A cryptocurrency trader claims he watched live as thieves took 7 BTC in value (almost $20,000 USD) from his account at Bittrex. This was despite having a strong password and two-factor authentication enabled.
If true, the incident highlights the dangers of keeping large amounts of value on online exchanges that may have security vulnerabilities — and do not insure or guarantee balances. However, for serious day traders, having large balances readily available is a vocational necessity.
Trader “CryptoIsKey”, who appears to be in New Zealand, posted about the incident on Steem. He said he logged into his Bittrex account early in the morning (local time) expecting to find 11 BTC in various cryptocurrencies. Instead, his balance read 4.1 BTC.
Things turned worse when he noticed someone was selling his various coins for BTC and submitting withdrawal requests. While still logged into his account, he watched in horror as the BTC balance declined even further.
He tried to beat the thieves by canceling the orders and making his own withdrawal requests, and changing his password. However the hacker canceled those requests too, and continued to sell coins for BTC.
“It has to be a bot,” he said, noting the attacker’s immediate responses to his orders and withdrawals.
Traders Watch Live as Account Is Hijacked
CryptoIsKey began a screen recording that shows his and friends’ reactions as the theft occurred. As the theft progresses, his anguish is clear. Calling himself a 24/7 trader using his life savings, he also wrote:
“I have been working night and day to try and get ahead to give me son a better life. I do get a bit emotional in the video but understand that is because of what I have sacrificed to try and get ahead for my family.”
He concluded that his experience should be a lesson for others, and hoped it could prevent someone else suffering a similar fate.
But how did this happen? It raises serious questions over if and why an exchange would allow two logins from two different locations. This would be a definite security no-no. It’s also unclear how the thieves gained account access if 2FA was enabled. CryptoIsKey said his iPad Mini was the 2FA device, but didn’t specify what method.
He also said he usually receives email notifications of account logins, but did not receive one this time.
Bitsonline has reached out to both CryptoIsKey and Bittrex to confirm the details of the hacking claims, and for further comment.
Using Two-Factor Authentication
Activating two-factor authentication (2FA) is a must for any online account that holds value. This applies to logging in and (if available) approving withdrawals.
While 2FA is an extra layer of security, unfortunately it’s still not 100 percent safe. It may depend on the type of 2FA used.
2FA authentication by email or text message is generally not advisable as those can also be hijacked. Mobile account spoofing has occurred in the Bitcoin industry previously. Local 2FA key generators like Google Authenticator and Authy are more useful, though Authy’s multi-device feature has vulnerabilities of its own. Hardware devices like Yubikey are also available.
Publicly Identifying as a Cryptocurrency User
One other key OpSec consideration for cryptocurrency traders is public profile. CryptoIsKey describes himself as an “Editor/Writer/Digital Artist” and is a regular poster and commentator on social media, especially YouTube and Steem.
Broadcasting any detail about your life and/or trading activity publicly is a risk, as hackers are capable of deducing key details about your identity that could be useful in thwarting security measures.
This is possible even if you keep your real name secret. Your location, associates and behavior patterns may provide clues of use to experienced identity thieves.
Do you use online exchanges? Have any security practices to share? Let us know.
Images via Bittrex, Pixabay