About 6 weeks ago I installed a Ledger Chrome extension that turned out to be bogus – it was caught in my virus scan and removed pretty quickly, but the incident had scared me, so I have been running regular full (not quick) virus scans, with usually all clear or just minor things turning up.
On 20 May I installed the software for the Estonian e-Residency program, which includes software for a card reader. I'm not suggesting that has anything to do with what occurred, but it does explain why I didn't shut the laptop down and wipe everything sooner.
That same evening or possibly the next morning, there was a strange program I didn’t recognise open – I took a screenshot. Here it is:
Obviously somewhat freaked, I shut it down and disconnected from the internet and ran a full scan on Windows Defender. It came back all clear, no issues.
After a lot of googling I came to the conclusion that it was background software for the Estonian e-Residency program, which includes a smart card reader that would require some remote access.
To be safe, I invested in the paid full version of Malwarebytes, ran that, all clear again, so I carried on. I set it to scan regularly from that period on.
Skip to the morning of 02 June, around 10am, and the machine is making a lot of weird noise and is fucking slow. I start another full scan, but the scan plus the lag that was there already is making the laptop unworkable, so I pause the scan, do what I can and then finish up for the day.
That night before going to bed I opened the laptop again and loaded up to do the full scan overnight. It was connected to the wifi for this. I screen locked it and left it running there.
When I woke up in the morning and checked it, the scan was all clear, but I noticed it was set to 'Quick Scan' when I was sure I had run 'Full Scan'. Everything seemed to be working at normal speed again anyway, so I started working for the day, but I did notice that when I locked the screen now, Windows wasn't asking for my password. The password prompt was gone; it just said 'Sign In', and you clicked it and were in my profile. I set a new password; still nothing on the virus scanners.
I then got an email from Kraken – "Kraken Alert: Username request" – the email states that someone has requested the username for my account. So they obviously have my email. The Kraken email provides the requester's IP, and it is in the same country as me, but it's a VPN server.
I logged onto Kraken quickly, no issues, and decided to move what I had there over to Binance. Logged on to Binance and in a hurry got the deposit address and made the transfer. Then checked my spot wallet on Binance and realised it was empty, totally cleaned out. At this point I panicked and disabled Binance immediately and reported it to support (in hindsight the first thing to do was to cancel the transfer from Kraken, but as I said I was now panicking).
I was pretty confused about how this was happening, because:
1) All my passwords are unique and kept secure in KeePassX
2) I have 2FA on everything, and all exchanges
3) I got no email notifications from Binance or anyone else until that Kraken email
Over the next few hours then, things start to unravel a bit. I checked the Trash in my gmail and it was totally empty, which would be unusual as I don’t empty it out by habit.
Then I checked my other, old Gmail that I don't really use anymore. Nothing there, but then I checked the Trash folder and was greeted with this: [Imgur](https://imgur.com/pXMVn7n)
At this stage I’m pretty much freaking and it’s clear that someone has all my passwords, and is in my emails.
There is not a whole lot you can do in this situation; the horse has bolted. Assess and try to do damage control:
KuCoin – they could not withdraw due to the withdrawal PIN.
Kraken – they could not get in due to not having the username. I think it's still getting hammered; I have a video call with their support tomorrow. I have told them to disable the account until they see me on video, which they have done.
Binance – cleaned out everything without issue. They traded all my tokens for USDT and withdrew the USDT and ETH to an ERC20 address. It was there for about 12 hours, then was sent on and broken down.
There was also BNB, which hasn't moved yet from the wallet it was withdrawn to:
Binance support have replied once, saying that they did email me. Which of course they did. I’m still hoping something can be done with the BNB if it’s a Binance wallet or goes back onto Binance at some point but support aren’t helping too much there.
Bitfinex – it looks like they got access, but the balance was very low and they just didn't bother.
HitBTC and anywhere else the hacker looked would have been empty.
I have spent the last 36 hours or so getting a new laptop, changing every password, changing every 2FA, shutting accounts down, contacting support all over, etc. It's a fucking nightmare.
Now, how did it happen – I believe that I was remotely accessed from some point in May, on or before 20 May. The hacker watched and waited and would have seen me using KeePassX. They would have probably put a keylogger on, as my password for KeePassX is only in my head, although I'm not sure why the virus scanners wouldn't find the keylogger, but they somehow definitely cracked my KeePassX.
As well as then having all my passwords, I had some seeds for 2FA (not all, but some) in there. Binance was one; this would explain them having my 2FA. I actually think I was using Binance that day and possibly it did not log out, as Binance seems to not auto-logout, but they still should have had to use 2FA on the withdrawal.
As the hacker had access to my laptop and was doing everything through my device, the exchanges' security did not trigger for a new foreign IP. The accessing IP that made the withdrawals was my own (I believe), and this then obviously creates a huge issue with support, as there is no sign of a hack.
As they were in my email too, they were able to delete almost all of the notifications. This happened at 3am, I didn’t even know about it until nearly 3pm.
So.. there you go. A disaster.
I'm not even sure what can be learnt from this – do not keep 2FA seeds on the device at all, even behind a vault. Do not rely on Windows Defender or Malwarebytes; they didn't help here and still even now are giving the all clear. I'm getting a professional outfit to analyse the laptop, and/or police.
Funds not always safu.
Source : https://reddit.com/r/CryptoCurrency/comments/gws6hy/remote_access_hack_binance_cleaned_out/
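The post's central lesson is that a TOTP seed stored next to the password in the same vault collapses two factors into one: whoever reads the vault can generate exactly the codes the exchange expects, from the victim's own machine, so nothing looks anomalous server-side. The following is an added example, not code from the post or from any exchange or KeePassX; it implements RFC 4226 HOTP / RFC 6238 TOTP from the standard library and drives it from a constructed vault entry (hypothetical field names) whose notes field holds an otpauth:// URI with the RFC 6238 reference seed. The exchange-side check is a simplified stand-in, assumed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 reference seed: the ASCII bytes "12345678901234567890" in base32.
# Constructed test data, not a real account.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed stand-in for a password-manager entry holding BOTH factors.
# Field names are hypothetical; the point is that password and OTP seed sit
# behind the same master password, so one keylogged secret yields both.
VAULT_ENTRY = {
    "title": "Exchange (constructed)",
    "username": "user@example.com",
    "password": "correct horse battery staple",
    "notes": "otpauth://totp/Exchange:user%40example.com?secret="
             + RFC6238_SEED_B32 + "&issuer=Exchange",
}


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(seed, counter as 8-byte big-endian), dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). SHA-1, 30 s, 6 digits is what
    most exchanges and authenticator apps use."""
    return hotp(seed, unix_time // step, digits)


def seed_from_otpauth(uri: str) -> bytes:
    """Recover the raw seed from an otpauth:// URI as pasted into a vault's notes field.
    Authenticator QR codes usually strip base32 padding, so it is restored here."""
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0].strip().upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def server_verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Assumed exchange-side check: accept the current code or one step either side of it.
    Constant-time comparison so the check itself does not leak digit matches."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, counter + d), code)
        for d in range(-window, window + 1)
    )


def attacker_login(entry: dict, unix_time: int) -> dict:
    """What someone holding a decrypted vault entry can do: read the password AND mint a
    valid second factor for the current time step. The server cannot tell this from the
    legitimate user, and if the request goes out from the victim's machine, it carries
    the victim's usual IP as well."""
    seed = seed_from_otpauth(entry["notes"])
    code = totp(seed, unix_time)
    return {
        "username": entry["username"],
        "password": entry["password"],
        "otp": code,
        "accepted": server_verify(seed, code, unix_time),
    }


if __name__ == "__main__":
    # RFC 6238 vectors (8-digit values 94287082 and 89005924 truncated to 6 digits).
    seed = base64.b32decode(RFC6238_SEED_B32)
    print(totp(seed, 59), totp(seed, 1234567890))          # 287082 005924
    print(attacker_login(VAULT_ENTRY, 1234567890))
```

The takeaway in code form: `attacker_login` needs nothing but the vault contents and the clock. Keeping the seed on a separate device (a hardware token or a phone authenticator that never touches the laptop) is what makes the second factor actually second; a vault entry that holds the otpauth URI is a single point of compromise, exactly as the post concludes.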