LocalBitcoins vulnerability: 6 case of stolen funds confirmed as of now

[mk4]

WARNING: DO NOT LOGIN TO LOCALBITCOINS
LocalBitcoins seems to be fine now.

Typing this on mobile right now. Just saw this on Reddit.

Thread:

When visiting the localbitcoins forum: https://localbitcoins.com/forums/

Users are prompted to log into their account, as if they have been logged out. This only seems to happen if you are already logged in. This is is a PHISHING SITE and 2FA codes are being used to empty customer accounts. Withdrawals have since been suspended by LocalBitcoins.

https://www.reddit.com/r/Bitcoin/comments/ajzym3/psa_localbitcoinscom_compromised_do_not_attempt/

For now we currently have little to no information about what happened/what's happening.


EDIT: Currently not confirmed, but the hackers wallet was said to be this address: 13WaahhsiGph4ysmQtjVhVTdgQUSL62KJr

7.95205862 BTC was sent to this address as of this moment.


EDIT #2: Still no announcement from LocalBitcoins as of now. Will be editing the title of this thread after the things clear up.

https://twitter.com/LocalBitcoins


EDIT #3 Finally an update from LocalBitcoins. Edited the topic title.

LocalBitcoins' report on the security vulnerability 26.01.2019

We would like to inform that today 26.01.2019 at approximately 10:00:00 UTC, LocalBitcoins has detected a security vulnerability - an unauthorised source was able to access and send transactions from a number of affected accounts. Outgoing transactions were temporarily disabled while we investigated the case.

We were able to identify the problem, which was related to a feature powered by a third party software, and stop the attack. At the moment, we are determining the correct number of users affected - so far six cases have been confirmed. For security reasons, the forum feature has been disabled until further notice.

Outgoing transactions have already been re-enabled and we have taken a number of measures to address this issue and secure the limited number of accounts that might have been at risk.

Your LocalBitcoins accounts are currently safe to log in and use - we encourage you to enable Two-factor authentication, if you have not yet.

We sincerely apologise for any inconvenience this might have caused.

Kind Regards, LocalBitcoins

https://www.reddit.com/r/localbitcoins/comments/ak1u8m/localbitcoins_report_on_the_security/

[1713303020]

1713303020

[1713303020]

1713303020

[1713303020]

1713303020

[100bitcoin]

Reports of lots of coin loss are surfacing. No official update on their twitter as of yet - https://twitter.com/LocalBitcoins

[HippiePyro]

Forum has been disabled. Here we go again.

[jademaxsuy]

WARNING: DO NOT LOGIN TO LOCALBITCOINS

Typing this on mobile right now. Just saw this on Reddit.

Thread:
"When visiting the localbitcoins forum: https://localbitcoins.com/forums/

Users are prompted to log into their account, as if they have been logged out. This only seems to happen if you are already logged in. This is is a PHISHING SITE and 2FA codes are being used to empty customer accounts. Withdrawals have since been suspended by LocalBitcoins."

https://www.reddit.com/r/Bitcoin/comments/ajzym3/psa_localbitcoinscom_compromised_do_not_attempt/

another exchanges attack. Bitcoin may be vulnerable from.decrypting but its exchanges are not safe and it is vulnerable from hijacking or hacking it from someone. The problem now starts when a user has stored some of its crypto in the exchanges. Probably you will going to wake up one day losing all the crypto in the exchange wallet.

[OmegaStarScream]

From the look of it, there have been few reports and the damage is not that big (or still not reported from the users yet). If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.

[mk4]

From the look of it, there have been few reports and the damage is not that big (or still not reported from the users yet). If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.

From the looks of it based on the discussions, it seems like the forum-side of LocalBitcoins was compromised and the hacker is using the login to phish the forum accounts, for the hacker to be able to withdraw the funds of the users. Hopefully it stopped here as the forum has been disabled. Not 100% sure though.

[bellamente]

How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners

[leninay]

How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners

Not surprising, every year they hack the exchanges, just recently there was information about breaking into large crypto exchanges and selling verified user documents

https://www.ccn.com/hacked-customer-data-from-world-leading-cryptocurrency-exchanges-for-sale-on-the-dark-web/

How do you not understand that to keep money even in the bank is unsafe and especially on the exchanges

My advice to you is to keep your cryptocurrency in cold wallets on your computer and this will not protect you from hacking by 100%

In my opinion this is the safest place

[mk4]

How long will this go on? Another cryptocurrency exchange has been cracked. Phishing, one of the most experienced viruses. I hope the team of the LOCALBITCOINS project will do everything to ensure that the cryptocurrency remains with the owners

As long as exchanges are around, hacks will happen whether we like it or not.


Update: edited the topic to include the message from LocalBitcoins.

[o_e_l_e_o]

Looks like localbitcoins managed to shut this down pretty quickly after it started up actually, but the hackers still managed to make off with just shy of 8 BTC ($28,000) from 5 users (assuming that 1 address is the only address they used). Wonder if localbitcoins will compensate the users affected?

Once again, we have to wonder why users keep leaving large amount of funds on exchanges. Say it with me now: Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin. Not your keys, not your bitcoin.

[romero121]

Localbitcoins.com was one among the best platform that has got its service around the world. Quite often bitcoin fraudulent activities happen through localbitcoins. This time the same has taken place in large scale as more and more hackers have focused over the cryptocurrency network. Two year back I lost through a hack that was completely because of not enabling two factor authentication.

[goldexp83]

wow this is pretty scary, was it the first time happening???

I like localbitcoin and always thought its a pretty good site, not that fancy but usability is totally there

I hope more safe system will be in place to avoid this kind of scary hacks

[mk4]

Wonder if localbitcoins will compensate the users affected?

They should just compensate the stolen bitcoin in my opinion. While 8 BTC is definitely a lot for me, it's probably not that much for them when taking into account how much they're potentially earning. Compensating the stolen BTC would be a great PR move too.

wow this is pretty scary, was it the first time happening???

I like localbitcoin and always thought its a pretty good site, not that fancy but usability is totally there

I hope more safe system will be in place to avoid this kind of scary hacks

It's the first time for LocalBitcoins as far as I know. In the hackers point of view, getting past LocalBitcoins itself is probably difficult, hence the attacker went for the weaker link: the forum software. Correct me if I'm wrong, but the LocalBitcoins exchange itself and the LocalBitcoins forum has accounts that are connected; so the attacker took advantage of this. Quite smart really.

[FedorIzmailov]

I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.

[o_e_l_e_o]

Whats about our personal information are they are safe too or the attackers take it too ?

This was a man-in-the-middle type attack on individual users' accounts, stealing their 2FA keys via the forum to log in to their LBC accounts and transfer out their funds. There was no hack on the main LBC wallets or databases, so your personal information won't be affected. I would encourage everyone, however, to think twice before performing KYC with any service online. Just because your documents weren't accessed with this attack, doesn't mean they won't be accessed in the future.

They should just compensate the stolen bitcoin in my opinion.

According to this reddit post, one of the affected users has already had his lost balance reimbursed.

[pixie85]

I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.

You can't expect everything to be stored in cold wallets. They stole a very small number of coins and as long as the loss is small it can be reimbursed and won't affect the business that much. If you have 1000 Bitcoin on your platform it's natural that up to 10% will be in hot wallets but some businesses like that Korean exchange that was hacked had all of their money in hot wallets.

[kelz1]

These hackers are becoming very sophisticated, i wouldn't be surprised if it was the same team behind the electrum wallet hack as it follows the same pattern of phishing for login details. Bad day for bitcoiners as localbitcoins is a good website

[squatter]

We were able to identify the problem, which was related to a feature powered by a third party software, and stop the attack.

Are there any more details about this third party software and what the vulnerability was exactly?

I read a couple articles about the attack and I was led to believe this was a DNS spoofing attack on the forum subdomain. It sounds like that's not actually the case?

They should just compensate the stolen bitcoin in my opinion.

According to this reddit post, one of the affected users has already had his lost balance reimbursed.

Glad to hear it. If the losses were really limited to 8 BTC, they should just compensate the victims out of goodwill.

[nc50lc]

I once said that you need to store Bitcoin, namely, you knew about your cold wallets, but you used other exchanges.

Typical... you know that those bitcoins are in an Exchange because users want/need to trade right? (Apparently, obviously, surely, most of them got their "own" wallet)
You can't easily use a Cold wallet that was buried 20-feet under a random area guided with a "X" on a map to buy a HYPEd shitcoin before it get pumped.

If that's the case and the team is as professional as they claim to be, they should reimburse the users. Just another reason on why you shouldn't keep your funds in exchanges by the way.

I'm afraid that keeping most of the coins in a hot/cold wallet not possible for someone who's day trading. Personally, I prefer keeping higher exchange balance than in cold wallet since highly-priced orders yield higher profit.
Specially now that the price is on its (*typo edit) best buy, predictable low-liqudity and mostly everyone is expecting a rise.

Usually, it goes like this:
Source (ex.Mining)---→(HotWallet)--→EXCHANGE---(Mixer)---→Cold Wallet (Savings)
Other Sources-------⤴---------------⤴                 ↪-----→Hot Wallet  (Expenses)

Fortunately, legitimate exchanges today are heavily regulated and problems such as missing funds can be legally resolved.

[mk4]

Are there any more details about this third party software and what the vulnerability was exactly?

I read a couple articles about the attack and I was led to believe this was a DNS spoofing attack on the forum subdomain. It sounds like that's not actually the case?

I don't think they have given specific information about this matter as of now, but I don't think it's a DNS attack. But for what it looks like in my opinion, I'm personally leaning more on a javascript/XSS injection on the forum software. Probably omething like:

User visits forum --> script executes --> probably redirects the user to a phishing site(?)

Just my rough guess.