Do Not Use Two Factor Authentication with Bittrex!

UPDATE: This is very old news, Bittrex is working pretty well now.  I would still not put all your money on one exchange, always diversify your money across several exchanges and wallets!

My friend recently lost over 2.7 BTC on Bittrex.com due to what we think is a vulnerability in the TFA (Two Factor Authentication) system on Bittrex or possibly an insider job.

Here’s the story:

Hacker takes a total of 2.7 BTC, 1999 Supercoins, and 45416 Vootcoins out using TFA near midnight July 2nd.

Now, when you have TFA enabled on Bittrex, it does not send you an e-mail confirmation unlike when you have it disabled.  If someone withdraws money, that’s it, it’s gone!

Somehow, the hacker was able to get the password of my friend’s account to get access to his Bittrex account.  Then, somehow he was able to get the correct code of TFA to withdraw all the money.

If my friend had not enabled TFA, his money would have been safe, as Bittrex will send an e-mail confirmation that must be confirmed by my friend logging into his GMail account.

What’s funny is that Bittrex sent out a warning tweet a couple of days ago about phishing e-mails to watch out for.  It coincides right before my friend’s account got hacked.  And we aren’t like stupid people who enter id/passwords at phishing e-mails, we are all pretty smart about that.

The reason why my friend’s account could not have been compromised?

He has not withdrawn any money since June 7th 2014, which is almost a month ago.  Plus, he had uninstalled his TFA app on his Android phone about 7 days ago.

Also, he does not use Bittrex on his phone, only to use TFA when withdrawing money.  He uses his desktop PC to trade on Bittrex.com.

There are TWO different devices for TFA and trading.  It seems impossible that the hacker could attack both at the same time.

Could it be possible Bittrex.com is holding information from users because they DO HAVE some kind of vulnerability?  That’s what every company would do (even Mt. Gox denied any problems until the end) to protect their PR.  But that’s not good for the users like us who sell our cars/houses to invest in cryptocurrency.  We won’t know for sure until next month!

Now, that probably is a pretty solid argument that the hacker could not have hacked his TFA app, as it wasn’t even on his phone recently.  The attacker would have to have hacked both my friend’s PC and his Android phone, which is near impossible.  That would mean my friend’s PC had a virus and the hacker knew how to hack Android phones.  I personally hack Android phones for a living so I know if it was hacked.  I did an investigation on his phone, he has a minimal number of Android apps, there’s no compromise there as far as I can tell.

So, the only thing that I can think of that caused this?

It must be an inside job or Bittrex.com TFA has been compromised.  I don’t know how they do it right now but Bittrex.com needs logging of all activity of their employees.  This could easily be done by someone who works at Bittrex, although I cannot prove it since I don’t work there nor have access to their system.  I have no idea what their system is but these new exchanges probably are just start-up companies with lack of security unlike bigger companies like Google.

Bittrex.com has the IP address of the attacker.  They should cross-reference with all of the IPs on their network and find the attacker.  And hopefully, my friend will get his BTCs back.

But definitely something is really wrong at Bittrex.com, I would surely not use their TFA at least.

We’ve been through this before with Mtgox.com.  You can trade your money at an exchange but don’t keep your money in it!  There’s no reason why you keep your money at exchanges as you can take the time to make wallets and keep ’em there instead.

Lastly, have a great July 4th!  I hope Bittrex.com figures this out soon but to me, it seems like an inside job OR it could be their TFA having vulnerabilities.

Here’s where all of the funds went to, it’s still showing on blockchain if you can figure it out or if you ever see the money going to a known wallet, we will be able to catch the attacker:

2.7 BTC stolen by attacker on Bittrex:  132Dnh1T3fccZPP5ksrDMEnudZGRWd7y4S

1,999.98  Supercoins stolen by attacker on Bittrex: SPF2uprXvGbYRWPfo5yJDuZBtdPYGvFotm

45416 Vootcoins stolen by attacker on Bittrex:  VRZqxBjcyypUvb73oLxjwmm5bVzWgetYSc

If you have any information that could be helpful in finding the bandits, please e-mail zedomax@gmail.com thx!

Do I think Bittrex.com is still safe?  Not sure but you should always keep your money in your wallet, not on exchanges, it’s my friend’s fault for leaving his money there in the end.  Do not trust exchanges with your money, there’s always a way to hack exchanges like we’ve seen with Mt. Gox.  Bitcoins are secure but exchanges are vulnerable as they are NOT part of the blockchain and also have proprietary PHP code that may be vulnerable.  Hence, my only conclusion here is that Bittrex.com has some kind of vulnerability.

My last word to Bittrex.com, please cross-reference the IP address to every user on your site, there should be a match to someone’s ID.  Thanks.

These are my honest opinions on what my friend has just gone through, losing over 2.7 BTC (or around $2000 US).  It sucks but it happened right in front of my nose!

Note: I am just a regular miner/trader as you well know, I do not condone any exchanges specifically.  I actually promoted Bittrex as one of the best exchanges to use (see my blog posts) but this happened.  I also want to note that the time for support at Cryptsy.com (when my deposits got lost!) was much better than the 14 hours my friend had to wait for an answer at Bittrex.com.


35 thoughts on “Do Not Use Two Factor Authentication with Bittrex!”

  1. jacob

    This doesn’t make any sense. You said he had 2fa disabled. Then you said if he hadn’t enabled it. So he has a shitty password and someone got it and logged in and turned 2fa on to withdraw his funds…..and somehow this is Bittrex’s fault?

    Your entire post contradicts itself

    1. Max Lee Post author

      No someone used 2FA to withdraw then turned off 2FA just before leaving, which means hacker already took the money out then turned off 2FA, which then alerts the user via e-mail. But having 2FA off is safer because user must confirm his email before any money can be withdrawn.

      1. jacob

        Obviously you have no idea about security things. If you had enabled 2fa in the first place the attacker never would have gotten into your account. Without 2fa some dude could get into your account and sell all of your coins away anyways.

        Smart people enable 2fa from the start.

        1. CCCLLC

          Obviously you can’t read Jacob, enabling 2fa is what created the vulnerability, Max was saying he wished he hadn’t enabled 2fa because without 2fa they send out a confirmation email which would have prevented this theft. Do NOT enable 2fa is what Max is saying, he isn’t saying if he had enabled 2fa earlier it would have prevented the theft NOPE he said exactly the opposite, enabling 2fa made his account vulnerable, Do NOT enable 2fa so you will receive an email to confirm, 2fa removes the email confirmation safety net so had he NOT enabled 2fa he would have actually been better off… Get It Jacob??? Read and be sure you UNDERSTAND before you post a comment buddy cause your comment just sounds stupid… No offense 🙂 LoL

    2. webprods

      Warning for everybody. I would like to warn you about using Bittrex Exchange. Yesterday Bittrex stole my coins, over 100,000 Cammoracoins worth 0.80 BTC. They did that procedure for many people and blame hackers, which isn’t the truth. Coins were withdrawn without my knowledge, without verification e-mail. I had every security protection at Bittrex: long password, two-factor authentication and e-mail verification. But my coins were stolen. I sent several e-mails to Bittrex support but so far I didn’t get any answer. If somebody got ripped off by Bittrex please contact me and we can try to take Bittrex to court. This is a shame and together we can fight those individuals.

    3. Rich Kirby

      Hi, are you sure the bitcoin hasn’t gone into a forgotten wallet? People sometimes apply for wallets twice by accident, then it’s lost.


    Crypto currency is the new “Wild West”. I’ve had pools redirect my hashrate to their wallet or just flat out never release my coins, and exchanges are just as easy to manipulate. If a pool requires a http:// link and you’re not positive you know why, they are probably redirecting your hashrate for their own use. stratum+tcp:// seems safer but ultimately we miners place our faith in these pools/exchanges without a clue who is really in the driver’s seat. I agree Cryptsy has quick response time but who can fully trust a complete stranger with thousands of dollars?


    Figured a BS in computer science would help but the real work isn’t building/compiling the rig its guessing if I should hold or sell so miners with financial degrees would probably be better off lol

  4. Kevin

    I know this is off topic, but I’m in a crisis right now. Dogecoin price is going down and my Dogecoin pool just closed. I have scrypt asics but I was wondering what pool I should mine from. Some people are recommending that I join a multi pool, but what coin should I pay out of and where do I find the pool? Thanks!

    1. Max Lee Post author

      I shut my rigs off, it’s not really worth mining scrypt nevermind X11/X13 atm. I am only turning on my rigs when coins worth mining are launched. “Right now”, it looks bad, I would turn rigs off until prices rise and it’s profitable to mine. But you can try Multipools although their payouts are so bad lately.


    We run many bitcoins asics also and this is the first time in as long as I can recall that they are more profitable than our gpu farm which is breaking even with the power bill right now which means I’m losing money from them until coin prices climb if they ever do

  6. CryptoCrackaz LLC

    Another off subject matter: if you’re x anything mining, upgrade to amd 14.6, it literally added 50%+ to each card’s hashrate at only 2 extra watts per card. If you’re using 14.4 or below upgrade now, I wish I hadn’t waited this long. I know 14.6 drivers have been available a while, just an fyi 🙂

  7. Chad Lee

    KNC Miners just announced that they will not be selling any miners, if you check KnC Miners it is true, all their products are unavailable. The CEO Sam Cole just announced “we are not selling miner anymore because the price of Bitcoin have gone down, and customers are asking for their money back”. He announced that he’s building a Mining Farm to mine all the Bitcoin he can with his Mining.

    Last I heard he said he was going to only mine 5% of Bitcoin, so that other miners would make some profits; now he decided he wants most of the PIE.

  8. A

    im a dev
    been in many coins

    bittrex is criminal
    they inside trade their weekly scam coins on you

    criminals make the altcoin world look very bad.


  10. WatchDog

    Another bothered hacker with the 2FA because of he/she (or it) can’t steal coins. I won’t never read this webpage again.

  11. Mark Fischer

    My coins were just stolen minutes ago. I think bittrex is a scam or has severe security issues.

    1. Oheneba

      So I was not crazy after all. Hi Mark…the same thing happened to me yesterday (19th June, 2017) night too (close to midnight) although I have 2FA enabled with a verified account. I posted in a group to warn members of my plight so they at least move their hard earned money to their offline wallets and they laughed at me, and blamed me for my loss 🙁

      I wished I did not have 2FA enabled so I would have received a confirmation mail in my email account so I could have had a chance against the heartless hacker. During the act the hacker automatically logged me out of my account, closed my browser and prevented me access into the bittrex website until the crime was done and all my coins converted into BTC and withdrawn. The worst part: all I have done thus far is deposit BTC and purchase altcoins, and I have never made any withdrawals before 🙁

  12. Penyo

    Hi, I got hacked today, I lost 2 BTC. I had enabled 2FA and I don’t know how he had access on my account. Same thing, what’s happening with Bittrex guys?

  13. paul

    On Aug 15 I got hacked too!! Lost all my money, over 2g!!!
    I figured out what happened! The hackers created a website that looks just like the real one! Login page looks exactly the same!!
    And they will get your password and authenticator code once you try to log in on their website! It all happens in less than five minutes!
    I tried to contact bittrex but so far didn’t receive any reply!
    1 day after I got hacked their website is gone! The website I spotted is “www.blttrex.com”
    I’m sure the hackers will create more fake websites so please be careful! Hope no one has gone thru what happened to me.
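
As an added example (not part of the comment above or of the original post), this is one way to flag a hostname such as the www.blttrex.com reported there before a password or authenticator code is typed into it. The confusable-character table, the thresholds and every hostname other than www.blttrex.com are assumptions made for illustration.

```python
# Added example (not from the original page): classify hostnames against
# the one domain the user actually trusts. Hostnames other than
# www.blttrex.com are constructed samples.
TRUSTED = "bittrex.com"

# Illustrative confusable folding; an assumption, not a full homoglyph table.
CONFUSABLE = {"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"}
MULTI = (("rn", "m"), ("vv", "w"))


def registrable(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(name):
    """Fold visually confusable characters so look-alikes compare equal."""
    for src, dst in MULTI:
        name = name.replace(src, dst)
    return "".join(CONFUSABLE.get(ch, ch) for ch in name)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED):
    dom = registrable(host)
    if dom == trusted:
        return "trusted"
    if skeleton(dom) == skeleton(trusted):
        return "lookalike-confusable"   # e.g. 'l' standing in for 'i'
    if edit_distance(dom, trusted) <= 2:
        return "lookalike-typo"         # dropped, doubled or swapped letter
    brand = skeleton(trusted.split(".")[0])
    if any(skeleton(lbl) == brand for lbl in host.lower().split(".")):
        return "brand-in-subdomain"     # trusted name used as a subdomain label
    return "unrelated"


if __name__ == "__main__":
    for h in ("www.bittrex.com", "www.blttrex.com", "bitrex.com",
              "bittrex.com.login.example", "example.org"):
        print(f"{h:28} {classify(h)}")
```

The same check can run over mail-gateway or proxy logs to surface look-alike hosts for review.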

  14. shahid

    I lost over $2000 worth of different coins (neo, lisk, Edx, dgb, bts etc.) on 30th August 2017. I feel like jumping from the roof now, and the hacker sold the coins cheap and withdrew BTC from bittrex without even email confirmation!!

    i have the hacker ip address is (who tried to access my email too)

    here is following wallet and txid where my btc withdrawn to

    Address: 1Pe5rSAwka43CZNwWrg8Y5uB7DfWpoxSs7
    TxId: 23f4fcd33a2fa51fee6a6db7f8b5b075268505ff6429acc21f2fc87012fc08e6

    now i will see what bittrex will do. I do believe now someone is involved within the bittrex

    please advise me how to recover my loss…………..

  17. Dave

    I find it strange Bittrex does not use two factor authentication alongside email confirmation as a default for withdrawing funds, that’s pretty slack security if it’s still the case. I know people get hacked with the api keys allowing withdrawal without email confirmation.

  18. Johnolithic

    If you’ve got a lot of bitcoin worth of anything, don’t leave it on the exchange.
    Don’t leave more than 100 bucks on an exchange.

  19. Thanh Nguy

    I had been hacked and lost $11k USDT on bittrex even though I use 2FA for my bittrex account and my gmail too…how is that possible? I sent a ticket but it doesn’t help anything… and the hacker used my USDT to buy BTC and withdrew that…how is that possible (I did not access a wrong website or something like that)….

  20. Ridwan

    I have been hacked too… too late not read this article earlier. Have enabled 2FA and I am super secure IT head in financial institution… guess this insider job



