Blockchain.info Roommate Fund Theft: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
No edit summary
(COMPLETE 30 minutes. Created and expanded an initial section related to the reality of the situation. Reviewed information from the blockchain transaction and expanded source information and related sections of the article. Added information about the comment response to the other user who lost 301 BTC. Consolidated some of the prevention section information. Adding date/time for the wiki article itself. Prepared a promotional post for the wiki article.)
 
Line 3: Line 3:
[[File:Blockchaininfo.jpg|thumb|Blockchain.info Logo/Homepage]]A blockchain.info user reports that their wallet was emptied, and the transaction referenced has 40.416 BTC. The user sent password information to their email addresses, however they found no login history on the email. They received a transfer code to their phone, which they leave unlocked. They report some of their browser history is deleted. The user was drugged from surgery at the time. The prevailing theory is that one of their roommates took the funds. Another possibility is that they were another victim of the failures in the Blockchain.info random number generator, with the attack sending funds to a second address.
[[File:Blockchaininfo.jpg|thumb|Blockchain.info Logo/Homepage]]A blockchain.info user reports that their wallet was emptied, and the transaction referenced has 40.416 BTC. The user sent password information to their email addresses, however they found no login history on the email. They received a transfer code to their phone, which they leave unlocked. They report some of their browser history is deleted. The user was drugged from surgery at the time. The prevailing theory is that one of their roommates took the funds. Another possibility is that they were another victim of the failures in the Blockchain.info random number generator, with the attack sending funds to a second address.


The country for this case study is not yet known.<ref name="reddit-7471" /><ref name="reddit-7708" /><ref name="blockchaindotinfo-7709" /><ref name="coinmarketcap-623" /><ref name="blockchaindotcom-4728" /><ref name="bitdegree-4729" />
The country for this case study is not yet known.<ref name="reddit-7471" /><ref name="reddit-7708" />


== About Blockchain.info ==
== About Blockchain.info ==
"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."
"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."
Third Party Review:<ref name="bitdegree-4729" />
Homepage:<ref name="blockchaindotcom-4728" />
== About voluntaryistimtch ==
voluntaryistmitch is a Reddit user<ref>[https://old.reddit.com/user/voluntaryistmitch voluntaryistmitch Profile - Reddit] (Accessed Sep 17, 2024)</ref>.


== The Reality ==
== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
Using a web-based wallet leaves the user vulnerable to many additional attack vectors which don't exist in offline hardware-based solutions or even in software-based solutions. Being on a website, the user is subject to the potential for the source code to be modified live, while a software wallet would require them to at least download an updated version. Software offers the ability to verify the new versions before upgrading, while a web-based wallet would fundamentally be running within a browser, that doesn't run any additional checks on the new code. In addition, using a web-based wallet requires information to be sent to/from a third party during the normal process of using the wallet, which creates a large opportunity for abuse of the user's information in order to take the funds.
 
* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.


== What Happened ==
== What Happened ==
Line 34: Line 36:
|August 1st, 2013 11:21:22 AM MDT
|August 1st, 2013 11:21:22 AM MDT
|Blockchain Transaction
|Blockchain Transaction
|The transaction on the blockchain where the 40 BTC of funds are taken from the wallet.
|The transaction on the blockchain where 40.416 BTC of funds are taken from the wallet of the victim and transferred to the attacker<ref name="blockchaindotinfo-7709" />.
|-
|-
|
|August 7th, 2013 1:52:00 AM MDT
|
|Reddit Thread Started
|
|voluntaryismitch starts a Reddit thread about their loss with details, attempting to understand what may have happened that allowed the loss to occur<ref name="reddit-7708" />.
|-
|November 4th, 2013 9:26:33 PM MST
|Mention In Reddit Thread Comment
|voluntaryistmitch posts in response to another user who reported losing 301 BTC to explain their story<ref name="reddit-7471" />. When asked whether or not they had confronted their roommates yet, they neglected to answer the question<ref name="reddit-7471" />.
|}
|}


Line 55: Line 61:


"Just another piece of data. I ran a full Symantec scan and the only thing it found was a tracking cookie from quantserve.com. I'm assuming that is nothing, but I just wanted to mention it."
"Just another piece of data. I ran a full Symantec scan and the only thing it found was a tracking cookie from quantserve.com. I'm assuming that is nothing, but I just wanted to mention it."
Malicious Transaction: <ref name="blockchaindotinfo-7709" />
Attacker Wallet Address: 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS


== Total Amount Lost ==
== Total Amount Lost ==
The total transferred was 40.41600000 BTC. The total amount lost has been estimated at $4,000 USD.
The total transferred was 40.41600000 BTC. The total amount lost has been estimated at $4,000 USD<ref name="coinmarketcap-623" />.


== Immediate Reactions ==
== Immediate Reactions ==
Line 67: Line 77:


== Ultimate Outcome ==
== Ultimate Outcome ==




Line 72: Line 83:


"I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back. I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin..."
"I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back. I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin..."




"I followed the transactions and it looks interesting. The address it was sent to then sent that balance to two other addresses. If you track those addresses down, they also keep doing a forked balance split by sending to two other addresses. I am not very good at digging deep into this stuff though, so maybe someone else has an idea of what is happening."
"I followed the transactions and it looks interesting. The address it was sent to then sent that balance to two other addresses. If you track those addresses down, they also keep doing a forked balance split by sending to two other addresses. I am not very good at digging deep into this stuff though, so maybe someone else has an idea of what is happening."


"I do not have 2-factor for Gmail, but I'll do that now and change all my passwords to something much more robust."


"I do not have 2-factor for Gmail, but I'll do that now and change all my passwords to something much more robust."
=== Post On Another Loss Thread ===
voluntaryistmitch posted a comment on another thread regarding another user who lost a total of 301 bitcoin<ref name="reddit-7471" />.<blockquote>
I'm sorry for your loss. Mine hurt, but I'm sure nowhere near as bad as yours.</blockquote>


== Total Amount Recovered ==
== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?


== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
== Individual Prevention Policies ==
The blockchain.info wallet is web-based, which makes it a form of hot wallet. Hot wallets are vulnerable to breach, and should not be used to store large sums of money. Always store the vast majority of funds offline in a cold storage medium which is not connected to the internet.
The blockchain.info wallet is web-based, which makes it a form of hot wallet. Hot wallets are vulnerable to breach, and should not be used to store large sums of money. Always store the vast majority of funds offline in a cold storage medium which is not connected to the internet.


In general, it is not good practice to let anyone else know how many bitcoin you have, and to have a decoy wallet with less bitcoin more easily accessible.
In general, it is not good practice to let anyone else know how many bitcoin you have, and to have a decoy wallet with less bitcoin more easily accessible.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
{{Prevention:Individuals:Placeholder}}


Line 107: Line 119:
== References ==
== References ==
<references>
<references>
<ref name="reddit-7471">[https://www.reddit.com/r/Bitcoin/comments/1pxcif/comment/cd71v9c/ voluntaryistmitch - "I had 40 BTC stolen despite having 2FA turned on at Blockchain" - Reddit] (Accessed Mar 19, 2022)</ref>
<ref name="reddit-7471">[https://old.reddit.com/r/Bitcoin/comments/1pxcif/i_just_lost_301btc_70000_on_blockchaininfo_use/cd71v9c/ voluntaryistmitch - "I had 40 BTC stolen despite having 2FA turned on at Blockchain" - Reddit] (Accessed Mar 19, 2022)</ref>
<ref name="reddit-7708">[https://www.reddit.com/r/Bitcoin/comments/1jvd57/40_btc_gone_please_help_me_understand_what/ 40 BTC Gone - Please Help Me Understand What Happened - Bitcoin Reddit] (Accessed May 16, 2022)</ref>
<ref name="reddit-7708">[https://www.reddit.com/r/Bitcoin/comments/1jvd57/40_btc_gone_please_help_me_understand_what/ 40 BTC Gone - Please Help Me Understand What Happened - Bitcoin Reddit] (Accessed May 16, 2022)</ref>
<ref name="blockchaindotinfo-7709">[https://blockchain.info/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 Transaction 3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 - Blockchain Explorer] (Accessed May 17, 2022)</ref>
<ref name="blockchaindotinfo-7709">[https://blockchain.info/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 Transaction Transferring 40.416 BTC from The Victim to the Attacker - Blockchain Explorer] (Accessed May 17, 2022)</ref>
<ref name="blockchaindotcom-7710">[https://www.blockchain.com/btc/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 Transaction: 3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 | Blockchain Explorer] (May 18, 2022)</ref>
<ref name="blockchaindotcom-7710">[https://www.blockchain.com/btc/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 Transaction: 3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434 | Blockchain Explorer] (May 18, 2022)</ref>
<ref name="coinmarketcap-623">[https://coinmarketcap.com/currencies/bitcoin/historical-data/ Bitcoin Historic Pricing Data - CoinMarketCap] (Accessed May 16, 2021)</ref>
<ref name="coinmarketcap-623">[https://coinmarketcap.com/currencies/bitcoin/historical-data/ Bitcoin Historic Pricing Data - CoinMarketCap] (Accessed May 16, 2021)</ref>

Latest revision as of 19:20, 17 September 2024

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Blockchain.info Logo/Homepage

A blockchain.info user reports that their wallet was emptied, and the transaction referenced has 40.416 BTC. The user sent password information to their email addresses, however they found no login history on the email. They received a transfer code to their phone, which they leave unlocked. They report some of their browser history is deleted. The user was drugged from surgery at the time. The prevailing theory is that one of their roommates took the funds. Another possibility is that they were another victim of the failures in the Blockchain.info random number generator, with the attack sending funds to a second address.

The country for this case study is not yet known.[1][2]

About Blockchain.info

"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."

Third Party Review:[3]

Homepage:[4]

About voluntaryistimtch

voluntaryistmitch is a Reddit user[5].

The Reality

Using a web-based wallet leaves the user vulnerable to many additional attack vectors which don't exist in offline hardware-based solutions or even in software-based solutions. Being on a website, the user is subject to the potential for the source code to be modified live, while a software wallet would require them to at least download an updated version. Software offers the ability to verify the new versions before upgrading, while a web-based wallet would fundamentally be running within a browser, that doesn't run any additional checks on the new code. In addition, using a web-based wallet requires information to be sent to/from a third party during the normal process of using the wallet, which creates a large opportunity for abuse of the user's information in order to take the funds.

What Happened

"Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd."

Key Event Timeline - Blockchain.info Roommate Fund Theft
Date Event Description
July 17th, 2013 Different IP Address Sign-In "On July 17th, somebody signed in by iPhone with a different IP address than what mine appears to be (an the site says it was a Verizon IP, though that is my provider). It is close to the city where I live, but probably 30 minutes away."
July 30th, 2013 Logged In From Starbucks IP Address "On July 30th, I was logged in from a Starbucks on the hospital's WiFi which I can see on the map. Besides that, the location on the map appears to be where my apartment is and have the same IP address (the first 11 characters are the same, but then they change - I don't understand what that means)."
August 1st, 2013 11:21:22 AM MDT Blockchain Transaction The transaction on the blockchain where 40.416 BTC of funds are taken from the wallet of the victim and transferred to the attacker[6].
August 7th, 2013 1:52:00 AM MDT Reddit Thread Started voluntaryismitch starts a Reddit thread about their loss with details, attempting to understand what may have happened that allowed the loss to occur[2].
November 4th, 2013 9:26:33 PM MST Mention In Reddit Thread Comment voluntaryistmitch posts in response to another user who reported losing 301 BTC to explain their story[1]. When asked whether or not they had confronted their roommates yet, they neglected to answer the question[1].

Technical Details

"I import the private key into blockchain.info." "I had previously used a paper wallet, but transferred my money back to Blockchain to enable easier transactions. I was using 2 factor authentication with an SMS code being sent to my phone to be able to access my wallet. I did not notice this at the time, but now that I checked, a wallet authentication code was was sent to my phone at 12:17am Aug 2nd. I do not recall ever seeing this until now." "[H]e was texted a confirmation code to enable the transaction, not a notice saying it had happened."

"I was once sent an email from Blockchain with a wallet backup saying the following, but that is all I'm aware of - "Attached to this email is an AES encrypted wallet backup which contains everything you need to restore your bitcoin balance. You can use it to restore the wallet at anytime at My Wallet or using the 3rd party MultiBit Desktop client."

"The password was not very strong at all..." "My password could probably be stronger, but it is one of the stronger ones I use. 5 letters and 6 numbers. I don't believe I use it anywhere else." "And as I mentioned earlier in this post, I stupidly sent myself and email with my username and password to my wallet when I first opened one at Blockchain." "It looks like I used the same one for Coinbase as well, but just those 2 locations."

"I don't have my phone locked."

"On July 17th, somebody signed in by iPhone with a different IP address than what mine appears to be (an the site says it was a Verizon IP, though that is my provider). It is close to the city where I live, but probably 30 minutes away."

"On July 30th, I was logged in from a Starbucks on the hospital's WiFi which I can see on the map. Besides that, the location on the map appears to be where my apartment is and have the same IP address (the first 11 characters are the same, but then they change - I don't understand what that means)."

"Just another piece of data. I ran a full Symantec scan and the only thing it found was a tracking cookie from quantserve.com. I'm assuming that is nothing, but I just wanted to mention it."

Malicious Transaction: [6]

Attacker Wallet Address: 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS

Total Amount Lost

The total transferred was 40.41600000 BTC. The total amount lost has been estimated at $4,000 USD[7].

Immediate Reactions

"Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd."

"I checked my laptop browser history, and I do not see any activity during the time of the transfer. However, it looks like there is a gap in my history where I or somebody else cleared the history on my computer. 8/1 12pm to 8/2 11am is missing. The transfer happened at 12:20am on 8/2."

"I did not notice this at the time, but now that I checked, a wallet authentication code was was sent to my phone at 12:17am Aug 2nd. I do not recall ever seeing this until now." "The time between the two is 3 minutes. 12:17am the code was sent. 12:20am, the was the transaction that emptied the wallet." "I honestly do not remember seeing this text until right now (5 days later). I was quite out of it that day. I had a surgery for which I was put under, 10 hours earlier in the day and was basically a zombie. I do not recall seeing the message at the time, either when it was sent, or after the fact, but it is possible that I did see the message that day but didn't think much of it (again, I was very out of it)."

Ultimate Outcome

"I don't believe anybody could have borrowed my phone at that time. I was at home for a few days in my apartment because of a surgery. I may have turned on my wifi once (though I don't think so) if that could do something." "We've eliminated people without physical access to your phone and computer because your email wasn't accessed by someone else."

"I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back. I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin..."


"I followed the transactions and it looks interesting. The address it was sent to then sent that balance to two other addresses. If you track those addresses down, they also keep doing a forked balance split by sending to two other addresses. I am not very good at digging deep into this stuff though, so maybe someone else has an idea of what is happening."

"I do not have 2-factor for Gmail, but I'll do that now and change all my passwords to something much more robust."

Post On Another Loss Thread

voluntaryistmitch posted a comment on another thread regarding another user who lost a total of 301 bitcoin[1].

I'm sorry for your loss. Mine hurt, but I'm sure nowhere near as bad as yours.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

The blockchain.info wallet is web-based, which makes it a form of hot wallet. Hot wallets are vulnerable to breach, and should not be used to store large sums of money. Always store the vast majority of funds offline in a cold storage medium which is not connected to the internet.

In general, it is not good practice to let anyone else know how many bitcoin you have, and to have a decoy wallet with less bitcoin more easily accessible. No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

Cite error: <ref> tag with name "blockchaindotcom-7710" defined in <references> is not used in prior text.