24 BTC stolen from my bitstamp account 2FA and email confirmation protected

[gabridome]

If an attacker has root access to bitstamp, he can bypass 2FA easily and alter the event log any which way he'd like.

Now, seeing that MtGox loss of coins might be (in my view) a black op or the work of a highly sophisticated private group, it is not unthinkable they will pull the same kind of shenanigans with other exchanges. It was claimed that hackers had control of MtGox servers for a long time (claimed by the one who released the source code and gawked about the 20gb db leak that's yet to surface). Seeing how lax MtGox was with most routines, it's not unthinkable that was the case. Also, as pointed out earlier, a resourceful group could've infiltrated MtGox through sophisticated methods, and even one or more inside plants.

Having access to the physical properties of MtGox means that their servers are compromised. Even if Mark did not give access credentials to important systems to others various surveilance may have revealed the methods used to gain access (video surveilance, keylogging etc.)

All ex-employees and current employees should be checked in a criminal investigation, also anyone that have ever entered the MtGox physical offices and/or have had close contact with Mark should be looked more closely at. An investigator should also monitor lifestyle of suspect individuals, property purchases, extensive travelling and such may give some indications.

All the leaks and the attempts of trying to make Mark look like an incompetent fool may be a deliberate attempt to make him a scapegoat and diverting attention from the real thiefs.

Now, there's been claims of Bitstamp e-mail addresses leaked. I have received no e-mail to the registered e-mail address with them, but others have. Seeing that e-mail addresses to at least parts of their customer database is compromised, it is not unthinkable that there might be hackers currently having access to their systems, just waiting for the right opportunity. Just emptying some user accounts gradually might also be a way of getting bitcoins without making too much noise.

Also, if personal devices are compromised, unless you're a computer security expert, you can't know for sure if that's infact the case or not. So best option is to reinstall all affected systems.

One cannot rule out the fact that it might be a rogue action from Bitstamp itself either. The simplest way to get bitcoins would be to just empty a user account, and then claim they can't do anything about it. Of course thats unethical and criminal, but how can you prove it?

I never looked into 2FA with google authenticator (if that's what being used), but maybe there's a log of events somewhere with google as well. If that log shows nothing, then it's likely that the theft happened with a adversariy having high level acces to Bitstamp systems.

If OP have downloaded any bitcoin apps, or installed any particular bitcoin software that's proprietary or not well known, he might as well have received some malicious software that's collected information and aided in the breach.

Lastly I'm very sorry for the loss of the OP and I applogize if anyone unjustly feels attacked in this thread, but really, with bitcoin you can't rule out anything. The incentive (ie. value) is so high that all kinds of things can be expected to happen.

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did have downloaded bitcoin apps. Many of them. One in particular has been then prooved a malaware (the stealth address mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this to be useful to other because I have never read about such a thing

[gabridome]

What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 

good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

[gabridome]

I'm going to have to say that it was likely a combination of things. Its possible that you downloaded a rouge app which when connected your phone to your computer to update your music or something, installed a keylogger on your computer. I would never rule out an inside job, but you also need to ensure your computer is virus and keylogger free before you access anything else that may have money on it.

Contact your phone company and see if you can get any records of texts sent from your device or received in case the thief somehow deleted it. It would seem that the person doing this has experience and is trying to cover up his/her tracks.

I don't have any connection betwen my phone and Mac except google for contact, calendar and mail.
I will try to ask my carrier even if I have no faith in their support...

Thank you

[gabridome]

What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 

good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two country I'm obviously not in).

This could be misleading but I have now a strong suspect my gmail account is hacked. I have immediatly changed my passwords and I will set up 2FA for that account

[TheFootMan]

....snip....

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did have downloaded bitcoin apps. Many of them. One in particular has been then prooved a malaware (the stealth address mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this to be useful to other because I have never read about such a thing

Reinstallation of systems is a tedious process. But that's the best option going forward. That will ensure you have a clean system state. Make sure you take backup of everything important you have before you do this.

In regards to logs with gogle authenticator, you might try to ask Mike Hearn - if he has the time to answer. He's on this forum.  Profile: https://bitcointalk.org/index.php?action=profile;u=2700
He works for google afaik. He might not be able to give you any log data, but maybe he can point you in the right direction. Getting hold of google reps in general is quite hard.. If you're persistent you might go to police and have a police officer ask them, they might be better at answering then. But even if you get such info, it might be a dead end. But IF there's no log data at google's side - that indicates that the thief has bypassed 2FA and it's a theft done by Bitstamp or someone with high level access to their systems. If that's the case, then I think they would have to reimburse you. But I am not a lawyer, but I think that should hold up in court. It's a bit like a bank allowing your bank account to be emptied without you logging in. They would have to compensate you. But these are just my thoughts.

You had downloaded bitcoin apps, many of them... Be very careful with this in the future. If you download any bitcoin apps or programs, don't use it on the same phone/machine that you use for bitcoin activities. I know that's kind of silly as you most likely won't have 2 phones - but this is the reality if you want to stay secure. Rather access websites if you need bitcoin information on the phone than installing all kinds of apps. I assume you run android on your phone, and it's known for having security problems.

If you had malware installed, that's not good at all. Even if it was removed and all files are reported to be removed by any antivirus software, or done manually that is still not proof it is actually removed in full. Although antivirus programs are quite good, many malware authors constantly try to avoid detection from anti-virus programs, and if some kind of malware has not made it into the antivirus makers list, it might as well go undetected.

You're saying you don't feel attacked. If there's an attack on your devices, you will probably not notice anything visually, it will just happen.

you thought that 2FA, 20 characters unique password and confirmation email was enough for a week -> if your systems are compromised you will not be safe with this. Malware on your devices can do anything that you can do.

Going forward, and I hope you still will be into bitcoin, I would suggest creating a cold wallet and move any coins you want to store for a long term there.
Also, for using bitcoins, I would advise to have a single device for this, for instance a cheap notebok running linux.

Having some coins accessible from a phone wallet is ok, but not more than you can afford to lose. So for instance if you have 30 BTC, you could have 20 BTC in a cold wallet and 9 on the bitcoin notebook and 1 on a phone wallet, or just transfer from the notebok to the phone wallet whenever you need to have some coin available on your phone.

And don't do any websurfing at all or at least not on weird pages (clicking suspicious links on various forums and on reddit may not be too smart) or installation of strange apps on the bitcoin machine, just have a network connection

I sincerely hope you will not encounter anything more troubles in the future. Having a dedicated machine for linux might seem like overkill, but it is better than losing a lot of money! If you can't afford a dedicated machine, running a virtual machine with bitcoind might also be a solution, some malware would have a lot harder time to access bitcoins residing in a virtual machine.

[gabridome]

What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 

good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two country I'm obviously not in).

This could be misleading but I have now a strong suspect my gmail account is hacked. I have immediatly changed my passwords and I will set up 2FA for that account

Update: On 2/22 I had an access to my gmail account fro Cyprus... Never been there.

[TheFootMan]

What email service do you use?  Can you check your login/logout histories or IP Addresses?  Gmail allows this, but I'm not sure about others.  Clearly this person had access to your email as well, to confirm the withdrawals. 

good point!
I only searched for email not for logins. The only problem is that I access from three devices but I'll investigate.

I know that IP geolocation is not accurate but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two country I'm obviously not in).

Just thinking out loud. Some banks have region restrictions on payment cards. So for instance if your details are lost, they can't be used in say Asia. Not sure if google has such features on Gmail, but limiting usage of Gmail to say only a certain country, or even a whitelist of ip's might be a good idea. Not sure if that kind of stuff even exist with gmail.

[TheFootMan]

Update: On 2/22 I had an access to my gmail account fro Cyprus... Never been there.

Hackers usually leverage servers all over the place to hide their tracks.

[gabridome]

....snip....

First: thank you for the reply.
I'm not a computer security expert.
I will reinstall all my systems (2 Macs and a samsung SII).
I have been using google authenticator since the beginning and I haven't ever heard about such a log but I will check.
I did have downloaded bitcoin apps. Many of them. One in particular has been then prooved a malaware (the stealth address mac tool). But I removed that and the infected files that were found malicious afterwards.

I don't feel attacked and I know I had to expect everything but this has been overwhelming. I believe in bitcoin and keep the majority of my coins offline but I thought that 2FA, 20 characters unique password and confirmation email was enough for a week. I was wrong.

I only hope this to be useful to other because I have never read about such a thing

Reinstallation of systems is a tedious process. But that's the best option going forward. That will ensure you have a clean system state. Make sure you take backup of everything important you have before you do this.

In regards to logs with gogle authenticator, you might try to ask Mike Hearn - if he has the time to answer. He's on this forum.  Profile: https://bitcointalk.org/index.php?action=profile;u=2700
He works for google afaik. He might not be able to give you any log data, but maybe he can point you in the right direction. Getting hold of google reps in general is quite hard.. If you're persistent you might go to police and have a police officer ask them, they might be better at answering then. But even if you get such info, it might be a dead end. But IF there's no log data at google's side - that indicates that the thief has bypassed 2FA and it's a theft done by Bitstamp or someone with high level access to their systems. If that's the case, then I think they would have to reimburse you. But I am not a lawyer, but I think that should hold up in court. It's a bit like a bank allowing your bank account to be emptied without you logging in. They would have to compensate you. But these are just my thoughts.

You had downloaded bitcoin apps, many of them... Be very careful with this in the future. If you download any bitcoin apps or programs, don't use it on the same phone/machine that you use for bitcoin activities. I know that's kind of silly as you most likely won't have 2 phones - but this is the reality if you want to stay secure. Rather access websites if you need bitcoin information on the phone than installing all kinds of apps. I assume you run android on your phone, and it's known for having security problems.

If you had malware installed, that's not good at all. Even if it was removed and all files are reported to be removed by any antivirus software, or done manually that is still not proof it is actually removed in full. Although antivirus programs are quite good, many malware authors constantly try to avoid detection from anti-virus programs, and if some kind of malware has not made it into the antivirus makers list, it might as well go undetected.

You're saying you don't feel attacked. If there's an attack on your devices, you will probably not notice anything visually, it will just happen.

you thought that 2FA, 20 characters unique password and confirmation email was enough for a week -> if your systems are compromised you will not be safe with this. Malware on your devices can do anything that you can do.

Going forward, and I hope you still will be into bitcoin, I would suggest creating a cold wallet and move any coins you want to store for a long term there.
Also, for using bitcoins, I would advise to have a single device for this, for instance a cheap notebok running linux.

Having some coins accessible from a phone wallet is ok, but not more than you can afford to lose. So for instance if you have 30 BTC, you could have 20 BTC in a cold wallet and 9 on the bitcoin notebook and 1 on a phone wallet, or just transfer from the notebok to the phone wallet whenever you need to have some coin available on your phone.

And don't do any websurfing at all or at least not on weird pages (clicking suspicious links on various forums and on reddit may not be too smart) or installation of strange apps on the bitcoin machine, just have a network connection

I sincerely hope you will not encounter anything more troubles in the future. Having a dedicated machine for linux might seem like overkill, but it is better than losing a lot of money! If you can't afford a dedicated machine, running a virtual machine with bitcoind might also be a solution, some malware would have a lot harder time to access bitcoins residing in a virtual machine.

I will try to disturb Mike Hearn.
You are perfectly right about phone and desktop apps and also about cold storage. I use three methods:

• Paper wallet
• Brain wallet (I know... I know... I'm going to change that)
• Offline Electrum on BTCVault distribution

I'm also waiting for my trezor as many are...
I keep just sloppy wallets on my apps (mycelium, android wallet, blockchain, hive, etc.). Bitstamp was the only temporary exception but evidently was enough.

[gabridome]

The IPs there are Tor servers so apparently Tor was used to hide the thief's real IP.

One thing I am wondering about here: Do you have a e-mail program on your phone? One where login credentials are stored?

It would be that they just compromised your phone there and leveraged that to rob you blind.

Quite possible for email. Less explicative for the bitstamp account and 2FA authentication...

[Saicere]

If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.

[Rannasha]

Did you store a backup of your 2FA secret somewhere that is accessible from the internet (such as on your main computer)? If the attacker somehow obtained your 2FA secret, he could have used that to generate his own, perfectly correct 2FA-codes.

Alternatively, if your computer was already compromised at the time you activated 2FA, it is possible that some malware captured the 2FA secret at that point.

[gabridome]

One thing come to my mind:
Thanks to what everybody has written I could think that the only thing they could hack was the phone.
I read about some malaware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on bitstamp. If they stole my session they had been able to do what they did and they could have access to my mail too but that's just an hypothesis. My wife tells me she doesn't remember I was playing on the phone but I do remember having done something that night.

[TheFootMan]

One thing come to my mind:
Thanks to what everybody has written I could think that the only thing they could hack was the phone.
I read about some malaware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on bitstamp. If they stole my session they had been able to do what they did and they could have access to my mail too but that's just an hypothesis. My wife tells me she doesn't remember I was playing on the phone but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed gmail on the phone and also used it for 2FA, you were 100% compromised.

[gabridome]

If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.

I encrypt them with gpg immediatly. I wouldn't say that to be the weak point...

[gabridome]

One thing come to my mind:
Thanks to what everybody has written I could think that the only thing they could hack was the phone.
I read about some malaware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on bitstamp. If they stole my session they had been able to do what they did and they could have access to my mail too but that's just an hypothesis. My wife tells me she doesn't remember I was playing on the phone but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed gmail on the phone and also used it for 2FA, you were 100% compromised.

Yes. this could be it. 

Or at least is the least fantascientific hypothesis I could immagine. The phone is the attack vector probably.

[(A)social]

[gabridome]

I'm just trying to think to everything possible even if not feasible... I have never heard about something so sophisticated and I must think I had an involuntary part in it...

[gabridome]

Update: Bitstamp replied.
in summary they haven't detected anything strange or suspicious in the related operations on their part.
In my ticket I specifically asked if there heve been changes in my account email but there were not. So it's obvious to me that he had also the control of my email. This is also confirmed by the connection from different tor related IPs.

They suggested me to contact a computer expert. It will be tough I think. I have to start from scratch.

[hardpick]

I lost 30 BTC at bitstamp about 6 months ago

did not get them back - suspect a inside job or bug in there system
in my case no email was sent to me ( and they had no log of email being sent)

in your case to guess a long password and 2FA in get into to your account is nearly impossible to crack

even if the thief has access to your pc  they still need your phone for the 2fa

I think they have a bug  or it's a inside job ----  bitstamp are not very helpful ---- as most exchanges all care but no responsibly ---- IE  store your money on  cold wallet --- don't trust anyone --- it's like cash

sorry for your loss