|
Sephera
|
|
January 15, 2014, 09:12:19 AM |
|
Was there 2 factor auth?
|
|
|
|
guybrushthreepwood
Legendary
Offline
Activity: 1232
Merit: 1195
|
|
January 16, 2014, 05:39:55 PM |
|
Was there 2 factor auth?
Probably not going by this " the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features.
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1724
|
|
January 16, 2014, 05:58:34 PM |
|
Was there 2 factor auth?
Probably not going by this " the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features. 2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in.
|
Signature space available for rent.
|
|
|
guybrushthreepwood
Legendary
Offline
Activity: 1232
Merit: 1195
|
|
January 16, 2014, 06:58:18 PM |
|
Was there 2 factor auth?
Probably not going by this " the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features. 2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in. What about if you have the second password option on to spend the funds, or is your entire wallet vulnerable as soon as you log in?
|
|
|
|
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
|
|
January 16, 2014, 08:03:25 PM |
|
OP I will suggest victim to stop using that pc and check for any kind of virus infection manually or with the help of some antivirus (Malwarebyets), once you find some infected don't remove/quarantine them (Some av's remove files automatically so make sure to disable that option). First Zip those infected files and keep them safe in a usb and then remove infections. Also Look for any kind of suspicious folder etc that was not created by you in that system.
Then provide those files to me for analysis.
Ps: Look for unauthorized access logs in emails and other sites and note all IP address. You can also Install a firewall and check for any suspicious connections or ports (You can find all malware related port list on net)
If you want help, msg me anytime.
|
|
|
|
ffssixtynine (OP)
|
|
January 17, 2014, 08:31:01 AM |
|
I just typed a long post only to have my iPad lose it! Try again... Please, no comments on the security failures or lack of hot/cold wallet. Not helpful and already a major point of discussion. This is about finding what actually happened and seeing if someone can be caught for once if it wasn't a hacker heist, which it may not be.
I would really like to bounce some stuff off some others who have experience with thefts and/or bitcoin security and dev.
Theft 1 emptied a single address which was 65% of the wallet and was done outside of Blockchain. The address was the default one created with the account. If a wallet was cracked or a thief stole the log in details, the thief had everything they needed to take it all. The wallet history also indicated that this was the right move, not a partial clearance in the hope for more big funds.
Theft 2 was done very shortly after a few people knew of the security issues and probably theft. It was done on the blockchain network, web or mobile or API, and was done by a human in a rush. I suspect a mobile device. Check the transactions and you'll see what I mean. Correct me if you think I am wrong.
Theft 2 was also done whilst the merchant was trying to log in to move the money. This was on a different mac to the one used earlier in the day, and every time previously, to move a few BTC out once the theft was discovered. Both macs were used for bitcoin activities and the usual one sounds generally secure. Neither mac has ever lost money on other bitcoin accounts. Both macs were used in a form which avoids basic key logging. No record or visible evidence of microphone or camera hacks. Can't be sure of course. A home network was used.
As much as I would usually point to compromised machines, this smells awkward. There was, however, a chrome trading bot extension on both macs. I don't have the name in front of me right now but there is no record of problems, and no trading accounts have lost money as of right now.
Why the timing, why the human being emptying the account, why the completely different modus operandi compared to theft 1, which seems like a leaked or insecure single private key?
Funds have yet to move for either theft. The addresses have not been used for other funds. How normal is that in organised thefts vs opportunist ones?
Blockchain.info claim they keep no logs unless users turn them on. They weren't on, sigh.
Edit: the security issues meant that anyone with access to the code had what they needed to empty the wallet as per theft 2. The wallet was also accessed by API.
|
|
|
|
ffssixtynine (OP)
|
|
January 17, 2014, 08:49:14 AM |
|
Was there 2 factor auth?
Probably not going by this " the theft was almost certainly due to poor security". Blockchain is pretty safe if you use all the security features. 2FA won't help if the malware is going to wait until the wallet is decrypted after the owner logs in. What about if you have the second password option on to spend the funds, or is your entire wallet vulnerable as soon as you log in? A compromised machine defeats all of this the moment your wallet is decrypted. If you have two passwords, that only happens in a form that reveals private keys when you enter your second password. The precise form of malware dictates whether they will get your keys, but I would certainly use the on screen keyboard that is popped up for the second password in order to defeat a more basic keylogger. 2FA was off in this case. It would not have protected API access (unless this supports 2FA) but it would have protected a web log in. There are so many points of failure security wise there is no point in even starting. However, bad security doesn't always lead of thefts, it just creates the opportunity. The question is who took the opportunity and which weakness was exploited.
|
|
|
|
ffssixtynine (OP)
|
|
April 21, 2015, 09:03:14 PM |
|
Update: The money is moving as of right now.
New addresses are:
1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E 1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt
This hack may have been part of a much larger scam, hard for me to say.
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
|
|
April 21, 2015, 09:40:43 PM |
|
Update: The money is moving as of right now.
New addresses are:
1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E 1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt
This hack may have been part of a much larger scam, hard for me to say.
I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)
|
|
|
|
ffssixtynine (OP)
|
|
April 21, 2015, 09:43:01 PM |
|
I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)
1) Not my money, just to be clear, I was brought in at the time. 2) I deal with other cases which use tumblers. They're a pain but not impossible to track money through. The real problem is even when on the other side, what can you actually do to find out who people are and even then get the money from them? It's very difficult. However, that shouldn't stop us trying (what you say is completely correct of course and my client has written the funds off, unhappily).
|
|
|
|
PolarPoint
|
|
April 21, 2015, 09:47:31 PM |
|
I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.
|
|
|
|
ffssixtynine (OP)
|
|
April 21, 2015, 09:50:23 PM |
|
I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.
A company (merchant), not a friend, and this was Jan 2014 so pre hardware wallets. That said, the security was poor and I suspect compromised machines in any case - a browser plug in for Bitcoin trading was in use. Either way, the thief has decided to move the money about this evening...
|
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
|
|
April 21, 2015, 09:55:44 PM |
|
I am sorry to say, however the money is more likely then not gone. Whoever stole your funds is most likely going to use some kind of mixer/tumbler which will mean that you will think you are tracing the funds but in reality someone completely unrelated to the attacker/thief is using/moving the funds. In theory you could use some kind of blockchain analysis tool/software to try to figure out which mixer the funds were sent to and when, however with dealing with that small of an amount it will be difficult to determine "where" the mixer sent the funds to (e.g. what were the "exit" addresses of the mixer)
1) Not my money, just to be clear, I was brought in at the time. 2) I deal with other cases which use tumblers. They're a pain but not impossible to track money through. The real problem is even when on the other side, what can you actually do to find out who people are and even then get the money from them? It's very difficult. However, that shouldn't stop us trying (what you say is completely correct of course and my client has written the funds off, unhappily). When I refer to "your" funds, I am referring to your funds on behalf of your client (for simplistic sake). Assuming you can figure out what addresses the money was withdrawn to (and assuming they do not go through a 2nd tumbler) then you can trace the funds to hopefully what will be an exchange. You would then ask the exchange for the identity of the account owner(s) identity(es) (you would probably need to use some legal process to get them). If you do have experience in tracing money through tumblers, I believe that stunna was looking for someone that could tell him which exchange certain coins were deposited to that were stolen from his casino.
|
|
|
|
ffssixtynine (OP)
|
|
April 21, 2015, 10:06:14 PM |
|
I do but it's painfully time consuming and probability based. I would hope someone has a more automated service to calc probabilities these days, but how enforceable that would be in a legal case I wouldn't want to guess. I wish I could help more.
The above coins have yet to be tumbled, but these could be tumbler addresses. I'd be surprised if they aren't being tumbled if this were from a virus creator.
|
|
|
|
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
|
|
August 14, 2017, 10:44:08 PM |
|
Update: The money is moving as of right now.
New addresses are:
1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E 1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt
This hack may have been part of a much larger scam, hard for me to say.
OP Your funds were moved recently to these addresses. 1981pXHcPN8smS9y8U5pMQDvWNiensppX2 16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2 Keep an eye on BCH balance also.
|
|
|
|
romani245
|
|
August 14, 2017, 11:16:09 PM |
|
Update: The money is moving as of right now.
New addresses are:
1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E 1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt
This hack may have been part of a much larger scam, hard for me to say.
OP Your funds were moved recently to these addresses. 1981pXHcPN8smS9y8U5pMQDvWNiensppX2 16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2 Keep an eye on BCH balance also. Very interesting. Unfortunately, it's unlikely there will be a favorable outcome here. Even if the hacker (or someone associated with them through transactions) moves coins to an exchange where their identity is verified, it would be very difficult to definitively link anyone to the computer intrusion charges.
|
|
|
|
john2231
|
|
August 14, 2017, 11:45:33 PM |
|
Update: The money is moving as of right now.
New addresses are:
1KnbMbHiJGWMAh8f953b29AHt4F1RA4a1E 1PevTMzkXHni1njiY1sKsR7c69vRwdyqhw 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 13sACCMNr7YPHs8qdXKrTkZWdZZWXu7Tkt
This hack may have been part of a much larger scam, hard for me to say.
OP Your funds were moved recently to these addresses. 1981pXHcPN8smS9y8U5pMQDvWNiensppX2 16TXVCfNPYCNzK98AAayQxQj6uKG6X8h9W 1FbjNKrUnEtdSdHsw76CXTY6yJvTckxVKM 1MSsNboSvG29FgpZaGzJ2XvXuBTs5uTNS2 Keep an eye on BCH balance also. Very interesting. Unfortunately, it's unlikely there will be a favorable outcome here. Even if the hacker (or someone associated with them through transactions) moves coins to an exchange where their identity is verified, it would be very difficult to definitively link anyone to the computer intrusion charges. He was monitoring where the funds transfer and i think he wants to get the BCC just to get the benefits and sell it to gain more bitcoins.. As i can seen the thread is really old thread what is the purposes of keep this alive again? I don't think if its a hacker holding bitcoin but i think this is the new owner of bitcoin not a hacker or maybe a business. .
|
|
|
|
reflector
|
|
August 15, 2017, 05:56:43 AM |
|
I am sorry for your friend's loss. 450 btc is a lot of money. Why did he stored so much in a web wallet? Spend a fraction of his savings in a hardware wallet would have prevented this.
A company (merchant), not a friend, and this was Jan 2014 so pre hardware wallets. That said, the security was poor and I suspect compromised machines in any case - a browser plug in for Bitcoin trading was in use. Either way, the thief has decided to move the money about this evening... There are many scam attempts have happened by the Blockchain, coinbase even paypal too. I do not understand the bitcoin wallet without the dat file or private key. That cannot be done. Once in 2015, I just Googled the blockchain wallet and trying to login with the site to transfer 0.06 btc for one trade but amount in my wallet was hack or theft. Hence, I understood that I passed the ad link which similar to the site's URL.
|
|
|
|
|