Hi everyone. I just wanted to send a reminder to the community to 2FA everything you have on your phone and PC. I got hacked on my coinbase account last week.
Using these compromised credentials, they were able to initiate the following external send:
2021-10-21, 03:43:48 PDT // 0.00035700 BTC // Blockchain.com Explorer | BTC | ETH | BCH
2021-10-21, 03:41:57 PDT // 0.00150317 BTC // Blockchain.com Explorer | BTC | ETH | BCH
The above was from coinbase. I have everything 2FA except my AOL account. Needless to say, it is now 2FA. Something so simple allowed these jerks to take everything (only $150) but they started at $500 and kept going down until they had everything they had.
You would think that with the blockchain, you could go after the address where I was stolen from, but coinbase said it is irreversible.
This makes me really wonder how safe is our wallet on Chia and how can we truly protect ourselves? I have seen articles on hot and cold wallets, but nothing seems bulletproof.
Anyway, I just wanted to get this out there and hopefully, someone does not assume something as I did. Even though it was a small amount, the feeling of being violated truly plays with your mind and can work you up. Do not do what I accidentally did and 2FA EVERYTHING!
Did they hack coinbase to get your credentials, or rather lifted it from your computer/phone?
I am sorry to hear of your loss. Glad it was only a small amount.
It wasn’t that long ago that somebody on here reported 40 XCH (I think it was) stolen from their hot wallet.
Cold wallet is the way to go: Every day companies lose our personal data to hackers. I just got one of those apology letters from T-Mobile, whom I haven’t used in years, yet they still had my driver’s licence and other info on file - and lost it to hackers. 2 years of McAfee credit monitoring, gee thanks
With a cold wallet, there is nothing that ties you to your crypto.
Create a new wallet on a clean computer or VM with NO internet access (the new wallet does NOT need to sync to the blockchain).
Note down the 24-word mnemonic AND the receive address of the new wallet on paper. This is your cold wallet.
Delete the new wallet from Chia client, and ideally wipe that computer/VM.
Transfer all XCH from your hot wallet to the cold wallet. Do a small test transfer first. Then check with Chia explorer that it is received.
Change your farming rewards addresses (Farm tab in the Chia GUI) to the cold wallet. There are two: One for 2 XCH OG block rewards, and one for 0.25 XCH NFT block rewards.
Change your pool payout address under the NFT (Pool tab in GUI) to the cold wallet.
All farming income should now go to cold wallet. Exception is 1.75 XCH self-pooling NFT block rewards: Those will always go to your hot wallet (baked into the NFT) and must be claimed manually and transferred to the cold wallet.
If you ever need some of it, you have to add the wallet using your mnemonic and let it sync, then transfer what you need. THEN create a new cold wallet and transfer the remainder to it.
It is a hassle, but the only way to be safe.
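One practical caveat for the steps above: the receive address written on paper is the only link to the cold wallet, so a transcription error discovered after the transfer would be fatal. Chia addresses are bech32m strings (prefix "xch") carrying a 32-byte puzzle hash, and bech32m has a checksum that detects any single mistyped character. The following is an added example, not code from the Chia project or from the poster, that encodes a puzzle hash into an address and validates a hand-copied address offline before the test transfer. The puzzle hash used is constructed for the demo.

```python
"""Offline sanity check of a hand-copied Chia (xch) receive address.

Added example: implements bech32m encode/decode so the address written
on paper can be checksum-verified before anything is sent to it.
"""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3  # bech32m variant; Chia addresses use bech32m
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def polymod(values):
    """BCH checksum polynomial over 5-bit groups (reference bech32 algorithm)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def hrp_expand(hrp):
    """Expand the human-readable part so it is covered by the checksum."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup bits (8->5 when encoding, 5->8 when decoding); None on bad padding."""
    acc, bits, ret = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return ret


def encode_puzzle_hash(puzzle_hash: bytes, prefix: str = "xch") -> str:
    """Encode a 32-byte puzzle hash as a bech32m address with the given prefix."""
    data = convertbits(puzzle_hash, 8, 5)
    pm = polymod(hrp_expand(prefix) + data + [0] * 6) ^ BECH32M_CONST
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return prefix + "1" + "".join(CHARSET[d] for d in data + checksum)


def decode_address(address: str, prefix: str = "xch"):
    """Return the 32-byte puzzle hash, or None if the address fails validation."""
    if address != address.lower() and address != address.upper():
        return None  # mixed case is never valid
    address = address.lower()
    pos = address.rfind("1")
    if pos < 1 or pos + 7 > len(address) or len(address) > 90:
        return None
    hrp, payload = address[:pos], address[pos + 1:]
    if hrp != prefix or any(c not in CHARSET for c in payload):
        return None
    data = [CHARSET.index(c) for c in payload]
    if polymod(hrp_expand(hrp) + data) != BECH32M_CONST:
        return None  # a single mistyped character lands here
    decoded = convertbits(data[:-6], 5, 8, pad=False)
    if decoded is None or len(decoded) != 32:
        return None
    return bytes(decoded)


def looks_transcribed_correctly(address: str) -> bool:
    """True only if the paper copy passes every structural and checksum check."""
    return decode_address(address) is not None


# Constructed puzzle hash for the demo (NOT a real wallet).
DEMO_PUZZLE_HASH = bytes(range(32))

if __name__ == "__main__":
    addr = encode_puzzle_hash(DEMO_PUZZLE_HASH)
    print("address:", addr, "valid:", looks_transcribed_correctly(addr))
    # Simulate a one-character copying mistake in the last position.
    bad = addr[:-1] + CHARSET[(CHARSET.index(addr[-1]) + 1) % 32]
    print("mistyped:", bad, "valid:", looks_transcribed_correctly(bad))
```

A passing check only proves the string is a well-formed address; it does not prove the address belongs to your cold wallet, which is exactly what the small test transfer and the explorer lookup in the steps above are for.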
I believe they got in through my mail account, however what is perplexing, I had 2FA turned on with coinbase and I have my phone. How did they pull that one off without having my phone? I scanned everything and all devices are clean. I work for HP and we have very tight security on our devices and everything we click on is opened in a VM and neutralized so no harm is done, so I’m still perplexed. I love the thoughts above on the cold wallet, my fear is jacking something up as I do the steps and I lose everything. LOL I don’t trust myself. LOL.
I understand the apprehension.
I just updated my post to say make a small test transfer first, then verify its receipt by the cold wallet using Chia explorer.
It feels a bit nerve wracking to just let your crypto float out there with no synced wallet connection. But all crypto does that. It’s just that with a cold wallet there is nothing tying you to it, so it’s almost impossible to steal.
The main reason to use a cold wallet is to protect yourself from your devices being compromised. Therefore, asking to use a “clean” device is just kicking the can a bit farther. (If your computer was not clean, then you should also assume that your keys were saved, and will be xfrd to the malware owner the minute your box is connected, so for instance deleting Chia doesn’t do much good.)
Also, I would not put too much trust in VMs. You should assume that a well-written malware may/will have a host/guest channel, so even if you install a new VM, whatever you do on it may be observed by the host-residing malware.
Therefore, I would stress that your “computer” needs to be more or less a one-time thing. As people suggested, one option is to have a box that never connects to the Internet or your home network. Another is to run a LiveCD on a non-connected computer, and store that Live USB stick for the next time. To me, such a LiveCD is secure enough at least for now. Although, one may argue that it could potentially also be compromised during creation.
If you had 2FA enabled, then maybe that was not really your email? Maybe it means that Coinbase was hacked, and your 2FA was either disabled or bypassed (at least for the time when they were operating on your account).
Assuming that someone wants to lift crypto, I would think it is easier to focus on coinbase, as all the traffic is potentially about accounts that can be hacked. On the other hand, trying to hack email implies that chances of getting someone with coinbase account is rather slim (but maybe slim is still better than nothing, though). Although, it may be that some hackers are just harvesting emails in bulk, and selling “packages” that are related to banks, crypto, … That would make it easier for such crypto hacker to operate.
To me, I would avoid having anything that has security implications from a phone. My understanding is that malware protection is better on computers than on phones (although, maybe I am wrong here).
Maybe you can go back to Coinbase, and ask them how or if 2FA can be bypassed.
Sorry to hear that, but as you said, good thing is that they just got you when your account was on the low side.
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”
“Once they had a user’s login and password, Coinbase says the hackers “took advantage of a flaw in Coinbase’s SMS Account Recovery process to receive an SMS two-factor authentication token and gain access” to the account. Once they were in, the hackers simply transferred the funds to wallets off the Coinbase platform.”
Sounds to me like this hack has not been stopped. A more simple explanation than Coinbase gave would be a coinbase employee is the hacker and/or coinbase has been hacked for email/password combos.
If it was Coinbase that was hacked for email/password combos, any Coinbase user who used the same password for Coinbase as they did for their email would be instantly vulnerable.
Absolutely. A clean computer means a clean computer, not a dirty one
But seriously, it goes without saying that you have to assume that your current “hot” computer might be compromised.
A LiveCD is a great idea. I agree better than a VM. It doesn’t have persistent storage, so you can safely boot it again later to create another cold wallet.
So, potentially there is a light there. Maybe Coinbase will reimburse @Lsherring .
Great find that article. Here is what doesn’t jive:
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a Coinbase spokesperson said on Friday.
“The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails, the company said.
Coinbase said there was no evidence to suggest the information was obtained from the company.”
Yeah, right… There is also no evidence to suggest the information was obtained from @Lsherring , I guess…
As I mentioned above, it is easier to focus on one entity and hack it completely (i.e., Coinbase), than trying to fish for individual users.
Also, if individual accounts are hacked, then the pattern is spread over a long time with accounts being hacked one at a time. If they hacked Coinbase, that would be a burst of hacking, which is apparently what happened.
I hope you got your money back from the coinbase?
In theory coinbase should be insured for this just like binance and other moguls are in the cryptosphere.
I personally dropped Coinbase a few years ago due to similar issues, which in theory are impossible.
Sticking with Binance mainly and so far no issues there …
I so wonder what the next audit of coinbase will bring to light, what is it 3y till they have to do next one by law…
No not a damn dime. I brought up their previous issues. All they said was to work with the IC3 group which is the Cyber unit for the FBI and they would fully cooperate. I thought with the blockchain you could see where everything went and get the bastards that did this as I found out later they tried to get $600 out of my bank account and buy 6 $100 increments in BTC! If that does not set off alarms I don’t know what does. I’m moving everything out of coinbase and closing my account. They cannot be trusted. If I had a large sum, I would have had a heart attack. It seems too easy to hack.
Because of this fear I have not connected my bank account with them so far.
The only way to have your account be compromised (the way you described) is to re-route those SMS messages. There is only one place where that can be done, it is the place where it is originated (coinbase code), so that has nothing to do with “your side” being hacked. Therefore, by them saying that it is not their problem, the next thing is that they can do this themselves, and blame it on everything but them.
Again, their statement “Coinbase said there was no evidence to suggest the information was obtained from the company.” is just stating that the absence of evidence is not the evidence of absence. They were hacked, and potentially are still being hacked.
I would pursue that IC3 lead.
Lsherring, becoming a documented part/member of the IC3/FBI investigation may well end up putting you into the category of people being re-reimbursed by Coinbase.
Is that a good thing or a bad thing as this has been a flipping nightmare? TY as always my friend
The equation to answer that question is what is the value of your loss of money and your further loss of time and energy against your wish for compensation and your wish for a little justice.
Brings up a great film quote.
Chidduck: “Do you believe in Karma?”
Sarno: “Karma is justice without the satisfaction. I don’t believe in justice.”
Way of the Gun
Scott Wilson - Hale Chidduck
James Caan - Joe Sarno
I guess all of us on this forum are already put on a similar list. You may be underestimating those activities.
I would probably want to stay off any government lists for crypto trading activities