Bitcoin Forum
Author Topic: Cryptsy account got hacked  (Read 2969 times)
CaLPaR (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 03, 2014, 02:22:09 AM
 #1

About 14 hours ago I had about 700 Cat coins and 500000 Doge coins on my Cryptsy account. I sold 0.02725061 BTC worth of DOGE and withdrew it to another address. Soon after, as expected, I received an email to verify the withdrawal.

About 30 minutes later my account got hacked. All of my Doge coins were withdrawn from my account, and all of my Cat coins were sold to BTC and then also withdrawn from my account.

All of this happened while I was using my PC, therefore it can't be a remote desktop program. Secondly, this account has two-factor authentication which requires access to my phone, which means that simply having my user name and my password would not help in this case.

The most disturbing thing here is that I did not receive a verification email for either of these 2 withdrawals. As far as I know, after every withdrawal from Cryptsy I'm supposed to get an email to verify the withdrawal, which clearly did not happen. Whoever did this managed to withdraw from my account without needing access to my email account, which indicates that there is a serious security hole in Cryptsy.

By the time I found out about this, all of the transactions were already confirmed. I opened a support ticket, but I have not received an answer yet. I just can't wrap my mind around this. How on earth did this happen? He bypassed my two-factor authentication, he did it while I was using my PC, and he did it without needing to access my email.

I'm posting this because I'm looking for ideas about how whoever did this managed to accomplish it, taking into account everything that I have just said.
Secondly, I would like to know if this is a single case, or whether more people have had experiences similar to this with Cryptsy.

CaLPaR (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 03, 2014, 01:24:32 PM
 #2

It looks like my BTC went through several addresses and ended here:
1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T

Does anyone know anything about this address? Can I find where it's from?
mattboldfield
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
February 03, 2014, 03:28:34 PM
 #3

I wish I could help you. Fuck me this is crazy. Keep us updated on whats happening man!!
subseaguru
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504

I know the voices in my head aren't real.


View Profile
February 03, 2014, 03:34:52 PM
 #4

Quote
About 14 hours ago I had about 700 Cat coins and 500000 Doge coins on my Cryptsy account. I sold 0.02725061 BTC worth of DOGE and withdrew it to another address. Soon after, as expected, I received an email to verify the withdrawal.

About 30 minutes later my account got hacked. All of my Doge coins were withdrawn from my account, and all of my Cat coins were sold to BTC and then also withdrawn from my account.

All of this happened while I was using my PC, therefore it can't be a remote desktop program. Secondly, this account has two-factor authentication which requires access to my phone, which means that simply having my user name and my password would not help in this case.

The most disturbing thing here is that I did not receive a verification email for either of these 2 withdrawals. As far as I know, after every withdrawal from Cryptsy I'm supposed to get an email to verify the withdrawal, which clearly did not happen. Whoever did this managed to withdraw from my account without needing access to my email account, which indicates that there is a serious security hole in Cryptsy.

By the time I found out about this, all of the transactions were already confirmed. I opened a support ticket, but I have not received an answer yet. I just can't wrap my mind around this. How on earth did this happen? He bypassed my two-factor authentication, he did it while I was using my PC, and he did it without needing to access my email.

I'm posting this because I'm looking for ideas about how whoever did this managed to accomplish it, taking into account everything that I have just said.
Secondly, I would like to know if this is a single case, or whether more people have had experiences similar to this with Cryptsy.


Something like this happened to me on BTC-E last year. BTC was withdrawn from my account with no email confirmation. The hacker disabled my 2FA and BTC-E didn't email me or suspend the account (any time 2FA is disabled the account is supposed to be locked for 2 weeks according to their FAQs). After I grilled them and posted on their trollbox they locked my account for another month.

Automatic
Full Member
***
Offline Offline

Activity: 238
Merit: 105


View Profile
February 03, 2014, 03:38:35 PM
 #5

Never used 'Cryptsy', but, as a software developer, I can easily see how this occurred.

Code:
He bypassed my two factor authentication

Once you login, you're asked to enter your two factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (Cookie) and then used that (Maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).

Code:
Whoever did this managed to withdraw from my account without needing to access to my email account, which indicates that there is a serious security hole in Cryptsy.

Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else, and tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?

Please ask for a signed message from my on-site Bitcoin address (Check my profile) before doing any offsite trades with me.
ButchHashidy
Member
**
Offline Offline

Activity: 76
Merit: 10


...and the BitcoinKid


View Profile
February 03, 2014, 05:41:46 PM
 #6

Something incredibly similar happened to me, only involving a lot more BTC, and I've YET to get a response from Cryptsy.  It happened not too long after their last major update.  All we want is an answer.  Give us the IP addresses involved with the transactions so we can figure out if it was a MITM attack or, as Automatic pointed out, session hijacking.  If I remember correctly, none of our systems were connected to Cryptsy, so session hijacking seems unlikely.  Could it be a site bug? Perhaps, but Cryptsy isn't answering any of our questions.  Our ticket's been open for MONTHS now with no update.  We're pretty irked.  This has happened not once but TWICE.  Since then I've increased password size and complexity, regenerated API keys and disabled the API feature completely.

Unlike your misfortune, no BTC was actually withdrawn from our account.  2 Billion CENT was sold for LTC, then our ZET was sold for BTC.  The LTC balance was sold for BTC, all ending with a very large and expensive NMC purchase.  Then finally NMC was sold for BTC for a VERY TINY fraction of the worth of the rest of the coins.  The end result is our entire balances of alt coins and btc were essentially wiped out.  No withdrawals were made at all.  So it made me wonder if this was a server side bug.  As stated before I'm fairly certain no computers were connected to cryptsy and all sessions timed out. 

I've updated the ticket on my end at least 4 times and NO response from cryptsy.  The only way we were ever even given any type of support is when we caught BitJohn on IRC.  He basically gave us the run around and said he'd look into it.  TWO months ago.  We WANT to be reimbursed, and we'd be satisfied if they'd dig through some logs and give us some HINT of an answer so we can either format the secure computers we transact with OR be completely reimbursed.  Maybe if enough people come forward in this thread with similar problems, cryptsy will start to pay attention.

As a side note, my friends that trade and I take more precautions than the average user in securing our trading PCs.  We use Deep Freeze to lock down the drive from changes and LastPass to manage our very long and complex passwords, NoScript and an ad blocker in the browser to minimize malware infections, and the PCs used to trade are ONLY used for that and nothing else.  We trade on MANY sites on these computers (including BTER, Bitstamp, BTC-e, Gox, DGEX), yet Cryptsy was the only one affected.

Jumpin' Jack Hash is a gas gas gaas
jonanon
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
February 03, 2014, 05:43:35 PM
 #7

Sorry to hear about this, one of the downfalls of BTC.

We need an exchange that will insure deposits of users, but this is very unlikely!
ButchHashidy
Member
**
Offline Offline

Activity: 76
Merit: 10


...and the BitcoinKid


View Profile
February 03, 2014, 05:53:55 PM
 #8

Quote
Sorry to hear about this, one of the downfalls of BTC.

We need an exchange that will insure deposits of users, but this is very unlikely!

I do appreciate your apologies... it's more than Cryptsy's given us haha.  We'd be happy with just some simple answers.  Give me the IP addresses involved with the transactions so I can see if it came from our homes or if it could have possibly been a MITM attack.  Were they API calls that were responsible for the transactions?  Something so simple, to let us know how to react.  And if it turns out it was their end, I'd expect them to reimburse us, no questions asked.

Jumpin' Jack Hash is a gas gas gaas
balanghai
Sr. Member
****
Offline Offline

Activity: 364
Merit: 253


View Profile
February 03, 2014, 06:04:51 PM
 #9

Keep your pc clean.
CaLPaR (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 03, 2014, 08:11:21 PM
 #10

Quote
Once you login, you're asked to enter your two factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (Cookie) and then used that (Maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).
Apparently 2FA is not as secure as I thought. That's probably what happened.

Quote
Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else, and tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?
It requires email verification for every withdrawal. I'm starting to believe that whoever did that actually managed to access my email, verify the withdrawals, and then delete all the withdrawal emails. I'm using an email address from walla.com, which turns out to be not so secure. I was just under the impression that by using 2FA my Cryptsy account is uncrackable. Well, so much for that...
ButchHashidy
Member
**
Offline Offline

Activity: 76
Merit: 10


...and the BitcoinKid


View Profile
February 03, 2014, 08:16:58 PM
 #11

Quote
Once you login, you're asked to enter your two factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (Cookie) and then used that (Maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).
Apparently 2FA is not as secure as I thought. That's probably what happened.

Quote
Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else, and tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?
It requires email verification for every withdrawal. I'm starting to believe that whoever did that actually managed to access my email, verify the withdrawals, and then delete all the withdrawal emails. I'm using an email address from walla.com, which turns out to be not so secure. I was just under the impression that by using 2FA my Cryptsy account is uncrackable. Well, so much for that...

I thought the same thing.. Almost immediately after this happened, I checked my gmail logs to see if any foreign IP had accessed my account.  None at all. 

Jumpin' Jack Hash is a gas gas gaas
CaLPaR (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 03, 2014, 08:45:43 PM
 #12

Quote
Unlike your misfortune, no BTC was actually withdrawn from our account.  2 Billion CENT was sold for LTC, then our ZET was sold for BTC.  The LTC balance was sold for BTC, all ending with a very large and expensive NMC purchase.  Then finally NMC was sold for BTC for a VERY TINY fraction of the worth of the rest of the coins.  The end result is our entire balances of alt coins and btc were essentially wiped out.  No withdrawals were made at all.
Wow, that's a pretty unusual way to steal one's coins. That's the only way I can think of right now that would actually enable someone to deplete an account's balance without needing to access its email address, which shows that having a secure email address won't always save you.
I think it's a shame that there is no option to require 2FA for every withdrawal and every trade that I make.
Automatic
Full Member
***
Offline Offline

Activity: 238
Merit: 105


View Profile
February 03, 2014, 10:29:07 PM
 #13

Quote
Once you login, you're asked to enter your two factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (Cookie) and then used that (Maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).
Apparently 2FA is not as secure as I thought. That's probably what happened.

Quote
Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else, and tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?
It requires email verification for every withdrawal. I'm starting to believe that whoever did that actually managed to access my email, verify the withdrawals, and then delete all the withdrawal emails. I'm using an email address from walla.com, which turns out to be not so secure. I was just under the impression that by using 2FA my Cryptsy account is uncrackable. Well, so much for that...

Quote
I thought the same thing.. Almost immediately after this happened, I checked my gmail logs to see if any foreign IP had accessed my account.  None at all.

Then refer back to my relaying; it'd be super simple to do. I'm pretty sure I could bring up some example code for you in a minute, simple as:

1. Zombie computer (I.E. you, infected), connects to owner, 1.1.1.1:8493.
2. Zombie computer (I.E. you, infected), also connects to gmail.com:443.
3. Zombie computer (I.E. you, infected) then forwards all incoming traffic from gmail to the owner (1.1.1.1).
4. Zombie computer (I.E. you, infected) then forwards all incoming traffic from the owner (1.1.1.1) to gmail.

No foreign IP addresses, as everything is routed through you. In fact, this is probably one of the most common tools in a botnet program, not only for this, but to be able to then execute not-so-legal things from someone who isn't linked to you.

Please ask for a signed message from my on-site Bitcoin address (Check my profile) before doing any offsite trades with me.
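Automatic's two points above (post #5: a session cookie stolen after the login-time 2FA check works until the session expires; post #13: traffic relayed through the victim's machine defeats any IP check the site might apply) can be shown against a small model of an exchange's session logic. The following is an added example written for this thread, not code from Cryptsy or from any poster. The `Exchange` class, the user name, password, IP addresses and the TOTP secret are all constructed for the demonstration; the TOTP arithmetic follows RFC 4226/6238 as implemented here from scratch. It contrasts the design the OP describes (2FA only at login) with the per-withdrawal step-up the OP asks for in post #12, and shows that a stolen cookie plus a relayed IP succeeds against the first and fails against the second.

```python
import hmac
import hashlib
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(now / STEP)."""
    return hotp(secret, now // STEP, digits)


class Exchange:
    """Hypothetical exchange back end. step_up=False models 2FA at login only;
    step_up=True additionally demands a fresh, unused TOTP code for every withdrawal."""

    def __init__(self, step_up: bool):
        self.step_up = step_up
        self.users = {}     # username -> {"password", "secret", "last_counter"}
        self.sessions = {}  # session token (the cookie) -> {"user", "ip"}

    def register(self, user: str, password: str, secret: bytes) -> None:
        self.users[user] = {"password": password, "secret": secret, "last_counter": -1}

    def _check_totp(self, user: str, code: str, now: int) -> bool:
        rec = self.users[user]
        counter = now // STEP
        # Each time step's code is accepted once, so a code seen by an attacker cannot be replayed.
        if counter <= rec["last_counter"]:
            return False
        if not hmac.compare_digest(code, totp(rec["secret"], now)):
            return False
        rec["last_counter"] = counter
        return True

    def login(self, user: str, password: str, code: str, ip: str, now: int):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(password, rec["password"]):
            return None
        if not self._check_totp(user, code, now):
            return None
        token = secrets.token_hex(16)          # the session cookie malware would steal
        self.sessions[token] = {"user": user, "ip": ip}
        return token

    def withdraw(self, token: str, ip: str, now: int, code: str = None) -> bool:
        sess = self.sessions.get(token)
        # IP binding: only helps if the attacker cannot present the victim's IP.
        if sess is None or sess["ip"] != ip:
            return False
        if self.step_up and (code is None or not self._check_totp(sess["user"], code, now)):
            return False
        return True


def simulate(step_up: bool) -> dict:
    """Run the victim's flow and three attacker attempts; returns which withdrawals went through."""
    secret = b"12345678901234567890"   # constructed demo secret (the RFC 6238 test vector secret)
    ex = Exchange(step_up)
    ex.register("victim", "correct-horse", secret)
    victim_ip, attacker_ip = "203.0.113.5", "198.51.100.9"   # constructed documentation addresses
    t0 = 1_000_000
    token = ex.login("victim", "correct-horse", totp(secret, t0), victim_ip, t0)
    victim_code = totp(secret, t0 + 60)
    return {
        # the legitimate owner, phone in hand, withdraws one minute after login
        "victim": ex.withdraw(token, victim_ip, t0 + 60, victim_code),
        # attacker replays the code the victim just used (e.g. captured by the same malware)
        "replayed_code": ex.withdraw(token, victim_ip, t0 + 70, victim_code),
        # attacker uses the stolen cookie directly from their own address
        "stolen_cookie_other_ip": ex.withdraw(token, attacker_ip, t0 + 120),
        # attacker relays through the victim's machine, so the request carries the victim's IP
        "stolen_cookie_relayed": ex.withdraw(token, victim_ip, t0 + 120),
    }


if __name__ == "__main__":
    print("2FA at login only:", simulate(step_up=False))
    print("step-up per withdrawal:", simulate(step_up=True))
```

With `step_up=False` the relayed, cookie-only withdrawal succeeds, which is the scenario Automatic describes; with `step_up=True` it fails because the request carries no code generated from the phone, and a captured code is rejected once its time step has been consumed. The IP check alone distinguishes nothing once the traffic is relayed, which is why "no foreign IP in the logs" does not rule out compromise.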
btctalk
Full Member
***
Offline Offline

Activity: 137
Merit: 112



View Profile WWW
February 07, 2014, 09:14:51 AM
 #14

Whatever the story is, there is something really sketchy about this bitcoin address:

https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T

Persian Blockchain Podcast: https://shiryakhat.net
Super Bitcoiner Club http://superbitcoiner.com
Persian Blockchain Community - http://coiniran.com - http://fb.com/IranBitcoin
subseaguru
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504

I know the voices in my head aren't real.


View Profile
February 07, 2014, 01:09:27 PM
 #15

Quote
Whatever the story is, there is something really sketchy about this bitcoin address:

https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T
Yes, that account has a lot of deposits in a short time period.

KWH
Legendary
*
Offline Offline

Activity: 1904
Merit: 1045

In Collateral I Trust.


View Profile
February 07, 2014, 01:18:52 PM
 #16

I've used Cryptsy and actually been annoyed at how fast the sessions time out as in a few minutes or even in mid trade. Anyone else?

When the subject of buying BTC with Paypal comes up, I often remember this: 

Insanity: doing the same thing over and over again and expecting different results.

Albert Einstein
PolybiusSquare
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
February 08, 2014, 08:05:18 PM
 #17

Any updates on this?
CaLPaR (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 13, 2014, 01:44:19 AM
 #18

Quote
Any updates on this?
So far it looks like the guys at Cryptsy don't have any intention of responding to my support ticket.
As for the address I mentioned before, it seems to belong to MtGox, which isn't very helpful.

I've included the original transactions of the withdrawals from my account in case anyone is interested:

BTC transaction: 6bcb605dad4c252958c9e33d67fe7e3f91739db0fc126fc01a0ca528404066fa
DOGE transaction: cda9f2e70c6c898ddb21447324563299e2e07099ab0b8aa21c9af16e8c573f43

mattboldfield
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
February 13, 2014, 02:46:05 AM
 #19

Fkn bullshit man!! Fkn losers, y can't they even fkn reply to this poor cunt?
I hate hearing shit like this, this whole game is run by fucking cock sucking scammers, Probably Chinese filth!!!
Fuck it all man, jibbing fucking cunt system overload!...
Anyone with half a brain could run this shit better than these horse porno stars!
MsCollec
Legendary
*
Offline Offline

Activity: 1400
Merit: 1000


View Profile
February 13, 2014, 03:24:14 AM
 #20

I hate to read about stories like this, it sucks
BitPappa
Sr. Member
****
Offline Offline

Activity: 431
Merit: 261



View Profile WWW
April 07, 2014, 03:04:56 AM
 #21

I had Bitcoin that ended up at this nefarious 277K BTC address (1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T), taken from a 2FA Blockchain.info account in January. Strangely, it didn't take everything, just a nice round number which was the majority.

Regarding the theory of someone hijacking a session, I guess the only way that would be possible is if malware were on my computer? And if malware with that capability were on my machine, why wouldn't it have stolen more (either that first time, or when I've logged in subsequently over the past 3 months)?

zoran
Member
**
Offline Offline

Activity: 82
Merit: 10


View Profile
June 28, 2014, 08:14:09 AM
 #22

One of the outgoing transactions was from this IP:

http://www.ipaddress-finder.com/?ip=70.189.65.145

Guess FBI got a job to do right now, there is some billion taxes to collect )))

PS: here is another wallet, almost the same pattern... https://blockchain.info/ru/address/1N2f642sbgCMbNtXFajz9XDACDFnFzdXzV