.in site.

https://bitcointalk.org/index.php?topic=5492456.msg64033700#msg64033700

I actually did click that button days prior to the attack on my account.

Food for thought.

OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://www.dropbox.com/scl/fi/rsu1hq8tgj810e2p8bqj7/video_20240505_093225_edit.mp4?rlkey=me946bfe2utlhz2vtc3yqjgg7&st=ywer9mzb&dl=0
https://ibb.co/PtqN3Mw
https://ibb.co/cgCnxQ1

Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?

It appears you do not have 2FA enabled which is why you received a payment request confirmation email and were therefore able to abort the withdrawal by not clicking the confirmation link in the email.

I have disabled 2FA for this reason.

Thankyou for the video. Much appreciated.

I also turned off 2fa for this reason, but! there is one important caveat, if you withdraw funds to an address linked to an fbc account, then an email with a confirmation link will not be sent. Therefore, you need to make a withdrawal to an address that is not linked to the account!

Thanks for the additional information.

It would seem then that the safest course of action is to turn off 2FA and generate a new Bitcoin wallet address. And of course confirming the address before clicking the confirmation link in the email.

I looked through the malicious JS code. It seems to be targetting user id 31898443 specifically (unless a different ID is loaded based on the url parameters used to load the js from the cashtravel site.

It appears then to hit https://bitwrecken.com/?action=new&id=31898443 to get the new / rogue deposit address. Presumably this is done so the attackers can cycle through various different rogue deposit addresses, or even randomise them.

There is a then a html element called main_deposit_address which is replaced by the value retrieved from the bitwrecken.com site

The script is actually rather simple in how it works, nothing complicated going on.

The worrying part, is how the attackers were able to embed this into the freebitco.in site and whether it has affected all users. It feels like those who clicked the advanced tracking button in the referral page may be the ones who were hit, but not seen any confirmation of this.

Thankyou for your analysis.

What do you make of this
https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js

It looks like something you'd expect to see on https://www.ioccc.org/

That rogue jquery cdn include is some serious obfuscation. It doesn't look like that one is easy to unobfuscate, It is an enormous function built by lots of mini functions referencing memory addresses, very hard to follow. It would take me hours to decipher all that.

It's gone!

The malicious code is gone. But the lost funds were not reimbursed to us and it seems they are not going to, they just threw us

We don't know if freebitco.in has done something or if it was the hackers who removed the malicious code to calm us down, but they will come back.
Seeing that Freebitco.in has neither responded to any email, nor has it given any explanation nor does it appear anywhere, I believe it was the second option and I also believe that there will be no refund. We have been robbed and have lost our funds.

trust in freebitco.in = 0%

Your attitude and the attitude of all those who have suffered financial loss is completely logical and I agree that the reputation of this service is quite damaged after everything that happened. However, I think that they should be given a chance to show that they are still serious about what they are doing.

We recently had an example where one user received his deposit after 8 months if I am not mistaken, so although it is difficult to find justification for such a delay in solving the problem, we should not completely reject the possibility that freebitco will compensate all those who were victims of malicious scripts.

I agree, it's early days in Freebitco time and I've never seen a case so far where the fault has been found to be with Freebitco and the affected user has not been recompensed.

You're not mistaken about the case you mention, it was a deposit issue, the poor guy really went through it and understandably came to a similar conclusion that his funds were lost.

If Freebitco.in returns me some of what I lost and if I see that everything is safe again, I will raise my confidence and write it for everyone here. I have been with Freebitco.in for years now and I want to continue...

...but this week Freebitco.in is not giving me reasons to do so.

Update: At least it seems FBC is making something. I have a new window i have never seen before (PENDING DEPOSITS) with a deposit from Kraken i have made some minutes ago.

I keep sending emails to support, to TheQuin, and waiting for someone responsible for Freebico.in to answer me something, TheQuin, Support, or whoever.

I won't stop until my stolen money is returned.

My Freebitco.in ID: 51895659

Same to me but when you talk about support you mean the email in the FAQS menu into the page? Because i have sent many emails and they never answered.

I would love the my stolen money was returned and someone responsible for Freebico.in gave some explanations as well.

My Freebitco.in ID: 38757724

Hi Drazen2003,

Yes, e-mail:  support@freebitco.in

Thank you very much blackmtl308,

I have written with images and documentation but... have you got an answer? I have sent many emails these last days and I never get an answer.

Don't spam their support.  That just annoys and slows things down.

I am looking forward to hearing wtf happened.  I'm not worried about the tiny prize, it's just strange and a response would be cool.

Also, I don't use advanced links. 

Patching is a priority to talking.  We would like to keep a good affiliate relationship with FreeBitco.in, but know users are safe.   (I'm not feeling very safe atm :P)

Anyway it seeems FBC is waking up, first Thequin has recently logged in, the script is of the page and the number 10 lambo winner has been announced even the outcome was already as expected.

Anyhow since the script was loaded from his website FBC is responsible, even you have injoyed our 12,5 BTC for your riant holiday.

So @thequin let me know when you are going to send me the 2000€ and 19300€ back.

Some days after causing the loss of all the funds of some users and having received emails with evidence of the hack, nobody from Freebitco.in has answered my emails or contact to me. We still don't know if the hackers can attack again when they wanted.

The user @TheQuin either responded to the private message I sent him.

I cannot trust in Freebitco.in by the moment.

I also have no response from the support

No response from support.

This issue impacted a handful of wagering contest winners. As far as we know.


Malicious scripts gone (cashtravel js).

Attacker's website down (bitwrecken.com).

Complicit accounts disappeared (feleryunfbc: github, jsdelivr).

Evidence vanished.


We know the truth.

What happened can happen again. To us. To others.


Since the attack, I have made a successful withdrawal.

For now, I intend to withdraw everything. No wagering. No deposits.

Confidence remains low.

It all seems pointless. Support is inactive. I don't know what to do. We gathered people, we have evidence, but it's all useless

Freebitco.in never responded to me and my money was stolen because of Freebitco.in

People have to be clear that if there is any problem there is no one in technical support so everything accumulated can be lost and no one will help us.

Did someone got paid back already?

I still havent got an answer about a missing 21300€ from our accounts.

I didn't get it back. No answer was given. Does anyone have contact information for the admin of the fbc site?

https://www.talkimg.com/images/2024/06/03/cXoad.jpeg

No response from support.

No response from TheQuin.


List of reported security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Has anyone been contacted about the theft? I wrote several emails and personal messages to support, sent them a video of how the address changed during the withdrawal, but never received a response.

I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?

I sent them messages to 2 email addresses( support@freebitco.in noreply@freebitco.in) and wrote a personal message on this site, and a message was also sent through the fbc website in the FAQ section. There is no feedback from them

As a programmer I suggest all scammed users to check which browser extensions they have in common.
It is easier for extension to put any code inside any website so always use extensions that are neccessary and trusted.

I also want to ask how you guys are making so much money on fbc :D

The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj

Hopefully no one will risk clicking those emails, we may never know what's in there that might lead to the hackers extending their attack to more and more people. That sucks for Freebitcoin is having this kind of problem, it's a good thing that it's not them that's causing the problems and that it's the hackers. They still have some responsibility to it though and maybe improving in their security online and offline is probably their only solution to this one.

With XSS vuln. attacker cannot insert a script in your browser. So my concern again is that you should look for common extensions. Your ids were targeted because attacker was sure there are funds and did not want to ping normal users with uncertain balances.

As far as these vuln. are concerned they are patched already I have check one of un-patched. I think fbc does not update their bugs fixation there.

I have no extensions on my fbtc device.

You cannot install chrome extensions on the chrome browser on android.

I really do appreciate your input.

Discussion is always healthy and can sometimes provide insight to a difficult problem.

Cross Site Scripting (XSS)

Overview


Reflected XSS Attacks

Stored XSS Attacks

Blind Cross-site Scripting

Source: https://owasp.org/www-community/attacks/xss/


Further reading: https://owasp.org/www-community/Types_of_Cross-Site_Scripting

I have knowledge about XSS. If you are using android then kindly make sure your browser is official and safe. And also check if you have some malware on your device.

XSS attack requires users to click on a link to get the script from attacker. Through XSS attack attacker cannot upload scripts to servers. It is like maybe you clicked on malicious link  from any source/forum/thread etc. Or your device is compromised. Which is very unlikely as this many users cannot get their devices compromised at same time. Also if devices were compromised then results would be worse.

Also check links you received through email because I am sure more of victims logged in from links in email. Maybe attacker can exploit a way to trigger automatic emails through some way.

These are all attack methods that I have learned and experience so far and most probably all possibilities for an XSS vulnerability to be exploited. Because without social engineering this attack vector is not so useful.

I am talking about XSS vulnerabilities reported on bug bounty platform shared before. If attacker have some server type access then it is worse

I don’t understand why FBC doesn’t respond, there is no reaction from them. It's a shame that they don't want to help deceived users

I haven't searched deep in this thread, but are the addresses where the BTC were sent somehow one of your deposit addresses? The OP doesn't mention this detail, I think something fucky is going on, but not actually a scam.

I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The website was hacked either by a third party or an inside job.

It’s pretty obvious that the new address used is from unknown wallet address or else this will not be an issue at all since they will still receive their Bitcoin on their other wallet address.

The address use is from a hacker since I remember some of the victim track it and goes to unknown address that is not related to their withdrawal history. I believe the hacker manage to inject malware to players computer or on the freebitco.in side which never clear since the admin of the casino never answer this issue.

I was investigating another user https://bitcointalk.org/index.php?topic=320959.msg64180553#msg64180553 (https://bitcointalk.org/index.php?topic=320959.msg64180553#msg64180553) that had something similar happen to them. But he noticed that the address was indeed one of his freebitco.in deposit. The money wasn't credited, but the on-chain transaction is indeed to his own deposit address.

If the OP of this thread didn't happen to check if the address is one of their deposit (and honestly, why would he?) it might be worth checking it out. If the deposit was indeed made to his own freebico.in wallet this indicate a fuck up of the automatic system they employ, and not fraud/scam/hack.

I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The funds are not actually in freebitco.in's hands. It was not a simple/weird bug. The website was hacked either by a third party or an inside job.

The writing was on the wall and we posted about it 3 months ago, and yet, there are still bad-sses who attack us for being responsive to users and running 20 legitimate faucets for over 7 years (we started in 2017 and freebitco.in in 2013).

So let's say it again - the writing WAS ON THE WALL !

https://bitcointalk.org/index.php?topic=5487189.0

Hopefully someone would finally listen. It's not about just fixing a code, it's about getting control of your faucet.

They can't do it in the current structure, it's impossible.

The sign of them of collapsing is now getting clearer. Their lack of personnel despite they have lots of users using their service is one factor why the casino management will collapse just like this.

I’m not a faucet user anymore so I can’t relate to the details about their faucet but one thing is for sure that this casino never prepared for this kind of issue. Worst is the founder mismanaged the Bitcoin funds that result to this unimproved service even they are existing for a long time.


Again the OP is high rank and known for being involved on many business. I doubt that he will be overlooked the address that he used in the past.

https://www.dropbox.com/scl/fi/rsu1hq8tgj810e2p8bqj7/video_20240505_093225_edit.mp4?rlkey=me946bfe2utlhz2vtc3yqjgg7&st=ywer9mzb&dl=0

I recorded from the screen of my smartphone how the hackers replaced the output address with their own (at the end of the video you can see how the address changed to the address of the attackers). This happened automatically after clicking the withdraw button

This was precisely a hacker attack, since this address no longer appears in the list of my deposit addresses, it has disappeared. It disappeared on May 5th, after I posted this video!

Even if this is an internal error with freebitco, my money is lost in any case, as support is not going to answer user problems

Are you sure? Can you check again even under "OLD DEPOSIT ADDRESSES" that the address 15xgSi6AuH2qdni23EoofPBnoHzyFpzuU5 doesn't show? Can you post an image?

Of course, I'm sure. https://ibb.co/KN4j5gJ

Don't think of me as a dickhead, I am just trying to help, if what you say is true then it's very damning of hacking if not an inside job!
But... before moving from the headspace of "it was a bug, they need to fix it :(" to "*grabs pitchforks* it was an inside job, burn it to the ground! >:(" (I jut find it less likely on priors), I would like to have more. Can you show everyone the picture of the current deposit address and all of the previous addresses?

Sorry again to doubt you, but I am mentally deep in this hole rn, and I would like to verify all that is verifiable.

https://ibb.co/ZNBZW9b

*grabs pitchfork*

I see there  have been a lot of issues with Freebitco.in lately, and the team has yet to provide any answers. While I haven't followed all the stories, it seems that many users are experiencing much hacking incidents and issues about receiving emails, withdrawal trials that they didn’t make with their accounts, funds are stolen or orders are not processed due to the 2nd otp. Personally, I haven't encountered any of these issues on my account, but what is concerning for me more is that the team is not responding to the situation yet knowing Freebitco.in is one of the best and secure faucets and casinos I have ever experienced.

We are missing a lot of details about what exactly is going on. Should we take any precautions with our accounts or not even login inside?

It's truly sad to see this, and you can see in our own thread people are attacking us for expressing these views 3 months ago warning everyone:

https://bitcointalk.org/index.php?topic=5487189.0

Truly nuts how some people think!

We don't want them to fail. We have over 120k referrals with them (like our Youtube video shows).

We just share our own experience as faucet owners, 20 faucets, since 2017. We also posted a blog post about this here in February 2024:

https://freebitcoin.io/articles/changes-to-our-faucets-from-feb-2024

Use webmachine archive to verify, the text written here was posted then, it wasn't changed or altered - this was unfortunately a prediction of a black swan event. Why?

Because we saw what happens to many faucets now. Hackers use anything they can to drain them and drain user accounts. You need to communicate this to your users and you have to show you are hands on on the problem. Otherwise, this is only the beginning.

They can still get out of this, all they need to do is to finally change their business model and apply common sense practices and things will start flying again. Right now it seems like they choose the same approach they had with their "sister" site:

https://freebitcoin.io/articles/what-happened-to-free-doge
(This article is from 2020)

we are nearly 2,5 months further and this Samuel Das aka wetsuit still haven't said or done anything to compensate the problems that he is personal responsible for, nor replied any of us.

We (our group of high rollers) losses 21300€ by this scam/hack.

And the scam is even bigger. Funtokens slowly will be worth nothing and Samuel Das aka wetsuit or better say the CEO of freebitco.in and Funtokens, are fucking our asses.

Let me tell you this, we have spended more then 1 million US on his website, a contract killer or hacker will cost us less.

Let that be the final warning for you!

Well, gentlemen who have suffered, this answer is simply ridiculous, and just an excuse and unwillingness to do something about our problem. We were deceived (robbed) and they are not going to do anything about it. Support is a useless thing freebitco.

soslex, Lambo winner, also targeted by the hack.

@BayAreaCoins and everyone else affected that hasn't already done so, you might try reaching out to the new CS representative about what happened:


They are confirmed to be an actual employee of freebitco.in.

I'm wondering if anybody who commented in this thread is experiencing a "back to normal" situation at this website, or has been compensated for their losses.

Fun tokens was the worst idea they came up with. I said it when they first introduced it: “This casino will become freefuntokens soon” TheQuin didn’t agree with me. I wanted to believe him and part of me did.

The casino didn’t really become freefuntokens but what I really meant was “the casino will go shit soon” and it looks like it did.

I hate it when an online bitcoin casino issues its own currency. Just-dice also did it and issued CLAMs and nowadays nobody uses it anymore.

Issuing your own casino tokens is a sign of bankruptcy to me.

They should have kept freedogecoin alive.

Hello, yesterday I tried to contact a new member of technical support, in the main discussion thread, since I don’t have the opportunity to write to him in direct messenger. At this moment I have not received a response. Compensation has also not been received until now.

Now you're a Jr. Member, so perhaps you can message them now.

I know the events are being blamed on the user, but there seems to be much more to it than that, like perhaps some kind of hacker (whether an insider or outsider, we don't know) was able to insert some malicious code into the website & cause people to send coins to addresses that weren't theirs.

There is a new support team at Freebitco.in, after 2 months I received a response by email.

Freebitco.in Support Team User CSFBC, is now accepting messages from Newbies as well.

Even though they didn't respond to me, what I actually sent in the message, basically, the stolen money, as happened to most of you, at least there is someone who is taking care of it.

I will continue with this, until I receive financial compensation for the loss.

Hi,
CSFBC is not responding to me

It's not their own currency, they didn't create it, it was existing before and the currency has a different name before being rebranded: Funfair. It has been launched in 2017 at an ICO price of $0.007 according to Etherscan (https://etherscan.io/token/0x419d0d8bdd9af5e606ae2232ed285aff190e711b#tokenInfo). They really tried to develop it after acquiring it, they've carried it onto another blockchain/layer2 network, they've created a wallet and a bridge, they've launched a casino, a decentralized sportsbook, and a GameFi platform using it, they've added a burning scheme and lock investment/stacking offers including on Binance, and they list it on several big exchanges. Unfortunately the price is falling (certainly because of the high stacking APY) but we can't say they did nothing, they stood by with their arms crossed.