Hello all,
Want to mention first that I am not here to blame anyone, probably the only one to blame is just me for not enabling 2FA.
I got hacked and here is the story.
Been using NH for about two weeks, I was like, let me jump on the train with the rest.
At the beginning I used Phoenix miner, which was the default miner NH was running, but I noticed that after 10+ hours it was getting many errors, so after about 4/5 days I decided to go on Excavator.
In the whole time I managed to mine till last night about £50 worth when the account got hacked.
The hacker got full access to my PC (main rig, because the one that I was planning to use for mining kept crashing), used Chrome and went into NiceHash, enabled 2FA on his phone and goodbye account. Went into my email and deleted the emails from NiceHash.
This happened last night at 00:29. At 00:52 I woke up, checked my phone and saw notifications that I had enabled 2FA on my NH account. Straight away I could not log in, as he was receiving the 2FA notifications, and I went for "forgot password" on NH.
Started sending them emails and looked for anyone available from NH on Twitter and Discord.
Amazingly, no one answered, so almost 24 hours have now passed and no one has bothered to answer my account-hacking emails.
As I said, not blaming anyone. I already made another account and enabled 2FA, I enabled 2FA for all my email sessions and other crap like this, and I am fixing the second rig that was supposed to be used for mining so I can segregate everything that has to do with NH, and move all the rigs to Linux.
This is just more of a heads up for everyone: the shit is real, something did happen, and we have the below scenarios:
1) Phoenix got hacked
2) NiceHash got hacked and someone changed the binaries for Phoenix, and they are now trying to blame them.
3) Excavator got hacked
4) All of the above
Seeing the Phoenix posts here he seems a legit guy/group so I am starting to discard scenario 1.
The fact that NiceHash can't be bothered to answer my emails and doesn't have any customer support at the weekend makes me go for scenario 2. I have emailed them on both the CS email and the 2FA one; you would imagine that they would answer, considering the money that they spin.
Later edit:
Looking through my hard drives I noticed a text file created last night at 00:31.
15PWpx4vXagY5cGDEvaKV2ZcW6kq8RfDNX
This is the wallet that he used, he even named it Trazor.
Phoenix mentioned a Windows bug, so I will post the session from Event Viewer on my hacked PC.
Stay safe all
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-XXXX
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x3d4
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
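Added example, not part of the post above: a small Python triage helper for pasted 4624 event bodies. It shows that the event quoted above (logon type 5 for SYSTEM, started by services.exe, no source address) is the Service Control Manager's routine service logon, while a constructed type 10 (RDP) event is flagged for review. Both sample events, the account name alice and the address 203.0.113.7 are constructed for the example.

```python
import re
# Logon type codes documented for Windows security event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Constructed sample 1: the same field values as the event pasted in the post above.
EVENT_SERVICE = r"""An account was successfully logged on.
Subject:
Account Name: DESKTOP-XXXX
Logon Type: 5
Elevated Token: Yes
New Logon:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Process Name: C:\Windows\System32\services.exe
Source Network Address: -
"""

# Constructed sample 2: a hypothetical remote desktop logon (address from a documentation range).
EVENT_RDP = r"""An account was successfully logged on.
Subject:
Account Name: -
Logon Type: 10
Elevated Token: Yes
New Logon:
Account Name: alice
Account Domain: DESKTOP-XXXX
Process Name: C:\Windows\System32\winlogon.exe
Source Network Address: 203.0.113.7
"""

def parse_4624(text):
    """Extract the triage-relevant fields; account fields come from the 'New Logon' section."""
    def field(name, src):
        m = re.search(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", src, re.M)
        return m.group(1) if m else "-"
    new = text.split("New Logon:", 1)[-1]
    return {"logon_type": int(field("Logon Type", text)),
            "account": field("Account Name", new), "domain": field("Account Domain", new),
            "elevated": field("Elevated Token", text) == "Yes",
            "process": field("Process Name", new), "source": field("Source Network Address", new)}

def triage(ev):
    """Return (verdict, reason): 'routine' for the SCM's own service logon, 'review' for remote logons."""
    kind = LOGON_TYPES.get(ev["logon_type"], "Unknown")
    remote = ev["source"] not in ("-", "127.0.0.1", "::1")
    if ev["logon_type"] == 5 and ev["account"] == "SYSTEM" and ev["process"].lower().endswith("services.exe"):
        return "routine", f"{kind} logon of SYSTEM by the Service Control Manager"
    if ev["logon_type"] == 10 or (ev["logon_type"] == 3 and remote and ev["elevated"]):
        return "review", f"{kind} logon for {ev['domain']}\\{ev['account']} from {ev['source']}"
    return "info", f"{kind} logon for {ev['domain']}\\{ev['account']} via {ev['process']}"
```

A type 5 logon from services.exe is written at every boot and service start, so on its own it says nothing about the 00:29 incident; the events worth pulling from the same time window are type 10 and type 3 logons with a real source address.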