Blockchain.info Roommate Fund Theft

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.


Blockchain.info Logo/Homepage

A Blockchain.info user reports that their wallet was emptied; the referenced transaction moved 40.416 BTC. The user had emailed their wallet password to their own email addresses, but found no sign of unauthorised logins in the email account's history. A transfer authorization code was sent to their phone, which they leave unlocked. They report that part of their browser history was deleted. The user was still sedated from surgery at the time. The prevailing theory is that one of their roommates took the funds. Another possibility is that they were another victim of the failures in the Blockchain.info random number generator, with the attack sending funds to a second address.

The country for this case study is not yet known.[1][2]

About Blockchain.info

"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."

Third Party Review:[3]

Homepage:[4]

About voluntaryistmitch

voluntaryistmitch is a Reddit user[5].

The Reality

Using a web-based wallet exposes the user to many attack vectors that do not exist in offline hardware-based solutions, or even in locally installed software wallets. Because the wallet is a website, its source code can be modified live by whoever controls the server, whereas a software wallet would at least require the user to download an updated version. Software releases can be verified before upgrading, while a web-based wallet runs inside a browser that performs no additional checks on newly served code. In addition, a web-based wallet must exchange information with a third party during normal use, which creates a large opportunity for that information to be abused in order to take the funds.

What Happened

"Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd."

Key Event Timeline - Blockchain.info Roommate Fund Theft

Date | Event | Description
July 17th, 2013 | Different IP Address Sign-In | "On July 17th, somebody signed in by iPhone with a different IP address than what mine appears to be (and the site says it was a Verizon IP, though that is my provider). It is close to the city where I live, but probably 30 minutes away."
July 30th, 2013 | Logged In From Starbucks IP Address | "On July 30th, I was logged in from a Starbucks on the hospital's WiFi which I can see on the map. Besides that, the location on the map appears to be where my apartment is and have the same IP address (the first 11 characters are the same, but then they change - I don't understand what that means)."
August 1st, 2013 11:21:22 AM MDT | Blockchain Transaction | The transaction on the blockchain where 40.416 BTC of funds are taken from the wallet of the victim and transferred to the attacker[6].
August 7th, 2013 1:52:00 AM MDT | Reddit Thread Started | voluntaryistmitch starts a Reddit thread about their loss with details, attempting to understand what may have happened that allowed the loss to occur[2].
November 4th, 2013 9:26:33 PM MST | Mention In Reddit Thread Comment | voluntaryistmitch posts in response to another user who reported losing 301 BTC to explain their story[1]. When asked whether or not they had confronted their roommates yet, they neglected to answer the question[1].

Technical Details

"I import the private key into blockchain.info." "I had previously used a paper wallet, but transferred my money back to Blockchain to enable easier transactions. I was using 2 factor authentication with an SMS code being sent to my phone to be able to access my wallet. I did not notice this at the time, but now that I checked, a wallet authentication code was sent to my phone at 12:17am Aug 2nd. I do not recall ever seeing this until now." "[H]e was texted a confirmation code to enable the transaction, not a notice saying it had happened."

"I was once sent an email from Blockchain with a wallet backup saying the following, but that is all I'm aware of - "Attached to this email is an AES encrypted wallet backup which contains everything you need to restore your bitcoin balance. You can use it to restore the wallet at anytime at My Wallet or using the 3rd party MultiBit Desktop client."

"The password was not very strong at all..." "My password could probably be stronger, but it is one of the stronger ones I use. 5 letters and 6 numbers. I don't believe I use it anywhere else." "And as I mentioned earlier in this post, I stupidly sent myself an email with my username and password to my wallet when I first opened one at Blockchain." "It looks like I used the same one for Coinbase as well, but just those 2 locations."

"I don't have my phone locked."

"On July 17th, somebody signed in by iPhone with a different IP address than what mine appears to be (and the site says it was a Verizon IP, though that is my provider). It is close to the city where I live, but probably 30 minutes away."

"On July 30th, I was logged in from a Starbucks on the hospital's WiFi which I can see on the map. Besides that, the location on the map appears to be where my apartment is and have the same IP address (the first 11 characters are the same, but then they change - I don't understand what that means)."

"Just another piece of data. I ran a full Symantec scan and the only thing it found was a tracking cookie from quantserve.com. I'm assuming that is nothing, but I just wanted to mention it."
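The login-history and SMS-code observations quoted above lend themselves to a simple review script. The following is an added example, not code from the original post or from Blockchain.info; the events, IP addresses, device strings and home address are constructed, and the /24 comparison is an assumption about what "the first 11 characters are the same" corresponds to. It flags logins from an unfamiliar network or device and pairs each authorisation code with a withdrawal that follows shortly after; note that activity from the home connection, as in the roommate theory, passes the network check.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of wallet activity, loosely modelled on this case's
# timeline: times, IP addresses and device strings are all invented.
EVENTS = [
    ("2013-07-10 18:02", "login",    "198.51.100.23", "Chrome/Mac"),
    ("2013-07-17 09:45", "login",    "203.0.113.77",  "Safari/iPhone"),
    ("2013-07-30 14:10", "login",    "192.0.2.140",   "Chrome/Mac"),
    ("2013-08-02 00:17", "2fa_sms",  "198.51.100.61", "Chrome/Mac"),
    ("2013-08-02 00:20", "withdraw", "198.51.100.61", "Chrome/Mac"),
]
HOME_IP = "198.51.100.23"       # assumed home address of the wallet owner
KNOWN_DEVICES = {"Chrome/Mac"}  # assumed device the owner normally uses

def same_prefix(ip_a, ip_b, bits=24):
    """True when both addresses share one /bits network: leading characters
    match, last octet differs, i.e. another host on the same connection."""
    net = ipaddress.ip_network(f"{ip_a}/{bits}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def parse(events):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), kind, ip, dev)
            for t, kind, ip, dev in events]

def flag_logins(events, home_ip=HOME_IP, known=KNOWN_DEVICES):
    """(timestamp, ip, reason) for logins from an unfamiliar network or device.
    Logins from the home network pass, so a roommate on the same connection
    looks exactly like the owner to this check."""
    flags = []
    for ts, kind, ip, dev in parse(events):
        if kind != "login":
            continue
        reasons = []
        if not same_prefix(home_ip, ip):
            reasons.append("unfamiliar network")
        if dev not in known:
            reasons.append("unfamiliar device")
        if reasons:
            flags.append((ts, ip, ", ".join(reasons)))
    return flags

def withdrawals_after_code(events, window=timedelta(minutes=10)):
    """Pair each SMS authorisation code with a withdrawal following it within
    `window`, returning (code_time, withdraw_time, minutes_between)."""
    parsed = parse(events)
    return [(ts, ts2, int((ts2 - ts).total_seconds() // 60))
            for ts, kind, _, _ in parsed if kind == "2fa_sms"
            for ts2, kind2, _, _ in parsed
            if kind2 == "withdraw" and ts <= ts2 <= ts + window]
```

On the constructed data the July 17th and July 30th logins are flagged while the August 2nd activity is not, and the code-to-withdrawal gap of three minutes is the one event a wallet provider could have alerted on.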

Malicious Transaction: [6]

Attacker Wallet Address: 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS

Total Amount Lost

The total transferred was 40.41600000 BTC. The total amount lost has been estimated at $4,000 USD[7].

Immediate Reactions

"Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd."

"I checked my laptop browser history, and I do not see any activity during the time of the transfer. However, it looks like there is a gap in my history where I or somebody else cleared the history on my computer. 8/1 12pm to 8/2 11am is missing. The transfer happened at 12:20am on 8/2."

"I did not notice this at the time, but now that I checked, a wallet authentication code was sent to my phone at 12:17am Aug 2nd. I do not recall ever seeing this until now." "The time between the two is 3 minutes. 12:17am the code was sent. 12:20am, that was the transaction that emptied the wallet." "I honestly do not remember seeing this text until right now (5 days later). I was quite out of it that day. I had a surgery for which I was put under, 10 hours earlier in the day and was basically a zombie. I do not recall seeing the message at the time, either when it was sent, or after the fact, but it is possible that I did see the message that day but didn't think much of it (again, I was very out of it)."

Ultimate Outcome

"I don't believe anybody could have borrowed my phone at that time. I was at home for a few days in my apartment because of a surgery. I may have turned on my wifi once (though I don't think so) if that could do something." "We've eliminated people without physical access to your phone and computer because your email wasn't accessed by someone else."

"I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back. I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin..."


"I followed the transactions and it looks interesting. The address it was sent to then sent that balance to two other addresses. If you track those addresses down, they also keep doing a forked balance split by sending to two other addresses. I am not very good at digging deep into this stuff though, so maybe someone else has an idea of what is happening."

"I do not have 2-factor for Gmail, but I'll do that now and change all my passwords to something much more robust."

Post On Another Loss Thread

voluntaryistmitch posted a comment on another thread regarding another user who lost a total of 301 bitcoin[1].

"I'm sorry for your loss. Mine hurt, but I'm sure nowhere near as bad as yours."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

The Blockchain.info wallet is web-based, which makes it a form of hot wallet. Hot wallets are vulnerable to breach and should not be used to store large sums of money. Always store the vast majority of funds offline in a cold storage medium that is not connected to the internet.

In general, it is good practice not to let anyone else know how many bitcoin you hold, and to keep a decoy wallet with a smaller balance more easily accessible. No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References
