Multiple Bittrex accounts hacked everyone enable 2fa

[gloana]

I don't understand how a bittrex account got hacked while the email box was not touched because before you can withdraw funds, you have to approve the withdrawal from a link sent into your mail box. So how did the hacker withdraw without getting approval via that link?

That's a good question. Also interested in this.

[1714003451]

1714003451

[1714003451]

1714003451

[1714003451]

1714003451

[chilly2k]

I don't understand how a bittrex account got hacked while the email box was not touched because before you can withdraw funds, you have to approve the withdrawal from a link sent into your mail box. So how did the hacker withdraw without getting approval via that link?

That's a good question. Also interested in this.

    It looks like they traded the coins (rather badly) with another account.  That other account could then withdraw.  So in the below case.  He had XMR and AMP, but ended up with sling. 

Its not save with Bittrex, my account was hacked too.
Password: uniqe to Bittrex!
No 2-factor auth.

No other compromised account, no hacked e-mail as i know.
Using linux on all systems.

Lost about 7 BTC in AMP and XMR.
Bittrex: no help.

Insider Job?

What i have learned (very old advice): leave no money on exchanges!


For your information:

Code:

Login Time: 10/21/2016 06:50
IP Address: 2a03:b0c0:0003:00d0:0000:0000:1c0e:d001
User Agent: Mozilla/5.0 (Microsoft Windows NT 6.2.9200.0); rv:22.0) Gecko/20130405 Firefox/22.0 

then they did this transactions:

Code:

Closed Date	Opened Date	Market	Type	Bid/Ask	Units Filled 	Units Total 	Actual Rate 	Cost / Proceeds
10/21/2016 02:28:32 PM	10/21/2016 02:28:25 PM	BTC-SLING	Limit Sell	0.00003600	317.04699022	317.04699022	0.00003599	0.01138516
10/21/2016 02:28:15 PM	10/21/2016 02:28:15 PM	BTC-SLING	Limit Buy	0.00006900	317.04699022	317.04699022	0.00006899	-0.02193093
10/21/2016 02:27:57 PM	10/21/2016 02:27:48 PM	BTC-SLING	Limit Sell	0.00003600	610.71547174	610.71547174	0.00003599	0.02193079
10/21/2016 02:27:32 PM	10/21/2016 02:27:32 PM	BTC-SLING	Limit Buy	0.00006900	610.71547174	610.71547174	0.00006899	-0.04224470
10/21/2016 02:26:56 PM	10/21/2016 02:26:48 PM	BTC-SLING	Limit Sell	0.00003400	1245.59679507	1245.59679507	0.00003399	0.04224442
10/21/2016 02:26:38 PM	10/21/2016 02:26:38 PM	BTC-SLING	Limit Buy	0.00007100	1245.59679507	1245.59679507	0.00007099	-0.08865846
10/21/2016 02:26:03 PM	10/21/2016 02:25:53 PM	BTC-SLING	Limit Sell	0.00003333	2666.66581622	2666.66581622	0.00003332	0.08865778
10/21/2016 02:25:43 PM	10/21/2016 02:25:43 PM	BTC-SLING	Limit Buy	0.00007400	2666.66581622	2666.66581622	0.00007399	-0.19782660
10/21/2016 02:25:20 PM	10/21/2016 02:25:12 PM	BTC-SLING	Limit Sell	0.00003200	6197.52763099	6197.52763099	0.00003199	0.19782508
10/21/2016 02:24:59 PM	10/21/2016 02:24:58 PM	BTC-SLING	Limit Buy	0.00007100	6197.52763099	6197.52763099	0.00007099	-0.44112452
10/21/2016 02:24:37 PM	10/21/2016 02:24:25 PM	BTC-SLING	Limit Sell	0.00003200	13819.57341100	13819.57341100	0.00003199	0.44112078
10/21/2016 02:24:14 PM	10/21/2016 02:24:13 PM	BTC-SLING	Limit Buy	0.00007500	13819.57341100	13819.57341100	0.00007499	-1.03905917
10/21/2016 02:23:54 PM	10/21/2016 02:23:44 PM	BTC-SLING	Limit Sell	0.00003050	17253.62103694	17253.62103694	0.00003049	0.52491986
10/21/2016 02:23:21 PM	10/21/2016 02:23:21 PM	BTC-SLING	Limit Buy	0.00007500	17253.62103694	17253.62103694	0.00007499	-1.29725662
10/21/2016 02:22:53 PM	10/21/2016 02:22:44 PM	BTC-SLING	Limit Sell	0.00003056	17253.62103694	17253.62103694	0.00003055	0.52595248
10/21/2016 02:22:27 PM	10/21/2016 02:22:27 PM	BTC-SLING	Limit Buy	0.00007500	17253.62103694	17253.62103694	0.00007499	-1.29714334
10/21/2016 02:22:07 PM	10/21/2016 02:22:01 PM	BTC-SLING	Limit Sell	0.00003012	17153.62103694	17153.62103694	0.00003011	0.51537540
10/21/2016 02:21:43 PM	10/21/2016 02:21:43 PM	BTC-SLING	Limit Buy	0.00007500	17153.62103694	17153.62103694	0.00007499	-1.28973785
10/21/2016 02:21:30 PM	10/21/2016 02:21:24 PM	BTC-SLING	Limit Sell	0.00003011	17102.42451400	17102.42451400	0.00003010	0.51366662
10/21/2016 02:21:11 PM	10/21/2016 02:21:11 PM	BTC-SLING	Limit Buy	0.00007500	17102.42451400	17102.42451400	0.00007496	-1.28526196
10/21/2016 02:20:32 PM	10/21/2016 02:19:38 PM	BTC-SLING	Limit Sell	0.00003050	10614.87137900	10614.87137900	0.00003049	0.32294420
10/21/2016 02:19:49 PM	10/21/2016 02:19:48 PM	BTC-AMP	Limit Sell	0.00025800	7208.75669560	7208.75669560	0.00025909	1.86309939
10/21/2016 02:19:24 PM	10/21/2016 02:19:24 PM	BTC-SLING	Limit Buy	0.00007500	10614.87137900	10614.87137900	0.00007494	-0.79747907
10/21/2016 02:18:50 PM	10/21/2016 02:18:43 PM	BTC-SLING	Limit Sell	0.00003050	10899.80840078	10899.80840078	0.00003049	0.33161305
10/21/2016 02:18:34 PM	10/21/2016 02:18:34 PM	BTC-SLING	Limit Buy	0.00007500	10899.80840078	10899.80840078	0.00007499	-0.81952932
10/21/2016 02:18:12 PM	10/21/2016 02:18:07 PM	BTC-SLING	Limit Sell	0.00003050	10870.23084700	10870.23084700	0.00003049	0.33071319
10/21/2016 02:17:56 PM	10/21/2016 02:17:56 PM	BTC-SLING	Limit Buy	0.00007500	10870.23084700	10870.23084700	0.00007498	-0.81712997
10/21/2016 02:17:23 PM	10/21/2016 02:17:15 PM	BTC-SLING	Limit Sell	0.00003050	10766.45894396	10766.45894396	0.00003049	0.32755605
10/21/2016 02:16:50 PM	10/21/2016 02:16:50 PM	BTC-SLING	Limit Buy	0.00007450	10766.45894396	10766.45894396	0.00007396	-0.79835343
10/21/2016 02:16:29 PM	10/21/2016 02:16:23 PM	BTC-SLING	Limit Sell	0.00003050	10067.47784451	10067.47784451	0.00003049	0.30629043
10/21/2016 02:16:11 PM	10/21/2016 02:16:11 PM	BTC-SLING	Limit Buy	0.00006541	5007.88935140	5007.88935140	0.00006540	-0.32838409
10/21/2016 02:16:00 PM	10/21/2016 02:16:00 PM	BTC-SLING	Limit Buy	0.00006535	5059.58849311	5059.58849311	0.00006534	-0.33146361
10/21/2016 02:15:05 PM	10/21/2016 02:14:56 PM	BTC-SLING	Limit Sell	0.00003000	5145.22682156	5145.22682156	0.00002999	0.15397091
10/21/2016 02:14:46 PM	10/21/2016 02:14:46 PM	BTC-SLING	Limit Buy	0.00006526	5145.22682156	5145.22682156	0.00006519	-0.33630585
10/21/2016 02:14:20 PM	10/21/2016 02:14:14 PM	BTC-SLING	Limit Sell	0.00003000	5144.91112403	5144.91112403	0.00002999	0.15396147
10/21/2016 02:13:57 PM	10/21/2016 02:13:39 PM	BTC-SLING	Limit Buy	0.00006400	4351.91052082	4500.00000000	0.00006395	-0.27901762
10/21/2016 02:13:21 PM	10/21/2016 02:13:21 PM	BTC-SLING	Limit Buy	0.00006540	793.00060321	793.00060321	0.00005994	-0.04765391
10/21/2016 02:12:41 PM	10/21/2016 02:12:35 PM	BTC-SLING	Limit Sell	0.00003000	4297.17680816	4297.17680816	0.00002999	0.12859302
10/21/2016 02:12:21 PM	10/21/2016 02:12:21 PM	BTC-SLING	Limit Buy	0.00006526	1022.23344507	1022.23344507	0.00005999	-0.06148439
10/21/2016 02:11:37 PM	10/21/2016 02:11:36 PM	BTC-SLING	Limit Buy	0.00006526	3274.94336309	3274.94336309	0.00004500	-0.14774848
10/21/2016 02:11:20 PM	10/21/2016 02:11:19 PM	BTC-XMR	Limit Sell	0.01019861	484.15670224	484.15670224	0.01030000	4.97434709

[gloana]

Thanks for explaining this.

[Strongkored]

Setup my Bittrex account with 2fa now, i just think email verification for withdrawal is secure but double safety for my account is the best way, i hope all member should understand about security, always make different password with another account/make uniqe, setup account email with phone number verification, use 2fa for all exchange account

[Aesthete]

I have this version - I had an account on Crypsty with the same login and password. May be this database accounts from Crypsty came to bad guys?

request to the victims - you were on Crypsty with the same password?

[legendbtc]

Mine and another member of this forum have been hacked today, I lost 8BTC worth of alts, i'm not sure how much CosaNostra lost.

https://bitcointalk.org/index.php?topic=1416068.msg14399775#msg14399775

And before you ask, no I did not have 2fa set up (lesson learned).

Have any others been hacked?

Many people will start activating 2fa to their account after seeing your post, really very bad for those stupid who hacked. Many hardworking people used their mind to make some profits in trading, but these stupid people simply hacking account it is really unfair. Better send a support ticket to them atleast you will get back your account.

[DesertDuke]

I just saw this thread. I lost BTC on Bittrex too when I inadvertently clicked on a site that looked like Bittrex after I had googled 'Bittrex'.

Basically I was phished, the login page looked exactly like the Bittrex login page and when I entered my PW and 2FA I noticed that the miscreant then also had access to my Bittrex account and had placed all of my altcoins on AutoSell, it was frightening watching all of my coins get sold by someone else in real time !.

I was lucky however, I just managed to insert my own BTC address from another exchange and transferred the resulting BTC to it before the miscreant could transfer them out, with less than a second to spare. I lost some BTC from the autoselling which sold my coins at a knock down price.

Of course, in hindsight I could have just blocked the account by clicking on the auto email sent when I logged in but I panicked and wasn't conscious of that option at that time.

That was a frightening experience and now I ALWAYS check that the exchange website is the correct one. I ALWAYS use the virtual keyboard in the OS, ALWAYS use 2FA and different PW's for all accounts, ALWAYS use a completely separate email for exchanges than for day to day correspondence.  Good luck out there, it's a dangerous world ! DD

[ccs5t]

Just had my account hacked too. No idea how it happened . The hacker logged in an hour after I did and tried to trade my account down

[khufuking]

Just had my account hacked too. No idea how it happened . The hacker logged in an hour after I did and tried to trade my account down

Did you got hacked just now ? this is an old thread but from what you posting it is appear you got hacked now ! did you have your 2fa on ? please explain more i have an account there .

[Dogeboi3210]

leigh2k14,

Did you use the same email and password for any mining pool or other sites?

No, I haven't mined for quite some time.

It's unique to bittrex.

Yeah, passwords leaks are everywhere on the internet now. If you don't have 2FA to secure your coins, you deserve to get hacked.

[dissident]

I just saw this thread. I lost BTC on Bittrex too when I inadvertently clicked on a site that looked like Bittrex after I had googled 'Bittrex'.

Basically I was phished, the login page looked exactly like the Bittrex login page and when I entered my PW and 2FA I noticed that the miscreant then also had access to my Bittrex account and had placed all of my altcoins on AutoSell, it was frightening watching all of my coins get sold by someone else in real time !.

I was lucky however, I just managed to insert my own BTC address from another exchange and transferred the resulting BTC to it before the miscreant could transfer them out, with less than a second to spare. I lost some BTC from the autoselling which sold my coins at a knock down price.

Of course, in hindsight I could have just blocked the account by clicking on the auto email sent when I logged in but I panicked and wasn't conscious of that option at that time.

That was a frightening experience and now I ALWAYS check that the exchange website is the correct one. I ALWAYS use the virtual keyboard in the OS, ALWAYS use 2FA and different PW's for all accounts, ALWAYS use a completely separate email for exchanges than for day to day correspondence.  Good luck out there, it's a dangerous world ! DD

I bought a 2D barcode scanner on ebay. You can get them used for 20-50 bucks.  I created a 32 character password that is random gibberish, put it on a QR code, laminated it, and that's my lastpass password.   All of my website passwords are random gibberish created from GRC's random generator and I don't know any of my passwords (except forums, they are set up on a way where I can type them in). The ones for these exchanges are probably 15-20 characters long. An example password would be "S,!60$9RF.UN`_=0P  Lastpass fills them in so any fake websites the lastpass won't detect the site as valid.

2 factor is enabled on everything. The backup QR codes are stored in my safe deposit box. My lastpass recovery email address is a dedicated gmail account with it's own 32 character password, also protected by 2 factor authentication. I don't store that password on lastpass.   Basically everything is as secure as I would make it. To steal my shit they'd need my 2 factor authentication device, an old droid phone, my qr codes, stored in my wallet, along with my lastpass login email address, and they'd have to get all this and use it before I had a change to go and change the passwords.   I already have backup replacement passwords ready hidden in an undisclosed location of my house. Everything's as secure as I can make it.

[majsta]

Last night lot of strange things happened. In total about 168K of FTC, 17.5K VTC and bunch of other alts were stolen(destroyed) on bittrex from me. In total 11BTC worth.
All of this happened just after I applied for enhanced account verification, well maybe day after, and that is strangest thing.
Yes I didn't have 2FA, my bad but still I don't get what happened.
He didn't do any single withdraw, instead he was dumping my coins and buying them again at higher price. He was doing that for one hour, imagine that! before that he was logged in for 3 hours into my account doing nothing.
This could indicate buy - sell rotation and that in fact he was sending my coins over his bittrex account without withdrawing them then from there to send them over his account.
Final "sales" happened on ETH and REP.
Question is also this, how is possible that two persons can be logged in the same time to bittrex. Because I m always logged in, I didn't shut down my computer since last year, so keylogger or something is not an option. How is possible that someone could hack password who was unique and used only for bittrex. There is also captcha verification and he could pass it only if he had exact password, so brute force word list or something is also out of the question.
It started from:

Login Time: 05/09/2017 21:33
IP Address: 213.230.77.40
User Agent: okhttp/3.4.0

then:

Login Time: 05/09/2017 23:12
IP Address: 204.236.213.246
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Tracking down Ip address is just waste of time nowdays...
 
In total 80 buy/sale requests over various coins.
Here is how it started:




Then there is how ended:




Again what was the point of this if this wasn't something I said earlier to transfer coins to his own bittrex account. This was purely to destroy them all. Any thoughts on this matter?

[not.you]

Last night lot of strange things happened. In total about 168K of FTC, 17.5K VTC and bunch of other alts were stolen(destroyed) on bittrex from me. In total 11BTC worth.
All of this happened just after I applied for enhanced account verification, well maybe day after, and that is strangest thing.
Yes I didn't have 2FA, my bad but still I don't get what happened.
He didn't do any single withdraw, instead he was dumping my coins and buying them again at higher price. He was doing that for one hour, imagine that! before that he was logged in for 3 hours into my account doing nothing.
This could indicate buy - sell rotation and that in fact he was sending my coins over his bittrex account without withdrawing them then from there to send them over his account.
Final "sales" happened on ETH and REP.
Question is also this, how is possible that two persons can be logged in the same time to bittrex. Because I m always logged in, I didn't shut down my computer since last year, so keylogger or something is not an option. How is possible that someone could hack password who was unique and used only for bittrex. There is also captcha verification and he could pass it only if he had exact password, so brute force word list or something is also out of the question.
It started from:

Login Time: 05/09/2017 21:33
IP Address: 213.230.77.40
User Agent: okhttp/3.4.0

then:

Login Time: 05/09/2017 23:12
IP Address: 204.236.213.246
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Tracking down Ip address is just waste of time nowdays...
 
In total 80 buy/sale requests over various coins.
Here is how it started:




Then there is how ended:




Again what was the point of this if this wasn't something I said earlier to transfer coins to his own bittrex account. This was purely to destroy them all. Any thoughts on this matter?

The way I understand it is that they have orders in (on their own accounts) on some obscure coins that are far outside of the normal trading range.  If the market depth on those coins is low, then they can use another account to buy through the depth and hit their own posted trades.  So for example they have shitcoins listed at 1 BTC per shitcoin.  Shitcoin only sells for .0000001 BTC but the entire market depth of real sell orders is less than one BTC total.  So they use the stolen account to buy up all the shitcoins including the ones they have listed for 1 BTC from their own account.  Then when they switch back to their own account they have a profit from selling shitcoins for 1 BTC each.  Basically any coin that has low market depth can be used this way.

Bittrex is one of those exchanges that lets you be logged in on more than one computer at a time.  I sometimes have my work computer logged in even though my home computer is already logged in.  As opposed to poloniex which logs out any currently logged in session when a new one is logged in.

[marketone]

Setup my Bittrex account with 2fa now, i just think email verification for withdrawal is secure but double safety for my account is the best way, i hope all member should understand about security, always make different password with another account/make uniqe, setup account email with phone number verification, use 2fa for all exchange account

Now a days every exchange is facing same situation, so we have to care about your accounts by setting them with 2fa. We don't know exactly when fraud people will hack exchanges. So we have to be very careful and by setting 2fa.

[WarrEagle]

I've never been hacked, but always take the necessary precautions. 2FA is a no brainer, along with strong password security, also run MalwareBytes, they have the strongest detection engine and will usually catch the zero day stuff based on heuristics.

[betlord90]

Setup my Bittrex account with 2fa now, i just think email verification for withdrawal is secure but double safety for my account is the best way, i hope all member should understand about security, always make different password with another account/make uniqe, setup account email with phone number verification, use 2fa for all exchange account

Now a days every exchange is facing same situation, so we have to care about your accounts by setting them with 2fa. We don't know exactly when fraud people will hack exchanges. So we have to be very careful and by setting 2fa.

People thought that they are invincible from those attack and they doesn't want to take the hassle setting up the 2fa feature in their account but if they where been hit and compromised then im pretty sure that they will add that feauture immediately. Same on what happens to me i never setted up my 2fa until i've been hacked by unknown guy who spread some bounties and asking our email to received his freakin freebies and the result of that he breached unto my bittrex account and learned so many things after that hack.

[bosamfo]

So i was not crazy after all. The same thing happened to me yesterday (19th June, 2017) night too (close to midnight) although i have 2FA enabled with a verified account. Yes i have 2FA enabled even as i write, unbelievable but it happened. I posted in a group to warn members of my plight so they atleast move their hard earned money to their offline wallets and they laughed at me, and blamed for my loss 🙁

I did some search and realized i was not the only one on that day. Check this out: http://highoncoins.com/cryptocurrency-trading-tips/do-not-use-two-factor-authenticatoin-with-bittrex/#comment-12347

I hope in the future Bittrex enables the possibilities of withdrawal confirmation emails even with 2FA, so at least one would stand a chance against the hacker if once email account is not already compromised. Such is the case in Perfect Money and Coinpayments

So my advice is to please keep your hard earned coins/btc offline esp those you are holding for long term and not trading with.

Thank you

NB:
please do not belittle my comments, call me names, call me a liar or worse and think or say to yourself "this will never happen to me". Ask me last week and i would have sung the same song. This hacking business is real and it could happen to you. 

[M4nUnit]

Hi all!

I got hacked on 19th June too, around 1am. The hacker sold around 0.7btc of Altcoins to buy Bitcoin. 2FA was not enabled, I did it right now.
I don't understand something, I cannot see it in the login history.


The orders were sent around 1am, but nobody logged in during this 19th of June. How is this possible?


Any chance to recover these altcoins with Bitrex?

[enta2k]

I guess you mail got compromised too.
Sry I´m a bit late

You can´t be paranoid enough with altcoins, enable every security feature you can.

[Nicol3]

I think it's the safest thing to do in you enable 2fa on your bittrex account especially now there are a lot who have been hacked. So to be safe and won't regret afterwards then better place a 2fa asap.