Bitcoin Forum
Author Topic: Extremely easy to have coins stolen on Bitfinex!  (Read 765 times)
MistuhSoftee (OP)
Newbie
July 18, 2015, 02:02:41 PM
 #1

My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.
jdebunt
Legendary
July 18, 2015, 02:09:51 PM
 #2

How can they execute trades if his account has 2FA? He must have had orders open then I assume? (never used BitFinex before)
TinEye
Hero Member
July 18, 2015, 02:11:00 PM
 #3

I think you should enable 2FA on your email too, or the security that Microsoft is offering where you have another email doing the security and the back-up part, although I can't understand how they gained access to the email; you didn't explain this very well.

In any case you should avoid using random mail on the web; Gmail for example is well known and offers better security.
MistuhSoftee (OP)
Newbie
July 18, 2015, 02:46:46 PM
 #4

He used Gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
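The first post and post #4 together describe the mechanism: a second factor that gates only withdrawals leaves password reset, login and trading reachable from a compromised mailbox, and the balance is then moved out through many slightly losing trades against one counterparty. The following is an added example, not code from the thread, from Bitfinex or from any poster, showing the two defensive checks an exchange could apply to that pattern: a step-up authentication policy evaluated against the takeover chain, and a detector that scans a fill log for an account bleeding value to a single counterparty. The policy names, thresholds, account names and the trade log are all constructed for illustration.

```python
"""Added example (not code from the thread or from Bitfinex): two defensive
checks against the takeover-by-email pattern described in posts #1 and #4.
Policy names, thresholds and the trade log below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Which account actions require a second factor. WEAK_POLICY mirrors the
# thread: 2FA protects withdrawals only, so a password reset driven from a
# compromised mailbox, the login that follows, and trading all go through.
WEAK_POLICY = frozenset({"withdraw"})
HARDENED_POLICY = frozenset({"password_reset", "login", "trade", "withdraw"})

TAKEOVER_STEPS = ("password_reset", "login", "trade")  # the chain from post #1


def first_blocked_step(policy, has_second_factor=False):
    """Replay the takeover chain against a policy. Returns the first step the
    policy refuses to a caller without a second factor, or None if every
    step is allowed (i.e. the account can be drained from the mailbox alone)."""
    for step in TAKEOVER_STEPS:
        if step in policy and not has_second_factor:
            return step
    return None


@dataclass(frozen=True)
class Trade:
    ts: int            # constructed timestamp (seconds)
    account: str       # the account whose books we are checking
    counterparty: str  # who filled the order
    side: str          # "buy" or "sell" of the base asset, from account's view
    base_amount: float
    price: float       # quote units paid per base unit


def quote_flow(trade):
    """Net quote-currency change for the account on one fill: a sell brings
    quote in, a buy sends it out."""
    value = trade.base_amount * trade.price
    return value if trade.side == "sell" else -value


def detect_drain(trades, account, min_trades=10, max_loss=0.05):
    """Flag counterparties to which `account` lost at least `max_loss` quote
    units over at least `min_trades` fills. Many fills, each slightly
    adverse and all against one counterparty, is the shape of the drain in
    the thread (round-trips at a slightly worse price, thousands of times)."""
    per_cp = defaultdict(lambda: {"trades": 0, "net_quote": 0.0})
    for t in trades:
        if t.account != account:
            continue
        bucket = per_cp[t.counterparty]
        bucket["trades"] += 1
        bucket["net_quote"] += quote_flow(t)
    return {cp: s for cp, s in per_cp.items()
            if s["trades"] >= min_trades and s["net_quote"] <= -max_loss}


def constructed_log():
    """Constructed fill log in a DRK/BTC market (quote = BTC). Against
    "mallory", alice buys 100 DRK at 0.0050 and sells them back at 0.0048,
    losing 0.02 BTC per round-trip, six times. Against "bob" she makes one
    ordinary, profitable round-trip."""
    log = []
    ts = 0
    for _ in range(6):
        log.append(Trade(ts, "alice", "mallory", "buy", 100, 0.0050)); ts += 1
        log.append(Trade(ts, "alice", "mallory", "sell", 100, 0.0048)); ts += 1
    log.append(Trade(ts, "alice", "bob", "buy", 100, 0.0050)); ts += 1
    log.append(Trade(ts, "alice", "bob", "sell", 100, 0.0051))
    return log


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: first step blocked without 2FA = {first_blocked_step(policy)}")
    print("flagged:", detect_drain(constructed_log(), "alice"))
```

Under the weak policy the replay returns None, meaning nothing in the chain ever asks for the second factor; under the hardened policy it stops at the password reset, which is the step the mailbox alone unlocks. The detector flags "mallory" (12 fills, about 0.12 BTC lost) and ignores "bob", so a threshold on per-counterparty net loss would catch the drain long before thousands of trades had gone through; in production the same aggregation would run over a sliding time window rather than the whole log.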
achow101
Staff, Legendary
July 18, 2015, 03:57:27 PM
 #5

Quote
He used Gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
They don't require 2FA to login? That is pretty stupid.

Serpens66
Legendary
July 18, 2015, 04:54:13 PM
 #6

Quote
He used Gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
Quote
They don't require 2FA to login? That is pretty stupid.

Bitfinex does require 2FA for login (at least you can set it up this way).

Karpeles
Legendary
July 18, 2015, 11:10:39 PM
 #7

Usually sites require personal information to disable 2FA. They managed to get such information, or only his email?

And why not add 2FA in the email too???
achow101
Staff, Legendary
July 18, 2015, 11:14:16 PM
 #8

Quote
He used Gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.
Quote
They don't require 2FA to login? That is pretty stupid.
Quote
Bitfinex does require 2FA for login (at least you can set it up this way).

Then how was an attacker able to login to Bitfinex?

photon_coin
Sr. Member
July 19, 2015, 12:32:52 AM
 #9

The safest place for any coin is locked in a Qt wallet.

PolarPoint
Hero Member
July 19, 2015, 01:18:15 AM
 #10

Your friend's Gmail account was hacked, and used to reset the password of his Bitfinex account. That wasn't Bitfinex's fault. It's like asking for a refund for having a weak password.

The person who took up those bid and offer trades would have financial gains on his other account, but there is no way to prove he was the hacker.
Amph
Legendary
July 19, 2015, 09:59:19 AM
 #11

Quote
The safest place for any coin is locked in a Qt wallet.

The point is that he needs coins to trade, so this suggestion is off topic.

Quote
He used Gmail, and it was hacked.  2FA is not required for trades, only for withdrawals.  So the 2FA did its job in keeping the coins from being withdrawn.  However the hackers were smart enough to realize this, and siphoned the money away through bad trades into their own trading account.

I'm also one of those who think that you should preserve your computer before anything else. If he downloaded something shady in the last few days then it's only his fault. Use a dedicated desktop for trading and for storing your bitcoin, and don't install or click ANYTHING when you use this machine.
Herbert2020
Legendary
July 19, 2015, 10:13:51 AM
 #12

Quote
My friend recently had his coins stolen on BFX. Given how it happened hackers can apparently drain your account with as little as control of your email.

sorry to hear that.

Quote
1. He had 2FA enabled
2. The ONLY thing the hackers needed was control of the email.

How did they log in to his account since it needs 2FA to log in?

Quote
Presumably they started by gaining access to the email, searched that he had received emails from BFX before, reset his pw, then gained control of his account.  Because he had 2FA enabled, they used a trading algo to make the worst trades possible matched up with their own personal account at BFX until all the coins were drained.  For example they would trade BTC --> DRK  and then trade the DRK --> BTC back at a slightly worse price matched with their own algo and doing thousands of trades until all the money is gone.

How long did these thousands of trades take, that he didn't realize his account was compromised?

Quote
Bitfinex has REFUSED TO REFUND his coins.  So they are setting precedent that they will REFUSE TO REFUND YOUR COINS AS WELL.  I would suggest staying away from them and say that this is one reason bitcoins will never ever become mainstream.

It is a very well-known fact that you should never keep your coins at any exchange. There have been a lot of hacks, alleged hacks, and scams that make everybody think twice before considering keeping coins at an exchange.