Bittrex - Update - Probably my Fault.

in #bitcoin, 8 years ago

It has been a very rough 24 hours. No sleep and the not knowing how this happened has been driving me up the wall.

I want you all to know I appreciate the support; you have all been awesome. Love Steemit.

I have been on a mission

I have been in the Coinigy slack to ask for advice etc. William was kind enough to help and mentioned that Bittrex should be able to see if they made the withdraws using the API or the UI.

Another factor is the withdraws were already made before I logged in at 2:32 am so I am sure they should be able to see where and what IP was used for this.

I am not expecting to get the funds back, but I really want to know how I was compromised. If it was a mistake I made then I want to know so I can fix it. If nothing else comes out of this, maybe it will help people not make any of the potential mistakes I made, if I did.

I want to thank everyone for the messages and kind words, you all on steemit rock and I am so happy I am still here and part of the community.

I also want to thank Jona Derks (Partner in the account) who has been awesome through all this and helped me tough it out and help make sure the other 4btc wasn't taken.

I will keep everyone updated on what's going on and hopefully, I can find out exactly what happened.




UPDATE: We now know how it was executed.

I am being 100% transparent here so I want you to see what I see so it makes it better for all of us. It is quite possible it was a mistake made on my part and I am willing to take the blame.

Bittrex has just got back to me after I submitted all the details they needed to investigate. Thanks to Niri and the fast response.


Here is my submitted ticket to them and all their responses:

REQUEST #98214 WITHDRAWS NOT AUTHORIZED

Shayne Rivas-Shiells Today at 22:48

Early this morning between the hours of 1 am and 3 am my account was compromised and I lost 5.397 BTC and 1899 PIVX. I was fortunate enough to log in at 2:32 am and stop them from stealing the rest of the funds. I also have captured this on video so I can show you what was happening. It was the hardest thing I have ever had to go through. I worked hard every day and made sacrifices for my family to try and provide a better life.
Here is a link to the video.

Here are the transactions in question:


Also maybe you can track them by the times they were using the account. I logged in at 2:32 am and the 4 transactions had already been made; I was fortunate enough to quickly cancel an XEM withdraw they were attempting. They were in the account the same time as I was, as you can see in the video. I also have the full-length 2-hour video I captured through all the drama, but obviously didn't upload the full video to YouTube. I can provide that if you need it. I'll attach a screenshot. Also, William from Coinigy mentioned you may be able to see if they used the API or UI to make the 4 transactions. http://prntscr.com/fn51tz Anything you need to assist you, I am here. I haven't slept since this happened so I am here if you need me...thanks...Shayne.

BITTREX RESPONSE

Niri Yesterday at 23:19

Hi Shayne,

I had a chance to watch your video. It was really tough to see your account get drained like that. It's obvious from your story that you've worked hard on building up your account. Bittrex takes the security of your account very seriously, offering Two-Factor verification, login notifications with Account Disable link and IP Whitelisting to prevent unauthorized access.

Checking your account history we can see however that these sales are happening through API calls.

| Time Stamp | Address | User Agent | Activity |
|---|---|---|---|
| 06/22/17 09:55:37 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |
| 06/22/17 09:45:17 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |
| 06/22/17 09:11:57 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |
| 06/22/17 09:07:06 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |
| 06/22/17 08:58:33 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |
| 06/22/17 08:32:42 | 78.129.186.234 | | WITHDRAWAL_APIV1_SUCCESS |

The IP address appears to originate from London, UK.

Is it possible your API key was compromised?

Thank you,

Niri @ Bittrex

Follow us on Twitter @ https://twitter.com/BittrexExchange

Shayne Shiells Yesterday at 23:27

Heya, thanks for the speedy reply

It may be possible. I made many video tutorials showing Bittrex and Coinigy using the keys, but I was positive I always deleted any keys that I used in the videos. Is it possible to know what keys were used in the calls?

Niri Yesterday at 23:50

Hi Shayne,

Thanks for updating the ticket.

For security reasons we do not store and display the API keys you are using to our Support agents.

I would recommend revoking and removing your API keys considering what you have been through today. You have taken great measures protecting your account but unfortunately one of your API keys got in the wrong hands. Hackers write bot programs around API keys and can quickly drain an account of all coin.

Thank you,

Niri @ Bittrex

Follow us on Twitter @ https://twitter.com/BittrexExchange



So it seems somehow my API keys were stolen. Now, this could have quite possibly been my fault as I have used API keys in video tutorials before and may have somehow deleted the wrong ones and not double checked before I uploaded the video. You can see in this particular video below. I take full responsibility for my actions if this is the case.


time: 3:10


If you read the Bittrex first response from Niri you can see they found the transactions and they were in fact executed through the API and it was from an IP Address in the UK.

I have always tried to be as careful as possible when it comes to security but no one is perfect and this has been a valuable lesson to me.

And Finally

Thanks to everyone that supported me and knows me as a person inside and outside of steemit and knows I would never create something fake or deceive anyone like some people have stated in various places. I am here to help people and have been doing so all my life.

Thanks to @bittrex for responding so fast and letting me know how they took the funds, I am glad I at least know now the mistakes that were made.

Peace everyone!
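An added example, not part of the original post and not Bittrex's own tooling: the six activity rows from the support reply above, run through a small Python check that flags API withdrawals from outside an expected network and bursts of API withdrawals. The expected network, the final sample row and the thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta
import ipaddress

# (timestamp, source IP, user agent, activity): the six rows from the Bittrex reply
# above, plus one constructed row (last) standing in for the owner's own API client.
ROWS = [
    ("06/22/17 09:55:37", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/22/17 09:45:17", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/22/17 09:11:57", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/22/17 09:07:06", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/22/17 08:58:33", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/22/17 08:32:42", "78.129.186.234", "", "WITHDRAWAL_APIV1_SUCCESS"),
    ("06/21/17 14:00:00", "203.0.113.10", "owner-bot/1.0", "WITHDRAWAL_APIV1_SUCCESS"),
]
# Assumption: networks the account owner expects API calls from (documentation range).
EXPECTED_NETWORKS = ["203.0.113.0/24"]


def review_api_withdrawals(rows, expected_networks, window=timedelta(hours=1), burst=3):
    """Return (timestamp, ip, reasons) for each API withdrawal that looks unexpected."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    events = sorted(
        (datetime.strptime(ts, "%m/%d/%y %H:%M:%S"), ipaddress.ip_address(ip), ua)
        for ts, ip, ua, activity in rows
        if activity.startswith("WITHDRAWAL_API")
    )
    findings = []
    for i, (ts, ip, _ua) in enumerate(events):
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("unexpected-source-ip")
        # Count API withdrawals in the trailing window, this one included.
        recent = sum(1 for t, _, _ in events[: i + 1] if ts - t <= window)
        if recent >= burst:
            reasons.append("withdrawal-burst")
        if reasons:
            findings.append((ts.isoformat(sep=" "), str(ip), reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, reasons in review_api_withdrawals(ROWS, EXPECTED_NETWORKS):
        print(ts, ip, ",".join(reasons))
```

The source-IP check is the alerting counterpart of the IP whitelisting Bittrex mentions in its reply: every one of the six withdrawals is flagged on source address alone, before the burst threshold is reached at 09:07:06.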


Dude, I am so freakin sorry to hear that. It just makes me sick to my stomach. I'm glad to hear they didn't get everything at least, a small crumb of comfort I know. I'm so sorry.

Thanks man...TBH I've been thinking about it a lot today and I am really lucky that I decided to go into the account at that moment. I think I should be counting my lucky stars I came out with anything. When the bot was working my sales it was incredibly fast, so I think maybe another 30-40 minutes and the account would have been empty.

I'm so sorry man, you are so lucky to have caught it when you did.

I'm sorry to hear this! I am new to steemit and can't even imagine how you felt! Thanks to dexter-k I read about your story. I hope you manage to redeem your hard earned cash soon.

This sucks that it happened. If anyone ever finds themselves in a situation like this, go to your email and click on the disable account link in the login mail you received. There is no reason to sit around and try to out think/out speed the attacker. Disable the account, cut a support ticket, and we'll work with you to get it sorted out.

Good advice.

But he said in the video he got no e-mail for other logins... where can you do that in that case?
In other old login e-mails is the same link to can lock it down (from what i see is a different link every time)?

Why isn't a way from the account to cancel all current transactions and lock account?
Anyway, to have locked account and don't know what is happening there is still bad, in a way. It could be ok to have at least a just viewer to your account to be able to see what's happening.

Eh... hope it's not happening again.
Watch what you share.

Sure you would sort it out, except returning his 20k loss - because your poor security ! Oh but it was his fault - I hear you say,
sure Richie, maybe one day it will happen to you!

Oh man, fuck those people really. Since the Hardfork 19 from Steemit you can earn a lot more with your posts. Just keep posting everyday and you will be back in no time. Steem community will support you with 100% votes :)

Yeah people that do this sort of thing to others are the bottom of the barrel, scum of the earth in my eyes. And if they get caught they should get punished hard.

Yes. But life not always do that.
That's why we must realize that not everybody is our friend or want us good.
So, better not showing personal or sensitive things in public. Is the best option to secure a little bit our life.
Life in a way or another will punish everybody, but not when we think it does... So, we must go on and some support from our beloved is welcomed to strengthen us.
Cheers man and best wishes

Sorry about your losses, and thanks for sharing your story so others can learn from it.

I'm so sorry this happened to you.
As far as I understand, you can create API Keys that are good for trading only, but revoke the right to withdraw any funds from your Bittrex account. Can this kind of key still be used to steal your coins?

You are correct, you can simply leave the 'withdraw' function disabled, and then there is no way for a hacker to gain access to your funds. That coupled with whitelisting your IP and whitelisting withdraw addresses is the way to maximize your security....I have just learnt all this actually, made a video about it. https://steemit.com/bitcoin/@cryptoiskey/bittrex-how-to-make-sure-your-bittrex-account-is-secured-as-much-as-possible

I saw now about white list. But they say if you have for one, you should have then for all of them:

Warning: If you have this enabled on any currency, all currencies need to have a specified withdrawal address.

I don't believe will retrieve other than main 4-5 coins in personal wallets. The rest, only through conversion in market.
But, that is what they say there.

I have whitelist addresses for all my coins.

This really sucks man!

I hope you make all your money back x 10. best of luck in the future!

Sorry to hear this man, I had a small amount hacked, nothing along these lines. This is one issue that has to be fixed before crypto can hit the masses.

To be honest it was my fault. I should have not enabled the 'withdraw' function in the API and should have been a lot more careful when making video tutorials and using the API keys. So it has been a huge lesson.

Congratulations @cryptoiskey! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Not the ideal timing for this post from @steemitboard. I think @cryptoiskey has bigger issues to think about, I can only assume that a badge isn't high on his priority list right now.

Good news is sometimes welcome, even in worst situations.
And if @cryptoiskey has other priorities (which is perfectly understandable), he can simply ignore this notification.

This post received a 1.0% upvote from @randowhale thanks to @dexter-k! For more information, click here!