How did this hack happen?

[healimonster]

I have used blockchain.info as a place to store one of my wallets for many years now. It has never been compromised. Every time I log into the wallet I am required to verify I am logging in via an email sent. Nearly all of my logins over the years have been from my laptop at home. This past weekend when bitcoin hit 60k while visiting my parents (on their secure wifi) I logged in to blockchain.info on my phone (updated google pixel phone) via the chrome browser. I had to verify my log in attempt in my email as usual. At 8:36am I saw my balance, an all-time high, it was there. I used my phone, as usual for a few minutes, checked on the news feed. Checked text messages. A few minutes later I went back to the blockchain page to look at the balance again and it was zero.  The one outgoing transaction took place at the same time I was logged in and using my phone.

https://www.blockchain.com/btc/tx/54cbef2320e888e9720c1301b597872bde216a549ecd0b49444a8c9a81ae83bf

My phone is updated with the latest security patches and I don't have Russian or Chinese ringtone apps on my phone.

Any ideas on how this happened?

[1714867331]

1714867331

[1714867331]

1714867331

[BlackHatCoiner]

I have used blockchain.info as a place to store one of my wallets for many years now.

But blockchain.com isn't a place to store your wallets for many years! You have to understand that you're trusting your laptop and every program it has installed, your email service, your phone (if it has access to your email account) and blockchain.com itself.

Any ideas on how this happened?

There are millions of ideas on how did this happen, but I'd say the most probable:  The phone had something malicious installed. I'm sorry for your four thousands of dollars damage. I hope you now know that you should never store any bitcoin online. Use non-custodian wallets instead.

I don't have Russian or Chinese ringtone apps on my phone.

What does that have to do with your security?

[bitmover]

I have used blockchain.info as a place to store one of my wallets for many years now.

But blockchain.com isn't a place to store your wallets for many years! You have to understand that you're trusting your laptop and every program it has installed, your email service, your phone (if it has access to your email account) and blockchain.com itself.

That's the point.

If you keep your money in a hot wallet, you might be ok for 1,2,3,4,5 years, but eventually you may lose your coins.

Specially if you do things like that:

This past weekend when bitcoin hit 60k while visiting my parents (on their secure wifi) I logged in to blockchain.info on my phone (updated google pixel phone) via the chrome browser. I had to verify my log in attempt in my email as usual. At 8:36am I saw my balance, an all-time high, it was there. I used my phone, as usual for a few minutes, checked on the news feed. Checked text messages. A few minutes later I went back to the blockchain page to look at the balance again and it was zero.

You kept logging in your account, in many different wifi... Then you use the phone to read stuff, go back the wallet and so on. This is ok if you just have a few bucks in your hot wallet... There are many possible attack vectors there.

You can have a few thousand dollars in your phone. But then, I would advice you to have a proper mobile wallet (such as electrum or mycellium), which are dedicated app that have the keys stored only inside your device.

Your private keys from blockchain.com are online, in a server from blockchain.com.... they could be hacked, or a hacker could intercept your connection between you and blockchain.com... or you could be hacked, or phone or computer.

The best solution for your case, imo, is to buy a hardware wallet. They are safe and easy to use.

If you want to check your balance everytime, you can just track your address in blockchain.com website (not your wallet), and if you have multiple wallets you can check the balance in a service like this one. (where you just paste your addresses and check their balances, no logins, no private keys.)

[Hydrogen]

Nearly all of my logins over the years have been from my laptop at home. This past weekend I logged in to blockchain.info on my phone (updated google pixel phone) via the chrome browser.

Many chrome browser extensions are compromised. Many python libraries (upon which chrome extensions are built) contain malicious code. One of your browser extensions could have stolen your blockchain session cookie and forwarded it to an attacker, who utilized it to hijack your session login credentials and swipe your coins.

That seems like the easiest method for an attacker to pull that off. Many phones are rumored to contain built in backdoors but that would be harder and more tedious and so perhaps less likely.

Python libraries could be one of the most heavily exploited attack vectors utilized at the moment. Which is strange as many are pushing python to be used for everything, almost as if they're unaware of how unstable and riddled with exploits it has become.

Almost $5k lost.    That's a good chunk of change. Sorry. Hope you can recover it somehow.

[healimonster]

I don't have Russian or Chinese ringtone apps on my phone.

What does that have to do with your security?
[/quote]

"The phone had something malicious installed."

[hatshepsut93]

If you used to log in on laptop and everything was ok, but the moment you used your phone you got hacked it's clear that the problem is in your phone. Maybe it's OS, maybe the browser is vulnerable, maybe their wifi isn't as secure as you think. Scan your phone with some antivirus. Manually check each app if there are reports about malicious activity, starting with your apps with the lowest downloads. Maybe other sites that you have visited made an XSRF attack against Blockchain.com.

Blockchain.com or any other website is the worst option for using Bitcoin, especially if they don't do 2FA for every transaction. Hardware wallet is the best option for people who don't understand cybersecurity, but even they aren't fully foolproof.

[healimonster]

Nearly all of my logins over the years have been from my laptop at home. This past weekend I logged in to blockchain.info on my phone (updated google pixel phone) via the chrome browser.

Many chrome browser extensions are compromised. ...
Almost $5k lost.    That's a good chunk of change. Sorry. Hope you can recover it somehow.

Thank you for your response and technical analysis instead of reciting best practices.  I am convinced that it had to be connected to me logging in via chrome on my phone. I don't think my phone's Chrome browser has any extensions but it certainly has plenty of cookies. The timing of the transaction is very curious. It is not like my credentials were stolen and it was sent in the middle of the night. It was sent only when I was logged in and the first time I logged in on my phone.  Very good advice by another responder to simply check the balance on the blockchain and not logging in - duh. Lessoned learned. This was not my main wallet (I have hardware and paper wallets) it was just a wallet I use to mine to years ago and it only had a few hundred dollars in it. Which turned to a thousand dollars, and this past weekend it turned into five thousand. Oh well.  "Hope you can recover it somehow"  If only.

[examplens]

Check this {Warning} New Malware is stealing your Google 2FA!!
Maybe you will recognise some of "the symptoms" on your side. I am not saying that is this happened in your case, but obviously that Google authenticator is compromised and they are not safe ^{or less safe} any more.

[2double0]

What made you to store such a big amount of btc (it used to be small when btc was 10k or less but now it is so big) on Blockchain.info wallet which does not even give you the private key of that address? Your email may have been hacked in this case because emails have your wallet identifier and if the thief knows/cracks your password, beware that you may lose all your coins.

[Lorence.xD]

The moment you said that your wallet is in blockchain.info, I know what is the mistake that you did. You should know that you shouldn't trust anything online especially with a wallet that has I guess has a considerable amount of funds. Online wallets are prone to attacks and your account must have been compromised during an attack a long time ago and they are just waiting for you to store more bitcoin in it. You said that you are using a laptop, you could have invested in a cold wallet and just access it anytime you want with the laptop.

[Lucius]

healimonster, is this the first time you have logged in to your online wallet using that mobile phone? I'm asking you this because you used wireless internet with your parents, which you say is safe, but regardless of max protection, today it is possible to hack wireless Wi-Fi networks within minutes or hours. If WPS is enabled on the modem, or if the setup protection is like WEP - hackers have the door fully open with little effort.

Either way, it's either something malicious on your phone or the Wi-Fi you connected to was hacked and someone got your login information the moment you logged in. In both cases, the only correct solution is a hard reset of the device.

[mindrust]

Android phone + blockchain.com wallet = R.i.P

And now it is impossible to get your funds back. Crypto doesn't forgive mistakes and it is definitely not suitable for everybody. It could happen to anyone though. Till it happens you'd never think you would be the next victim but there it is, it happens.

[vapourminer]

personally i NEVER use wifi on my phone. its turned permanently off.

when a phones wifi is on it will check in with any wifi signal it can. whether you want it to or not.

i treat any wifi network as compromised.

[doctor877]

the way these hackers work sometimes makes it seem as if they are spirits. there is usually a loophole which they use to act everytime and in this case it could the wifi you used or your device is compromised. this is a huge loss, i wish you recovery from it in many folds. henceforth you should be careful of network you access, and try to step your wallet security even if you have to use blockchain wallet.

[Lucius]

Android phone + blockchain.com wallet = R.i.P

Not necessarily so, but generally internet users pay very little attention to online security, and when it comes to smartphones that percentage is even lower. I can't claim that the OP would have been saved if it had AV/anti-malware, but it's certainly not enough to have an updated OS. From some past cases, I know that the iOS blockchain app was marked as something that many were hacked for.

personally i NEVER use wifi on my phone. its turned permanently off.

I only use my home wi-fi network which is maximally protected, but I agree with you that it is still a risk. It would be best to use a wired connection, and it's not exactly an option on a smartphone, although it's feasible via an additional adapter.

[healimonster]

personally i NEVER use wifi on my phone. its turned permanently off.

when a phones wifi is on it will check in with any wifi signal it can. whether you want it to or not.

i treat any wifi network as compromised.

Valid point and wifi can definitely be sketchy but this was with the latest xfinity router and a non-default password. I am not a wifi hacking expert but I think you need proximity to the wifi in order to hack it. This was in the suburbs with zero foot or car traffic and there might have been two houses in wifi range. The chance that one of those houses had some hacker in it sniffing packets at 8:30 on a Sunday morning seems very very low.

[Fatunad]

personally i NEVER use wifi on my phone. its turned permanently off.

when a phones wifi is on it will check in with any wifi signal it can. whether you want it to or not.

i treat any wifi network as compromised.

Valid point and wifi can definitely be sketchy but this was with the latest xfinity router and a non-default password. I am not a wifi hacking expert but I think you need proximity to the wifi in order to hack it. This was in the suburbs with zero foot or car traffic and there might have been two houses in wifi range. The chance that one of those houses had some hacker in it sniffing packets at 8:30 on a Sunday morning seems very very low.

Im much aware about snipping out Wifi but bypassing the router without having that default password or lets say that it is a string of alpha numeric then its really hard to
hack someones internet or router this is why i do ruled out the possibility unless if someone do really knows your password then its really a game over thing.
When accessing some sensitive information in my mobile then i do just simply make use of my own date than on accessing public wifi's anywhere.

[nc50lc]

My phone is updated with the latest security patches and I don't have Russian or Chinese ringtone apps on my phone.

How about "cleaner", "helper", "booster", "File/APK Sharing" apps? Even not Russian, Chinese or Khajiit.
From what happened, it looks like 'remote desktop-like malware' (RAT) rather than a login credentials hack since Blockchain will require 2FA/email verification upon detecting another device/IP.
It wont for a few minutes if it's the same device and IP.

[healimonster]

My phone is updated with the latest security patches and I don't have Russian or Chinese ringtone apps on my phone.

How about "cleaner", "helper", "booster", "File/APK Sharing" apps? Even not Russian, Chinese or Khajiit.
From what happened, it looks like 'remote desktop-like malware' (RAT) rather than a login credentials hack since Blockchain will require 2FA/email verification upon detecting another device/IP.
It wont for a few minutes if it's the same device and IP.

My phone has a ton of apps but none of those types of apps. No "antivirus" apps. It's a pixel 3a and runs great on its own.

[nc50lc]

If it's not "RAT", the other possible scenario is your "Recovery Phrase" being compromised (your 12-word backup from security settings).
It only takes a few seconds to restore it to a non-custodial light wallet and spend the funds.

Have you stored it in your phone?