Bitcoin Forum
December 08, 2022, 02:40:24 AM *
News: Bitcointalk Community Awards
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Blockchain.info account hacked (450+ BTC)  (Read 3496 times)
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
January 14, 2014, 02:45:05 PM
Last edit: January 14, 2014, 04:40:16 PM by ffssixtynine
 #1

I'm posting this on behalf of a third party. The theft was almost certainly due to poor security and no use of a cold wallet rather than an issue at blockchain.info.

https://blockchain.info/address/1E1ppQabUCsJekEJaXv74TwKnGfJ2YJANX
https://blockchain.info/address/13TEX8Zfj2bvY7RXYy6TaxFHCZc4R5Ha8M

I've removed the rest of the post whilst this is being investigated, but the above addresses shall remain here for those people who track these things.
1670467224
Hero Member
*
Offline Offline

Posts: 1670467224

View Profile Personal Message (Offline)

Ignore
1670467224
Reply with quote  #2

1670467224
Report to moderator
1670467224
Hero Member
*
Offline Offline

Posts: 1670467224

View Profile Personal Message (Offline)

Ignore
1670467224
Reply with quote  #2

1670467224
Report to moderator
In order to achieve higher forum ranks, you need both activity points and merit points.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1670467224
Hero Member
*
Offline Offline

Posts: 1670467224

View Profile Personal Message (Offline)

Ignore
1670467224
Reply with quote  #2

1670467224
Report to moderator
Sephera
Member
**
Offline Offline

Activity: 112
Merit: 10



View Profile WWW
January 15, 2014, 09:12:19 AM
 #2

Was there 2 factor auth?
guybrushthreepwood
Legendary
*
Offline Offline

Activity: 1232
Merit: 1195



View Profile
January 16, 2014, 05:39:55 PM
 #3

Was there 2 factor auth?

Probably not going by this "the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features.
malevolent
can into space
Staff
Legendary
*
Offline Offline

Activity: 3430
Merit: 1711



View Profile
January 16, 2014, 05:58:34 PM
 #4

Was there 2 factor auth?

Probably not going by this "the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features.

2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in.

guybrushthreepwood
Legendary
*
Offline Offline

Activity: 1232
Merit: 1195



View Profile
January 16, 2014, 06:58:18 PM
 #5

Was there 2 factor auth?

Probably not going by this "the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features.

2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in.

What about if you have the second password option on to spend the funds, or is your entire wallet vulnerable as soon as you log in?
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
January 16, 2014, 08:03:25 PM
 #6

OP I will suggest victim to stop using that pc and  check for any kind of virus infection manually or with the help of some antivirus (Malwarebyets), once you find some infected don't remove/quarantine them (Some av's remove files automatically so make sure to disable that option). First Zip those infected files and keep them safe in a usb and then remove infections. Also Look for any kind of suspicious folder etc that was not created by you in that system.

Then provide those files to me for analysis.

Ps:
Look for unauthorized access logs in emails and other sites and note all IP address.
You can also Install a firewall and check for any suspicious connections or ports (You can find all malware related port list on net)


If you want help, msg me anytime.
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
January 17, 2014, 08:31:01 AM
 #7

I just typed a long post only to have my iPad lose it! Try again... Please, no comments on the security failures or lack of hot/cold wallet. Not helpful and already a major point of discussion. This is about finding what actually happened and seeing if someone can be caught for once if it wasn't a hacker heist, which it may not be.

I would really like to bounce some stuff off some others who have experience with thefts and/or bitcoin security and dev.

Theft 1 emptied a single address which was 65% of the wallet and was done outside of Blockchain. The address was the default one created with the account. If a wallet was cracked or a thief stole the log in details, the thief had everything they needed to take it all. The wallet history also indicated that this was the right move, not a partial clearance in the hope for more big funds.

Theft 2 was done very shortly after a few people knew of the security issues and probably theft. It was done on the blockchain network, web or mobile or API, and was done by a human in a rush. I suspect a mobile device. Check the transactions and you'll see what I mean. Correct me if you think I am wrong.

Theft 2 was also done whilst the merchant was trying to log in to move the money. This was on a different mac to the one used earlier in the day, and every time previously, to move a few BTC out once the theft was discovered. Both macs were used for bitcoin activities and the usual one sounds generally secure. Neither mac has ever lost money on other bitcoin accounts. Both macs were used in a form which avoids basic key logging. No record or visible evidence of microphone or camera hacks. Can't be sure of course. A home network was used.

As much as I would usually point to compromised machines, this smells awkward. There was, however, a chrome trading bot extension on both macs. I don't have the name in front of me right now but there is no record of problems, and no trading accounts have lost money as of right now.

Why the timing, why the human being emptying the account, why the completely different modus operandi compared to theft 1, which seems like a leaked or insecure single private key?

Funds have yet to move for either theft. The addresses have not been used for other funds. How normal is that in organised thefts vs opportunist ones?

Blockchain.info claim they keep no logs unless users turn them on. They weren't on, sigh.

Edit: the security issues meant that anyone with access to the code had what they needed to empty the wallet as per theft 2. The wallet was also accessed by API.
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
January 17, 2014, 08:49:14 AM
 #8

Was there 2 factor auth?

Probably not going by this "the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features.

2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in.

What about if you have the second password option on to spend the funds, or is your entire wallet vulnerable as soon as you log in?

A compromised machine defeats all of this the moment your wallet is decrypted. If you have two passwords, that only happens in a form that reveals private keys when you enter your second password. The precise form of malware dictates whether they will get your keys, but I would certainly use the on screen keyboard that is popped up for the second password in order to defeat a more basic keylogger.

2FA was off in this case. It would not have protected API access (unless this supports 2FA) but it would have protected a web log in. There are so many points of failure security wise there is no point in even starting. However, bad security doesn't always lead of thefts, it just creates the opportunity. The question is who took the opportunity and which weakness was exploited.
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
April 21, 2015, 09:03:14 PM
 #9

Update: The money is moving as of right now.

New addresses are:

1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E
1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt


This hack may have been part of a much larger scam, hard for me to say.
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2800
Merit: 2285


View Profile
April 21, 2015, 09:40:43 PM
 #10

Update: The money is moving as of right now.

New addresses are:

1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E
1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt


This hack may have been part of a much larger scam, hard for me to say.

I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)

Chipmixer[/url][/color][/td][/tr][/table][/center]
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
April 21, 2015, 09:43:01 PM
 #11

I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)

1) Not my money, just to be clear, I was brought in at the time.

2) I deal with other cases which use tumblers. They're a pain but not impossible to track money through. The real problem is even when on the other side, what can you actually do to find out who people are and even then get the money from them? It's very difficult.

However, that shouldn't stop us trying (what you say is completely correct of course and my client has written the funds off, unhappily).
PolarPoint
Hero Member
*****
Offline Offline

Activity: 672
Merit: 500


View Profile
April 21, 2015, 09:47:31 PM
 #12

I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
April 21, 2015, 09:50:23 PM
 #13

I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.

A company (merchant), not a friend, and this was Jan 2014 so pre hardware wallets. That said, the security was poor and I suspect compromised machines in any case - a browser plug in for Bitcoin trading was in use. Either way, the thief has decided to move the money about this evening...
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
April 21, 2015, 09:53:26 PM
 #14

Interestingly this money is on the move as well - from a StealthBit theft:

http://www.reddit.com/r/Bitcoin/comments/1xf2qj/my_wallet_just_emptied_into_this_address/
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2800
Merit: 2285


View Profile
April 21, 2015, 09:55:44 PM
 #15

I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)

1) Not my money, just to be clear, I was brought in at the time.

2) I deal with other cases which use tumblers. They're a pain but not impossible to track money through. The real problem is even when on the other side, what can you actually do to find out who people are and even then get the money from them? It's very difficult.

However, that shouldn't stop us trying (what you say is completely correct of course and my client has written the funds off, unhappily).

When I refer to "your" funds, I am referring to your funds on behalf of your client (for simplistic sake).

Assuming you can figure out what addresses the money was withdrawn to (and assuming they do not go through a 2nd tumbler) then you can trace the funds to hopefully what will be an exchange. You would then ask the exchange for the identity of the account owner(s) identity(es) (you would probably need to use some legal process to get them).

If you do have experience in tracing money through tumblers, I believe that stunna was looking for someone that could tell him which exchange certain coins were deposited to that were stolen from his casino.

Chipmixer[/url][/color][/td][/tr][/table][/center]
ffssixtynine (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
April 21, 2015, 10:06:14 PM
 #16

I do but it's painfully time consuming and probability based. I would hope someone has a more automated service to calc probabilities these days, but how enforceable that would be in a legal case I wouldn't want to guess. I wish I could help more.

The above coins have yet to be tumbled, but these could be tumbler addresses. I'd be surprised if they aren't being tumbled if this were from a virus creator.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
August 14, 2017, 10:44:08 PM
 #17

Update: The money is moving as of right now.

New addresses are:

1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E
1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt


This hack may have been part of a much larger scam, hard for me to say.


OP Your funds were moved recently to these addresses.
1981pXHcPN8smS9y8U5pMQDvWNiensppX2
16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2

Keep an eye on BCH balance also.
romani245
Sr. Member
****
Offline Offline

Activity: 269
Merit: 255


View Profile
August 14, 2017, 11:16:09 PM
 #18

Update: The money is moving as of right now.

New addresses are:

1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E
1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt

This hack may have been part of a much larger scam, hard for me to say.


OP Your funds were moved recently to these addresses.
1981pXHcPN8smS9y8U5pMQDvWNiensppX2
16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2

Keep an eye on BCH balance also.

Very interesting. Unfortunately, it's unlikely there will be a favorable outcome here. Even if the hacker (or someone associated with them through transactions) moves coins to an exchange where their identity is verified, it would be very difficult to definitively link anyone to the computer intrusion charges.
john2231
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001



View Profile
August 14, 2017, 11:45:33 PM
 #19

Update: The money is moving as of right now.

New addresses are:

1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E
1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt

This hack may have been part of a much larger scam, hard for me to say.


OP Your funds were moved recently to these addresses.
1981pXHcPN8smS9y8U5pMQDvWNiensppX2
16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W
1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM
1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2

Keep an eye on BCH balance also.

Very interesting. Unfortunately, it's unlikely there will be a favorable outcome here. Even if the hacker (or someone associated with them through transactions) moves coins to an exchange where their identity is verified, it would be very difficult to definitively link anyone to the computer intrusion charges.
He was monitoring where the funds transfer and i think he wants to get the BCC just to get the benefits and sell it to gain more bitcoins..
As i can seen the thread is really old thread what is the purposes of keep this alive again?
I don't think if its a hacker holding bitcoin but i think this is the new owner of bitcoin not a hacker or maybe a business. .
reflector
Sr. Member
****
Offline Offline

Activity: 826
Merit: 263



View Profile
August 15, 2017, 05:56:43 AM
 #20

I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.

A company (merchant), not a friend, and this was Jan 2014 so pre hardware wallets. That said, the security was poor and I suspect compromised machines in any case - a browser plug in for Bitcoin trading was in use. Either way, the thief has decided to move the money about this evening...

There are many scam attempts have happened by the Blockchain, coinbase even paypal too. I do not understand the bitcoin wallet without the dat file or private key. That cannot be done.

Once in 2015, I just Googled the blockchain wallet and trying to login with the site to transfer 0.06 btc for one trade but amount in my wallet was hack or theft. Hence, I understood that I passed the ad link which similar to the site's URL.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!