Cryptsy account got hacked

About 14 hours ago I had about 700 Cat coins and 500000 Doge coins on my Cryptsy account. I have sold 0.02725061 BTC worth of DOGE and withdraw it to another address. Soon after as expected I received an email to verify the withdrawal.

About 30 minutes later my account got hacked. All of my Doge coins ware withdrawn from my account, All of my Cat coins ware sold to BTC and then they were also withdrawn from my account.

All of this happened while I was using my PC, therefore it can't be a remote desktop program. Secondly, this account has two factor authentication which requires access to my phone, which means that simply having my user name and my password would not help in this case.

The most disturbing thing hare is that I did not receive a verification email for any of these 2 withdrawals. As far as I know after every withdrawal from Cryptsy I'm supposed to get a email to verify the withdrawal, which clearly did not happen. Whoever did this managed to withdraw from my account without needing to access to my email account, which indicates that there is a serious security hole in Cryptsy.

By the time I found out about this all of the transactions ware already confirmed. I opened a support ticket, but I did not receive an answer yet. I just can't wrap my mind around this. How on earth did this happen? He bypassed my two factor authentication, he did it while I way using my PC, and he did it without needing to access my email.

Any Ideas?

User2344452

Posted 2014-02-03T01:43:56.760

Reputation: 172

2Sounds like it's time for you to hit up the Cryptsy support. – John T – 2014-02-03T02:08:09.483

I opened a support ticket, but they will probably take their sweet time. Also, I'm having a hard time to believe they will compensate me in any way even if it's their fault, I just don't think they will admit it. – User2344452 – 2014-02-03T02:14:12.003

Yea, there's not much the bitcoin stackexchange community can do. We can suggest you did something silly (like revealing your password to someone), but it sounds like it's Cryptsy's fault more than anything. – John T – 2014-02-03T02:18:54.240

1As I had mentioned in the post I use a two factor authentication. In order to access my account you would need my username, my password, and a dynamic password which changed every 30 seconds from an app called Authy (which is on my cellphone). So yeah, I'm pretty sure it's their fault. – User2344452 – 2014-02-03T02:30:17.317

Do you have browser plugins installed? There is one that altered your deposit addresses: https://bitmymoney.com/news/all/83500762200 (in Dutch)

– Robert-Reinder Nederhoed – 2014-06-23T12:10:23.757

Have you checked on the filings against Cryptsy and the disposition of the coins you may still have posted with Cryptsy's receiver? Did you ever register with the receiver? http://cryptsyreceivership.com/

– Alfred Jordan – 2016-12-22T23:03:18.243

Answers

I figured this out a while ago. Couple of weeks after I got hacked I noticed an unknown process in the task manager. After googling the name of the file that was linked to that process (I don't remember the file's name) I found out it was a trojan horse. Afterwards I deleted it, changed my passwords, and checked out from time to time for unfamiliar processes.

I suspect that whoever did this, connected to my accounts through my session, thus bypassing my two factor authentication both on my Cryptsy account and my Gmail.

Update: After some digging I found an infected file named Bitcoin.Trading.Botv4.6.exe. This is probably what caused the Trojan to appear in some random temp folder. I don't remember where I downloaded this, or when I ran this, and I'm pretty sure that it wasn't identified as a threat back when I first ran it. I included a link to the scan results here.

User2344452

Posted 2014-02-03T01:43:56.760

Reputation: 172

1Can you find out which Trojan this was, so other users can be warned? – Mikko Ohtamaa – 2014-06-24T15:05:17.533

Yeah, like not knowing the name of the program totally sucks for the rest of us. – Fraggle – 2014-06-24T23:19:02.163

I've had a Trojan get remote access and change my Blockchain pwd. BTC still there but I'm interested to know what file it was too. How'd you id & fix it? I can't even run MBAM Chameleon so def infected :/ – Wizard Of Ozzie – 2014-09-08T06:38:39.053

I did this manually by checking all the running processes in the task manager looking for an unknown ones. Every time I found one I googled it to find out what it was. Once I identified the Trojan I removed the file associated with it (you can find file's location in the process's properties in the general tab). After that that process wasn't loading anymore in each startup. – User2344452 – 2014-09-09T08:21:11.910

If there were a serious vulnerability at Cryptsy end affecting all users the accounts were flushed in no time, so I doubt this is an issue with Crypty itself. Otherwise there were already 1000 posts on Reddit regarding it.

The malware targeting cryptocurrencies users is very, very, sophisticated due to high value of the users being targeted. Some real-life explanations

In-browser malware modiying pages in-fly. It modifies your withdraw requests and spoof the page you see. This also gets your entered two-factor codes, so it can make withdraw requests on behalf of you. Also available on Linux and OSX: http://thehackernews.com/2014/04/malicious-chrome-extension-hijacks.html - I have seen this live when a popular Bitcoin exchange site represented two different pages when accessed through Safari (compromised) and Firefox (not compromised) on the same computer.
Your phone is also compromised. If you have rooted phone (Android, iOS), your two-factor seed codes have been stolen. Not very common, but not unheard of.
If you are using the same computer to access your email, the attacker can simply interrupt your email, steal the confirmation link and delete the email before it reaches you

The questions remain

Which operating system you are using?
Have you installed any pirated software on your computer?
Have you installed any "Bitcoin open source software?"
Have you installed any browser extensions, tickers?
Have you rooted your phone?

Mikko Ohtamaa

Posted 2014-02-03T01:43:56.760

Reputation: 2 417