I have been a victim of a phishing attack today, and the perpetrator stole my bitcoin hosted at coinbase.com. I have an IP address that the attacker used. Is there anything I can do? Any info would be helpful.
- Does Coinbase show that your balance is 0 and a transfer out was done, e.g. "You sent bitcoin to an external account"? If Coinbase still shows your correct balance, then all that happened was that they moved money around. – Tim S. May 28 '14 at 15:37
- Please explain how you got phished so that others are aware of the strategies people are using and can protect themselves. Did you click a link that brought you to a coinbase.com lookalike website where you entered your password? – Fraggle May 28 '14 at 15:50
- I clicked a link in an email that said "review user agreement." I then believe that I entered my username and password into a coinbase-like website, which was in retrospect not coinbase. However, it was so coinbase-like that I was fooled. – user16992 May 28 '14 at 16:11
- Then the perpetrators were somehow able to add their Android device and transfer the bitcoin within minutes. I don't know why they were able to get into my authy account, which has a different username and password. In any case, they were. Or coinbase did not properly require 2-factor authentication. They also did not wait even two minutes to transfer the bitcoin, which I find frustrating, because I noticed this within minutes, and the coin was already gone. I'm not sure exactly what happened, though, because coinbase is not responding to me. – user16992 May 28 '14 at 16:13
- In your two-factor settings there is a limit to what transactions require two-factor. Maybe it was set higher than what was stolen? – Willem Hengeveld May 28 '14 at 17:27
- In the future it would be a safer idea to set up an offline cold wallet. This prevents most attacks. – enigma May 28 '14 at 00:55
- Yeah, that was what I learned from this experience. I actually only gained access to my bitcoin a day or two ago and hadn't gotten around to it (stupid, I realize). Thank you, though! – user16992 May 28 '14 at 02:49
- No, it was not. It was set to $100 (the default) and they transferred one coin at the current value, which was around $575. – user16992 May 28 '14 at 19:15
- Looks like they implemented new device confirmation today. Cold comfort to me now. – user16992 May 28 '14 at 19:16
1 Answer
If you have the private keys for your addresses that were holding your bitcoin, transfer them immediately to a new address. On the compromised computer, cease all online work until you are certain the phishing malware has been removed.
If they have already been removed by the thief, then there is not much you can do. You can file a police report, but the likelihood of getting your coin back is about the same as if someone stole your physical wallet out of your pocket.
In theory, there is a lot more you can do, but the justice departments of the world have not laid down any protocols for bitcoin theft, and such thefts are likely never really investigated (most cops probably don't know much more than the average person about bitcoin, anyway).
frеdsbend
- I had the bitcoin in a digital wallet with coinbase.com. The perpetrators somehow circumvented that establishment's 2-factor authentication so I got no notice of it until minutes after the event, when I obviously changed all passwords, revoked their Android's access to my account, etc. Is there nothing I can do with the IP address and/or info about the access to my account? – user16992 May 27 '14 at 22:51
- @user Do you still have control of your coinbase.com account, is your coin still there, and can you withdraw your coin? Concerning the IP, you can see what you can do, maybe contact your local authorities, but it is likely that the perpetrators live outside of your local authorities' jurisdiction, and if the current value of the bitcoin stolen is less than $10K they will probably just make a report and leave it at that. With the data you do have, you might try asking what you can specifically do with it on [SuperUser.com](http://superuser.com/), a StackExchange site like this one. – frеdsbend May 27 '14 at 22:57
- I do still have control of my coinbase.com account, but my coin was moved out without any 2-factor authentication (which shouldn't happen, but it did somehow). I don't think the authorities will care. I'm pretty sure the perpetrators are not in my area since the IPs they accessed the account with are in Germany and France. I'll look at superuser.com. Thank you so much. – user16992 May 28 '14 at 02:51
- @user Too bad. Sorry you got hacked like this. I hope it wasn't too much coin. If coinbase.com screwed up, then I would say you are entitled to have them replace your stolen coins. Get the full story/explanation from them. They are reasonable people. [Their founder/CEO is actually a site user.](http://bitcoin.stackexchange.com/users/540/brian-armstrong) – frеdsbend May 28 '14 at 03:10
- I am trying to get the full story from them, but they ceased responding to me for some reason. Thanks! – user16992 May 28 '14 at 16:06
- It was one coin, which is disappointing, but at least not my life's savings. Thank you for your feedback. I do not understand how the perpetrator circumvented 2-factor authentication. They really should not be able to do that. But at least I hope this can be a warning to others. It is apparently pretty trivial to circumvent 2-fact auth on coinbase. – user16992 May 28 '14 at 16:20
- @user I was thinking that maybe if you had not set up your two-factor authentication yet, then once the hackers logged in they just made the authentication through their own phone. Unfortunately, that would make this a user error and coinbase would not compensate you. Had you set up your phone for the two-factor authentication before the attack? – frеdsbend May 29 '14 at 18:13