Bitcoin Forum
November 02, 2024, 12:10:24 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Extremely easy to have coins stolen on Bitfinex!  (Read 793 times)
MistuhSoftee (OP)
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
July 18, 2015, 02:02:41 PM
 #1

My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.
jdebunt
Legendary
*
Offline Offline

Activity: 1596
Merit: 1010


View Profile WWW
July 18, 2015, 02:09:51 PM
 #2

How can they execute trades if his account has 2FA? He must have had orders open then I assume? (never used BitFinex before)
TinEye
Hero Member
*****
Offline Offline

Activity: 639
Merit: 500



View Profile
July 18, 2015, 02:11:00 PM
 #3

i think you should enable 2fa to your email too or the security that microsoft is offering where you have another email doing the security and the back-up part, although i can't understand how they gained the access of the email, you didn't explain this very well.

in any case you should avoid using random mail on the web, gmail for example is well known and offer better security




                                                                    ▄▄▄▄▄▄▄▄▄
                                                                   ▄█████████                  ██████
                                                                   ███    ███                 ██   ██
         ████████████████████████████████████████████████████████████    ██████████████████████   ████████▀
        ██            ▄█          █▄                 █▄          ███            █▄          █        ▄██▀
       ██            ██           ███                ██   ▄▄▄▄▄  ███            ██   ▄▄▄▄▄  ██   █████▀
       ██   █████    ██   ████   ████   ██     ██    ██   ▀▀▀▀   ██    ██████   ██   ▀▀▀▀   ██   ████▀
      ██    █████   ██    ████   ████   ██     ██   ██          ███   ██████   ██          ██   ████▀
      ██            ██           ███   ███    ███   ██    ▀▀▀▀▀▀███            ██    ▀▀▀▀▀▀██   ▀▀▀████
      ███           ██▄            █   ██     ██    ██▄          █             ▀█▄          ██      ███
       █████████   ████████████████████████████████████████████████████████████████████████████████████
      ██           ██
    ██▀           ███
  ████████████████▀
MistuhSoftee (OP)
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
July 18, 2015, 02:46:46 PM
 #4

He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrew.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
achow101
Staff
Legendary
*
Offline Offline

Activity: 3542
Merit: 6884


Just writing some code


View Profile WWW
July 18, 2015, 03:57:27 PM
 #5

He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrew.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
They don't require 2FA to login? That is pretty stupid.

Serpens66
Legendary
*
Offline Offline

Activity: 2954
Merit: 1131



View Profile
July 18, 2015, 04:54:13 PM
 #6

He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrew.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
They don't require 2FA to login? That is pretty stupid.
bitfinex do require 2FA for login (at least you can set it up this way)

Mit Cointracking (10% Rabatt) behältst du die Übersicht über all deine Trades und Gewinne. Sogar ein Tool für die Steuer ist dabei Wink                          
Great Freeware Game: Clonk Rage
binance.com hat nun auch SEPA und EUR Paare! Mit dem RefLink bekommst du 5% Rabatt auf die Tradinggebühren!
Karpeles
Legendary
*
Offline Offline

Activity: 1162
Merit: 1000


View Profile
July 18, 2015, 11:10:39 PM
 #7

Usually sites require personal information to disable 2FA. They managed to get such information, or only his email?

And why not add 2FA in the email too???
achow101
Staff
Legendary
*
Offline Offline

Activity: 3542
Merit: 6884


Just writing some code


View Profile WWW
July 18, 2015, 11:14:16 PM
 #8

He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrew.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
They don't require 2FA to login? That is pretty stupid.
bitfinex do require 2FA for login (at least you can set it up this way)
Then how was an attacker able to login to Bitfinex?

photon_coin
Sr. Member
****
Offline Offline

Activity: 310
Merit: 256


Photon --- The First Child Of Blake Coin --Merged


View Profile WWW
July 19, 2015, 12:32:52 AM
 #9

safest place for any coin is locked in a qt wallet

PolarPoint
Hero Member
*****
Offline Offline

Activity: 672
Merit: 500


View Profile
July 19, 2015, 01:18:15 AM
 #10

Your friend's gmail account was hacked, and used to reset The password of his Bitfinex account. That wasn't Bitfinex's fault. It's like asking for refund for having a weak password.

The person who took up those bid and offer trades would have financial gains on his other account, but there is no way to prove he was the hacker.
Amph
Legendary
*
Offline Offline

Activity: 3248
Merit: 1070



View Profile
July 19, 2015, 09:59:19 AM
 #11

safest place for any coin is locked in a qt wallet

the point is that he need coin to trade, so this suggestion is off topic

He used gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrew.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

i'm also the one who think that you should preserve your computer before anything else, if he downloaded something shady in the last few days then it's only his fault, use a dedicated desktop for trading and for storing your bitcoin and don't install or click NOTHING when you use this machine
Herbert2020
Legendary
*
Offline Offline

Activity: 1946
Merit: 1137


View Profile
July 19, 2015, 10:13:51 AM
 #12

My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

sorry to hear that.

Quote
1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

how did they log-in his account since it needs 2FA to log-in?

Quote
Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

how long did this thousands of trades take that he didn't realize his account was compromised

Quote
Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.

it is a very well known fact that you should never keep your coins at any exchanger. there has been a lot of hacks, alleged hacks, and scams that makes everybody think twice before considering keeping the coins at an exchanger.

Weak hands have been complaining about missing out ever since bitcoin was $1 and never buy the dip.
Whales are those who keep buying the dip.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!