130 BTC stolen from Bitstamp account

[mikef]

My Bitstamp account was compromised last night (Apr 30th). I was foolish enough to store 130 BTC there - without 2-factor authentication. So I can only blame myself. But I thought I'd write about this as I expect there are a lot of victims..

So I expect this is some kind of XSS attack similar to the BTC-e reports. I was not running noscript. Using Firefox 20.0.1 on winxp. The same exploit was probably targeting BTC-e users, because I got a login warning from 46.19.137.78 at 30.04.13 16:39. They have fortunately now forced email confirmation of withdrawals so I was not affected. Had I noticed this on time, I could have escaped the theft on Bitstamp.

I can see that someone logged in from 46.19.137.78 and 85.159.237.4 on my Bitstamp account. Funds were transferred to address 1FbXHeWdLfo6RSTV3xaMRYKGVTk9iLgiZc . Only funds stolen from my account have gone through that address.

Coins were moved immediately forward through several addresses. Following the transactions, I was surprised to see that everything ended up in the same address though: 1NwbXavc82UAg6qjYikQAcBMabEzKoGJxC . Currently, this account contains 2860 BTC, no withdrawals.

The thief left a message via email for some reason - included below.

I expect there's nothing I can do to get back my coins. For information leading to recovery of funds, I'm glad to compensate 25% of amount recovered.

So I hope I have at least learnt the hard way to always use 2-factor authentication and block javascript.


Return-path: <bitcoinjedi@live.com>
Envelope-to: XXX
Delivery-date: Wed, 01 May 2013 00:13:44 +0300
Received: from bay0-omc4-s25.bay0.hotmail.com ([65.54.190.227])
        by XXX with smtp (Exim 4.72)
        (envelope-from <bitcoinjedi@live.com>)
        id 1UXHro-0008CP-TP
        for XXX; Wed, 01 May 2013 00:13:43 +0300
Received: from BAY171-W77 ([65.54.190.200]) by bay0-omc4-s25.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
         Tue, 30 Apr 2013 14:13:31 -0700
X-EIP: [ASFJqLis8vc0ni6MFAnXMPkE37Ubt0Ny]
X-Originating-Email: [bitcoinjedi@live.com]
Message-ID: <BAY171-W777AD5AC4C1054A8D12C18D5B30@phx.gbl>
Content-Type: multipart/alternative;
        boundary="_4f98ada4-5c25-496a-99cc-2b7dbace59d3_"
From: Bitcoin Jedi <bitcoinjedi@live.com>
To: XXX
Date: Tue, 30 Apr 2013 21:13:31 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Apr 2013 21:13:31.0524 (UTC) FILETIME=[91258440:01CE45E7]
X-SA-Exim-Connect-IP: 65.54.190.227
X-SA-Exim-Mail-From: bitcoinjedi@live.com
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on XXX
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
        HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1
Subject: bitcoin
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:26:47 +0000)
X-SA-Exim-Scanned: Yes (on XXX)
Content-Length: 980

Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64

hey !

thanks for bitcoin !
you want new password now
dont use winxp , its bad

bai
xiangfu

[roxannemmorganB599]

Are you clicking any links? How did the attacker attacked you what vector did he used? That was very big amount I felt sorry for what happens to you.

[cparsley]

ouch!

[maxmint]

Wow, that's bad. Feeling sorry for you.

I would like to see some sort of email confirmation request before coins can actually get withdrawn from bitstamp ("...if you want to withdraw coins, then click this link to confirm...". This would be an additional security layer and might help prevent theft like this one.

[Evolekam]

He used a proxy for both logins I believe, the first one said Anonymous Proxy, the second one is located in the Netherlands.

[Cryingsoul]

Only post bitcoins on your account when you want to sell them on the same day.
I feel sorry man

[md34ma]

Oh man.. When dealing with that much money, security is a very important factor.

[akabane]

Bad news, I feel sorry for you.

Thanks for the warning will use the 2 factor auth starting from now !

[mikef]

Thank you all for your condolences, much appreciated.

So far I haven't found out about the attack vector. I'm going through my browser history, but so far I haven't discovered anything. Lately, I've been very careful what I click. Especially bitcoin-related :-)

I expect it should lessen the risk of XSS attacks if I run a separate browser for trading? If not a virtual machine..
Not that I do that much day trading. Fortunately not all was lost, as I had transferred some of my holdings to paper wallets.

[Zumba]

Hello there..

I feel sorry for you too :/

As above was mentioned.. have you clicked any links?

Or: Have you recieved ANY unexpected Mails from BitStamp?

Have you been logged in, with your mobile connection, or unexpected on an open wlan?

Have you installed any toolbars on your browser?

Do you use the newest version of the browser?

Have you traded with some people for the first time, and send them your ID (not password)?

It could be an Injection attack too..


Again.. I'm very sorry.. hope you havent lost too much..


Greetings
Zumba

[Valerian77]

Maybe - if you are able to follow the BTC address chain to the target address - you have a slight chance to get the IP address of the thief:
http://bitcoin.stackexchange.com/questions/193/how-do-i-see-the-ip-address-of-a-bitcoin-transaction
last comment (answered Apr 24 '12 at 7:07)

Man i would never put an answer here but i have to. It seems most of you aren't aware of the fact that bitcoin clients connect to an irc server to find more nodes. Its very simple to get the ip address of each client that connects to that irc server. Im currently in the process of linking this to bitcoin address and transactions, but im sure its nothing but an hour or two away. Just a little digging.

[bitcoinminerz]

That's so messed up, I really feel so sorry for you and wish you the best.