Okay, so I got hacked. A whole month ago and I didn't notice until now. Both my Bittrex and my MEW accounts and a total of 0.9 eth was stolen. My security practices were not the best (I accessed both accounts at work from time to time) but I still don't get something.
I had 2FA enabled on bittrex. How did they get around that? I also did not receive a withdrawal confirmation email like I did the one time I withdrew some ether to my MEW before this incident. I didn't log in around that time so they couldn't have used the same 2fa even if I had some sort of keylogger or something installed.
They withdrew 0.195 eth from bittrex even though I had 0.7. I guess there's some kind of threshold for withdrawal emails being triggered or something? I thought each withdrawal had to be confirmed by email.
Both transactions went to https://etherscan.io/address/0x1e8e56ee30095c1ef2fafbf431d9f06753bb79d4, a few minutes apart. As you can see, they go from there to another address which you can see was used in other hacks yadda yadda yadda I know I'm not getting my money back.
Okay, so, MEW I somewhat get, they got my password somehow (which is different from my bittrex password and neither one is used for any other account) and just transferred the funds out, but this Bittrex shit I just don't get and seems really fucky to me.
Hello, how can we help you sir?
t.bittrex support
Bittrex inside job.
>>3396926
nice, just received 100K
>>3396962
Fucking knew it. I'll sell all of my 100k bittrexes.
Honestly though, how did this not happen to anyone else?
>>3396926
If they have malware on your computer, they can just do it remotely from your computer, or steal your session cookies after you log in.
>>3396926
Use a 128 bit randomized password and don't ever log onto an exchange from anywhere but your home
>>3396962
I know you're joking but it might be close to the truth. We already had several posts on biz about buttrex accounts being drained even with 2FA enabled, stuff is fishy
>>3397810
it's user error. they logged in thru a phishing site.
>>3397861
if you don't have 2 factor enabled you are mentally handicapped
>>3397857
I was nowhere near a computer at that time. If I had logged in through a phishing site the 2fa would have expired by the time the account was accessed.
>>3397861
Here's two things that get me:
1. If you logged into a phishing site, wouldn't you immediately realise? Like if you checked your wallets or whatever? And if it does that part where people say 'pending login' or whatever then you also know right away.
2. If you log into a phishing site with 2FA and enter your password and 2FA code, don't they literally have about 10 seconds to log into the real bittrex with your 2FA code until it changes?
>>3397861
>significant amount of money
>0.7 eth
Pick one.
I have around 50k sitting on Bittrex for day-trading and I've never had these issues. It's usually people doing something retarded security wise. 90% of all the Bittrex "I've been hacked" posts have been people getting phished.
>>3397921
It does it automatically, literally within milliseconds of you logging in.
>>3396926
Top kek
>>3397861
If you were infected, they can steal your 2fa whenever you use it, and just block whatever you were doing and transfer eth instead.
Bittrex forces a delay between login and transfer IIRC, so people can't phish your 2fa.