$20,000 (7BTC) Stolen from Bittrex (captured live on video) Huge lesson learned

in #bitcoin, 8 years ago

If you're a trader and you have lost money I am sure you can understand how I feel.

Early this morning after talking with @brandon and @cordjackman on live chat, I logged into my Bittrex account at 2:32 am.

As soon as I opened the wallets tab I saw my total was only 4.1 BTC when it should be approximately 11 BTC.

At first, I thought it must be an error or maybe something hadn't updated, but then I realized there were transactions that had just gone out that I didn't authorize.

The shock hit me and I almost went into an extreme panic mode which never happens.

The first thing I thought about was to record while this was happening to make sure if I needed it for evidence with Bittrex.

This has been such a huge shock I really thought with all my security (2fa, 30 character password) that this wouldn't happen.

What made this situation worse, was not the fact it got stolen but the fact I was in the account while they were doing it, and I was in a panic to try and stop them stealing the rest of the funds.

I have been working night and day to try and get ahead to give my son a better life. I do get a bit emotional in the video but understand that is because of what I have sacrificed to try and get ahead for my family.

I think if maybe the person/people involved knew about the person behind the account they may not have stolen this. But then again I guess people that do this don't care, they just want to steal people's money regardless of who they are.

I think sometimes these things happen to make us stronger and to be very well prepared to help prevent it happening again.

I know now I will never leave any large amounts on any exchange ever again. This lesson has been a very hard one and one I will never forget, but I will not give up and I will come back even stronger again.

This has now lit a fire under my ass and I will not let this beat me mentally.

I hope you watch the video and you can take something from it and it makes you aware of how dangerous holding any coins on any exchange can be.




That's what I can't understand.. and what's even stranger is how 2 of the amounts they withdrew were exactly the same, 2.1990000 ... you can see here http://prntscr.com/fn3ugf It almost seemed like it was a bot doing it.

It probably was a bot. You have heard of ransomware - they operate by encrypting your profile and then demanding you pay bitcoins to clear it - these are malware infections, and you probably just suffered such a robbery... Bank robbers don't need guns anymore...

I run windows, but I am something of an IT expert, and I just basically don't run anything or visit sites that would have malware payloads. This is the real reason why you should be running adblockers, because, unfortunately, and a big fuck you to the advertising user-as-product business model who claim that there isn't a way to monetise digital content and services without advertising cough cough... Most such malwares arrive either in some crappy pirate software, or, more commonly now, injected into your web browser. It doesn't even have to escape the browser box to pull this off, though it has to hijack the pipe that connects each web page to the controlling application.

After such a horrible loss, I would suggest that you up your security and segregate either a computer, or an operating system, that is not used for general tasks or whatnot, just for money, and lock it down tight, strong password, and don't install anything more than the browser and cryptocoin wallets you need.

I am in the hole at the moment with poloniex to the tune of 1233 steem... I am kicking myself for using poloniex again, it's almost never been smooth or pleasant working with that site, and if I had just waited another 5 minutes for blocktrades.us to come back online, (and it did, directly afterwards), a little tiny bit more patience, I would not be in this situation...

I still want to go visit poloniex's offices and personally slap everyone who works there, and for good measure, I want the CEO's luxury car for my trouble.

Fucking criminals >_<

Excellent instruction, thanks! But:

After such a horrible loss, I would suggest that you up your security and segregate either a computer, or an operating system, that is not used for general tasks or whatnot, just for money, and lock it down tight, strong password, and don't install anything more than the browser and cryptocoin wallets you need.

But what if Bittrex itself is infected??

And I think this 7BTC was stolen by bittrex, Not by malware bot.

The thing is, you need to have a lot more than adblockers, antiviruses and so on in order to beat the hackers... First of all common sense, which is hard to achieve. Secondly you need to know the way things can go wrong / malware can reach your computer or how phishing is able to mislead you. This knowledge is even harder to achieve... Funny thing is, I'm an IT expert as well and Data Security specialist and even I have been hacked by a phishing website, which was a perfect https enabled secure certificate fake Ether Delta copy. So yes, even the best most secure guys out there can be hacked in a matter of seconds when they make one tiny mistake.
I can guide you in a good direction by advising you to block http websites, check certificates, block plugins or other web services from running outside their virtual sandbox, disable flash player (for sure), keep your browser up to date... As you can see these are all things you can change by simply setting up your browser correctly :)

mostly agree

What does Bittrex say? To get 2FA verified they would need to be on your phone

I haven't heard back from them yet. I was using my iPad mini.

Edit: now I hear from hilarski that this video is actually fake.

Well he jumped the gun on that.. he should have got his facts straight before he went around telling people that false information. He said that because apparently he checked with Bittrex and they didn't know anything at the time. But I had already sent the first email and they requested more info, I just hadn't had the time to actually submit the ticket at that stage because I was homeschooling my son. But if you check my latest post you can clearly see Bittrex has given me the info and it looks like it may have been my fault they were able to get my API keys.

can't you see your APIs in the previous video?

Take one second to actually think about this man's struggle, and take your own subjective apathy out of this. You may not understand the gravity of this theft, but Shayne is a friend of mine and lying, let alone lying about something like this, isn't even in his plane of thought. You are offending me and others who know this is truth, imagine losing half of the savings you've built up just to have it stolen. In a time where this guy can use some sympathy, you and some others only accost him. Maybe you just want upvotes and attention, but saying an innocent man is a liar (and in essence a thief) falls more on you than it does on him.

Thieves and charlatans can do far more than $20,000 damage to this platform.
Any time there's money involved, there are going to be liars.
If your friend is on the level, then ignore it or by all means defend the accusations with facts; but if we don't call attention to potential fraud when we see it, we'll be overrun in a heartbeat.
I realise it's a bitter pill, at a terrible time, but it's not personal.
My sympathies to your friend.

@cryptoiskey do you ever access Bittrex on your phone???? Which 2FA do you have? Googles or SMS??? I'm studying this trying to figure out how they did it... You are right to assume it's a bot

No, I only ever use my iPad mini. What makes me think it was a bot is the transactions being the same

@cryptoiskey.. Before I get too excited.... 1. That notification at the beginning of your video... Is that the first notification you received about someone else logging into your account? If not, could you give me the info on that notification? Or is that your notification of you logging in? I looked up the IP and found a location in Cali but that might be you (see you're from Cali). If it's the 1st notification you got about the hack... then you have a trojan on a system and they have a backdoor on one of your computers in your house... I traced the IP shown in the video... that's why I ask

No, that was me showing I logged in.... the 4 withdrawals had already been made before I logged in, so maybe Bittrex can track them somehow

Damn it... :/ never got a notification for that login? The hacker's login? Hmm, that makes it even weirder

perhaps the hacker deleted the email notification

Possibly it was email - so email was hacked.

@cryptoisky - that's what I'm thinking... with Google Authority.. I'm thinking if someone got my google account they could get the same 2FA codes that I get if they downloaded the program... (I'm gonna do a test of it)

@cryptoisky Yes In Google Account Settings you can simply change your phone 2 factor Authentication to new phone..If you are not using same 2 factor authentication is not using to open Gmail Account (At least through SMS)

That is why I use different email service because 2FA is on Google authenticator.

kingscrown, I am counting on you to get to the bottom of this! You are one of the most esteemed members here.

apparently 2FA is not enough

I've seen it before, if they crack into your gmail account and know you're online with bittrex it's an open door for them. That's in spite your 2FA was sent to your gmail account as normally happens.

I'm not saying this is what happened but the API doesn't need Two Step verification once it is enabled. It also appears that Withdrawal Whitelist wasn't used and could have been an option to use during the video. I'm sorry to hear of the loss. Please reach out to me as I'm happy to help assist with your cyber security.

Did you enable your API? Maybe the hacker got your API code.
Or is your PC infected by a trojan virus?

Yeah, my API was enabled, I had it hooked into Coinigy, but that doesn't allow withdrawals I don't think. PC has a very good security suite on it, "Eset", that I have faith in and nothing has ever got through.

API part is interesting - check if it doesn't allow withdrawals

Wow, I am really, really sorry man. My heart goes out to you and your family. Upvoted. Coinigy does not allow deposits or withdrawals, they must be done directly through the exchange.

Rotten thieves, this is immoral and absolutely ridiculous! I don't want to say anything which would keep you stressed out and worried but if you can't do anything then you can't!

If there was something like a decentralised insurance platform which covers us for our losses on exchanges like Bittrex or Poloniex then that would make life so much easier.

Yeah tbh it hurts me to know these people can do it to others. I wouldn't want this nightmare to hit anyone else, it's a horrible feeling. When things are handed to you it doesn't sting. But when you grind on the stone for every penny it makes it kick very hard. But we live and we learn and we have to keep positive.

When under the immense circumstances the one victim replies in this manner!

It truly motivates us all.

Keep striving, but I guess I don't have to tell you that!

Respect!

💪

I guess these things can happen to anyone. I must say though posting publicly about your crypto holdings makes you a target for these sorts of things.

Some journalist posted on twitter about how he bought a bunch of Btc or Eth only to have it stolen a few days later.

Always keep quiet about how much you have and store anything you're not willing to lose in a cold storage/paper wallet.

Yeah, I was trying to be helpful, I guess even that bites you in the butt sometimes. Yeah, it's a hard lesson for sure.

I feel for you, I really do. I lost 0.15btc by sending it to the wrong address once, I was devastated and extremely annoyed at myself. But the fault was mine and I've always been slow and cautious when making transactions in the future.

I can't imagine losing 7Btc and all because of someone else's malicious act. That'd make me mad as hell.

Keep your head up, your posts on steemit are getting good traction and spike my interest throughout the day, hopefully they can earn you back a fraction of what was lost.

Wow that's rough. I'm sorry man.

That's why I always tell people to buy in exchanges and store on external wallets. I wrote a post about it just a couple days ago but not many people viewed it. I've told close friends about it but they don't budge. I guess it's because keeping it on exchanges is so much easier to do than depositing it into a whole separate wallet.

Hope you stick with it and get through it though.

Yeah, the only reason I kept anything on the exchange is because I have been full time trading, so to move it back and forth would be a pain in the butt... but at the end of the day any pain in the butt is worth doing to protect your funds.

Ya I feel you on that. It is annoying going through different addresses, I admit I do that too sometimes if I know I'm going to be trading something soon. Either way hopefully Bittrex does something about it. Will be following you and expecting an update!

Hey Stephcurry, I'm new to the whole crypto thing and just learning for now. Thanks for the tip. So the thing is to buy in exchanges and store on an external wallet ? I'll remember that one. Thanks. Phil

Yup, it's essential because exchanges don't personally store the crypto you purchase unlike external wallets. I wrote a post on the Exodus Wallet which I personally use along with two others, you can read more there.

Do you mind sharing that post about storing cryptocurrencies on external wallets? I would like to read it.

I'm sorry for your loss. This is just a bump in the road and you will play a smarter game moving forward. I go by the saying, if you're flashing it, you must not want it. People don't need to know your cards. Best of luck brother!

I feel so uncomfortable and afraid that even we use 2FA and the hacker still can stole our BTC! As poloniex cannot cash out SBD not, what we earn in steemit is not under well production and no guarantee. We cannot cash out them into bittrex as they we stole by people!

What do you think will happen when India with more than a billion people wants a slice of the 16 million Bitcoins that have already been mined? You're right... The price is going to shoot through the moon!

Comment below if you would like to know how I capitalize on this and how I create wealth with using Bitcoins as my vehicle!

I don't know much about programming, but it looks like your API key was somehow compromised. If someone gets your API key then it is possible they can program a bot to automatically do this. I don't think it is just Bittrex but can maybe happen on all exchanges as they also allow bot trading.

Wow, I didn't know they could actually withdraw..

Go to settings and under API key you can see whether you have an API key set. If you have set an API key then a set of numbers should be seen, otherwise no keys should be seen. This is how I think your account has been compromised. I may be wrong. Will be good to know if you have or do not have an API key and whether you set this key yourself.

I'm really sorry, mister. I just like to say, with my respect sir, that maybe for a computer that manages bitcoin it is better to use a linux version instead of windows. Best regards from here sir.

You are probably right.


After reading this blog I am going to download the Linux Tails distro. It is the most private and secure of all Linux distros. You do not load it onto your computer. It runs off of a USB stick, therefore, it is ROM so a hacker can't make any changes to it. When I want to make transactions I will run my computer off of the USB stick.

https://tails.boum.org/


Thanks for the info, I will check it out.

Hi @catto000 I am new here with 35 posts (comments) but you are my very first follow. Why is linux better than mac or windows for managing crypto?

well.. i don't know about mac... but more secure than win is an old fact...

Agreed ... Linux is a must to even have a semblance of net security.
Windows is nothing but bloated control/spyware.