Bitcoin Forum
Author Topic: 130 BTC stolen from Bitstamp account  (Read 1070 times)
mikef (OP)
Newbie
Activity: 7
Merit: 0
May 01, 2013, 03:11:09 PM
#1

My Bitstamp account was compromised last night (Apr 30th). I was foolish enough to store 130 BTC there - without 2-factor authentication. So I can only blame myself. But I thought I'd write about this as I expect there are a lot of victims..

So I expect this is some kind of XSS attack similar to the BTC-e reports. I was not running noscript. Using Firefox 20.0.1 on winxp. The same exploit was probably targeting BTC-e users, because I got a login warning from 46.19.137.78 at 30.04.13 16:39. They have fortunately now forced email confirmation of withdrawals so I was not affected. Had I noticed this in time, I could have escaped the theft on Bitstamp.

I can see that someone logged in from 46.19.137.78 and 85.159.237.4 on my Bitstamp account. Funds were transferred to address 1FbXHeWdLfo6RSTV3xaMRYKGVTk9iLgiZc . Only funds stolen from my account have gone through that address.

Coins were moved immediately forward through several addresses. Following the transactions, I was surprised to see that everything ended up in the same address though: 1NwbXavc82UAg6qjYikQAcBMabEzKoGJxC . Currently, this account contains 2860 BTC, no withdrawals.

The thief left a message via email for some reason - included below.

I expect there's nothing I can do to get back my coins. For information leading to recovery of funds, I'm glad to compensate 25% of amount recovered.

So I hope I have at least learnt the hard way to always use 2-factor authentication and block javascript.


Return-path: <bitcoinjedi@live.com>
Envelope-to: XXX
Delivery-date: Wed, 01 May 2013 00:13:44 +0300
Received: from bay0-omc4-s25.bay0.hotmail.com ([65.54.190.227])
        by XXX with smtp (Exim 4.72)
        (envelope-from <bitcoinjedi@live.com>)
        id 1UXHro-0008CP-TP
        for XXX; Wed, 01 May 2013 00:13:43 +0300
Received: from BAY171-W77 ([65.54.190.200]) by bay0-omc4-s25.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
         Tue, 30 Apr 2013 14:13:31 -0700
X-EIP: [ASFJqLis8vc0ni6MFAnXMPkE37Ubt0Ny]
X-Originating-Email: [bitcoinjedi@live.com]
Message-ID: <BAY171-W777AD5AC4C1054A8D12C18D5B30@phx.gbl>
Content-Type: multipart/alternative;
        boundary="_4f98ada4-5c25-496a-99cc-2b7dbace59d3_"
From: Bitcoin Jedi <bitcoinjedi@live.com>
To: XXX
Date: Tue, 30 Apr 2013 21:13:31 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Apr 2013 21:13:31.0524 (UTC) FILETIME=[91258440:01CE45E7]
X-SA-Exim-Connect-IP: 65.54.190.227
X-SA-Exim-Mail-From: bitcoinjedi@live.com
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on XXX
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
        HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1
Subject: bitcoin
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:26:47 +0000)
X-SA-Exim-Scanned: Yes (on XXX)
Content-Length: 980

Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64

hey !

thanks for bitcoin !
you want new password now ;)
dont use winxp , its bad

bai
xiangfu
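The quoted headers are the one artifact the thief left behind. As an added example (not code from the original post), the following Python reads the Received chain the way a responder would: each MTA prepends its own Received line, so the list is reversed into delivery order, and the outermost hop is cross-checked against the X-SA-Exim-Connect-IP value that the recipient's own Exim server stamped on the message. Only the headers added by your own MTA can be trusted; everything below them is text the sender could have supplied. The header block is a subset of the headers quoted above (the recipient address was already redacted as XXX in the thread).

```python
import re
from email.parser import HeaderParser

# Subset of the headers quoted in the post above; the recipient address was
# already redacted as XXX in the thread.
RAW_HEADERS = """\
Return-path: <bitcoinjedi@live.com>
Envelope-to: XXX
Delivery-date: Wed, 01 May 2013 00:13:44 +0300
Received: from bay0-omc4-s25.bay0.hotmail.com ([65.54.190.227])
        by XXX with smtp (Exim 4.72)
        (envelope-from <bitcoinjedi@live.com>)
        id 1UXHro-0008CP-TP
        for XXX; Wed, 01 May 2013 00:13:43 +0300
Received: from BAY171-W77 ([65.54.190.200]) by bay0-omc4-s25.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
         Tue, 30 Apr 2013 14:13:31 -0700
X-Originating-Email: [bitcoinjedi@live.com]
From: Bitcoin Jedi <bitcoinjedi@live.com>
To: XXX
Date: Tue, 30 Apr 2013 21:13:31 +0000
Subject: bitcoin
X-SA-Exim-Connect-IP: 65.54.190.227

"""

# "from <host> ([<ip>]) by <host>" as written by both Exim and Microsoft SMTPSVC.
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)"
)


def received_hops(raw_headers):
    """Return the Received hops in delivery order (oldest first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    # Each MTA prepends its line, so the top header is the last hop taken.
    hops.reverse()
    return hops


def outermost_hop_is_consistent(raw_headers):
    """True when the hop recorded by the recipient's own MTA (the last, trusted
    one) matches the connecting IP the same MTA's Exim/SpamAssassin wrote into
    X-SA-Exim-Connect-IP. Earlier hops are sender-controlled text and are only
    corroborating evidence, never proof."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = received_hops(raw_headers)
    return bool(hops) and hops[-1]["ip"] == msg.get("X-SA-Exim-Connect-IP")


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW_HEADERS), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("outermost hop consistent:", outermost_hop_is_consistent(RAW_HEADERS))
```

Both hops are Hotmail's own outbound servers (BAY171-W77 handing off to bay0-omc4-s25.bay0.hotmail.com), so the message was composed through webmail and nothing in this header set records the sender's client address; the chain tells you which provider to send an abuse report to, not where the thief sat.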
roxannemmorganB599
Full Member
Activity: 126
Merit: 100
May 01, 2013, 03:49:58 PM
#2

Are you clicking any links? How did the attacker attack you? What vector did he use? That was a very big amount. I feel sorry for what happened to you.
cparsley
Full Member
Activity: 215
Merit: 100
May 01, 2013, 03:58:04 PM
#3

ouch!

maxmint
Hero Member
Activity: 700
Merit: 500
May 01, 2013, 04:10:27 PM
#4

Wow, that's bad. Feeling sorry for you.

I would like to see some sort of email confirmation request before coins can actually get withdrawn from bitstamp ("...if you want to withdraw coins, then click this link to confirm..."). This would be an additional security layer and might help prevent theft like this one.

My PGP-Key: 462D02D8
Verify my messages using keybase: https://keybase.io/maxmint
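One way to build the confirmation step maxmint describes, as an added example that is neither Bitstamp's code nor part of the original post: the web session can only create a pending withdrawal, and the funds move only when a one-time link delivered to the account's e-mail address is opened within a time limit. The 15-minute TTL, the in-memory store, the token format and the `WithdrawalGate` class are all assumptions of this example. This is the property the OP credits with saving the BTC-e balance: a session taken over through the browser cannot complete a withdrawal unless the attacker also controls the mailbox.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Confirmation links stop being valid after this many seconds (assumed value).
CONFIRM_TTL_SECONDS = 15 * 60


@dataclass
class PendingWithdrawal:
    user: str
    address: str
    amount_btc: float
    created_at: float
    used: bool = False


class WithdrawalGate:
    """Holds withdrawals until the account's e-mail address confirms them."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> PendingWithdrawal
        self.executed = []   # (user, address, amount) actually paid out

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked table of pending withdrawals
        # cannot be turned into valid confirmation links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, user, address, amount_btc, now=None):
        """Called from the web session. Nothing is paid out here; a one-time
        token is created and would be e-mailed as a confirmation link. It is
        returned so the flow can be exercised without a mail server."""
        now = time.time() if now is None else now
        # 256 random bits: not guessable, and looked up by hash, so no secret
        # comparison (and no timing side channel) is involved in confirm().
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = PendingWithdrawal(
            user, address, amount_btc, now)
        return token

    def confirm(self, token, now=None):
        """Called when the link in the e-mail is opened."""
        now = time.time() if now is None else now
        rec = self._pending.get(self._key(token))
        if rec is None:
            return "invalid"
        if rec.used:
            return "already_used"
        if now - rec.created_at > CONFIRM_TTL_SECONDS:
            return "expired"
        rec.used = True
        self.executed.append((rec.user, rec.address, rec.amount_btc))
        return "confirmed"


if __name__ == "__main__":
    gate = WithdrawalGate()
    # Constructed scenario: a hijacked session requests a withdrawal.
    link_token = gate.request("alice", "1ExampleDestAddr", 130.0)
    print("paid out after request alone:", gate.executed)       # []
    print("attacker guessing the link:", gate.confirm("guess"))  # invalid
    print("owner opens the e-mail link:", gate.confirm(link_token))
    print("link reused:", gate.confirm(link_token))             # already_used
```

The gate is deliberately stateful on the server side: expiry and single use are enforced where the funds are, so a captured link is worthless after one click or after the TTL, and an attacker who can only drive the victim's browser never sees the token at all.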
Evolekam
Newbie
Activity: 29
Merit: 0
May 01, 2013, 04:11:55 PM
#5

He used a proxy for both logins I believe, the first one said Anonymous Proxy, the second one is located in the Netherlands.
Cryingsoul
Newbie
Activity: 38
Merit: 0
May 01, 2013, 04:15:33 PM
#6

Only post bitcoins on your account when you want to sell them on the same day.
I feel sorry man
md34ma
Newbie
Activity: 42
Merit: 0
May 01, 2013, 04:21:26 PM
#7

Oh man.. When dealing with that much money, security is a very important factor. :(
akabane
Member
Activity: 113
Merit: 10
May 01, 2013, 04:23:35 PM
#8

Bad news, I feel sorry for you.

Thanks for the warning will use the 2 factor auth starting from now !
mikef (OP)
Newbie
Activity: 7
Merit: 0
May 01, 2013, 04:29:09 PM
#9

Thank you all for your condolences, much appreciated.

So far I haven't found out about the attack vector. I'm going through my browser history, but so far I haven't discovered anything. Lately, I've been very careful what I click. Especially bitcoin-related :-)

I expect it should lessen the risk of XSS attacks if I run a separate browser for trading? If not a virtual machine..
Not that I do that much day trading. Fortunately not all was lost, as I had transferred some of my holdings to paper wallets.
Zumba
Newbie
Activity: 6
Merit: 0
May 01, 2013, 04:42:49 PM
#10

Hello there..

I feel sorry for you too :/

As above was mentioned.. have you clicked any links?

Or: Have you received ANY unexpected Mails from BitStamp?

Have you been logged in, with your mobile connection, or unexpected on an open wlan?

Have you installed any toolbars on your browser?

Do you use the newest version of the browser?

Have you traded with some people for the first time, and sent them your ID (not password)?

It could be an Injection attack too..


Again.. I'm very sorry.. hope you haven't lost too much..


Greetings
Zumba
Valerian77
Sr. Member
Activity: 437
Merit: 255
May 01, 2013, 04:44:55 PM
#11

Maybe - if you are able to follow the BTC address chain to the target address - you have a slight chance to get the IP address of the thief:
http://bitcoin.stackexchange.com/questions/193/how-do-i-see-the-ip-address-of-a-bitcoin-transaction
last comment (answered Apr 24 '12 at 7:07)
Quote
Man I would never put an answer here but I have to. It seems most of you aren't aware of the fact that bitcoin clients connect to an irc server to find more nodes. It's very simple to get the ip address of each client that connects to that irc server. I'm currently in the process of linking this to bitcoin address and transactions, but I'm sure it's nothing but an hour or two away. Just a little digging.
bitcoinminerz
Newbie
Activity: 14
Merit: 0
May 01, 2013, 04:49:56 PM
#12

That's so messed up, I really feel so sorry for you and wish you the best.