Bitcoin Forum
Author Topic: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected  (Read 14919 times)
gabridome (OP)
March 04, 2014, 05:54:10 PM
Last edit: August 21, 2015, 04:22:51 AM by gabridome
 #1

I went on vacation on the 21st. On the 23rd I logged in to Bitstamp because I thought one week of storage of bitcoin on an exchange was too much.

My balance was zero $ and zero bitcoins. From the history I saw someone (not me) made these astonishing things:

* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
* 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:09:33   161.53.74.122   Changed user password
* 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
* 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:24:24   141.212.108.13   Changed user password

Has someone an idea of how a hacker could do this?

What do you suggest to do (Yes I know in the future I won't keep any money on exchanges)?

I wrote to Bitstamp support 5 days ago. Yet no answers.

Update: Bitstamp replied: nothing strange on their part. The email they sent with the confirmation request for the withdrawal was the usual one.

If you don't want to read everything, what I can understand is that these things can happen!!!!
My device(s) surely have some very good malware. I think it is the phone but it could be the two Macs.

I'm sorry to repeat one thing everyone has read but not everybody follows strictly:
Consider everything you don't keep in cold storage lost or strongly at risk. Your computer and/or your phone is not safe (as long as it has been connected to the Internet). Never leave money on the exchanges.

EDIT: Funds have moved:
http://btc.blockr.io/address/info/1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
http://btc.blockr.io/tx/info/6ecebb49996c404739609152fe9c9ac2ea28dcc5a39aa327010fd6c89900bcd8
http://btc.blockr.io/tx/info/64a2756280c68615ec10fdd82a90ad014bb93b87e30bb2546cb4a1e8a16de648
http://btc.blockr.io/tx/info/6be0bac51251b0be01c97700b42c9c726608897826c5a53a8ff2bd3c0d441014

The last address in which my funds were clean was http://btc.blockr.io/address/info/3LkSW3SW9KuebH2t1FcqrTpKPnN8JRbYYh
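The activity log quoted in the post, run through a small detection pass. This is an added example, not code from the post or from Bitstamp: it parses the pasted lines and flags the three patterns the thread keeps coming back to (email confirmation clicked within seconds of the mail going out, password changed from an IP other than the login IP, and several source IPs inside one short session). The thresholds are assumptions chosen for illustration.

```python
# Added example (not from the post or from Bitstamp): parse the activity log
# quoted above and flag the patterns a defender would alert on. The log lines
# are copied from the post; the thresholds are assumptions for illustration.
from datetime import datetime, timedelta

LOG = """\
2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
2014-02-22 20:09:33   161.53.74.122   Changed user password
2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
2014-02-22 20:24:24   141.212.108.13   Changed user password
"""

def parse(log):
    """Return (timestamp, ip, message) tuples, one per log line."""
    events = []
    for line in log.splitlines():
        day, clock, ip, msg = line.split(None, 3)
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), ip, msg))
    return events

def analyze(events, fast_confirm=timedelta(seconds=120), window=timedelta(hours=1)):
    """Return alert strings for suspicious sequences within one session."""
    alerts, login_ip, sent_at = [], None, None
    for ts, ip, msg in events:
        if msg.startswith("Logged in"):
            login_ip = ip
        elif msg.endswith("email was sent to user"):
            sent_at = ts  # the withdrawal confirmation mail went out
        elif msg.endswith("email confirmed by user") and sent_at is not None:
            # A click within seconds suggests whoever withdrew also reads the mailbox
            delay = int((ts - sent_at).total_seconds())
            if ts - sent_at <= fast_confirm:
                alerts.append(f"fast-confirm {delay}s {ip}")
            sent_at = None
        elif msg == "Changed user password" and ip != login_ip:
            # Lockout pattern the thread discusses: password changed from a new IP
            alerts.append(f"password-change {ip} (login ip {login_ip})")
    first = events[0][0]
    ips = {ip for ts, ip, _ in events if ts - first <= window}
    if len(ips) > 1:  # one session, several source addresses
        alerts.append(f"ip-churn {len(ips)} addresses within {window}")
    return alerts
```

On the pasted log this yields five alerts: both withdrawals were confirmed within two minutes of the mail being sent, both password changes came from IPs other than the 2FA login IP, and four distinct addresses acted on the account in under half an hour.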
g27wr
March 04, 2014, 05:59:33 PM
 #2

Man, sorry to hear that! I don't understand how they could have bypassed google authenticator without having your phone...unless it was an inside job.

roslinpl
March 04, 2014, 06:01:28 PM
 #3

Hmm..  maybe some keylogger installed with some app?
bitvestor
March 04, 2014, 06:01:39 PM
 #4

Well, either an inside job, or you just had only Google email confirmation protected and forgot to enable the 2FA. No one can get to your phone, or maybe a close friend looked around not too far..
uhoh
March 04, 2014, 06:02:39 PM
 #5

Is your phone rooted?

Whoever took it also has access to your email.
gabridome (OP)
March 04, 2014, 06:06:09 PM
 #6

Quote from: uhoh
Is your phone rooted?

Whoever took it also has access to your email.

No, my phone is not rooted and is always with me.
wallydz
March 04, 2014, 06:06:22 PM
 #7

Looks like an auto transfer script (ATS). It's used when you are infected: when you are logged in, it transfers money directly to some address.
I am really sorry for your loss.


EDIT: if you had your wallet on the computer, you will have made the job easier I guess.


I say your comp is infected.
AnonyMint
March 04, 2014, 06:07:37 PM
 #8

The NSA, GCHQ, etc may have their hackers working overtime to push Bitcoin towards regulation.

Seems like a large increase in hacking recently.

gabridome (OP)
March 04, 2014, 06:10:27 PM
 #9

Quote from: roslinpl
Hmm..  maybe some keylogger installed with some app?

This is possible but I cannot explain the 2FA bypass.
EvilPanda
March 04, 2014, 06:13:41 PM
 #10

I know it's kind of irrelevant, but I always wonder why the exchanges allow you to choose the BTC address when withdrawing funds. Why not ask the user to submit 3 BTC addresses that may be used for withdrawals and never allow these to be changed? Bind them to the account and just allow the user to choose which one should be currently used. This way thieves would be completely cut off. They already can't withdraw fiat, so they buy BTC with their victim's money and send those to themselves.

gabridome (OP)
March 04, 2014, 06:13:55 PM
 #11

Quote from: wallydz
Looks like an auto transfer script (ATS). It's used when you are infected: when you are logged in, it transfers money directly to some address.
I am really sorry for your loss.


EDIT: if you had your wallet on the computer, you will have made the job easier I guess.


I say your comp is infected.

I was on vacation so I wasn't logged in. I left my house in the early afternoon. Nobody was at home and the hacking was at around 8:00 PM.

Moreover there is the email confirmation. It's really incredible.

BTW probably my Mac is infected.
gabridome (OP)
March 04, 2014, 06:17:19 PM
 #12

Quote from: bitvestor
Well, either an inside job, or you just had only Google email confirmation protected and forgot to enable the 2FA. No one can get to your phone, or maybe a close friend looked around not too far..

My wife hates bitcoin. My phone is always with me. My children are too young.
The only thing I have thought was that it was actually me that withdrew from my account and then forgot about it, but it is impossible because I don't have any clue about the destination address.
HorseCoin
March 04, 2014, 06:18:47 PM
 #13

maybe they were planning on buying that 24 BTC delorean

http://bitcoinmotor.com/
gabridome (OP)
March 04, 2014, 06:19:34 PM
 #14

One of the many things I cannot explain myself is why he has changed my password and changed it back.
Dragonkiller
March 04, 2014, 06:24:39 PM
 #15

Quote from: gabridome
One of the many things I cannot explain myself is why he has changed my password and changed it back.

So you can't log in until he has totally cleared your account (the remaining $36.30).

edit: if you had 2FA enabled, I would suspect people that may have had physical access to your phone.
TheFootMan
March 04, 2014, 06:30:51 PM
 #16

If an attacker has root access to bitstamp, he can bypass 2FA easily and alter the event log any which way he'd like.

Now, seeing that MtGox loss of coins might be (in my view) a black op or the work of a highly sophisticated private group, it is not unthinkable they will pull the same kind of shenanigans with other exchanges. It was claimed that hackers had control of MtGox servers for a long time (claimed by the one who released the source code and gawked about the 20gb db leak that's yet to surface). Seeing how lax MtGox was with most routines, it's not unthinkable that was the case. Also, as pointed out earlier, a resourceful group could've infiltrated MtGox through sophisticated methods, and even one or more inside plants.

Having access to the physical properties of MtGox means that their servers are compromised. Even if Mark did not give access credentials to important systems to others, various surveillance may have revealed the methods used to gain access (video surveillance, keylogging etc.)

All ex-employees and current employees should be checked in a criminal investigation; also anyone that has ever entered the MtGox physical offices and/or has had close contact with Mark should be looked at more closely. An investigator should also monitor the lifestyle of suspect individuals; property purchases, extensive travelling and such may give some indications.

All the leaks and the attempts at trying to make Mark look like an incompetent fool may be a deliberate attempt to make him a scapegoat and divert attention from the real thieves.

Now, there's been claims of Bitstamp e-mail addresses leaked. I have received no e-mail to the registered e-mail address with them, but others have. Seeing that e-mail addresses to at least parts of their customer database is compromised, it is not unthinkable that there might be hackers currently having access to their systems, just waiting for the right opportunity. Just emptying some user accounts gradually might also be a way of getting bitcoins without making too much noise.

Also, if personal devices are compromised, unless you're a computer security expert, you can't know for sure if that's in fact the case or not. So the best option is to reinstall all affected systems.

One cannot rule out the fact that it might be a rogue action from Bitstamp itself either. The simplest way to get bitcoins would be to just empty a user account, and then claim they can't do anything about it. Of course that's unethical and criminal, but how can you prove it?

I never looked into 2FA with Google Authenticator (if that's what's being used), but maybe there's a log of events somewhere with Google as well. If that log shows nothing, then it's likely that the theft happened with an adversary having high level access to Bitstamp systems.

If OP has downloaded any bitcoin apps, or installed any particular bitcoin software that's proprietary or not well known, he might as well have received some malicious software that's collected information and aided in the breach.

Lastly I'm very sorry for the loss of the OP and I apologize if anyone unjustly feels attacked in this thread, but really, with bitcoin you can't rule out anything. The incentive (ie. value) is so high that all kinds of things can be expected to happen.
gabridome (OP)
March 04, 2014, 06:31:32 PM
 #17

Quote from: Dragonkiller
One of the many things I cannot explain myself is why he has changed my password and changed it back.

So you can't log in until he has totally cleared your account (the remaining $36.30).

edit: if you had 2FA enabled, I would suspect people that may have had physical access to your phone.

This makes a lot of sense. Thank you, for what it's worth.

I was on vacation in the mountains in a flat with my family. My children are under 5 and my wife can hardly read emails.

Really, it seems the only explanation for me is that I did it and forgot about it, but there is no trace of the confirmation emails and I don't have any trace of the destination address.

Sincerely this is too much: password hacked (20 characters generated with LastPass), 2FA hacked, email hacked. Maybe it's worth some investigation also for the community.
Mikcik
March 04, 2014, 06:31:40 PM
 #18

If 2 factor authorization is enabled, that means that an additional password will be sent to my mobile phone, right?

Do I have to pay for these SMS?  I didn't find the answer anywhere...
crazynoggin
March 04, 2014, 06:42:04 PM
 #19

I'm going to have to say that it was likely a combination of things. It's possible that you downloaded a rogue app which, when you connected your phone to your computer to update your music or something, installed a keylogger on your computer. I would never rule out an inside job, but you also need to ensure your computer is virus and keylogger free before you access anything else that may have money on it.

Contact your phone company and see if you can get any records of texts sent from your device or received, in case the thief somehow deleted them. It would seem that the person doing this has experience and is trying to cover up his/her tracks.
softbluelight
March 04, 2014, 06:44:53 PM
 #20

What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 