Someone hacked into our Blockchain.com wallet

[Get-Paid.com]

Someone posted here a scam (Crypton-Exchange.net), one of our admins was naive to try it, and the site told him to install an addon in order to withdraw the funds, naively he installed it and now we realized someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers, sadly is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome addon allowed someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?

[1713561503]

1713561503

[1713561503]

1713561503

[1713561503]

1713561503

[1713561503]

1713561503

[jackg]

1. Chrome addons allow access to a lot of things. I'm assuming it asks you by giving you a menu of permissions as to what the site is allowed to access. I think you should format chrome (if they use user profiles, just delete that and start afresh). Maybe be clever and don't give him access to your wallet if he can't browse the internet without damaging your companies reputation/finances.
2. I don't think chrome addons have access to anything but google chrome and stuff that's put on it (switching out chrome for a better browser such as firefox is also what I'd suggest ).


You ought to go here and log exactly what happened to them: https://chrome.google.com/webstore/report/joofmeiidadomccpmeaoagdogmbifhlh

Also give them a 1 star review and explain what happened, at the moment others are still at risk and you have a responsibility to inform them.




EDIT: blockchain.com isn't as secure as a wallet on your computers either (such as an encrypted electrum wallet). 

[bitmover]

Well, first thing change your browser to a more reliable one, such as Firefox.

Were you logged on blockchain.com wallet when you installed the add-on?
Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?

Often people don't follow basic security steps which are recommend by the services...maybe a 2fa could have avoided this.

Answering yohr questions:

1- blockchain.com wallet is not the safest, however its not a scam, and it is a nice initiative for newbies. It is easy to use and if you all follow all recommended security steps, you are *somehow* safe, but you should never use it for high amounts.
The add-on probably installed some kind of malware and , if you were already logged, easy to get...or if you had no 2fa and password was saved in browser?

2-i would definitely format it. Additionally, I would buy a ledger nano from the official retailer. https://www.ledger.com

3 -i am not familiar, but ledger nano allows you to use it safely in any infected computer.

[Get-Paid.com]

Were you logged on blockchain.com wallet when you installed the add-on?

Yes.

Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?

Did not use 2FA.

[bob123]

1) How did the Chrome addon allowed someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?

If your 'admin' was logged into the account AND the addon has rights to 'view all sites and interact with them' (has to be accepted when installed), then the addon can do whatever it wants to.

Blockchain.com is a web wallet. Each other type of wallet is more secure than a web wallet.

However, this shouldn't happen. A malicious addon can indeed steal your funds this way.

2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.

He probably(!) doesn't need to format his laptop. Changing all passwords wouldn't hurt (at least those saved in chrome AND from sites visited while the addon was installed).

3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?

Malicious addons have been used since years to steal secret information (passwords).

Might give us information about the addon, so that we can report it to google ?

[Get-Paid.com]

Might give us information about the addon, so that we can report it to google ?

Thanks for trying to help, this info was given above in the first post:

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

[WebdeveIoper]

Installing random chrome plugins is like opening random .exe files, very dangerous. I just use Opera and the only addon I use is uBlock Origin. I rather stay safe then sorry.

[zupdawg]

Someone posted here a scam (Crypton-Exchange.net), one of our admins was naive to try it, and the site told him to install an addon in order to withdraw the funds, naively he installed it and now we realized someone withdrew $2,300 from our Blockchain.com account (money that we intended to use to pay publishers, sadly is gone now).

The money was sent to 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S
https://www.blockchain.com/btc/tx/0fe187e55c07772d47d1c588c80195f5977aa139d814feb39bdab968253c8f60

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Few questions:

1) How did the Chrome addon allowed someone to withdraw funds from Blockchain.com? Isn't Blockchain.com safe?
2) Does this admin of ours need to format his laptop and change all passwords? He did remove that Chrome extension from his laptop.
3) Is anyone familiar with these types of scams? Can you provide more info about this Google Chrome extension etc.?

I mostly fall to them on their first try, gladly I am not that fool to install the said ad-on.

1. before you install the said ad-on, it will ask for the user permission to be able to edit and read the datas on most used crypto websites and email providers
2. Not sure about this one but a reformat is better

[bitmover]

Were you logged on blockchain.com wallet when you installed the add-on?

Yes.

Did you do all the security steps in blockchain.com wallet? Did you use 2fa, for example?

Did not use 2FA.

I believe the add-on didn't have any access to your passwords then. It could only somehow Access your wallet that was already logged in in the same browser.... :/

[electronicash]

this the reason why 2FA can be useful in a way. 
i would suggest to reinstall the OS, wipe out everything just to make sure its safe to use the computer again. some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

[Get-Paid.com]

this the reason why 2FA can be useful in a way. 
i would suggest to reinstall the OS, wipe out everything just to make sure its safe to use the computer again. some hackers leave a bug that will connect to repositories and install a program in the background and then again collect data from you.

We have done all this, 2FA is now activated.
We lost 0.52 BTC (around $2,300) - it was intended to pay publishers, we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

[NeuroticFish]

You may consider using proper stand alone/installed wallet on your computer. It should be safer than websites - at least this problem would have been avoided.
Also if you plan to proceed with bigger funds, a hardware wallet (or cold storage) would be the next step.

[bob123]

Thanks for trying to help, this info was given above in the first post:

The addon was:
https://chrome.google.com/webstore/detail/cr-cash-plugin/joofmeiidadomccpmeaoagdogmbifhlh/related
From CryptoDraw.org

Thanks for pointing out. I somehow missed the URL 

I have filed a report regarding this browser extension.

It could only somehow Access your wallet that was already logged in in the same browser.... :/

Not only somehow, but most probably simply trough stealing cookies from the browser.

Stealing cookies is quite an easy approach to gather access to an account, logged in from the browser.

You can regard cookies as an identifier. Anyone who has this explicit cookie (which is assigned to user X in the database of website Y), has access to he account.

[...] we wish the thief that karma would hit him back for what he did, those bad people who like to steal money from others should be punished. Karma will take care of it.

Well.. to be honestly.. you basically asked for it. Installing shady add-on's with 1 rating AND using a web wallet is crying to get funds stolen.

While i do not support the behavior of stealing funds, this is one of the lowest-effort-steals i have come across on this forum.
The only one to blame, definitely is your 'admin'.

[mocacinno]

I had the same plugin pushed to me from the owner of cryptrave.com. Usually i wouldn't fall for this trick, but i actually lost a family member on monday, and i was just browsing bitcointalk aimlessly without paying attention after the news actually hit me... I actually felt like playing with a no-deposit bonus would distract me a little bit, and i actually fell for the scammer's trick. Luckily I had the reflex not logging in to any funded wallet while the plugin was installed, so so far i wasn't robbed.

I'm still figuring out which steps i need to take in order to be safe... Offcourse i completely removed all files from my chrome portable and installed a clean version, but i'm wondering what to do with the passwords saved by chrome, my keepass database, my desktop wallets (most of my funds are in my ledger and trezor HW wallets, but i still keep some spending money on a couple desktop wallets)...
I have downloaded the plugin's sourcecode, but at the moment i don't have the energy to truely vet it... On a quick browse, i actually found the array where the hacker defined his wallet addresses for the different (alt)coins he's trying to steal:
t = [];
t.BTC = "16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S", t.ETH = "0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca", t.ETC = "0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5", t.BCH = "1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3", t.LTC = "LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP";

https://bitcointalk.org/index.php?topic=5076352

[bob123]

I'm still figuring out which steps i need to take in order to be safe... Offcourse i completely removed all files from my chrome portable and installed a clean version, but i'm wondering what to do with the passwords saved by chrome, my keepass database, my desktop wallets (most of my funds are in my ledger and trezor HW wallets, but i still keep some spending money on a couple desktop wallets)...

If there is no chrome vulnerability which allows an extension to break out of the isolated environment (which i doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, i heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developer aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

[jackg]

Nothing to do with them. They do not have your wallet keyss....

Oh of course, you’re the guy who said to the other user to back up their wallet addresses .

You seem a bit oddly too in the know of how the software works (or your interpretation of it, they probably do have the keys) so would you care to enlighten us as to how you yourself have been enlightened?

[aplistir]

3 -i am not familiar, but ledger nano allows you to use it safely in any infected computer.

That is what their add says.
But I would not use ledger in an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is send to ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar than the real output address. 

[bob123]

3 -i am not familiar, but ledger nano allows you to use it safely in any infected computer.

That is what their add says.
But I would not use ledger in an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is send to ledger for confirmation.

Sure, that's perfectly possible.

However, this would require one to create a malicous version of ledger live (or electrum) for this specific purpose.

And that's where the 2FA (confirming the TX on the ledger screen by physically pressing a button) comes into play.
If you confirm the amount + address, you're fine.

And then you just might confirm the payment. Particularly if the output address looks similar than the real output address. 

Generating a 'similar looking address' is not as easy as you might thing.

Vanity gens need multiple hour/days/weeks to generate an address with 6 or 7 chosen chars.

So, if you want to generate a 'similar looking' address at runtime, you'll get 1 or 2 chars identical. The rest will be different.

That's the beauty of a big 'key space'.

[bitmover]

3 -i am not familiar, but ledger nano allows you to use it safely in any infected computer.

That is what their add says.
But I would not use ledger in an infected machine.
Yes, you have to accept the payment, but a clever program could wait for you to make a bitcoin transaction and change it before it is send to ledger for confirmation.

And then you just might confirm the payment. Particularly if the output address looks similar than the real output address. 

Not that easy because you have to confirm the address in ledger nano led visor

[Get-Paid.com]

I'm still figuring out which steps i need to take in order to be safe... Offcourse i completely removed all files from my chrome portable and installed a clean version, but i'm wondering what to do with the passwords saved by chrome, my keepass database, my desktop wallets (most of my funds are in my ledger and trezor HW wallets, but i still keep some spending money on a couple desktop wallets)...

If there is no chrome vulnerability which allows an extension to break out of the isolated environment (which i doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, i heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developer aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

Thanks for the info about this.
How certain are you regarding this information? (say on a scale of 1 to 10).