Bitcoin Forum
May 19, 2019, 01:45:25 PM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: URGENT! A 2nd Hack into our Blockchain wallet  (Read 507 times)
Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:01:06 PM
 #1

We posted about the 1st hack here:
https://bitcointalk.org/index.php?topic=5077276.0

We added a 2FA to protect our Blockchain account, and nonetheless the hacker managed to get another $2,000 from the account - how?!

We got no SMS, no email notification, nothing that told us about this hack, so how did the hacker manage to hack again into that account?

If he had the 12 words (Backup Phrase) from the 1st hack - could he access the funds "without letting us know"? Is it possible?

Can anyone please advise?


Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
1558273525
Hero Member
*
Offline Offline

Posts: 1558273525

View Profile Personal Message (Offline)

Ignore
1558273525
Reply with quote  #2

1558273525
Report to moderator
1558273525
Hero Member
*
Offline Offline

Posts: 1558273525

View Profile Personal Message (Offline)

Ignore
1558273525
Reply with quote  #2

1558273525
Report to moderator
1558273525
Hero Member
*
Offline Offline

Posts: 1558273525

View Profile Personal Message (Offline)

Ignore
1558273525
Reply with quote  #2

1558273525
Report to moderator
NEW GAME FORMAT
JACKPOT UP TO $8000+
Guess The Symbols Of a Real Ethereum Hash
PLAY NOW
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1558273525
Hero Member
*
Offline Offline

Posts: 1558273525

View Profile Personal Message (Offline)

Ignore
1558273525
Reply with quote  #2

1558273525
Report to moderator
1558273525
Hero Member
*
Offline Offline

Posts: 1558273525

View Profile Personal Message (Offline)

Ignore
1558273525
Reply with quote  #2

1558273525
Report to moderator
Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:02:55 PM
 #2

When you go on Blockchain.com to help logging in:
https://login.blockchain.com/en/#/help

You can choose - "Recover your wallet with your 12 word backup phrase" - but if you do that you need to change the current password in the account. How did the hacker knew what was the new password?

When we logged into our hacked account we used the same password from before, so how did the hacker "change" the password back to the original and just took the funds?

Would appreciate any advice.

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
AdolfinWolf
Hero Member
*****
Offline Offline

Activity: 1036
Merit: 899


🐸📣📣📣 FORSAAAAN!


View Profile
November 30, 2018, 04:04:59 PM
 #3

When you go on Blockchain.com to help logging in:
https://login.blockchain.com/en/#/help

You can choose - "Recover your wallet with your 12 word backup phrase" - but if you do that you need to change the current password in the account. How did the hacker knew what was the new password?

When we logged into our hacked account we used the same password from before, so how did the hacker "change" the password back to the original and just took the funds?

Would appreciate any advice.


If he has the 12 word seed, i'm pretty sure he'll be able to import that into other wallets such as electrum.[1] -- if that's the case, you won't receive any notification whatsoever.

But you state that he also reverted the password back. -- I have no clue what's happening there/how that is possible. I'd heavily suggest to avoid using webwallets in the future.



[1]
See how you can transfer your blockchain.info seed into electrum here; https://bitcoin.stackexchange.com/questions/66601/how-can-i-migrate-from-blockchain-wallet-to-electrum

Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:10:15 PM
 #4


But you state that he also reverted the password back. -- I have no clue what's happening there/how that is possible. I'd heavily suggest to avoid using webwallets in the future.


If the hacker just used the 12 word seed with another wallet, then he left the Blockchain web wallet intact without changing the password i.e. he hasn't changed the password, he just left everything and took the funds, is that what you're saying?

So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
bob123
Hero Member
*****
Offline Offline

Activity: 896
Merit: 1004



View Profile WWW
November 30, 2018, 04:12:48 PM
Merited by LoyceV (5), Foxpup (4), dbshck (3), Jet Cash (2)
 #5

So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?

It is impossible for blockchain.com to know whether the seed as been imported into another wallet.

But let me understand this:
You have used the SAME wallet with the SAME seed on the SAME 3rd party service which is way less secure than a normal wallet AFTER the attacker gained access to your account?

Really.. ?


A really good advice from me: Please stop any business around crypto.
First learn the basics (yes, BASICS), then start dealing with money.

NeuroticFish
Legendary
*
Offline Offline

Activity: 1848
Merit: 1208


There are no mistakes. Only opportunities wasted.


View Profile
November 30, 2018, 04:16:41 PM
 #6

So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?

If the hacker got your seed or private key, he doesn't have to use with Blockchain.com wallet. And if he used it with other wallet, that other wallet will not notify you (why should do that?).
If the user moved away your funds, again, why would Blockchain.com do anything? Since the wallet's seed/private key was used on Bitcoin network, it's considered a legit access.


Now again. I wrote in the 1st hack post too. Consider using a proper (new!) wallet (with new address!!) on a virus-safe computer. Since you already lost 4k$, you should also spend 100$ and get a hardware wallet.

bitmover
Sr. Member
****
Offline Offline

Activity: 476
Merit: 699



View Profile
November 30, 2018, 04:22:17 PM
Merited by vapourminer (1)
 #7

You have used the SAME wallet with the SAME seed on the SAME 3rd party service which is way less secure than a normal wallet AFTER the attacker gained access to your account?

Really.. ?


A really good advice from me: Please stop any business around crypto.
First learn the basics (yes, BASICS), then start dealing with money.

That's crazy. I don't understand.

You were hacked, then you kept your remaining funds there? Or did you put more funds in the hacked account?

 Why didn't you move your funds to another safer Wallet, such as Electrum or ledger as we suggested?

This makes no sense in either way.

When you were hacked, that account was compromised, and that computer as well.
I would format your computer and use only hard wallets.

If you wanna keep working with cryptocurrency, hire someone to manage your funds for you, maybe a escrow?

You really should look for basic information regarding wallets and security. But for you, I can only recommend a ledger nano wallet . You can use it in any infected machine. And please , never tell your seed to anyone, write it in a piece of paper, because no hacker can hack a paper. Never take a picture or something like that.

Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:25:23 PM
 #8

Or did you put more funds in the hacked account?
 Why didn't you move your funds to another safer Wallet, such as Electrum or ledger as we suggested?

Moved funds to the same account, a terrible and costly mistake.
Yes, now we would use safer wallets.

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:35:16 PM
 #9

So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?

It is impossible for blockchain.com to know whether the seed as been imported into another wallet.

But let me understand this:
You have used the SAME wallet with the SAME seed on the SAME 3rd party service which is way less secure than a normal wallet AFTER the attacker gained access to your account?

Really.. ?


A really good advice from me: Please stop any business around crypto.
First learn the basics (yes, BASICS), then start dealing with money.

We are experts at advertising and paying users, yes, when it comes to Crypto we have to learn a very hard lesson here.
Who in his right mind would use a compromised account to store more funds?

Yes, it's a terrible mistake, people do make mistakes, this one is indeed quite a costly one, it's no fun for sure, but we would have to storm it out and move on.

Thanks guys for letting us know hackers can use the 12 word seed to move funds without any notification in your web wallet.

So just to clarify, you could have all the "protection" you want, such as 2FA, email verification etc. - but if someone has your Blockchain 12 word seed - he can easily move the funds without having to go through all these security steps, correct?!

So basically these security steps are "Good for nothing" pretty much?!

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
AdolfinWolf
Hero Member
*****
Offline Offline

Activity: 1036
Merit: 899


🐸📣📣📣 FORSAAAAN!


View Profile
November 30, 2018, 04:35:36 PM
 #10


But you state that he also reverted the password back. -- I have no clue what's happening there/how that is possible. I'd heavily suggest to avoid using webwallets in the future.


If the hacker just used the 12 word seed with another wallet, then he left the Blockchain web wallet intact without changing the password i.e. he hasn't changed the password, he just left everything and took the funds, is that what you're saying?

So Blockchain sends no notification if you import the wallet using the 12 word seed? Is that what happened here?

That's probably what happend, yes. It's a possibility for sure, and would explain why the blockchain.info wallet is still intact.

I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.

So just to clarify, you could have all the "protection" you want, such as 2FA, email verification etc. - but if someone has your Blockchain 12 word seed - he can easily move the funds without having to go through all these security steps, correct?!
Unless you encrypted your seed, yes. (Which again, is (AFAIK) not possible with Blockchain.info)

Quote
So basically these security steps are "Good for nothing" pretty much?!

Not really though. With blockchain.info you can only get someone's seed ( AFAIK, correct me if i'm wrong, i'm not exactly an expert on Blockchain.info) if you have access to his account.
2FA/email verification do make accessing/cracking someone's (web!)wallet a lot harder.

bob123
Hero Member
*****
Offline Offline

Activity: 896
Merit: 1004



View Profile WWW
November 30, 2018, 04:35:49 PM
Merited by vapourminer (1)
 #11

You were hacked, then you kept your remaining funds there? Or did you put more funds in the hacked account?


He had a compromised blockchain.info wallet and put more funds into this account (with the same seed).



When you were hacked, that account was compromised, and that computer as well.
I would format your computer and use only hard wallets.

He hasn't been hacked.

The 'admin' downloaded a malicious chrome add-on which allowed the attacker to withdraw all funds + get the seed.

The computer is most probably clean (at least not infected from this malware).
But regarding the very little knowledge about security + crypto, the PC might as well be compromised.



I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.


AFAIK, you can export the seed as often as you want.
Allowing to export it once wouldn't make sense IMO.

Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 04:44:57 PM
 #12

bob123, you seem like you're pretty spot on.
Thanks.

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
bitmover
Sr. Member
****
Offline Offline

Activity: 476
Merit: 699



View Profile
November 30, 2018, 05:01:29 PM
Merited by dbshck (2), Jet Cash (2), vapourminer (1)
 #13

So basically these security steps are "Good for nothing" pretty much?!


No. These security steps makes your blockchain.info wallet safer. This wallet was made to be used with all security steps done.

When you have done all security steps, your account is not going to be compromised so easily.

In your case, if you had 2fa+email verification the attacker would not be able to withdraw your funds, as a 2fa would be asked of him. He would not be able to see your seed, as 2fa is required for that as well. That's not 100%< far from it... But if there is 1% more security, it's worth.

When the attacker saw your seed, it's gone. It's not a matter of the wallet you are using anymore. Bitcoin and the blockchain technology was designed that way. In Bitcoin, the owner of the funds is the person who owns the Private key.

The seed is, simple put, a mathematical function that generate all your private keys.  that's why it must be kept safe. When it was compromised, all your wallet is compromised, you need a new one.


I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.

You can just click a button "see words" and you will see them.

Get-Paid.com
Sr. Member
****
Offline Offline

Activity: 798
Merit: 291



View Profile WWW
November 30, 2018, 05:08:14 PM
 #14

So basically these security steps are "Good for nothing" pretty much?!


No. These security steps makes your blockchain.info wallet safer. This wallet was made to be used with all security steps done.

When you have done all security steps, your account is not going to be compromised so easily.

In your case, if you had 2fa+email verification the attacker would not be able to withdraw your funds, as a 2fa would be asked of him. He would not be able to see your seed, as 2fa is required for that as well. That's not 100%< far from it... But if there is 1% more security, it's worth.

When the attacker saw your seed, it's gone. It's not a matter of the wallet you are using anymore. Bitcoin and the blockchain technology was designed that way. In Bitcoin, the owner of the funds is the person who owns the Private key.

The seed is, simple put, a mathematical function that generate all your private keys.  that's why it must be kept safe. When it was compromised, all your wallet is compromised, you need a new one.


I'm not entirely sure how blockchain.info works in terms of how often you can export your seed, (i thought you could only do it once?), but i'm pretty sure that there's probably a way around that.

You can just click a button "see words" and you will see them.

Thanks for the help bitmover!

Get Paid in BTC For Watching Videos, Clicking on Ads, Completing Offers And More @ Get-Paid.com

Visit: http://www.get-paid.com
LoyceMobile
Member
**
Offline Offline

Activity: 341
Merit: 66

theymos: "scammers are often pretty stupid"


View Profile
November 30, 2018, 05:17:47 PM
 #15

Have you considered the possibility of an inside job? In other words: how much do you trust your admin?

LoyceV on the road (or in bed, couch, ....). Don't deal with this account, I use it on untrusted devices.
<<your text here for free? come up with something good>>
Look at me, I'm DT3!
AdolfinWolf
Hero Member
*****
Offline Offline

Activity: 1036
Merit: 899


🐸📣📣📣 FORSAAAAN!


View Profile
November 30, 2018, 06:03:56 PM
Last edit: November 30, 2018, 06:17:57 PM by AdolfinWolf
 #16

AFAIK, you can export the seed as often as you want.
Allowing to export it once wouldn't make sense IMO.

I can vaguely remember that in earlier versions of their webwallet, you could only backup your phrase once. Seems like that's not the case anymore. (Or maybe it has never been.)

Have you considered the possibility of an inside job? In other words: how much do you trust your admin?
This is indeed an interesting vector.

one of our admins was naive to try it, and the site told him to install an addon in order to withdraw the funds, naively he installed it <...>

He's either pretty damn naive / tech/bitcoin illiterate, or he might be gaming you.  Huh

I mean, you said it yourself;
Who in his right mind would use a compromised account to store more funds?

Even if i knew nothing about bitcoin, i'd probably stop using such an account after it was compromised. I guess that might just be me though.


Something that's also interesting; the first time that you got hacked, the funds got send to

https://www.blockchain.com/btc/address/16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S

Which seems to be/could be some sort of collection of people that fell victim to this extension.

The second adress however, https://www.blockchain.com/btc/address/1MiMbMZF7QB47AaUp1sg4CWzsPFq7Ruo2e
Only has 1 transaction.

Why would the "hacker" create/send it to a new/clean adress, when he didn't do so in the first place?
Ah well. I'm probably reaching here.

LeGaulois
Copper Member
Legendary
*
Offline Offline

Activity: 1064
Merit: 1084

Bitcoin Ninja Unregulated Banker Unbanking Folks


View Profile
November 30, 2018, 06:07:28 PM
 #17

Have you considered the possibility of an inside job? In other words: how much do you trust your admin?

While reading the OP, I was wondering if it could be something about the APIs, (if the site owner is using any). I am not familiar with it but what about if the hacker is just using it . The hacker didn't access the wallet via the web interface (otherwise he would have received his code), nor via a compromised OS.

bitmover
Sr. Member
****
Offline Offline

Activity: 476
Merit: 699



View Profile
November 30, 2018, 06:24:47 PM
 #18

Have you considered the possibility of an inside job? In other words: how much do you trust your admin?

While reading the OP, I was wondering if it could be something about the APIs, (if the site owner is using any). I am not familiar with it but what about if the hacker is just using it . The hacker didn't access the wallet via the web interface (otherwise he would have received his code), nor via a compromised OS.

When he installed the add-on, he was logged on the wallet in the same browser. Maybe the add-on accessed the browser , like Trojan or something like that.

LeGaulois
Copper Member
Legendary
*
Offline Offline

Activity: 1064
Merit: 1084

Bitcoin Ninja Unregulated Banker Unbanking Folks


View Profile
November 30, 2018, 09:08:54 PM
 #19

My bad. I have re-read his first thread linked in OP. But in the discussion, he mentioned he formatted his OS, etc too...

zupdawg
Hero Member
*****
Offline Offline

Activity: 658
Merit: 508


View Profile
December 01, 2018, 12:59:25 AM
 #20

Have you considered the possibility of an inside job? In other words: how much do you trust your admin?

This is probably the case here, if they still continue to get hacked even the ad-on is removed on the browser as they said previously on the first thread. AFAIK an ad-on dont have a virus-like function that can still access the device if its removed.

Am I spamming? Report me!
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!