Hurts so good: Hacked for $30,000 USD

in #cybersecurity, 7 years ago (edited)

This post was written by a community member. ADSactly was not hacked. The post is purely educational in value and to let the crypto community know the importance of their privacy, cyber security and serves as a reminder of how vulnerable we are to nefarious individuals.
100% of this post payout will go to the user who was victim of this hack!

Let's get straight to The Cryptocurrency Carnage

Here is a rundown of the $30,000 (that's right: thirty-thousand dollars) that the hacker relieved me of:

.25 BTC stolen from my 1Broker account ($1,250 USD)

ouch
was sent to: 1Km6Q7BuW6R42XKDJrCyTcqo2wrfh5m3hx

20 BCC stolen ($1,600 USD)

the agony
was sent to: 8GrJvV8pjp6CuqakoosGejHKjQERdGg55D

10,990 Pura stolen ($5,000 USD)

I can't take it anymore
was sent to: PVGA6ZuBM4uGyE59AY5DkMtH21M6TzL2kb

Exodus wallet holding 1 BTC, 187 Salt, and 45 LTC (USD 8,000)

I am unable to get into my Windows VPS and take this screenshot. The hacker removed RDP access for the account.

Say sayonara to 117,000 OKCash (USD 16,000)

Man this hurts
was sent to: PTY47KXWfcJisiJwMuacGUSc4pwKPY9sLg

Losing the OKCash was the most painful, because I had been buying OKCash for the last 2 years.

How was I found?

I still recall logging into my Windows VPS and seeing someone moving the mouse around, and then I began to move the mouse around as well... imagine that: almost like walking in on a thief who has robbed your home, virtual-style.

I don't know how the hacker did his dirty deed. I can only guess.

The hack occurred a few hours after I sent this message to a Discord channel:

I sent bitcoin from my Exodus wallet 2 hours ago and it still has not arrived at Bittrex. It shows as pending with 0/2 confirmations there... why is it taking so long... here is the transaction - https://blockchain.info/tx/a18f06e5f59b5b3840c208e22c5007a7ecc643ccb58ab865166498a2d8810876
(I'm trying to get into this IOP trade and good ol' bitcoin is taking its jolly sweet time going from point A to point B)

Monosnap?

By default, the screenshot tool Monosnap includes the title of the active window in the screenshot. And I have taken plenty of screenshots that advertised the IP of my Windows VPS, such as this one, and posted them publicly.

Since this hack, I altered the default settings of Monosnap to remove the option of showing the window title.

Exodus? Jaxx?

In preparation for the 2 upcoming hard forks, and only 1 day before this hack, I downloaded a few desktop wallets. Exodus was kind enough to prompt me to back up my wallet. But oddly enough, it did not prompt me to "encrypt my wallet", which is a fancy term for requiring a password before making any transactions.

Random port scanning?

While IP addresses are not stored in the blockchain, there are some ways to locate the IP that a transaction originated from. This, and/or random port scanning, was a definite part of the hack, because about 3 days earlier I had changed the password for my Windows VPS to something very simple:

money1

That's right. Once someone had my IP, all they had to do was guess a username of "Administrator" and a password of "money1" and they had access to $30,000 in funds. No, I don't enjoy looking like an idiot in public, but if it will snap even one person out of the delusion that this is all fun-and-games, then I have done my job.
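A password that weak is usually found by repeated guessing, and every failed guess against a Windows server leaves Event ID 4625 in the Security log. The following PowerShell, an added example that is not part of the original post, summarises failed network and RDP logons by source IP over the last 24 hours so that a guessing campaign shows up before it succeeds; it assumes it is run on the server itself with rights to read the Security log.

```powershell
# Added example: tally failed logon attempts (Security Event ID 4625) by source IP.
# Run in an elevated PowerShell session on the Windows server being watched.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue

# Each 4625 event carries its fields in EventData; pull the ones that matter.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']   # e.g. "Administrator" being guessed at
        Ip        = $d['IpAddress']        # "-" for local failures, an address for remote ones
        LogonType = $d['LogonType']        # 3 = network, 10 = RemoteInteractive (RDP)
    }
}

# Keep only remote attempts and rank the noisiest sources; a single IP with dozens
# of failures against "Administrator" is the signature of a password-guessing run.
$rows |
    Where-Object { $_.LogonType -in @('3', '10') -and $_.Ip -ne '-' } |
    Group-Object Ip |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```

Any source that appears in this list and is not one of your own addresses is a candidate for the IP restriction described under "Restrict IP access" below.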

Reflections

Centralized security isn't so bad

I have all the addresses that my coins were sent to. But because crypto can be sent anonymously and there is no central authority, there is no registry connecting identities to addresses.

I guess if you want total freedom and autonomy you had better be ready to defend against those who want to misuse it.

Back up your wallet frequently

Apparently when you restore from a wallet file, the wallet needs to replay the blockchain from that point to the present. So, presumably, the more recent your wallet backup, the less time it takes to recover your funds? Please correct me if I'm wrong here.

Suggestions for Security

Diversification

I'm a firm believer in not putting all your eggs in one basket. But I did get caught with quite a few of my funds in one place, in the interest of having all of my desktop wallets together... and saving on monthly server costs.

If I had used 4 remote servers and distributed my wallets to those 4 places, then I would be reporting a loss of just 6 or 7 grand instead of this major setback.

ENCRYPT YOUR WALLET

If you take nothing else from this post, remember to encrypt your wallet... don't be intimidated by that term. It simply means that a password is needed before you can access funds or see the transaction overview.

None of these wallets require a passcode to withdraw funds. No bank or ATM on this planet would allow funds to move without verifying the identity of the mover in at least 2 ways.

Don't wait for the crypto-world to upgrade to bank-level security. Do as much as you can TODAY!

Harden your Windows remote server

I had all my funds on a Windows VPS (Virtual Private Server). I am lucky that the server farm that I use has 24/7 customer support. They were very responsive via live chat. That being said, I will never use them for cryptobanking because they don't have an easy way for me to harden my VPS server in the ways I discuss below.

Idle Timeout Screen Lock

Do you want to wake up in the morning to all your funds gone? Me neither. Having to enter your password every time you see an idle screen timeout may be a pain, but I can tell you: waking up to losing $27,000 is way more painful.

2-Factor Authentication is a MUST

2-Factor Authentication, 2FA for short, just means that there are additional layers of security besides just your username and password. Notice how you have to have a debit card AND your PIN before you can withdraw money from an ATM? Just having your debit card is not enough. Unfortunately, my Windows server did not have 2FA enabled.

Once the hacker guessed the username/password combination of Administrator/money1, he (or she!) was in. No need to enter a code from my cell phone, nothing. And this drag-ass security model is what you need to change if you do decide to use a remote Windows server to store your funds. Speaking of drag-ass, why was Windows Server 2012 so adamant that it was time to change my password, yet not so adamant about enforcing some rigor on the difficulty of the password?

While it does seem tortuous to set up 2-Factor Authentication on Windows, certain VPS providers have made it easy. For instance, you can be done with the process in a few easy steps at ServerIntellect. And if I return to using a remote Windows server for cryptobanking, I will require at the very least what ServerIntellect is offering and will never accept anything less as legitimate for cryptobanking.

Restrict IP access

If you are the only one accessing your machine, do not allow any and all IP addresses to access your machine.

Change the administrator username

On a daily basis, my WordPress site receives about 5-10 attempts to break in using the admin username.

That's right. A measly WordPress site with a bunch of meaningless posts. So if there is that much interest in wrongdoing for a measly WordPress site, imagine how many more bad guys must be out for my money! Actually they are out for my currency, not my money, but we don't need to get into the differences now.

So yes, change the username from Administrator.
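The four hardening steps above (idle timeout screen lock, lockout and password rigor in place of provider 2FA, restricting IP access, and renaming Administrator) can all be applied from one elevated PowerShell session. This is an added example, not from the original post or from any VPS provider; the allow-listed IP, the new account name and the timeout are placeholders to replace with your own, and true 2FA still needs a provider or third-party agent that this script does not install.

```powershell
# Added example: harden a Windows VPS that holds wallet software. Run elevated.
# Placeholder values (assumptions): change them before running.
$AllowedRdpSources = @('203.0.113.10')   # only IP(s) allowed to reach RDP (placeholder)
$NewAdminName      = 'vault-ops'         # replacement for the "Administrator" name (placeholder)
$IdleLockSeconds   = 600                 # lock / disconnect after 10 minutes idle

# 1. Restrict IP access: scope the built-in Remote Desktop firewall rules to the allow-list.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedRdpSources

# 2. Require Network Level Authentication, so credentials are checked before a session is drawn.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 3. Lock out an account after repeated bad guesses and refuse short passwords.
#    A 14-character minimum would have rejected "money1" outright.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14

# 4. Idle timeout screen lock: password-protected screen saver for the current user,
#    plus a server-side idle limit that disconnects RDP sessions (policy value in milliseconds).
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value 'C:\Windows\System32\scrnsave.scr'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$IdleLockSeconds"
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'MaxIdleTime' -Value ($IdleLockSeconds * 1000) -Type DWord

# 5. Change the administrator username: the built-in account always has RID 500, so rename
#    by SID rather than by name. Uses WMI so it also works on Windows Server 2012.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
if ($admin -and $admin.Name -ne $NewAdminName) {
    $result = $admin.Rename($NewAdminName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with return code $($result.ReturnValue)" }
}
```

Reconnect with the new account name afterwards, and from an allow-listed address only; the old name will no longer exist and other addresses will be dropped by the firewall.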

Conclusion

  • You are running your own bank. Treat it like one. Seriously. Whenever you login to your online banking service, take note of the hoops of fire they require you to burn your ass on before you get access to your funds. And then make sure you have just as many hoops of fire on your funds. Either that or you may be the next guest star on "Cryptocurrency Carnage: How Much Money Did The Next Fool Lose and How?!".

  • There are no mistakes in this universe. Everyone gets what they deserve. At least I would like to think so. What do you feel? Do you think this is karmic retribution for something I did in the past? Please share in the comments whether I am a poor innocent victim of a ruthless thief. Or whether I am getting what I deserve for past violations of The Golden Rule.


Sorry to hear about this @adsactly. I think you have a very healthy response and appreciate your efforts to educate others. I hope that your mindset and attitude even in bad situations will help you earn much more than was stolen from you in the long run!

This type of thing is one of the main reasons I think that Steem has really big potential to become a mainstream cryptocurrency. It's the only one I know of that has both a vesting option where you can effectively lock up your tokens and an account recovery system which allows you to regain control of your account if your owner keys are stolen.

These things will be absolutely necessary for mainstream adoption of any cryptocurrency.

damn - that sounds painful...

The last time I "nearly" f*ed up was when I reset my browser cache before realising that this would also clear my BitShares wallet. Thankfully I had downloaded the backup. But still... mistakes happen..

I was in pain reading this, I am sorry for what this hacker did.

I profoundly appreciate the empathy @abcasper. It does lessen my burden. Thank you for your kind thoughts.

Holy**** That's really bad ... I'm thinking if all this had happened to me man I wouldn't have taken it like you did ... You really have the heart of a lion

The experience you wrote about in this blog is very useful for us who just started in that field. So, thanks for sharing and I'm asking permission to reblog your post.

oh yes, RESTEEM to your heart's content and link far and wide!

You are very brave to share it, it is truly very nice of you to do so! I will definitely make sure to get 2-factor authentication. This can happen to just anyone so we should not be naive.

Like you say, if we want to be our own bank then we should also realize that we carry the responsibility ourselves to make sure that our money is safe.

Thanks for sharing and really so sorry to hear that this happened to you!

Thank you @dandesign86 - everything is a part of our evolution as a species. I firmly believe that everything is co-created, including this. Think how boring life would be without cops and robbers, cowboys and Indians. The truly aware person is aware that: the world is in them. They are not in the world.

Very nice comment and I understand your point; there has to be this balance, this struggle, in order for further development!

No, I think that the truly true truth is that the world is outside us, and we are physical beings that exist inside reality.

The universe is outside us, and we are made of the universe, and our minds are like a computer.

The computer thinks thoughts inside of its CPU.

We think thoughts inside of our brain.

But outside our brain is true, raw reality. It is beyond our mortal senses often, thus we might think that the world is within us. But it is not.

There is not a matrix reality running inside our head.
We live in the real thing. The true reality is outside us, and we are part of it, but we do not create it.

We are mere animals, evolved chemical-reactions that have become intelligent, but not intelligent enough to truly comprehend the reality of reality.

Wow... so so sorry for your loss @adsactly, this is truly eye opening. I'll begin to pay more attention to my own online security because these days, security can easily be breached.. this is quite heartbreaking, I don't even know what I'll do if this happens to me, thank you so much for sharing. All your security advice has been fully noted, take care

Thanks @evelynbelle, it was me, a Grand Founder and Overseer within ADSactly, that got hacked. Not ADSactly itself.

Oh... forgive my misinterpretation, but still it's sad... I hope you're able to completely recover from your loss soon... cheers!

Painful to say the least.
IMO, you should consider setting up a dedicated hardened computer just for that + cold wallet

yeah, $30,000 in crypto... devote $5,000 to a local computer instead of risking 30k out in the wild .. not a bad idea ;)

It's my understanding that you could live for 2 years or more in many parts of the world on that type of money.

30k is certainly a sizeable sum of money, but you can't live comfortably in the USA on that sort of bread for more than 3-6 months in general.

It's my understanding that you could live for 2 years or more in many parts of the world on that type of money.

Yes, you could. $5k would allow somebody to live for 2 years in the Philippines. They would need a room with shared internet though because that wouldn't fit in the budget.

$30k? A family could live for multiple years on that. 2 years? You must be kidding. ;)

Sorry to hear about your loss. It's a big price to pay for a #flearn (fail + learn). But ultimately, it all makes us smarter.

Great article, cybersecurity cannot be taken lightly. I've been doing a much better job recently with storing my coins in hardware wallets. This article is really informative, and definitely should be read by everyone in cryptocurrency.

If you don't mind checking out my article I wrote yesterday, I covered the difference in SMS and App based 2FA:

https://steemit.com/cybersecurity/@investoranalysis/sms-two-factor-authentication-is-very-unsecure

Wow. That is a wake-up call for all of us. I am sorry you lost so much money. That really sucks.

Thank you for sharing this. Hopefully your purpose of sharing your misfortune will help the rest of us avert one.

Thank you @mgood. You made my day by saying that you received a wakeup call. I'm glad my efforts paid off. This is the article that I wish I had seen when I started in cryptocurrency seriously 1 year ago.