
Do Not Use Two Factor Authentication with Bittrex!

My friend recently lost over 2.7 BTC on Bittrex.com due to what we think is a vulnerability in the TFA (Two Factor Authentication) system on Bittrex, or possibly an insider job.

Here’s the story:

The hacker took a total of 2.7 BTC, 1999 Supercoins, and 45416 Vootcoins out using TFA near midnight on July 2nd.

Now, when you have TFA enabled on Bittrex, it does not send you an e-mail confirmation, unlike when you have it disabled.  If someone withdraws money, that's it, it's gone!

Somehow, the hacker was able to get the password of my friend's account and log in to his Bittrex account.  Then, somehow, he was able to get the correct TFA code to withdraw all the money.

If my friend had not enabled TFA, his money would have been safe, as Bittrex would have sent an e-mail confirmation that my friend would have had to confirm by logging into his Gmail account.
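The post's complaint is that, on this exchange, a valid TFA code alone released a withdrawal, while the e-mail confirmation step only applied when TFA was off. The following is an added example, not code from the post or from Bittrex: it implements an RFC 6238 TOTP check (the scheme authenticator apps use) and models the two withdrawal policies side by side, the one the post describes and an assumed defense-in-depth alternative where e-mail confirmation is always required. The policy names and the `authorize_withdrawal` function are constructed for illustration.

```python
import hmac
import hashlib
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP with counter = floor(time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side, compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


def authorize_withdrawal(policy: str, totp_enabled: bool,
                         totp_valid: bool, email_confirmed: bool) -> bool:
    """Decide whether a withdrawal is released under a given policy (constructed model).

    "totp_replaces_email": the behaviour the post describes. With TFA on, a valid
        code alone releases funds; with TFA off, the e-mail confirmation gates it.
    "defense_in_depth": assumed alternative. E-mail confirmation is always required,
        and a valid code is additionally required whenever TFA is enabled, so a
        stolen password plus a stolen code is still not enough on its own.
    """
    if policy == "totp_replaces_email":
        return totp_valid if totp_enabled else email_confirmed
    if policy == "defense_in_depth":
        return email_confirmed and (totp_valid or not totp_enabled)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key); not a real account.
    secret = b"12345678901234567890"
    now = 59
    code = totp(secret, now)
    ok = verify_totp(secret, code, now)
    # The theft scenario: attacker has password + code, victim never confirmed by e-mail.
    for policy in ("totp_replaces_email", "defense_in_depth"):
        released = authorize_withdrawal(policy, True, ok, email_confirmed=False)
        print(f"{policy:22s} -> withdrawal released: {released}")
```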

What's funny is that Bittrex sent out a warning tweet a couple of days ago about phishing e-mails to watch out for.  It coincides with right before my friend's account got hacked.  And we aren't stupid people who enter IDs/passwords into phishing e-mails; we are all pretty smart about that.

The reason why my friend’s account could not have been compromised?

He had not withdrawn any money since June 7th 2014, which is almost a month ago.  Plus, he had uninstalled his TFA app from his Android phone about 7 days ago.

Also, he does not use Bittrex on his phone; he only uses it for TFA when withdrawing money.  He uses his desktop PC to trade on Bittrex.com.

There are TWO different devices for TFA and trading.  It seems impossible that the hacker could attack both at the same time.

Could it be possible that Bittrex.com is withholding information from users because they DO HAVE some kind of vulnerability?  That's what every company would do (even Mt. Gox denied any problems until the end) to protect their PR.  But that's not good for users like us who sell our cars/houses to invest in cryptocurrency.  We won't know for sure until next month!

Now, that is probably a pretty solid argument that the hacker could not have hacked his TFA app, as it wasn't even on his phone recently.  The attacker would have had to hack both my friend's PC and his Android phone, which is near impossible.  That would mean my friend's PC had a virus and the hacker knew how to hack Android phones.  I personally hack Android phones for a living, so I would know if it had been hacked.  I did an investigation on his phone; he has a minimal number of Android apps, and there's no compromise there as far as I can tell.

So, the only thing that I can think of that caused this?

It must be an inside job, or Bittrex.com's TFA has been compromised.  I don't know how they do it right now, but Bittrex.com needs logging of all activity by their employees.  This could easily be done by someone who works at Bittrex, although I cannot prove it since I don't work there nor have access to their system.  I have no idea what their system is, but these new exchanges are probably just start-up companies lacking security, unlike bigger companies like Google.

Bittrex.com has the IP address of the attacker.  They should cross-reference it with all of the IPs on their network and find the attacker.  And hopefully, my friend will get his BTC back.

But definitely something is really wrong at Bittrex.com; I would surely not use their TFA, at least.

We've been through this before with Mtgox.com.  You can trade your money at an exchange, but don't keep your money in it!  There's no reason to keep your money at exchanges, as you can take the time to make wallets and keep 'em there instead.

Lastly, have a great July 4th!  I hope Bittrex.com figures this out soon, but to me it seems like an inside job, OR it could be their TFA having vulnerabilities.

Here's where all of the funds went to.  It's still showing on the blockchain if you can figure it out, or if you ever see the money going to a known wallet, we will be able to catch the attacker:

2.7 BTC stolen by attacker on Bittrex: 132Dnh1T3fccZPP5ksrDMEnudZGRWd7y4S

1,999.98 Supercoins stolen by attacker on Bittrex: SPF2uprXvGbYRWPfo5yJDuZBtdPYGvFotm

45416 Vootcoins stolen by attacker on Bittrex: VRZqxBjcyypUvb73oLxjwmm5bVzWgetYSc

If you have any information that could be helpful in finding the bandits, please e-mail zedomax@gmail.com. Thanks!

Do I think Bittrex.com is still safe?  Not sure, but you should always keep your money in your wallet, not on exchanges; in the end it's my friend's fault for leaving his money there.  Do not trust exchanges with your money; there's always a way to hack exchanges, as we've seen with Mt. Gox.  Bitcoins are secure, but exchanges are vulnerable as they are NOT part of the blockchain and also have proprietary PHP code that may be vulnerable.  Hence, my only conclusion here is that Bittrex.com has some kind of vulnerability.

My last word to Bittrex.com: please cross-reference the IP address against every user on your site; there should be a match to someone's ID.  Thanks.

These are my honest opinions on what my friend has just gone through, losing over 2.7 BTC (or around $2000 US).  It sucks, but it happened right in front of my nose!

Note: I am just a regular miner/trader, as you well know; I do not condone any exchanges specifically.  I actually promoted Bittrex as one of the best exchanges to use (see my blog posts), but this happened.  I also want to note that the support response time at Cryptsy.com (when my deposits got lost!) was much better than the 14 hours my friend had to wait for an answer at Bittrex.com.


17 thoughts on "Do Not Use Two Factor Authentication with Bittrex!"

  1. jacob

    This doesn't make any sense. You said he had 2FA disabled. Then you said if he hadn't enabled it. So he has a shitty password and someone got it and logged in and turned 2FA on to withdraw his funds... and somehow this is Bittrex's fault?

    Your entire post contradicts itself.

    Reply
    1. Max Lee Post author

      No, someone used 2FA to withdraw, then turned off 2FA just before leaving, which means the hacker already took the money out and then turned off 2FA, which then alerts the user via e-mail. But having 2FA off is safer, because the user must confirm his e-mail before any money can be withdrawn.

      Reply
      1. jacob

        Obviously you have no idea about security. If you had enabled 2FA in the first place, the attacker never would have gotten into your account. Without 2FA, some dude could get into your account and sell all of your coins away anyway.

        Smart people enable 2FA from the start.

        Reply
        1. CCCLLC

          Obviously you can't read, Jacob. Enabling 2FA is what created the vulnerability. Max was saying he wished he hadn't enabled 2FA, because without 2FA they send out a confirmation e-mail, which would have prevented this theft. "Do NOT enable 2FA" is what Max is saying; he isn't saying that if he had enabled 2FA earlier it would have prevented the theft. NOPE, he said exactly the opposite: enabling 2FA made his account vulnerable. Do NOT enable 2FA, so you will receive an e-mail to confirm; 2FA removes the e-mail confirmation safety net, so had he NOT enabled 2FA he would actually have been better off... Get it, Jacob??? Read and be sure you UNDERSTAND before you post a comment, buddy, because your comment just sounds stupid... No offense 🙂 LoL

          Reply
    2. webprods

      Warning for everybody. I'd like to warn you about using the Bittrex exchange. Yesterday Bittrex stole my coins.
      Over 100,000 Cammoracoins, worth 0.80 BTC. They did that procedure to many people and blame hackers, which isn't the truth. Coins were withdrawn without my knowledge, without a verification e-mail. I had every security protection at Bittrex: a long password, two-factor authentication and e-mail verification. But my coins were stolen. I sent several e-mails to
      Bittrex support, but so far I haven't got any answer. If somebody got ripped off by Bittrex, please contact me and we can try to take Bittrex to court. This is a shame, and together we can fight those individuals.

      Reply
  2. CCCLLC

    Cryptocurrency is the new "Wild West". I've had pools redirect my hashrate to their wallet or just flat out never release my coins, and exchanges are just as easy to manipulate. If a pool requires an http:// link and you're not positive you know why, they are probably redirecting your hashrate for their own use. stratum+tcp:// seems safer, but ultimately we miners place our faith in these pools/exchanges without a clue who is really in the driver's seat. I agree Cryptsy has quick response times, but who can fully trust a complete stranger with thousands of dollars?

    Reply
  3. CCCLLC

    Figured a BS in computer science would help, but the real work isn't building/compiling the rig, it's guessing whether I should hold or sell, so miners with finance degrees would probably be better off lol

    Reply
  4. Kevin

    Hi,
    I know this is off topic, but I'm in a crisis right now. The Dogecoin price is going down and my Dogecoin pool just closed. I have scrypt ASICs, but I was wondering what pool I should mine on. Some people are recommending that I join a multipool,
    but what coin should I pay out in, and where do I find the pool? Thanks!

    Reply
    1. Max Lee Post author

      I shut my rigs off; it's not really worth mining scrypt, never mind X11/X13, atm. I am only turning on my rigs when coins worth mining are launched. "Right now" it looks bad; I would turn rigs off until prices rise and it's profitable to mine. But you can try multipools, although their payouts are so bad lately.

      Reply
  5. CCCLLC

    We run many Bitcoin ASICs also, and this is the first time in as long as I can recall that they are more profitable than our GPU farm, which is breaking even with the power bill right now, which means I'm losing money on them until coin prices climb, if they ever do.

    Reply
  6. CryptoCrackaz LLC

    Another off-subject matter: if you're mining X-anything, upgrade to AMD 14.6. It literally added 50%+ to each card's hashrate at only 2 extra watts per card. If you're using 14.4 or below, upgrade now. I wish I hadn't waited this long; I know the 14.6 drivers have been available a while, just an FYI 🙂

    Reply
  7. Chad Lee

    KnC Miner just announced that they will not be selling any miners; if you check KnC Miner, it is true, all their products are unavailable. The CEO Sam Cole just announced "we are not selling miners anymore because the price of Bitcoin has gone down, and customers are asking for their money back". He announced that he's building a mining farm to mine all the Bitcoin he can with his miners.

    Last I heard, he said he was going to mine only 5% of Bitcoin so that other miners would make some profit; now he has decided he wants most of the PIE.

    Reply
  8. A

    I'm a dev.
    Been in many coins.

    Bittrex is criminal.
    They inside-trade their weekly scam coins on you.

    Criminals make the altcoin world look very bad.

    True.

    Reply
  9. imgur

    When you make a website, all your web pages are served from a server residing somewhere on the internet.
    They offer so many extras that make starting up a new website so simple that even a complete
    novice could get a website up and running. Just-Host is loaded with tools that will help you with
    every need you have.

    Reply
  10. WatchDog

    Another hacker bothered by 2FA because he/she (or it) can't steal coins. I will never read this webpage again.

    Reply
