Got hacked and lost $30,000 on hitbtc, avoid this garbage site

[btc9785]

I believe this is what happened: the hacker hacked into the mail server of hitbtc or intercepted the password reset email triggered by him, then reset my password and gained access to my account. The login history of my email box showed no abnormal access at all; the password reset email that the hacker triggered was received unread. The hacker can't withdraw anything after resetting the password; however, he converted all my coins to BTC, then bought expensive SWT orders placed by him, and then sold the SWT to a very cheap order that was also placed by him. He repeated this process a couple times, then all my digital assets worth $30000+ were almost gone. Even though I have perfect security on my computer, even though the hacker cannot withdraw anything from my account, my $30000+ are all gone.

From what I have seen, this security problem has been there for quite a while. Yet, hitbtc did nothing to prevent this from happening again. Shame on them. I'm writing this in hope to find someone who also got hacked recently. Together we can form a group and force hitbtc to get our money back. We can initiate a court fight if that's necessary.

Here's my trading history after being hacked. You can see the hacker bought SWT with a very high price and then sold them with a much lower price.
https://i.imgur.com/Bxe3CCd.png

[magneto]

I believe this is what happened: the hacker hacked into the mail server of hitbtc or intercepted the password reset email triggered by him, then reset my password and gained access to my account. The login history of my email box showed no abnormal access at all; the password reset email that the hacker triggered was received unread. The hacker can't withdraw anything after resetting the password; however, he converted all my coins to BTC, then bought expensive SWT orders placed by him, and then sold the SWT to a very cheap order that was also placed by him. He repeated this process a couple times, then all my digital assets worth $30000+ were almost gone. Even though I have perfect security on my computer, even though the hacker cannot withdraw anything from my account, my $30000+ are all gone.

From what I have seen, this security problem has been there for quite a while. Yet, hitbtc did nothing to prevent this from happening again. Shame on them. I will never use this trash site ever again.

The thing is you can't provide any proof that it was their fault. They could easily argue that you did not secure your device correctly or sufficently and not take the blame for it. But i think that with so many complaints about random people placing orders on people's accounts for hitbtc, it's not a coincidence anymore.

I remember a few months ago there was a guy who got hacked, and the hacker bought some shitcoins off the markets for ridiculous prices. I guess that's how they funneled their money out to ensure that tehy do not get caught.

Don't use them if you don't trust them. Nobody is forcing you to, and i don't think anyone should use hitbtc for such high amounts anyways. Sorry for your losses.

[warningsigns]

I'm struggling to understand how something like this can happen. Aren't there withdrawal limits? 2FA? Are there no email-verified withdrawal procedures in place? How can someone intercept a third party email message when it is clearly linked to a very specific email address?

Either this was done by one very clever hacker or there is somebody inside HitBTC laughing all the way to the bank.

[mobnepal]

Your $30,000 vanished just because of hacker selling it at lower price than what he have bought at? Why would he will spend his hours to make such a silly move rather than just wait for next few hours to be able to withdraw all those money out.

Also if you have some screenshots of your account than post it.

If you haven't activated 2FA there than actually its you who are responsible for this security breach also you might have used your email password in other sites too without any additional security measures activated in your email account.

[barnes13]

Any form of security of our exchange account is a personal responsibility, and if you believe that this error from the exchange is reported immediately.

If this is a weakness of the exchange there should be many other members who will also experience the same thing.

Never put your huge money in exchange for long periods of time because things can turn bad in unexpected circumstances

[audaciousbeing]

I believe this is what happened: the hacker hacked into the mail server of hitbtc or intercepted the password reset email triggered by him, then reset my password and gained access to my account. The login history of my email box showed no abnormal access at all; the password reset email that the hacker triggered was received unread. The hacker can't withdraw anything after resetting the password; however, he converted all my coins to BTC, then bought expensive SWT orders placed by him, and then sold the SWT to a very cheap order that was also placed by him. He repeated this process a couple times, then all my digital assets worth $30000+ were almost gone. Even though I have perfect security on my computer, even though the hacker cannot withdraw anything from my account, my $30000+ are all gone.

From what I have seen, this security problem has been there for quite a while. Yet, hitbtc did nothing to prevent this from happening again. Shame on them. I will never use this trash site ever again.

But my own question is how did you even get access to this amount of information to know that all this process occur on your account. The fundamental truth is that if this truly happen but its an isolated case, there is no winning but if its repeated to several people, it shows that there is a breach on their own security.

You haven't even posted any information or evidence to support your claim with this could be quickly passed off as FUD and having assets worth that much on an exchange site is something that beats my imagination.

[bittraffic]

Screenshots would be something interesting for this accusations.

But OP had made his email address known to the hacker? This I think is one mistake, revealing your NOT throwaway email is something that hacker or just an email spammer would be interested of.

[premium_domainer]

I read your post three times but couldn't get your theory how they pass your 2fa.

If you didn't set 2fa up and you were holding 30.000$ on there, it is only your fault no-one else.

[btc9785]

Your $30,000 vanished just because of hacker selling it at lower price than what he have bought at? Why would he will spend his hours to make such a silly move rather than just wait for next few hours to be able to withdraw all those money out.

Also if you have some screenshots of your account than post it.

If you haven't activated 2FA there than actually its you who are responsible for this security breach also you might have used your email password in other sites too without any additional security measures activated in your email account.

If I remember correctly, you need to click the email verification link to withdraw. The hacker has no access to my email account, thus can't withdraw. But he can trade. BTC/SWT is a very small pair. Say I have 1 BTC, then the hacker sold the BTC with the price of 1 BTC = 0.1 SWT, then bought BTC again with the price of 1 BTC = 10 SWT. Boom, I only have 0.01 BTC now, a huge part of my money is gone. This can only be done in a very small volume pair.

I am definitely responsible since I did not active 2FA. But this problem already happened one month ago. See this post: https://thebitcoin.pub/t/my-account-was-hacked-on-hitbtc/14153

One month later, same thing happened again. It's impossible to say this is solely my problem. hitbtc should also be blamed.

[btc9785]

First, I would like to thank all the replies. I already contacted hitbtc support. But if you have ever dealt with them, you would know it takes forever for them to respond.

Second, for anyone who wants screenshot, I found this: https://pbs.twimg.com/media/DROFJlFWsAErNqt.jpg:large

I'm still trying to collect all the info for proof, I will post again when I am 100% ready.

Third, I certainly understand that not activating 2FA is my fault. But clearly the hacker has a way to intercept the emails, you can check this post: https://thebitcoin.pub/t/my-account-was-hacked-on-hitbtc/14153

Also, this happened to other people. For example: https://forum.hitbtc.com/discussion/comment/8314

I'm writing this in hope to find someone who also got hacked recently. Together we can form a group and force hitbtc to get our money back. We can initiate a court fight if that's necessary. In addition, I'm trying to warn everyone: hitbtc is a scam site, don't use it!

[Colorblind]

I would say you are wrong. I don't see as a possibility that hacker could somehow intercept e-mails from exchange. They simply knew your password then logged in. Since they did no access to e-mail they couldn't just withdraw so they had to execute "low volume" scam - i.e convert everything to BTC then buy some low volume coin for those btc from their own account. If you had 2fa you would probably be fine, but the only thing you can do is to ask exchange to look into attacker's account information (since they know who was doing low volume scam).
Don't get your hopes up, since if it was me running an exchange I would most certainly refuse to assist you for numerous reasons (but the main would be the fact you did not have 2fa and exchange can simply blame you in this case to avoid any hassle).

Sorry for your loss. Hope you resolve this somehow.

[btc9785]

I would say you are wrong. I don't see as a possibility that hacker could somehow intercept e-mails from exchange. They simply knew your password then logged in. Since they did no access to e-mail they couldn't just withdraw so they had to execute "low volume" scam - i.e convert everything to BTC then buy some low volume coin for those btc from their own account. If you had 2fa you would probably be fine, but the only thing you can do is to ask exchange to look into attacker's account information (since they know who was doing low volume scam).
Don't get your hopes up, since if it was me running an exchange I would most certainly refuse to assist you for numerous reasons (but the main would be the fact you did not have 2fa and exchange can simply blame you in this case to avoid any hassle).

Sorry for your loss. Hope you resolve this somehow.

It seems impossible that hacker can somehow intercept the emails. And this was part of the reason I thought my coins would be safe without 2FA. But the thing is, the hacker indeed found a way to do that. Almost all victims got hacked by resetting the password. This shows the hacker does not know the original password. There's is no other ip login history in my email account. Thus, the hacker has no access to my email account. Also, I never click the password reset link myself. Then the only explanation is that the hacker intercepts the emails sending by hitbtc.

hitbtc is using a third-party email service, which I think is https://mandrillapp.com/. My guess is that either the hacker hacked into the servers of this particular email service, or the hacker is an internal member of that email service. The worst possibility would be this is done by hitbtc's own employee.

[Slow death]

I'm lost in this story and as I am someone curious there are some things that I would like to know:

when you login to your hitbtc account, they do not send a link to you to click and authorize your entry in your hitbtc account?

when you withdraw any currency, do not you receive an email containing the link that authorizes the withdrawal of that currency?

Do you have an picture of the negotiation history of your account?

Do you have a picture of the history of withdrawals from your account?

[btc9785]

I'm lost in this story and as I am someone curious there are some things that I would like to know:

when you login to your hitbtc account, they do not send a link to you to click and authorize your entry in your hitbtc account?

when you withdraw any currency, do not you receive an email containing the link that authorizes the withdrawal of that currency?

Do you have an picture of the negotiation history of your account?

Do you have a picture of the history of withdrawals from your account?

No, you don't need to click a link to authorize your entry in hitbtc.

Yes, email authorization is required to withdraw. However, the hacker did not withdraw anything directly from my account. He simply converted all my coins to some altcoins with a price that is much lower than the market price. I believe he took the order that he placed on the orderbook using his own account.

My original post contains the trading history after my account being hacked.

No, as I just mentioned, the hacker did not withdraw anything.

[pornluver]

I would say you are wrong. I don't see as a possibility that hacker could somehow intercept e-mails from exchange. They simply knew your password then logged in. Since they did no access to e-mail they couldn't just withdraw so they had to execute "low volume" scam - i.e convert everything to BTC then buy some low volume coin for those btc from their own account. If you had 2fa you would probably be fine, but the only thing you can do is to ask exchange to look into attacker's account information (since they know who was doing low volume scam).
Don't get your hopes up, since if it was me running an exchange I would most certainly refuse to assist you for numerous reasons (but the main would be the fact you did not have 2fa and exchange can simply blame you in this case to avoid any hassle).

Sorry for your loss. Hope you resolve this somehow.

It seems impossible that hacker can somehow intercept the emails. And this was part of the reason I thought my coins would be safe without 2FA. But the thing is, the hacker indeed found a way to do that. Almost all victims got hacked by resetting the password. This shows the hacker does not know the original password. There's is no other ip login history in my email account. Thus, the hacker has no access to my email account. Also, I never click the password reset link myself. Then the only explanation is that the hacker intercepts the emails sending by hitbtc.

hitbtc is using a third-party email service, which I think is https://mandrillapp.com/. My guess is that either the hacker hacked into the servers of this particular email service, or the hacker is an internal member of that email service. The worst possibility would be this is done by hitbtc's own employee.

So the hacker need to be able to read email to reset password. The hacker didn't just login with your password. However, they cannot withdraw. So hackers can access reset password email but cannot access withdraw email?