My friend recently lost over 2.7 BTC on Bittrex.com due to what we think is a vulnerability in the TFA (Two Factor Authentication) system on Bittrex, or possibly an insider job.
Here’s the story:
The hacker took a total of 2.7 BTC, 1999 Supercoins, and 45416 Vootcoins out using TFA near midnight on July 2nd.
Now, when you have TFA enabled on Bittrex, it does not send you an e-mail confirmation, unlike when you have it disabled. If someone withdraws money, that’s it, it’s gone!
Somehow, the hacker was able to get the password of my friend’s account to get access to his Bittrex account. Then, somehow he was able to get the correct code of TFA to withdraw all the money.
If my friend had not enabled TFA, his money would have been safe, as Bittrex would send an e-mail confirmation that must be confirmed by my friend logging into his Gmail account.
What’s funny is that Bittrex sent out a warning tweet a couple of days ago about phishing e-mails to watch out for. It coincides with the time right before my friend’s account got hacked. And we aren’t stupid people who enter IDs/passwords at phishing e-mails, we are all pretty smart about that.
The reason why my friend’s account could not have been compromised?
He has not withdrawn any money since June 7th, 2014, which is almost a month ago. Plus, he had uninstalled his TFA app on his Android phone about 7 days ago.
Also, he does not use Bittrex on his phone; he only uses the phone for TFA when withdrawing money. He uses his desktop PC to trade on Bittrex.com.
There are TWO different devices for TFA and trading. It seems impossible that the hacker could attack both at the same time.
Could it be possible Bittrex.com is withholding information from users because they DO HAVE some kind of vulnerability? That’s what every company would do (even Mt. Gox denied any problems until the end) to protect their PR. But that’s not good for users like us who sell our cars/houses to invest in cryptocurrency. We won’t know for sure until next month!
Now, that is probably a pretty solid argument that the hacker could not have hacked his TFA app, as it wasn’t even on his phone recently. The attacker would have to have hacked both my friend’s PC and his Android phone, which is near impossible. That would mean my friend’s PC had a virus and the hacker knew how to hack Android phones. I personally hack Android phones for a living, so I know if it was hacked. I did an investigation on his phone; he has a minimal number of Android apps, and there’s no compromise there as far as I can tell.
So, the only thing that I can think of that caused this?
It must be an inside job or Bittrex.com TFA has been compromised. I don’t know how they do it right now, but Bittrex.com needs logging of all activity of their employees. This could easily be done by someone who works at Bittrex, although I cannot prove it since I don’t work there nor have access to their system. I have no idea what their system is, but these new exchanges are probably just start-up companies with a lack of security, unlike bigger companies like Google.
Bittrex.com has the IP address of the attacker. They should cross-reference with all of the IPs on their network and find the attacker. And hopefully, my friend will get his BTCs back.
But definitely something is really wrong at Bittrex.com, I would surely not use their TFA at least.
We’ve been through this before with Mtgox.com. You can trade your money at an exchange but don’t keep your money in it! There’s no reason to keep your money at exchanges, as you can take the time to make wallets and keep ’em there instead.
Lastly, have a great July 4th! I hope Bittrex.com figures this out soon but to me, it seems like an inside job OR it could be their TFA having vulnerabilities.
Here’s where all of the funds went. It’s still showing on the blockchain; if you can figure it out, or if you ever see the money going to a known wallet, we will be able to catch the attacker:
2.7 BTC stolen by attacker on Bittrex: 132Dnh1T3fccZPP5ksrDMEnudZGRWd7y4S
1,999.98 Supercoins stolen by attacker on Bittrex: SPF2uprXvGbYRWPfo5yJDuZBtdPYGvFotm
45416 Vootcoins stolen by attacker on Bittrex: VRZqxBjcyypUvb73oLxjwmm5bVzWgetYSc
If you have any information that could be helpful in finding the bandits, please e-mail firstname.lastname@example.org thx!
Do I think Bittrex.com is still safe? Not sure, but you should always keep your money in your wallet, not on exchanges; it’s my friend’s fault for leaving his money there in the end. Do not trust exchanges with your money, there’s always a way to hack exchanges like we’ve seen with Mt. Gox. Bitcoins are secure but exchanges are vulnerable, as they are NOT part of the blockchain and also have proprietary PHP code that may be vulnerable. Hence, my only conclusion here is that Bittrex.com has some kind of vulnerability.
My last word to Bittrex.com, please cross-reference the IP address to every user on your site, there should be a match to someone’s ID. Thanks.
These are my honest opinions on what my friend has just gone through, losing over 2.7 BTC (or around $2000 US). It sucks but it happened right in front of my nose!
Note: I am just a regular miner/trader as you well know, I do not condone any exchanges specifically. I actually promoted Bittrex as one of the best exchanges to use (see my blog posts) but this happened. I also want to note that the response time for support at Cryptsy.com (when my deposits got lost!) was much better than the 14 hours my friend had to wait for an answer at Bittrex.com.