**OFFICIAL? - My BTC-e Account Got Hacked and All Funds Stolen thread

[bitbadger]

I too am currently attemping to withdraw my funds from BTCe.

I only signed up for an account with them a few weeks back but I've already formed a bad impression of their service.

As said by others here, you get cryptic one or two word replies from their support in bad English which are hard to decipher the meaning of.

Their web interface is threadbare and does not inspire confidence.

Nor does the fact that they are based in Russia inspire confidence. I don't think I'm being prejudiced here, but I do not trust businesses that are based in Russia.

Ive already having bad experiences right now with an exchange in Western Europe and their incompetence.

God knows what a Bitcoin exchange in Russia will manage to cook up by comparison.

So I'm out.

[jargoman]

I found this piece of javascript in an html file that mysteriously appeared on my computer after clicking a trollbox link. I still have my coins but do believe someone hacked or attempted to hack me. It seems that multiple exploits are being used. Can someone confirm my suspicion that this is malicious javascript?

Code:

 <script id="swift_action_queue">
          (

	function(){
		function f(a){	

			a=a || window.event;

			if(!a)return;

			!a.target&&a.srcElement&&(a.target=a.srcElement);

			if(!j(a))return;

			if(!document.addEventListener){
				var b={};
				for(var c in a)b[c]=a[c];

				a=b
			}

			a.preventDefault=a.stopPropagation=a.stopImmediatePropagation=function(){};

			d.push(a);

			return!1
		}

		function g($){
			i();

			for(var b=0,c;c=d[b];b++){
				var e=$(c.target);
				if(c.type=="click"&&c.target.tagName.toLowerCase()=="a"	){	
					var f=$.data(	e.get(0),"events"),g=f&&f.click,j=!c.target.hostname.match(a)||!c.target.href.match(/#$/);

					if(!g&&j){
						window.location=c.target.href;
						continue
					}
				}

				e.trigger(c)
			}

			window.swiftActionQueue.wasFlushed=!0
		}


		function i(){	
			e&&clearTimeout(e);
			for( var a=0; a<c.length; a++) document["on"+c[a]]=null

		}


		function j(c){

			var d=c.target.tagName.toLowerCase();

			if(d=="label") if(c.target.getAttribute("for")){ var e=document.getElementById(c.target.getAttribute("for"));


			if(e.getAttribute("type")=="checkbox")return!1
			}else for(var f=0;f<c.target.childNodes.length;f++)if((c.target.childNodes[f].tagName||"").toLowerCase()=="input"&&c.target.childNodes[f].getAttribute
("type")=="checkbox")return!1;	if(d=="textarea"||d=="input"&&c.target.getAttribute("type")=="text"||c.target.getAttribute("contenteditable")=="true")if(c.type.match(b))return!1;return c.metaKey?!1:c.clientX&&c.shiftKey&&d=="a"?!1:c.target&&c.target.hostname&&!
c.target.hostname.match(a)?!1:!0}var a=/^([^\.]+\.)*twitter.com$/,b=/^key/,c=["click","keydown","keypress","keyup"],d=[],e=null;for(var k=0;k<c.length;k++)document["on"+c[k]]=f;setTimeout(i,1e4);window.swiftActionQueue={flush:g,wasFlushed:!1}})();
        </script>
        <script id="composition_state">
          (function(){function a(a){a.target.setAttribute("data-in-composition","true")}function b(a){a.target.removeAttribute("data-in-composition")}if(document.addEventListener){document.addEventListener("compositionstart",a,!1);document.addEventListener("compositionend"
,b,!1)}})();
        </script>

[bradmurmz]

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

[jargoman]

Look at the source for twitter.com... Not sure where you got that from, but its just code from twitter.

That code was found on my computer. It may be created by twitter but I believe someone is using it as a xss attack. The line b=/^key/,c=["click","keydown","keypress","keyup"]  suggests it's a key logger (maybe I am wrong). I'm thinking the attack goes like this. attacker posts a malicious link, it attampts to launch a java 0day to install a backdoor trojan. If that doesn't succeed it drops a phishing page outside the javascript sandbox probably by using the java 0day. Then the victim may then be tricked into clicking the locally dropped file which would run out side the sandbox. Then the attacker would ddos btce or use some other exploit to cause the user to become logged out. When the user quickly logs back in the attacker has the javascript running in another tab listening to windowing events outside the sand box and successfully retrieving their password.

Either a, there are multiple attackers using different methods, or there is a modern toolkit that is at work here.

[ryantc]

for the record, just lost about 30 TRC from my account,

so change all coins to BTC and transfer to mtgox (safer? maybe?)

never store a penny in that exchange wallet, ever again.

[Unclegogi]

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

[crazy_rabbit]

This night 100TRC were stolen from my account.
Password was unique and strong, it was not used on other services, it did not have some parts from my user name or e-mail,
I didn't give it to anyone, there are no viruses on my PC, I did not click any bad links, javascript is switched off via noscript.

Did you check the alt-forum thread about the TRC fork? Maybe your TRC wasn't really ever "real" in the first place. You might have bought fake TRC.

[Pingonious]

I was hacked as well on 4/17. Has anyone had any luck with BTC-e support on the issue?

[ZephramC]

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e.

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

[Pingonious]

First MtGox delays, then bitcoin-24.com, then terracoin ASICwars (and terrawallet), slush DDoS, now BTC-e.

I do not know if I have been hacked, but I cannot get to my finances, balance, account setting. Written to BTCe support several minutes ago and waiting for reply.

I have been waiting a few days for a new reply from them.

[joesmoe2012]

Just enabled email confirm on withdraws thanks for te heads up guys.

[tigerfree]

i just lost 3.3 btc FUCK BTC-e there db is leaked

[crazy_rabbit]

i just lost 3.3 btc FUCK BTC-e there db is leaked

just now?

[joesmoe2012]

This hap

i just lost 3.3 btc FUCK BTC-e there db is leaked

More info please. You posted this very vague sentence in a couple of BTC-e threads, please substantiate a bit.

[mr_random]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

[phr0stbyt3]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

[mr_random]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

[phr0stbyt3]

Just as a heads up to people, if you adjust your account settings so that you need to be sent an email to make a withdrawal, a hacker who gains access can't change your email address until you validate the change email request via a link sent to your email. So the hacker will need to hack your email address too. If you set up google 2 factor authentication on your email this should be nigh-on impossible unless the hacker gains access to your phone as well.

This was not the case when my account got breached, or it was just simply bypassed. My email and password were changed, and funds withdrawn.

Just an update, I can't get any responses from BTC-e support that have more than a few words of broken english, so I will consider my 4.55 BTC lost as a hard lesson learned:
if it looks like a website from the aol 5.0 era, it's probably just as secure.

Hmm. I've tested this on my account and if I have the 'Withdraw only with request on E-Mail' enabled, to then change the email address or turn off the 'Withdraw only with request on E-Mail' I have to confirm the change by email (This is the first thing I checked months back when I joined btc-e.com, because I realised otherwise it makes the whole email confirmation feature unsafe and pointless if a hacker accesses your acount). Not calling you are a liar but are you absolutely sure you had the 'Withdraw only with request on E-Mail' enabled? If I gave a hacker my password he wouldn't be able to withdraw my funds because he needs my email account to disable the withdraw protection.

Withdraw on email, in this case, is a moot point. The attacker was able to compromise my account, change my password and then change the email address on the account as demonstrated by not being able to reset my password until talking to support 24 hours later.

Withdraw on email does nothing if you can just change the email address.

[TimJBenham]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

[TsuyokuNaritai]

Withdraw on email does nothing if you can just change the email address.

Change of email address should always be notified to the old email address.

Notified isn't much good. Does it require email confirmation to change the email address?