Author Topic: Got hacked (?), 7ish btc lost!?  (Read 4096 times)
GreenBits (OP)
January 26, 2014, 09:46:46 AM
#1

This is also posted in Service Discussion in case a mod wants to hit me. My bad.

I am at a loss.

I walk back to the chat window of bit-mining.co to notice an amazing market crash/rebound. Excited, I check my buy orders (placed at a premium spot). Refresh the page. 0 BTC and zero GHs. Refresh the page again. I'm logged out of my account with a changed pass.

Odd.
After contacting the operator via PM and email, I'm informed that I've had an unusual number of password reset attempts and I'd need a manual password reset, which was provided.
So I'm in my account, not liking what I see:

Zero balances.
It seems someone compromised the account, then proceeded to purchase GHs at an unusually high price. Then, having purchased as much GHs as they could with my balance, they proceeded to sell all the rest of the GHs back to the market, closing my 7 BTC position at 0.00000956 BTC. They purchased GHs at 0.05 per (when the market rate was 0.015 all day; it crashed earlier) and attempted to sell 999.99999999 (I only had ~250, which filled orders down to 0.001).

You see, you can only withdraw to one single address, supplied at account creation. I thought this would be a foolproof security feature; I didn't expect my account to be griefed. What's odd is that, according to the operator, they attempted to put a BTC address in the withdrawal field, as if they weren't familiar with the service. So I guess once they figured out they couldn't withdraw the BTC (yet they were competent enough to utilize the order books on Havelock/CEX), they decided to be a dick.

Don't know why they purchased, then sold. Seems a thief would just sell and go. They would have been thwarted by the security feature, but this speculative thief is interesting.


And that's not all.
They got into my Havelock account, sold my 330 NeoBee shares, and withdrew that bitcoin to a green address.

They also logged into my BTC-e; nothing there to take. They also got into my CEX account, sold my namecoins and I guess figured it wasn't worth it.

So, these three services all share the same password and username. I know, I'm dumb. Whatever. We are past that at this point, don't lecture me. What I can't figure out is how they got into my cex.io account (same pass, different username). Although I just realized that my username is in my ref link. That solves that.

They accessed BTC-e around 9:25 EST from IP: 50.136.152.85

Got into Havelock:

2014-01-25 21:07:32   withdraw   withdraw to: 1BzbergrjuUShb927P3vUbtQZW1firSsjC      ฿1.07008294   ฿0.0010

And got into my bit-mining.co account; no timestamps, because there is no transaction history save an internal one support sent showing the odd account activity I had.

CEX:
2014-01-26 02:26:56    0.00221686 BTC    0.00221686 BTC    SELL    Sold 0.3172 NMC at 0.00698785 BTC

Details:
I haven't installed any software. This computer is old and only used for trading.

I have fully updated antivirus with automatic scanning.

I haven't opened any email attachments/emails, period. Nor opened any programs save Chrome.

I rebooted the computer once yesterday (I reboot about once a week).

My Gmail has 2FA, and I have possession of the device (had disabled 2FA on BTC-e and Havelock; kicks own ass).

Didn't update any software, and the only pages I have visited today are this forum, Havelock, cex.io, lmb-holdings and bitcoinmiami, using Chrome. Google details said I'm the only IP that has accessed my account.

bit-mining.co said:
Hello ljackson, we have identified the individual on the other side of the order at 0.027. We are trying to determine if it's related; if it isn't, we shouldn't be giving you their email.

As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.

I never received any email for a password reset though. It's not in the trash. Also, it doesn't seem that anyone but myself has logged into my Gmail for some days; only a single IP (mine) in the activity log. Again, I've done no unusual activities in the last few days. I've even done less browsing than average, had been parked at the bit-mining chatroom waiting for trading to be enabled, was locked for two days waiting for bitcoind to sync so I could withdraw.


So, what the fuck happened?

All these services had a common password. Three had the same username (bit-mining, BTC-e, Havelock); one had a username that could be determined from public information about me (cex.io, my signature).

No other service I've utilized on this computer (MtGox, Bitstamp, LBC) was compromised. They all have different passwords. I don't think I was keylogged. And I've utilized these services extensively, with tabs open, for months with no problems. Secure wifi, I think (corporate housing, the wifi has a password, I know most if not all of the neighbors in the entire building personally, none with the technical expertise for this).
bitbitz
January 26, 2014, 09:49:09 AM
#2

Damn, that sucks, hope all will be alright.
GreenBits (OP)
January 26, 2014, 10:04:36 AM
Last edit: January 28, 2014, 07:03:33 AM by GreenBits
#3

I'm starting to think my email wasn't compromised at all.
Sonny
January 26, 2014, 10:08:59 AM
#4

I'm starting to think my email/computer wasn't compromised at all.

Sorry to hear your loss.
Do you have any clue now?
HairyMaclairy
January 26, 2014, 10:18:49 AM
#5

Email for reset could have been trashed then permanently deleted.
GreenBits (OP)
January 26, 2014, 10:24:28 AM
Last edit: January 28, 2014, 07:04:44 AM by GreenBits
#6

My Gmail was never compromised, and the password reset of the bit-mining account occurred after they had gained access to the account.

I was told the IP address appears to be that of a mobile phone. I can't even open bit-mining on my Android device since the site changes.
Trade log (provided by admin):
Canceling 1617 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 20.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 20.00000000
 Canceling 1701 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1703 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1704 for ljackson0214@gmail.com
 Crediting ljackson0214@gmail.com with 10.00000000 GHs
 Sell order canceled for ljackson0214@gmail.com, refunded 10.00000000
 Canceling 1792 for ljackson0214@gmail.com
 Buy order canceled for ljackson0214@gmail.com, refunded 1.1800059.

Withdrawing 0 BTC for ljackson0214@gmail.com
Can't withdraw 0 BTC for ljackson0214@gmail.com

Withdrawing 0 BTC for ljackson0214@gmail.com
Can't withdraw 0 BTC for ljackson0214@gmail.com

Selling ljackson0214@gmail.com 1.50000000 GHs at 0.0270001

Buying ljackson0214@gmail.com 52.08 GHs at 0.0500000
ljackson0214@gmail.com did not have 2.06 BTC to sell
Buying ljackson0214@gmail.com 32.1974668 GHs at 0.0500000

Selling ljackson0214@gmail.com 999.99999999 GHs at 0.0000003
ljackson0214@gmail.com did not have 999.99999999 GHs to sell

 Selling ljackson0214@gmail.com 32.1974668 GHs at 0.0000003


What motive would someone have to do this? And how did they get my password? I'm the only person with physical access to this computer. The pass was not bruted. 2FA on Gmail, no suspicious logins according to Google.

Support at bit-mining suggested this:

Hello Ljackson,

I am not aware how your email was accessed, and neither are you, so this is why I specifically recommend CHANGING it as soon and as fast as possible. Here are some ways in which hackers commonly bypass google auth:

(1) Cookie stealing: Once a device is logged in, no google auth is used, even if the device's location changes. If the google login cookie was stolen from your computer, it would look to google like your computer changed location, and thus not prompt for google auth.

(2) Device Passwords: Devices accessing your google account (such as phones, etc...) do not prompt for a google auth, but instead use a special device-unique login code. If that login code was stolen, then google wouldn't prompt for google auth.

(3) Trojans: If your account was logged onto gmail, and your computer had a trojan, the trojan can cause your own computer to execute commands on gmail in the background, without your being aware of it.

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.


Also:

It looks to me increasingly unlikely that the original hacked account was Bit-Mining.

First: How would the username "mcnastyfilth" be obtained from your Bit-Mining account, so they would know to log into Cex with that username?

Second: The server time for the first trade on Bit-Mining was 2014-01-25 22:24:49. The server time for the BTC-E login was 26.01.14 06:25. Now, even taking into account the difference in server times (BTC-E and bit-mining don't operate in the same time zone), by subtracting off the current server time at each, the BTC-E login occurred prior to the compromising of your Bit-Mining account. The same goes for the cex.io login, as far as I can see.

Third: The user attempted to withdraw BTC from your bit-mining account by entering in the address 1BzbergrjuUShb927P3vUbtQZW1firSsjC at the amount prompt. This indicates that he wasn't familiar with the Bit-Mining system, and didn't know that you couldn't withdraw the BTC to a different BTC address.

If I were you, I would attempt to contact the BTC-E administrators (they seem to be the account that was accessed first). I will continue the investigation at Bit-Mining, however, just in case.
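The support reply above compares login and trade times recorded by four services that each run on their own clock, and describes the method: read each server's current time against a reference, subtract the offset, then order the events. The script below is an added example (not code from the thread, bit-mining, or any of the exchanges) that does exactly that with the timestamps quoted in this thread. The per-service offsets in it are assumptions chosen only to illustrate the method; the thread never states what time zone any of the services runs in, so an analyst would replace them with offsets measured with `measured_offset_hours`.

```python
"""Cross-service incident timeline (added example; not code from the thread
or from any of the exchanges discussed).

Method from the bit-mining support reply: read each server's displayed
clock against UTC, record the offset, subtract it from every event stamp
taken from that server, then sort.  The stamps below are the ones quoted
in the thread; the offsets are ASSUMED placeholders, because the thread
never says what clock each service runs on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Timestamp layouts that appear in the thread (ISO-like and dd.mm.yy).
FORMATS = ("%Y-%m-%d %H:%M:%S", "%d.%m.%y %H:%M")


def parse_local(text: str) -> datetime:
    """Parse a server-local timestamp in any known layout; returns a naive datetime."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def measured_offset_hours(server_now: str, utc_now: str) -> float:
    """Offset (hours) of a server's displayed clock from UTC: the quantity support
    described subtracting off.  Both readings use the layouts above.  Rounded to
    quarter hours, since zone offsets are multiples of 15 minutes and the two
    readings are never taken in the same second."""
    delta = parse_local(server_now) - parse_local(utc_now)
    return round(delta.total_seconds() / 900) * 0.25


@dataclass(frozen=True)
class Event:
    source: str
    local_stamp: str      # exactly as the service displayed it
    offset_hours: float   # server clock minus UTC (measured, or assumed here)
    note: str

    def utc(self) -> datetime:
        """Re-express the local stamp in UTC using this source's offset."""
        tz = timezone(timedelta(hours=self.offset_hours))
        return parse_local(self.local_stamp).replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline(events: List[Event]) -> List[Event]:
    """Events in UTC order, earliest first."""
    return sorted(events, key=lambda e: e.utc())


# Stamps quoted in the thread.  The offsets are ASSUMPTIONS used only to
# show the method; measure real ones with measured_offset_hours().
EVENTS = [
    Event("bit-mining", "2014-01-25 22:24:49", -5.0, "first trade on the compromised account"),
    Event("havelock",   "2014-01-25 21:07:32", -5.0, "withdrawal of 1.07008294 BTC"),
    Event("cex.io",     "2014-01-26 02:26:56",  0.0, "sale of 0.3172 NMC"),
    Event("btc-e",      "26.01.14 06:25",       4.0, "login from 50.136.152.85"),
]


def report(events: List[Event]) -> str:
    """Human-readable timeline with the gap from the previous event."""
    lines = []
    previous = None
    for e in build_timeline(events):
        gap = "" if previous is None else f"  (+{(e.utc() - previous).total_seconds():.0f}s)"
        lines.append(f"{e.utc():%Y-%m-%d %H:%M:%S}Z  {e.source:<11} {e.note}{gap}")
        previous = e.utc()
    return "\n".join(lines)


if __name__ == "__main__":
    # A server showing 06:25 on 26.01.14 while a UTC clock reads 02:25 is 4h ahead.
    print("measured offset:", measured_offset_hours("26.01.14 06:25", "2014-01-26 02:25:00"))
    print(report(EVENTS))
```

With the assumed offsets the ordering comes out Havelock, BTC-e, cex.io, bit-mining, which is the sequence the OP reconstructs in post #15; with different measured offsets the same code may order them differently, which is the whole reason to measure rather than guess.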

GreenBits (OP)
January 26, 2014, 10:26:49 AM
#7

Email for reset could have been trashed then permanently deleted.
True, but wouldn't the remote login show up in the Google details tab? It indicates I'm the only one who has accessed my Gmail. If they had, wouldn't a unique, distant IP show up on this list?

Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    5:25 am (0 minutes ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    4:20 am (1 hour ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    3:37 am (1.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:49 am (2.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:06 am (3 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (23 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
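The pasted "last account activity" list above is exactly the kind of artifact a defender triages first: every entry should come from a network you recognise. The script below is an added example (not code from the thread) that parses lines in the layout the OP pasted, lists the distinct IPs, and flags any entry whose IP is not on an allowlist you supply. The ten original lines are reproduced as the sample; the final line, from a documentation address (203.0.113.7), is constructed so that the flagging path is exercised. As the support reply in post #6 points out, a session started with a stolen cookie shows up here as an ordinary entry from another location, so the check is only as good as the allowlist you compare against.

```python
"""Audit a pasted Gmail 'last account activity' list for unfamiliar IPs.

Added example, not from the thread.  The line layout follows the OP's
paste; the last sample line (203.0.113.7, a documentation address) is
CONSTRUCTED so the flagged path is exercised.
"""
import re
from typing import Iterable, List, NamedTuple, Set

# 'Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    5:25 am (0 minutes ago)'
LINE_RE = re.compile(
    r"^(?P<access>.+?)\s+Show details\s+\*?\s*"                        # access type + widget label
    r"(?P<location>.+?)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+"     # location, then the IPv4
    r"(?P<when>.+?)\s*$"                                               # relative time text
)


class Activity(NamedTuple):
    access: str
    location: str
    ip: str
    when: str


def parse_activity(lines: Iterable[str]) -> List[Activity]:
    """Parse every non-empty line; an unparsable line is an error, not silently skipped."""
    out: List[Activity] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed activity line: {line!r}")
        out.append(Activity(**m.groupdict()))
    return out


def unique_ips(lines: Iterable[str]) -> Set[str]:
    """Distinct source IPs in the list."""
    return {a.ip for a in parse_activity(lines)}


def audit(lines: Iterable[str], known_ips: Set[str]) -> List[Activity]:
    """Entries whose IP is not one you recognise as your own."""
    return [a for a in parse_activity(lines) if a.ip not in known_ips]


# Sample input: the OP's ten lines plus one CONSTRUCTED foreign entry.
SAMPLE = """
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    5:25 am (0 minutes ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    4:20 am (1 hour ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    3:37 am (1.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:49 am (2.5 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    2:06 am (3 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (23 hours ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 25 (1 day ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
Browser (Chrome) Show details   * United States (SC) (24.31.11.165)    Jan 24 (2 days ago)
Browser (Chrome) Show details   * Germany (203.0.113.7)    Jan 24 (2 days ago)
""".splitlines()


if __name__ == "__main__":
    my_ips = {"24.31.11.165"}   # the OP's own address, per the paste
    print("distinct IPs:", sorted(unique_ips(SAMPLE)))
    for entry in audit(SAMPLE, my_ips):
        print(f"FLAG: {entry.ip} ({entry.location}) via {entry.access} at {entry.when}")
```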
GreenBits (OP)
January 26, 2014, 10:41:15 AM
#8

And I haven't accessed BTC-e ever from a mobile device, and not within the last 6 months on a terminal. I never verified with them. Odd that the first service to be compromised is the one I use the least.
U1TRA_L0RD
January 26, 2014, 12:37:18 PM
#9

There is no getting them back if the hacker used a proxy to hide their tracks.
vitalemontea
January 26, 2014, 12:45:23 PM
#10

They can access your email through your PC when it is idle, or use your computer as a proxy to avoid Gmail verification and shit.
Meuh6879
January 26, 2014, 12:48:20 PM
#11

Quote
so, what the fuck happened?

Well, shit happens.

BTW, you must always transfer bitcoin to local Bitcoin-QT software to secure your money.
Hacked platforms are like "rain in California"...
empoweoqwj
January 26, 2014, 01:24:28 PM
#12

Never keep a significant amount of bitcoins online; that's what offline wallets were designed for.
meelvanchris
January 26, 2014, 01:32:06 PM
#13

Not to make you paranoid, just maybe something to think about.
Reading from what you've said about password resets, it could be fairly easy to do so via your email. Then, like stated already, someone could delete those files permanently from the trash so they wouldn't show up there.
I still think it's somewhere in email compromise.
Either someone hacked into your PC and remotely guided it to your mail etc. (maybe with "remember me"s, passwords embedded into your browser?)
(Or, small chance, and I'm hoping for your sake it really wasn't that, someone could have personally been sitting behind your PC while you were away...)

Anyway... sorry for your loss.

EvilPanda
January 26, 2014, 02:45:20 PM
#14

The biggest mistake was having the same passwords. You also say one of them could be determined from public info. Did you log into Gox or any other sites that were not hacked lately? From the password guessing and the fact that the other passes were not found, I would exclude a keylogger. Either someone hacked your PC, e.g. through the remote desktop feature, or tapped into your wireless if you have one. There is also a small chance they just obtained some info about you and decided to guess your password based on that.

Interesting how they could bring your balance to 0. A typical exchange doesn't allow you to place an ask order below the minimum bid - if you do that it will go for the minimal price anyway.

GreenBits (OP)
January 26, 2014, 06:44:09 PM
Last edit: January 28, 2014, 07:05:39 AM by GreenBits
#15

Question to those of you who suspect my email was compromised...

Why would the thief delete a password reset email (supposedly to cover his tracks) and leave 3 trade notifications from Havelock and a login-successful email from BTC-e?

So, this guy accesses my Havelock account, sells my stuff and withdraws 1.07 BTC (doesn't reset password) (account 6 months old),
goes to BTC-e, nothing there, moves on (doesn't reset password) (account old as time, unused for months),
goes to cex.io, sells namecoins, doesn't withdraw anything though (no password reset) (account 6 months old),
and then goes to bit-mining.co, spends the account balance buying assets, then sells the assets off at the absolute lowest price (password reset) (2 week old account).

From the admin of bit-mining:
As for access to the account, it appears as if it was done by resetting your password. There were multiple attempts made shortly before the trades were executed. Also, I would recommend changing your password on ALL other accounts, especially your email, bitcoin-related accounts, and any other accounts you recently accessed using the computer you last used to log onto bit-mining. Also, try to log off any other individuals accessing your gmail account (click details in the bottom right hand corner of any gmail page), because that is where the password reset emails went.

Also from bit-mining:

I'm not saying that necessarily gmail was the cause of your issue, but given what I know, it seems likely. The only other reasoning for why your account password could be reset so many times is if the hacker accessed your account, conducted the trades, then, unaware of how to change your password, simply reset it many times to the point where our system stops sending emails.

So, was my password reset, then Gmail used to access my account? Or was my account accessed, then my password reset? Because the reset occurred supposedly before the theft. Which is odd; why reset a password you already had? To break into email to re-steal it? Also, if you have stolen credentials, why reset them?

So... no deletion of any other emails that showed the account intrusion.
The thief also didn't withdraw from the service that would need email verification to do so (cex.io).


Seems to indicate my email wasn't compromised.

I can't store GHs/stocks in an offline wallet, hence being on the exchanges I use.
the_poet
January 26, 2014, 06:52:16 PM
#16

90BTC stolen in the other thread, now another theft?

This is getting scary...

GreenBits (OP)
January 26, 2014, 07:01:02 PM
#17

And yes, I should have used different passes. I used to utilize 2FA on both Havelock and BTC-e, so it was never an issue for me until I disabled it sometime later (stopped trading on those exchanges for a while).

This thief is a study in contrast: tech savvy enough to compromise 2FA Gmail, intercept a password reset email, and delete it permanently,

while ignoring 4 other emails that show clear, unauthorized access to my accounts.

It seems obvious that the fact my cex.io balance wasn't withdrawn means my email wasn't compromised. Withdrawing from cex.io requires email confirmation. My username/password was compromised out in the wild.

U1TRA_L0RD
January 26, 2014, 07:02:41 PM
#18

90BTC stolen in the other thread, now another theft?

This is getting scary...
Damn right it is. I'm getting my wallet and storing it on a USB drive. These hackers will bring down bitcoin and then there won't be bitcoin. They are stupid fucks who have no brains.
GreenBits (OP)
January 26, 2014, 07:12:10 PM
Last edit: January 28, 2014, 07:06:20 AM by GreenBits
#19

No other service I use has been compromised, including non-BTC accounts. Only services with that common password.
EFFV
January 26, 2014, 07:21:50 PM
Last edit: April 29, 2014, 07:57:26 PM by EFFV
#20

I had a very similar experience with btc-e, I lost about 180 ltc, and 1.7 btc, they didn't get my other coins though.

My 2fa was not compromised yet they removed all my funds.

This was directly after I contacted btc-e support.

I believe to this day btc-e is not a trustworthy company.

