Author Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen  (Read 8527 times)
JRam (OP)
September 14, 2013, 01:11:05 PM
Last edit: September 14, 2013, 11:51:00 PM by JRam
#1

https://i.imgur.com/DyjeYdh.jpg

https://i.imgur.com/TL1rJxc.jpg

https://i.imgur.com/J4dL01c.jpg

https://i.imgur.com/2WiPhYj.jpg

None of the trade activity in the screenshot is mine. I originally had $4,000 in USD, but the culprit converted it to BTC and withdrew it.

How hard is it to bypass the Yubikey? I was not even awake at around 4 AM when this happened, so I don't think it is malware or phishing. In case this is some form of delayed malware, I'm doing a full scan at the moment with Malwarebytes. I am beginning to suspect Mt.Gox internal operations of doing this, especially after hearing all the news about Mt.Gox's financial problems.

When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide?

I don't want to believe it but the possibility of the largest BTC exchange stealing from its users paints a grim picture for BTC. If my suspicions are correct, I hope this serves as a warning to the rest of the BTC community.
01BTC10
September 14, 2013, 01:13:09 PM
#2

I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.
JRam (OP)
September 14, 2013, 01:17:18 PM
#3

I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
01BTC10
September 14, 2013, 01:18:20 PM
#4

I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.
JRam (OP)
September 14, 2013, 01:38:20 PM
#5

I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.

Haha, well apparently not since someone still managed to steal from my account. I added screenshots of the Yubikey. Yubikeys aren't supposed to be easy to crack are they? I can only think of Mt. Gox itself doing this so I will never trust them again.
01BTC10
September 14, 2013, 01:40:03 PM
#6

I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.

Haha, well apparently not since someone still managed to steal from my account. I added screenshots of the Yubikey. Yubikeys aren't supposed to be easy to crack are they? I can only think of Mt. Gox itself doing this so I will never trust them again.
I don't have any clue what went wrong in your case but at least you didn't forget to activate your YubiKey like I've already seen in the past.

Is the OTP value I see Google Authenticator? If you made a backup of the seed somewhere, it could have been stolen.
Luno
September 14, 2013, 01:46:35 PM
#7

You don't have Google Authenticator or a paired cell phone also on your withdrawal methods?

If a Yubikey can be faked, every university or other business using them is in trouble, and no, you can't sniff the key from a Yubikey; it's a hard-coded, non-recursive algorithm that calculates the last characters of your key every time you press the button. The long press used for withdrawals is even more complex.

So Gox hack or inside theft?
Pokerfan
September 14, 2013, 01:49:59 PM
#8

Go into "Security Center" -> "Current API Keys"

Confirm there's nothing there.
JRam (OP)
September 14, 2013, 02:02:09 PM
Last edit: September 14, 2013, 02:15:12 PM by JRam
#9

Go into "Security Center" -> "Current API Keys"

Confirm there's nothing there.

https://i.imgur.com/CKuu90B.jpg

I use the TobbeLino trade bot https://github.com/TobbeLino/GoxTradingBotTobli, but its API key was only granted permissions for get_info and trade. This bot had also been disabled for over a week, so I don't think this is the cause.
BurtW
September 14, 2013, 02:38:39 PM
Last edit: September 14, 2013, 03:21:43 PM by BurtW
#10

https://blockchain.info/address/1Zq3rJPzNMi9vJ1KqT9SKfAcfHx8NYVds

Just looking for clues...

Why 2.00 + 2.00 + 25.20793 to get them out instead of one transaction?

Then they moved 52 out of their wallet and we get to see a lot of the addresses in their wallet.

Then they moved 101 out of the same wallet and we get to see a lot more of the addresses in their wallet.

So it appears we have a lot to go on here...

47 of the 101 ended up here:  

https://blockchain.info/address/1AYTN944QaxUJiy2kkeyMoue1DNXBtvFTy

56 of the 101 ended up here:  

https://blockchain.info/address/12HXeLmimYVQUz2kojkPcMHHPQYPMaAond

Some of the coins went through this interesting address:  

https://blockchain.info/address/1LBCfs6JUWCgZWzHddHuiZsSMZ7E64YmcP

Does anyone recognize this mixing method?

ardana123
September 14, 2013, 05:10:15 PM
#11

Must be the API access you enabled, if you had a YubiKey configured.
01BTC10
September 14, 2013, 05:12:24 PM
#12

Must be the API access you enabled, if you had a YubiKey configured.
Quote
API key was only granted permissions to get_info and trade.
ardana123
September 14, 2013, 05:19:22 PM
#13

Maybe his computer was on at the time, logged in on his Gox account? Someone might've taken over the computer.
rufusBTC
September 14, 2013, 05:33:23 PM
#14

There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.

CIYAM
September 14, 2013, 05:37:05 PM
#15

There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.

Bitcoin doesn't work like that, but exchanges could very easily let you set up your account so that, say, a BTC transfer won't occur until 24+ hours after requesting it, giving you time to cancel such theft attempts.

Bitcoin's *strength* is that it isn't reversible - but that does make it harder when building services that use it to help protect the users (it's always going to be a trade-off between speed and expense).

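The delayed-withdrawal design post #15 describes, combined with the unusual-country red flag from post #1, as an added example (not Mt.Gox code; the 24-hour hold, the review flag and the `WithdrawalQueue` API are assumptions for illustration):

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # assumed policy: 24-hour window in which the owner can cancel

@dataclass
class Withdrawal:
    req_id: int
    amount_btc: float
    country: str           # country of the IP address that made the request
    requested_at: int      # unix seconds
    cancelled: bool = False
    flagged: bool = False  # request came from an unusual country: hold for review

@dataclass
class WithdrawalQueue:
    home_country: str                            # country the account normally uses
    pending: dict = field(default_factory=dict)  # req_id -> Withdrawal
    next_id: int = 1

    def request(self, amount_btc, country, now):
        """Queue a withdrawal; nothing is broadcast until release() lets it out."""
        w = Withdrawal(self.next_id, amount_btc, country, now,
                       flagged=(country != self.home_country))
        self.pending[w.req_id] = w
        self.next_id += 1
        return w.req_id

    def _set(self, req_id, attr, value):
        w = self.pending.get(req_id)
        if w is None:
            return False
        setattr(w, attr, value)
        return True

    def cancel(self, req_id):   # owner cancels (e.g. via an e-mailed link) before release
        return self._set(req_id, "cancelled", True)

    def approve(self, req_id):  # reviewer clears the country flag; the time hold still applies
        return self._set(req_id, "flagged", False)

    def release(self, now):
        """Return the withdrawals that may actually be broadcast at time `now`."""
        released = []
        for w in list(self.pending.values()):
            if w.cancelled:
                del self.pending[w.req_id]
            elif now - w.requested_at >= HOLD_SECONDS and not w.flagged:
                released.append(w)
                del self.pending[w.req_id]
        return released
```

A request from the account's usual country is released only after the full hold; one from elsewhere stays queued until a reviewer approves it, and the owner can cancel either at any point before release.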
niko
September 14, 2013, 06:40:59 PM
#16

There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

JRam (OP)
September 14, 2013, 08:47:50 PM
#17

Maybe his computer was on at the time, logged in on his Gox account? Someone might've taken over the computer.

https://i.imgur.com/2WiPhYj.jpg

My PC is located in my home, but the person who withdrew had an IP address from China. Malwarebytes did not detect anything that I think would take over my computer. I'm not sure what it could be.

There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Holes via Google auth? Can you clarify?

https://blockchain.info/address/1Zq3rJPzNMi9vJ1KqT9SKfAcfHx8NYVds

Just looking for clues...

Why 2.00 + 2.00 + 25.20793 to get them out instead of one transaction?

Maybe someone was testing if they got around my Yubikey but I still don't know how. I am still suspecting Mt. Gox itself doing this.
01BTC10
September 14, 2013, 08:53:04 PM
#18

You do have a lot of annoying adware; this shouldn't be found on a "secure" computer.
JRam (OP)
September 14, 2013, 08:59:43 PM
#19

You do have a lot of annoying adware; this shouldn't be found on a "secure" computer.

I did a bit of digging into this adware, but none of it seems able to take over my computer or is even related to Bitcoin. I'm running MSE atm, but it never recorded any attacks in its log. The logged IP address that did the transfer was from China; is this really something that originated from my PC? I'm still not sure how my Yubikey was bypassed unless it was by Mt. Gox employees.
01BTC10
September 14, 2013, 09:02:54 PM
#20

There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to log in without the YubiKey, then using Google Authenticator for withdrawal. That would explain the external IP, but I'm not sure if stealing your cookie would work.