Stolen Bitfinex Coins on the Move

[DimiZb]

The Kraken has frozen 0.4BTC, but nobody knows if the other exchanges will all freeze the coins. I bet Coinbase chooses to freeze. I have never heard of Xzzx or quadrigaCX.

https://www.cryptocoinsnews.com/bitfinexs-hacked-bitcoins-move-5-recovery-bounty-offered/

Drew Samsen, Applications Team Leader at Bitfinex, told CCN that it appears coins have been moved to LocalBitcoins, Xzzx, BTC-e, Bitcoin.de, Coinbase, Kraken, CoinsBank and quadrigaCX. He further stated that Kraken has frozen 0.4BTC, but it is not clear whether some of the other exchanges will follow suite.

Hmm, the hacker must be not happy because exchanges will freeze his money, but we are happy because those exchanges which freezes the hacker's bitcoin is moral action, cheers for moral action in the community.

[miningdude]

I don't think its stolen funds ethier, because bitfinex just sitting and drinking a bleach probly they stole it from users and call it a hack or whatever they want to call that shit.

[Zadicar]

The Kraken has frozen 0.4BTC, but nobody knows if the other exchanges will all freeze the coins. I bet Coinbase chooses to freeze. I have never heard of Xzzx or quadrigaCX.

https://www.cryptocoinsnews.com/bitfinexs-hacked-bitcoins-move-5-recovery-bounty-offered/

Drew Samsen, Applications Team Leader at Bitfinex, told CCN that it appears coins have been moved to LocalBitcoins, Xzzx, BTC-e, Bitcoin.de, Coinbase, Kraken, CoinsBank and quadrigaCX. He further stated that Kraken has frozen 0.4BTC, but it is not clear whether some of the other exchanges will follow suite.

Hmm, the hacker must be not happy because exchanges will freeze his money, but we are happy because those exchanges which freezes the hacker's bitcoin is moral action, cheers for moral action in the community.

This is a nice action for the team leader of Bitfinex which he made some announcements regarding on this matter.Hackers would really have a hard time to encash those funds but still i could think of some ways that hackers would use to encash those coins.There are lots of local wallet provider Bitfinex would hardly to trace that specially if that wallet provider uses main wallet.

[deisik]

It is more about losing the traceability of the stolen coins (if we assume that they were really stolen). It doesn't matter into how many wallets you divide the coins, they can still be traced back to a wallet to which the coins allegedly had been moved by the hackers right after the hack. A simple program can easily do that, thus these coins will still remain tainted and can be frozen by any exchange or mixer that listens to or believes what Bitfinex is saying, i.e. that the coins from a certain wallet are theirs

Basically that. It really surprises me that there are still people not being able to understand that whatever you do with your coins, that everything can be traced quite easily. Another point of simple ignorace is the fact that they think these coins can be mixed, or be sent to an exchange where after that you convert these stolen coins into whatever altcoins. I can't think of any serious service or exchange that hasn't been notified about the addresses the stolen coins have been sitting in

Just like you're surprised at folks who can't understand that any transaction can be easily traced back to its origin, I'm no less surprised why people are as easily led to believe everything that Bitfinex says to us. Did they provide any evidence that the coins that have been recently reported as moving had actually been stolen from them? As a conspiracy theory, they (or someone closely affiliated with them) might have been moving the coins to test waters. Really, if they got frozen they are expected to get transferred back to Bitfinex. If not, they could be sold and their track thus would be lost for good...

In either case, Bitfinex is losing nothing if they are really behind this "hack"

[Immakillya]

The dàmage is already been made. Our trust is lost because of that incident. They should have did that earlier. Many months have passed and now they decided to chase the hacker. They are just doing this to catch our interest. Can they recover the stolen coins? I think it will take a very long time to happen.

[carlfebz2]

The dàmage is already been made. Our trust is lost because of that incident. They should have did that earlier. Many months have passed and now they decided to chase the hacker. They are just doing this to catch our interest. Can they recover the stolen coins? I think it will take a very long time to happen.

Agree,trust on bitfinex have been destroyed already but still they are making such move now because bitfinex are just monitoring on the wallet that the funds have been stored and now they saw that its moving they are making actions now but i believe and same as you mentioned i think its really hard to recover up those coins that have been stolen in the past.

[greentea]

Could someone please tell me how exchanges are going to know if they receive stolen bitcoins? is there some kind of alarm going off when they are deposited?

Most likely it will be the bitcoin community that alerts the exchange that the coins are moving or being deposited.

If all the coins go to poloniex or some exchange like that, the reddit community or someone will be all over the chatbox
telling the admins to investigate. 

They could also just use a simple API or transaction alert to notify them if coins are moving from those addresses into their exchange.

[HI-TEC99]

I still fully think that Bitfinex are the ones that stole those coins, I really HOPE they aren't but my gut says that this is all them.

I guess they're trying to get their name out a bit right now.

Yep, this has to be the most obvious inside job in Bitcoin history.

I'd like to know If Bitfinex user accounts have 2 Factor Auth. Because If That's the case, It'll be an inside man kinda hack. as Far as I know 2 Fact Authentication can't be breached except there's an inside man who acts as an accomplice. Either Bitfinex I believe some day, The truth will soon be out

They had 2FA but it is irrelevant in this case

Since the hacker could just have broken into their servers from outside and stolen the keys totally bypassing this method of authentication. The coins hadn't been stolen from someone's account (as you erroneously seem to assume), they had been purportedly stolen from Bitfinex cold wallet(s) itself (themselves). But what is highly suspicious here is that all these wallets require multisignature. That pretty much means that all the sigs had been reachable to the attacker (which is yet more fishy) or it was exactly that, the inside job

2FA is useless if a customer service representative at a telecom carrier is negligent and forwards or ports your phone number to a hacker’s device. It's a common reason for big hacks.

Customer service representatives who don't ask all the security questions they should often give hackers control of people's phone numbers.

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/

In all these cases, as with Kenna’s, the hackers don’t even need specialized computer knowledge. The phone number is the key. And the way to it get control of it is to find a security-lax customer service representative at a telecom carrier. Then the hacker can use the common security measure called two-factor authentication (2FA) via text. Logging in with 2FA via SMS is supposed to add an extra layer of security beyond your password by requiring you to input a code you receive via SMS (or sometimes phone call) on your mobile phone. All fine and dandy if you’re in possession of your phone number. But if it’s been forwarded or ported to your hacker’s device, then that code is sent straight to them, giving them the keys to your email, bank accounts, cryptocurrency, Facebook and Twitter accounts, and more.

Last summer, the National Institutes of Standards and Technology, which sets security standards for the federal government, “deprecated” or indicated it would likely remove support for 2FA via SMS for security. While the security level for the private sector is different from that of the government, Paul Grassi, NIST senior standards and technology advisor, says SMS “never really proved possession of a phone because you can forward your text messages or get them on email or on your Verizon website with just a password. It really wasn’t proving that second factor.”

[SaShiRaJaVu]

I don't think its stolen funds ethier, because bitfinex just sitting and drinking a bleach probly they stole it from users and call it a hack or whatever they want to call that shit.

May be it is true may be not. Either way the FBI is investigating the case and if it is an inside job sure they will catch the culprit as i think this is the only case investigated by the FBI when it comes to bitcoin exchanges.It is not that easy to recover the funds and if you check the history of bitcoin exchanges none of the coins have being recovered till now,so the hopes of recovery are very slim.

[BitHodler]

I don't think its stolen funds ethier, because bitfinex just sitting and drinking a bleach probly they stole it from users and call it a hack or whatever they want to call that shit.

May be it is true may be not. Either way the FBI is investigating the case and if it is an inside job sure they will catch the culprit as i think this is the only case investigated by the FBI when it comes to bitcoin exchanges.It is not that easy to recover the funds and if you check the history of bitcoin exchanges none of the coins have being recovered till now,so the hopes of recovery are very slim.

If it was actually an inside job, then Bitfinex has had enough time to set up a plan to distract the attention away from the majority of the stolen coins.

In that matter, Bitfinex is having a great advantage over every entity involved in the investigations. They can just point the investigators to certain addresses containing a few thousand coins to keep them busy.

In the worst case these investigations can take a few years if Bitfinex operators have done their job well. And in that time these coins will have been cleaned (if they haven't done so already).

But then again, I personally believe it was an inside job, but there is no proof despite the shady behavior of Bitfinex before and after the alleged theft. One thing however is certain, this exchange shouldn't be trusted anymore.

[pinkflower]

The mixer services are currently under scrutiny from most governments and they will possibly work with the authorities to identify

the people behind this hack. If they resist, they will just attract a lot of negative attention and they do not need that now. The

authorities do not need to ask nicely, they can just force them with a Subpoena through the courts. The exchanges is no problem,

because they already work with most governments, if they adhere to AML/KYC regulations.     

But think of a situation if they give in to the demands of the government of some country. This will also hurt the reputation of the BTC mixing service too. Most people from the darknet market will stop using them and what will happen? They might close down because of the pressure from the government or if theyre anonymous, they could run and hide with all the BTC they are holding becoming another scam. It could happen.

[Mometaskers]

They'll probably only be able to recover a small part of it, if ever. As for returning it to the owners, how would that exactly work? Are each single bit tagged? Hopefully even if they don't recover much, this would show the way on how exchanges and mixer operators can work together to foil thieves. I mean, there's no point stealing something if you can't gain anything out of it.

[Xester]

It is more about losing the traceability of the stolen coins (if we assume that they were really stolen). It doesn't matter into how many wallets you divide the coins, they can still be traced back to a wallet to which the coins allegedly had been moved by the hackers right after the hack. A simple program can easily do that, thus these coins will still remain tainted and can be frozen by any exchange or mixer that listens to or believes what Bitfinex is saying, i.e. that the coins from a certain wallet are theirs

Basically that. It really surprises me that there are still people not being able to understand that whatever you do with your coins, that everything can be traced quite easily. Another point of simple ignorace is the fact that they think these coins can be mixed, or be sent to an exchange where after that you convert these stolen coins into whatever altcoins. I can't think of any serious service or exchange that hasn't been notified about the addresses the stolen coins have been sitting in

Just like you're surprised at folks who can't understand that any transaction can be easily traced back to its origin, I'm no less surprised why people are as easily led to believe everything that Bitfinex says to us. Did they provide any evidence that the coins that have been recently reported as moving had actually been stolen from them? As a conspiracy theory, they (or someone closely affiliated with them) might have been moving the coins to test waters. Really, if they got frozen they are expected to get transferred back to Bitfinex. If not, they could be sold and their track thus would be lost for good...

In either case, Bitfinex is losing nothing if they are really behind this "hack"

It is unclear if bitfinex is involved with the lost bitcoins or they are also victims. Many are clamoring that they are possibly the perpetrator themselves and they just transferred the blame to hackers. This idea comes from the observation that bitfinex has not made a significant move to catch or trace this hackers on the run. The investors who lost their coins had not seen the sincerity of bitfinex pertaining this matter and so they believe that it was inside job definitely.

[deisik]

They had 2FA but it is irrelevant in this case

Since the hacker could just have broken into their servers from outside and stolen the keys totally bypassing this method of authentication. The coins hadn't been stolen from someone's account (as you erroneously seem to assume), they had been purportedly stolen from Bitfinex cold wallet(s) itself (themselves). But what is highly suspicious here is that all these wallets require multisignature. That pretty much means that all the sigs had been reachable to the attacker (which is yet more fishy) or it was exactly that, the inside job

2FA is useless if a customer service representative at a telecom carrier is negligent and forwards or ports your phone number to a hacker’s device. It's a common reason for big hacks.

Customer service representatives who don't ask all the security questions they should often give hackers control of people's phone numbers

Sad but totally true

I read a similar story when clients of a certain bank had their money stolen through this or similar method, through negligence of their mobile operator. I don't know all the technical details of that story but as I got it, hackers gained access to Internet banking by stealing logins and passwords of their victims, then managed to get SMS confirmations redirected to their phones and thereby they were able to successfully withdraw the funds. If I remember correctly, the bank in question had to refund the stolen money, though I'm not sure if it was entirely their decision or a court had demanded them to refund

[pinkflower]

They had 2FA but it is irrelevant in this case

Since the hacker could just have broken into their servers from outside and stolen the keys totally bypassing this method of authentication. The coins hadn't been stolen from someone's account (as you erroneously seem to assume), they had been purportedly stolen from Bitfinex cold wallet(s) itself (themselves). But what is highly suspicious here is that all these wallets require multisignature. That pretty much means that all the sigs had been reachable to the attacker (which is yet more fishy) or it was exactly that, the inside job

2FA is useless if a customer service representative at a telecom carrier is negligent and forwards or ports your phone number to a hacker’s device. It's a common reason for big hacks.

Customer service representatives who don't ask all the security questions they should often give hackers control of people's phone numbers

Sad but totally true

I read a similar story when clients of a certain bank had their money stolen through this or similar method, through negligence of their mobile operator. I don't know all the technical details of that story but as I got it, hackers gained access to Internet banking by stealing logins and passwords of their victims, then managed to get SMS confirmations redirected to their phones and thereby they were able to successfully withdraw the funds. If I remember correctly, the bank in question had to refund the stolen money, though I'm not sure if it was entirely their decision or a court had demanded them to refund

What about the kind of 2FA that uses the google authenticator app? Those are much safer than the ones used via SMS. Didnt one of the biggest investors of Ethereum and Augur get his cellphone hacked and had all his ETH and REP stolen? I dont know the whole story of what happened but it there was a blog from Kraken that said the hackers were able to receive his 2FA codes.

[deisik]

They had 2FA but it is irrelevant in this case

Since the hacker could just have broken into their servers from outside and stolen the keys totally bypassing this method of authentication. The coins hadn't been stolen from someone's account (as you erroneously seem to assume), they had been purportedly stolen from Bitfinex cold wallet(s) itself (themselves). But what is highly suspicious here is that all these wallets require multisignature. That pretty much means that all the sigs had been reachable to the attacker (which is yet more fishy) or it was exactly that, the inside job

2FA is useless if a customer service representative at a telecom carrier is negligent and forwards or ports your phone number to a hacker’s device. It's a common reason for big hacks.

Customer service representatives who don't ask all the security questions they should often give hackers control of people's phone numbers

Sad but totally true

I read a similar story when clients of a certain bank had their money stolen through this or similar method, through negligence of their mobile operator. I don't know all the technical details of that story but as I got it, hackers gained access to Internet banking by stealing logins and passwords of their victims, then managed to get SMS confirmations redirected to their phones and thereby they were able to successfully withdraw the funds. If I remember correctly, the bank in question had to refund the stolen money, though I'm not sure if it was entirely their decision or a court had demanded them to refund

What about the kind of 2FA that uses the google authenticator app? Those are much safer than the ones used via SMS. Didnt one of the biggest investors of Ethereum and Augur get his cellphone hacked and had all his ETH and REP stolen? I dont know the whole story of what happened but it there was a blog from Kraken that said the hackers were able to receive his 2FA codes

I don't really know, so I can't say anything of substance on this matter

I never used the Google authenticator before, and somehow I considered SMS verification a more reliable and safe method of confirming transactions. Are you sure that it is a really much better way of authenticating (probably, I should look deeper into the matter myself). On the other hand, if someone gets his phone hacked, wouldn't Google auth be as risky to use on this phone? Anyway, it would be beneficial for all if someone more knowledgeable than me chimed in on this

[Carlton Banks]

What about the kind of 2FA that uses the google authenticator app? Those are much safer than the ones used via SMS. Didnt one of the biggest investors of Ethereum and Augur get his cellphone hacked and had all his ETH and REP stolen? I dont know the whole story of what happened but it there was a blog from Kraken that said the hackers were able to receive his 2FA codes.

For using the Google Authenticator 2FA protocol, you don't need a device that's connected to the internet, it just needs to be set to the correct time and date. So, you could mitigate attacks against a phone by keeping a separate phone specifically for your 2FA keys and app, that has no SIM or any WiFi connection.

I would recommend against using Google's closed source Authenticator client on a phone connected to the internet/phone network, but it's probably not an issue for an air-gapped phone. FreeOTP is a good open source authenticator that uses Google's protocol, if you're wanting to use an open source client.

[deisik]

What about the kind of 2FA that uses the google authenticator app? Those are much safer than the ones used via SMS. Didnt one of the biggest investors of Ethereum and Augur get his cellphone hacked and had all his ETH and REP stolen? I dont know the whole story of what happened but it there was a blog from Kraken that said the hackers were able to receive his 2FA codes.

For using the Google Authenticator 2FA protocol, you don't need a device that's connected to the internet, it just needs to be set to the correct time and date. So, you could mitigate attacks against a phone by keeping a separate phone specifically for your 2FA keys and app, that has no SIM or any WiFi connection

That seems interesting

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely? Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

[Carlton Banks]

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely?

You could do that, although I would describe it as "safer", not absolutely safe. It's just a mouse move in the IT security cat & mouse game.

Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

I believe Play Store has it, but I get my FreeOTP app from the F-Droid Store

It uses the same protocol as GAuth. The principle is that the app creates a "One Time" access code that is only valid for a few minutes. The website checking the access code has a copy of your GAuth key (they gave it to you to begin with), and so they can ascertain that the code you provide to them is authentic. It (the access code) is essentially just your Gauth key and the current time/date run through a hashing algorithm (I think it's a multiple hash algo affair, the codes are shorter than the bitlengths of the hash algos used)
'

[deisik]

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely?

You could do that, although I would describe it as "safer", not absolutely safe. It's just a mouse move in the IT security cat & mouse game.

Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

I believe Play Store has it, but I get my FreeOTP app from the F-Droid Store

It uses the same protocol as GAuth. The principle is that the app creates a "One Time" access code that is only valid for a few minutes. The website checking the access code has a copy of your GAuth key (they gave it to you to begin with), and so they can ascertain that the code you provide to them is authentic. It (the access code) is essentially just your Gauth key and the current time/date run through a hashing algorithm (I think it's a multiple hash algo affair, the codes are shorter than the bitlengths of the hash algos used)

That seems to be the point that I was missing in understanding what GAuth is basically about (and needed to know). But in that case, I can't possibly see how it can be safer than sms verification. Essentially, the hacker just needs to steal your GAuth code (which is simply your access key) to confirm anything which you set to confirm with it. Indeed, you would still need access to a user account for which the access code is being generated but you would anyway need this access to make use of a successful phone hack. Therefore, I guess, we can compare the security of these two methods of authentication directly, and I don't see any advantages of Google Authenticator. Stealing this key is likely much easier than hacking a phone

What else am I missing here?