I would also appreciate, if Bittrex, as a responsible business, would compensate my losses at least partially.
LOL wtf... I have bad OPSEC, give me my money back... You sir are a first class asshole, 100% cock sucker.
How's the investigation going richie?
Déjà vu, the dev is silent.
Looks like I was mistaken... after a couple of ticket responses and going back further in some cases... there have been logins from unknown IPs. Please focus on finding a common denominator to these attacks.
richie@bittrex
So my machine wasn't compromised.
UNKNOWN_IP_LOGOFF 134.3.254.67 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:17:09.710
So how about reimbursing my coins? 1300 rads, 800 exp, 15000 aur, 333,000 bcr
That just means someone was able to get your l/p... nothing has changed... not sure why you think it has.
So don't take any responsibility towards your users' funds?
We absolutely do, but if you lost your login/password and don't have 2fa enabled, there is nothing we can do. I'm trying to help you guys find a common denominator, which is why I jumped on this thread. If it is going to turn into something unproductive, I'm happy to disengage.
richie@bittrex
In Ritchie's defense, with no 2FA enabled another possibility here is that the user, or some of them, are lying. How would Ritchie be able to tell the difference between a hacker using my PC and ME using it? As much as I may speculate Bittrex is behind this, I also can not rule out fraud by users. Which logically makes it hard for him to pay coins out.. If it was an end-user scam and he pays, it would never stop & he would go broke.
I know you're just exploring all the angles here, I ain't no scammer, far from it, I'm the victim. I worked hard trading to get those coins, I put a lot of time and effort in, only to find them disappear into the ether.
Here are my log files, obviously I had to obfuscate my IP because of the crazies in here:
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-03 02:43:00.480
DISABLE_2FA **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-02 14:18:16.347
DISABLE_2FA **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-02 14:16:15.100
ENABLE_2FA **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-02 14:01:28.287
PENDING_2FA **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-02 14:00:58.077
IMAGE_INITIATE_NETVERIFY **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 13:05:29.767
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:45:36.673
LOGOFF 194.103.142.82 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 12:43:57.787
LOGOFF **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:39:41.187
LOGOFF 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 12:36:58.877
LOGIN 109.176.195.67 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 2016-04-02 12:31:41.697
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:31:30.597
LOGOFF **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:31:12.633
LOGIN 194.103.142.82 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 12:13:55.107
LOGIN 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:59:37.770
UNKNOWN_IP_LOGOFF 134.3.254.67 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:17:09.710
LOGIN 109.91.101.14 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:15:17.143
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-01 19:20:22.410
LOGIN **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-01 16:03:34.063
LOGIN 2.100.168.93 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-01 05:15:42.980
I have two machines; the one in my bedroom runs Linux Mint:
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0
The one in my living room also runs Mint, but I had to change the UI to get Netflix to run:
Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0
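As an added example, not code from this thread or from Bittrex, here is a small Python triage script for the login-history format shown above (EVENT, IP, user-agent, timestamp): it parses the entries, flags the ones whose IP or browser is not the account owner's, and counts which foreign user-agent recurs across IPs, which is the common denominator richie asks people to look for. The sample entries are copied from the post above; the known-browser and known-IP sets are the poster's own, as listed there.

```python
import re
from collections import Counter
from datetime import datetime

# Sample entries copied from the login history posted in this thread (EVENT IP USER-AGENT TIMESTAMP).
SAMPLE_LOG = """\
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:45:36.673
LOGIN 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:59:37.770
LOGIN 194.103.142.82 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 12:13:55.107
DISABLE_2FA **.**.76.98 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-02 14:16:15.100
LOGIN 109.91.101.14 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:15:17.143
LOGIN 109.176.195.67 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 2016-04-02 12:31:41.697
LOGIN 2.100.168.93 Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0 2016-04-01 05:15:42.980
"""

# The poster's own two browsers and own (obfuscated) IP, as listed in the post.
KNOWN_UAS = {
    "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20131011 Firefox/23.0",
}
KNOWN_IPS = {"**.**.76.98"}
# Account-changing events that matter most when they come from a foreign source.
SENSITIVE = {"DISABLE_2FA", "ENABLE_2FA", "PENDING_2FA"}

# event, ip, free-text user-agent, then a trailing "YYYY-MM-DD HH:MM:SS.fff" timestamp
LINE_RE = re.compile(r"^(\S+) (\S+) (.+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)$")


def parse(log_text):
    """Split each line into event, ip, ua and a datetime; return entries oldest first."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a log entry
        event, ip, ua, ts = m.groups()
        entries.append({"event": event, "ip": ip, "ua": ua,
                        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")})
    return sorted(entries, key=lambda e: e["time"])


def triage(entries, known_ips=KNOWN_IPS, known_uas=KNOWN_UAS):
    """Flag entries whose IP or browser is not the owner's, and count recurring foreign UAs."""
    foreign = []
    for e in entries:
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("unknown_ip")
        if e["ua"] not in known_uas:
            reasons.append("unknown_ua")
        if reasons:
            foreign.append((e, reasons))
    # One UA recurring across several unrelated IPs is the kind of common denominator worth
    # reporting; a 2FA change from a foreign source calls for an immediate password/2FA reset.
    ua_counts = Counter(e["ua"] for e, _ in foreign)
    sensitive = [e for e, _ in foreign if e["event"] in SENSITIVE]
    return {"foreign": foreign, "ua_counts": ua_counts, "sensitive_foreign": sensitive}
```

On the sample, the 2FA changes come from the owner's own IP and browser, so they are not flagged, while the Chrome/49 WOW64 string is the user-agent that recurs across two foreign IPs.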
Everyone is ready? The maintenance will end soon... I feel it....
When it does go live, everyone enable 2FA if you haven't already.
Good swerve. I don't think my machine was compromised, I didn't download any dodgy software; all my software comes from official repos or GitHub. The login log files show it wasn't just my browser logged in yesterday. I will admit that I did not have 2FA enabled, that was my only mistake. Why not make 2FA mandatory? You can disengage, you and your exchange are losing credibility by the second.
This is a weird mystery, and where are the reports of failed login attempts? AKA: email notifications for 2FA users.. get it?
Apparently I am FUD'ing.. I like to call it scientific procedure.
Being an inside job at Bittrex has not been ruled out. Nor has Bittrex itself being hacked. Sorry Bittrex guys, but that is the truth.. your "word" is just not going to cut it.
I wish I had local access to all machines to check them out for you all.
I'd like to see the OP maybe build a profile of sorts. Start by listing any downloaded/compiled crypto programs such as miners or wallets. And maybe list your browser + OS too.. and if 2FA was on. (plus IPs of course)
What is it here now, 3 guys that have come forward?
From the sounds of it I think the blame is either on Bittrex or the local users. And more & more I am thinking it was a staff member behind it. Maybe skimming account funds for ages with "you got hacked" stories. But whoever is doing it started doing it too much lately.
Bittrex, you don't get the benefit of the doubt.. nobody in crypto does. That is what I call common sense.
I hope that your theory is not true, bittrex has been a pretty solid exchange, but if it is true then it would be the end for them. Even if it was true, how would we prove it?
Does anyone know if it is easy to disable 2FA in case you lose your phone?
You need to write the private key on some paper and store it in a safe place, doesn't matter if you lose your phone then.
leigh2k14,
Did you use the same email and password for any mining pool or other sites?
No, I haven't mined for quite some time. It's unique to Bittrex.
So are you telling us that your computer was hacked and that is how you lost your BTCs, right? If you have a unique password for Bittrex, then it is the only possible way.
We are still trying to establish whether it was our machines that were hacked or Bittrex; having a password unique to Bittrex doesn't make it unhackable.
I just had a thought: if this attack was initiated from my machine, then why weren't any of my other exchange accounts affected? Why just Bittrex?
Good question, indeed! Now that I have changed all passwords, turned on 2FA all over, even for my microwave, bought a big pack of condoms and such, may I also ask the same: why only Bittrex?
You might wanna double bag those condoms, just to be sure.
hmm interesting how this is turning out. I have sort of known Ryan and chatted with him a bunch of times last few years. And best i could tell he seemed like an honest guy.
I last talked to him i think on Cryptsy's Freenode IRC channel. Where i do know Bittrex-Ritchie hangs out (and i believe is higher up than Ryan)
SO you *may get answers if you go on IRC and find Ritchie.
So i checked my account and it was fine and i have no 2fa either. I also have maybe $20 worth of coins LOL
But this got me thinking: if a hacker is trying multiple accounts, why has no one come forward saying they got alerts from failed login attempts? Like how would you know the account has 2FA or not unless you TRIED logging in? Like I have used my email on places and I notice some attempts randomly to get into my Steam account (all failed). Point being is I get a validation email + warning etc.
So if no one is getting any alerts then how the fuck does the hacker know how to choose only accounts with no 2fa.. unless they work there LOL
I could work at an exchange then rip-off all kinds of guys and i would of course pick the guys with no 2fa then i would tell them all well you got hacked noobs.. fix your Norton + updates yur Bitcointalk !
Interesting theories, I'm leaning towards the Bittrex servers being compromised, and the hacker is picking off all the accounts without 2FA with at least 1 BTC in them. I think your $20 is safe lol. On other exchanges I get login successful or failed email notifications, not on Bittrex though. How does the attacker know if the account has 2FA? Unless they try logging on to them one by one.
Firstly, please stop trying to generate FUD; it's completely unproductive. If our servers were compromised, there are way easier ways to get your money out. It doesn't make any sense. What I can tell you is that there have been multiple accounts hacked with the same pattern, all within the last 48 hours. I can also tell you that none of the affected accounts had logins from suspicious or unknown IPs, which leads us to believe it is a rooted machine vs credential loss. Lastly, this isn't specific to an OS based on the UA strings we've seen, which points to some kind of browser plugin/toolbar. Please crowdsource this to figure out commonalities and please turn on 2fa if you do not have it on. Thanks
richie@bittrex
UNKNOWN_IP_LOGOFF 109.93.135.147 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 15:06:14.713
LOGIN 194.204.45.101 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-01 14:01:36.360
I just noticed something similar on my logs:
LOGIN 87.126.174.177 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 2016-04-02 11:59:37.770
That's not my browser, this is me:
LOGIN **.**.76.98 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0 2016-04-02 12:45:36.673
It's 200k market cap dude, coinmarketcap calculates with the old supply. It's because DES did a coin swap; right now there are like 1.6 million DES in total.
Thanks for letting me know, has someone contacted coinmarketcap to get them to change that? Is there a DES block explorer with updated figures?
Coinmarketcap needs the block explorer to update.
Is there a block explorer?
Not yet, we're waiting on the dev to build it.
The DES swap was for 10 times the amount?
Yes
Hi jase, did you notice a 333K dump of BCR yesterday? That was the thief dumping my bag. Hope BCR doesn't start to go up in value while I try to buy more.
I can't say exactly how many accounts were affected, but it is an uptick from our normal volumes. I have no clue why nothing else was affected, but I've sent your logs to you via the ticket. If you want to ask any other questions, feel free to find us in our Slack - slack.bittrex.com. Thanks,
richie@bittrex
Please keep us updated if you find out any more info.
Errrr, I feel violated.
Thanks for the reply richie. Means this is a cross-platform attack, and the attack was from user IPs (yet to be confirmed); some sort of browser plugin hack makes more sense. Just checked my browser plugins in Firefox, I didn't see anything that wasn't supposed to be there, that being said they could have modified an existing plugin. Please mail the affected users with their login logs so we can double check that it was an attack initiated from our local machines. So how many accounts have been affected? I suggest that all people affected reformat your OS, it can't be trusted anymore.