Account Hacked then All Coins transferred to another Cryptopia Account!


AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#0

Hello,

All my coins have been sold then transferred to another Cryptopia account named "jhw86525"

My 2FA was activated for LOGIN + WITHDRAWAL.

Any one can help to find who own this account "jhw86525", since official documents should have been communicated to signup an Cryptopia account?

Now, I have loose all my investment and 4 month of hard working - Until now no help from Cryptopia support.

Thanks.



Posted: 9/20/2017 2:26:12 AM
shyamv
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 1
#1

Same thing happened to me. So ridiculous. How does this even happen lol. Mine was sent to user mingsandwordre197. We need justice!!!



Posted: 9/20/2017 9:39:44 PM
AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#2

Yes, we are not the only ones.... then no action from Cryptopia~!!!! I start to have huge doubt about Cryptopia reliability to secure our accounts...



Posted: 9/25/2017 12:03:11 PM Edited: 9/25/2017 12:04:13 PM
Mriennn
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 3
#3

My the same all gone



Posted: 9/25/2017 3:31:33 PM
stevemac32
Gender: Unknown
Country: Unknown
Threads: 2, Posts: 14
#4

Guys this is clearly not acceptable.

I strongly suggest you log a complaint to the FMA; https://fma.govt.nz/contact/make-a-complaint/ 

I have done this, purely because Cryptopia wont help me, and the FMA have emailed back saying they are considering looking into my case.

 



Posted: 9/27/2017 6:19:06 PM Edited: 9/27/2017 6:20:20 PM
stephenivan
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 1
#5

my account is totally BLANK... NOTHING THERE

thankfully NOT too much invested there...BUT how does this happen on on exchange to so many users?

Is there anything

to be done???



Posted: 9/28/2017 1:53:26 AM
AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#6

Guys this is clearly not acceptable.

I strongly suggest you log a complaint to the FMA; https://fma.govt.nz/contact/make-a-complaint/ 

I have done this, purely because Cryptopia wont help me, and the FMA have emailed back saying they are considering looking into my case.

stevemac32: 9/27/2017 6:19:06 PM

 Thanks for the link, I will do it since no help at all from Cryptopia. I have informed them just a hour (or less) after hacking so it was maybe not too late to act from their side in order to block (or to investigate) the cryptopia account from the hacker! They did a week to answer me with very basic words. :-(



Posted: 9/28/2017 8:52:31 PM
AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#7

I have 2FA activated for LOGIN + SETTING + LOCKOUT + WITHDRAW + TRANSFER + TIP

I have just tested to change a setting in my profile..... what's surprise!!! I just saved and that's it. No message to request 2FA Authenticator !!!

Doe it mean there is failed in Cryptopia 2FA?

 



Posted: 9/28/2017 9:25:36 PM
monjere
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 15
#8

I have 2FA activated for LOGIN + SETTING + LOCKOUT + WITHDRAW + TRANSFER + TIP

I have just tested to change a setting in my profile..... what's surprise!!! I just saved and that's it. No message to request 2FA Authenticator !!!

Doe it mean there is failed in Cryptopia 2FA?

 

AlainBKK: 9/28/2017 9:25:36 PM

 

I am pretty sure that applies to SECURITY SETTINGS. Cant change much in the actual SETTINGS area that will get to your coins.

 LOGIN + SETTING + WITHDRAW + TRANSFER  are the important ones.

From what ive heard many people are only using 2FA on Login and Withdraw which leaves open a window to Transfer the coins somewhere before withdrawing them.

 

I think Cryptopia security is pretty good personally...

 

regards

 

monjere



Posted: 9/28/2017 11:44:21 PM
AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#9

I have 2FA activated for LOGIN + SETTING + LOCKOUT + WITHDRAW + TRANSFER + TIP

I have just tested to change a setting in my profile..... what's surprise!!! I just saved and that's it. No message to request 2FA Authenticator !!!

Doe it mean there is failed in Cryptopia 2FA?

 

AlainBKK: 9/28/2017 9:25:36 PM

 

I am pretty sure that applies to SECURITY SETTINGS. Cant change much in the actual SETTINGS area that will get to your coins.

 LOGIN + SETTING + WITHDRAW + TRANSFER  are the important ones.

From what ive heard many people are only using 2FA on Login and Withdraw which leaves open a window to Transfer the coins somewhere before withdrawing them.

 

I think Cryptopia security is pretty good personally...

 

regards

 

monjere

monjere: 9/28/2017 11:44:21 PM

 

"Settings TwoFactor" is very important since you can removed 2FA, then changed "Withdraw Settings' as well as "Withdraw Address Book".

Cryptopia also doesn't not offering any "Whitelist IP" to protect login. That is a huge lack of securiity and another open door to hackers!




Posted: 10/3/2017 12:02:35 AM
stevemac32
Gender: Unknown
Country: Unknown
Threads: 2, Posts: 14
#10

Guys this is clearly not acceptable.

I strongly suggest you log a complaint to the FMA; https://fma.govt.nz/contact/make-a-complaint/ 

I have done this, purely because Cryptopia wont help me, and the FMA have emailed back saying they are considering looking into my case.

 

stevemac32: 9/27/2017 6:19:06 PM

FMA came back to me and said they do not regulate Cryptopia so as it stands they cannot take action. 

However they did note that due to a number of complaints they have refered it to law enforcement for investigation.  Not sure if this is a fob off, i hope not.  

Wouldnt surprise me if this whole thing folded soon and they dissapeared off into the sunset with everyones money...



Posted: 10/6/2017 9:48:32 AM
bobthebomb
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 10
#11

@stevemac32 - your actual complaint appears to be due to sending some of your tokens to the wrong address, we don't even list the coin that you sent. Retrieving these can be extremely time-consuming and expensive for us to do, we have a policy around retrieval of these when it is your mistake, and the value that it is worth retrieving, which I'm assuming was sent to you, if not please feel free to PM me. To report us to the FMA for your mistake does not help the industry at all and frankly I'm not impressed. We do not have your coins, and to retrieve them will cost us more than they are worth.

We are a NZ registered company, one of the few exchanges in the business that actually freely says who we are and where we are, we are not going to take off with user funds ever. Our founders set up the company specifically to be an exchange that is above board and does things the right way, after one of the ones they used disappeared. They have worked extremely hard to get where we are and looking after customer funds is an absolute priority.



Posted: 10/7/2017 9:20:36 AM
bobthebomb
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 10
#12

There was a significant increase in suspicious login attempts on Cryptopia around the time this happened to you. As the vast majority of these attempts fail this indicates our account level security measures have not been breached. The systems we have in place to protect user accounts do not allow for passwords to be accessed, shown, retrieved or otherwise displayed in any form which includes internal sources. Nobody can ever retrieve your password from our system, even if we went and gave them the database, this includes Cryptopia staff members.

In almost every case of login attempts we are seeing the corresponding email address showing up on reported data leaks, and/or is being used for other internet services. You can check your email address which is registered with us at sites such as: https://hacked-emails.com/ and https://haveibeenpwned.com/. This can give you an indication to the level of exposure your address has to unwanted attention. The best practice for Cryptopia users is to have an address used exclusively for Cryptopia to reduce potential exposures, and use 2FA.

Note I have checked the users posting on this forum thread, and all of you appear to have had your details compromised on other sites.  There are typically two main ways that nefarious users can gain access to your accounts (there other others but these are the most likely):
1) Another site where you used the same login credentials (email/pwd) has been compromised (some of these can appear in the sites above)
2) You have fallen victim to a phishing attempt. This may seem unlikely, however recently a number of very clever attempts started. This covered a lot of the main Crypto exchanges where someone has fully replicated the main site and login section, and put Google and Bing ads in so their site becomes at the top of any search.  When these are active, if you just type "cryptopia" or "bittrex" into the address bar, then click on the top link, you will come to the login page that looks exactly the same as you are used to but is NOT us. You should never use a link to login to Cryptopia or other sites, always bookmark the correct page and use this, and check the green bar for the proper SSL certificate (Cryptopia is possibly the only in the industry with a fully address verified SSL certificate and full green bar). We get these shut down as soon as we know they exist, by reporting them to Google, Bing, the domain registrars, and the website hosts, but unfortunately none of them act particularly quickly and it usually takes 24-48 hours for any action removing them.

Example of phishing site with google ad:

Phishing example

Please ensure you follow basic personal security policies by having Two-factor authentication (2FA) turned on for login at the very least, and do not re-use the same password you use on any other site. Cryptopia has a large number of 2FA options available including the industry's first and currently only bank-level personalized hardware device. Ensure you use only trusted devices and networks and keep your devices clean. It is also very important to ensure your browser is not saving logon information and you LOGOUT at the end of your activities. Be vigilant with any emails / messages received, bookmark the correct site and use this to navigate to us and check the site certificate.  Please also note that a quicker response to your support tickets would not have helped, as soon as an attacker breaches your account, the funds are transferred out and withdrawn within minutes.

Due to all of this we have recently forced email 2FA on all our users that didn't have any 2FA set up. I notice one of the posters on this thread has actually gone to the extent of removing this and still has no 2FA set on their account. You can not hold Cryptopia responsible for your account security when the fault lies with your own poor security and password practises. That said, we fully sympathise with users that have lost funds due to these attacks, and we are doing all we can to prevent any further attacks and follow these up, including reporting the thefts to the police ourselves.



Posted: 10/7/2017 9:25:39 AM Edited: 10/7/2017 10:09:02 AM
campeck
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 1
#13

mingsandwordre197 also stole from me. 8/30/2017



Posted: 10/8/2017 7:23:14 PM
morridal
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 1
#14

BobTheBomb, I take it you work for Cryptopia, thank you for your explanation. It was extremely reassuring. May I suggest that Cryptopia Customer Service respond in a more prompt manner when issues such as those previously posted appear? The first post was on 9/20 and the last post on 10/06 before you offered your explanation on 10/07. Reassuring customers of your site will go a long way in goodwill. I have just registered with your site today, and after reading the posts and seeing that there was no response from Customer Service, I was just about to close my account. But then I read your informative explanation. Sincerely, Morridal

 



Posted: 10/9/2017 10:07:34 AM
stevemac32
Gender: Unknown
Country: Unknown
Threads: 2, Posts: 14
#15

@stevemac32 - your actual complaint appears to be due to sending some of your tokens to the wrong address, we don't even list the coin that you sent. Retrieving these can be extremely time-consuming and expensive for us to do, we have a policy around retrieval of these when it is your mistake, and the value that it is worth retrieving, which I'm assuming was sent to you, if not please feel free to PM me. To report us to the FMA for your mistake does not help the industry at all and frankly I'm not impressed. We do not have your coins, and to retrieve them will cost us more than they are worth.

We are a NZ registered company, one of the few exchanges in the business that actually freely says who we are and where we are, we are not going to take off with user funds ever. Our founders set up the company specifically to be an exchange that is above board and does things the right way, after one of the ones they used disappeared. They have worked extremely hard to get where we are and looking after customer funds is an absolute priority.

bobthebomb: 10/7/2017 9:20:36 AM

 

I am sorry you are not impressed Bob but I am not impressed with your teams persistant lies. You should just be honest and say 'its your mistake, Cryptopia have no intention of helping you, go away'- that is better than lying. Lying makes people angry and is not good for the industry.

Lets do some anaylsis - "...we dont even list the coin you sent. Retrieving these can be extremely time-consuming and expensive for us to do..." - All of your erc20 wallets exist on the Ethereum blockchain. You hold the private keys.  As you hold the private key you could log in via MEW using the private key and send the tokens back to the address I sent it from.  This could be done in under 60 seconds with only the persons time as cost.  I even offered to send the $3 gas to the address. It is irrelevant that you do not list the token. 

This is what I sent to you guys on 24/9/17 and you just ignored me, hence me reporting you to the FMA;

Thank you for your reply. I would certainly not expect you to add another coin just for my 500 BMC, that would be disspraportionate.  

The way you can send my BMC tokens back to me is as follows;

  1. Obtain the private key for my CTR wallet which you hold. 
  2. Enter it into Myetherwallet.
  3. Use the TransactionID i sent in my support request to find my ETH/MEW address I sent it from.
  4. Add gas and hit send.

This can be done as the coin is erc20 and your wallets run on the ethereum blockchain (I know this because this is why I and everyone else can see it on Ethplorer). 

https://ethplorer.io/address/0x037a7a8982d3d0445bc6a3cbfe50f33139ea9cc2 

A lot of us use MEW, we know how to do this and have done it multiple times.  There is zero chance that you guys dont know this also as your exchange runs on this freeware. Lying is not doing things the right way, period. 



Posted: 10/9/2017 11:18:35 AM Edited: 10/9/2017 1:14:52 PM
bobthebomb
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 10
#16

BobTheBomb, I take it you work for Cryptopia, thank you for your explanation. It was extremely reassuring. May I suggest that Cryptopia Customer Service respond in a more prompt manner when issues such as those previously posted appear? The first post was on 9/20 and the last post on 10/06 before you offered your explanation on 10/07. Reassuring customers of your site will go a long way in goodwill. I have just registered with your site today, and after reading the posts and seeing that there was no response from Customer Service, I was just about to close my account. But then I read your informative explanation. Sincerely, Morridal

 

morridal: 10/9/2017 10:07:34 AM

 

Hi morridal, thanks for your message. Please note that the forums are NOT considered customer support area. They are public and for people to talk about things related to Crypto. We have customer support tickets and systems in place for customer support that any user can find at the bottom of our pages under the heading "Support". Random forum messages/posts are not closely monitored by staff hence the delay replying to this thread.



Posted: 10/11/2017 4:04:13 AM
bobthebomb
Gender: Unknown
Country: Unknown
Threads: 0, Posts: 10
#17

@stevemac32 - your actual complaint appears to be due to sending some of your tokens to the wrong address, we don't even list the coin that you sent. Retrieving these can be extremely time-consuming and expensive for us to do, we have a policy around retrieval of these when it is your mistake, and the value that it is worth retrieving, which I'm assuming was sent to you, if not please feel free to PM me. To report us to the FMA for your mistake does not help the industry at all and frankly I'm not impressed. We do not have your coins, and to retrieve them will cost us more than they are worth.

We are a NZ registered company, one of the few exchanges in the business that actually freely says who we are and where we are, we are not going to take off with user funds ever. Our founders set up the company specifically to be an exchange that is above board and does things the right way, after one of the ones they used disappeared. They have worked extremely hard to get where we are and looking after customer funds is an absolute priority.

bobthebomb: 10/7/2017 9:20:36 AM

 

I am sorry you are not impressed Bob but I am not impressed with your teams persistant lies. You should just be honest and say 'its your mistake, Cryptopia have no intention of helping you, go away'- that is better than lying. Lying makes people angry and is not good for the industry.

Lets do some anaylsis - "...we dont even list the coin you sent. Retrieving these can be extremely time-consuming and expensive for us to do..." - All of your erc20 wallets exist on the Ethereum blockchain. You hold the private keys.  As you hold the private key you could log in via MEW using the private key and send the tokens back to the address I sent it from.  This could be done in under 60 seconds with only the persons time as cost.  I even offered to send the $3 gas to the address. It is irrelevant that you do not list the token. 

This is what I sent to you guys on 24/9/17 and you just ignored me, hence me reporting you to the FMA;

Thank you for your reply. I would certainly not expect you to add another coin just for my 500 BMC, that would be disspraportionate.  

The way you can send my BMC tokens back to me is as follows;

  1. Obtain the private key for my CTR wallet which you hold. 
  2. Enter it into Myetherwallet.
  3. Use the TransactionID i sent in my support request to find my ETH/MEW address I sent it from.
  4. Add gas and hit send.

This can be done as the coin is erc20 and your wallets run on the ethereum blockchain (I know this because this is why I and everyone else can see it on Ethplorer). 

https://ethplorer.io/address/0x037a7a8982d3d0445bc6a3cbfe50f33139ea9cc2 

A lot of us use MEW, we know how to do this and have done it multiple times.  There is zero chance that you guys dont know this also as your exchange runs on this freeware. Lying is not doing things the right way, period. 

stevemac32: 10/9/2017 11:18:35 AM

 

@stevemac32, nobody is lying to you.

Cryptopia and other exchanges run and maintain nodes on blockchains.  We do NOT interface with these nodes by using freeware (like Myetherwallet) but by using proprietary software.  This is because exchanges require enterprise level software due to the security concerns of holding customer funds and also our need to automate the wallet functionality that makes an exchange work.

Due to these security and enterprise level restrictions, retrieving tokens and private keys is not anything like the process of doing so for a wallet that an individual would use such as MEW.

You will note that other exchanges have much the same issues and policies. For example Bittrex recovery attempt limit is minimum value $5000, and they will also not recover funds for any coins that they do not list regardless of value.  This will be for exactly the same reasons I have just outlined. Ref: https://support.bittrex.com/hc/en-us/articles/115000961172-Bittrex-s-Crosschain-Recovery-Policy



Posted: 10/11/2017 4:11:12 AM Edited: 10/11/2017 6:49:19 AM
AlainBKK
Gender: Unknown
Country: Unknown
Threads: 1, Posts: 9
#18

One of the main problems is Cryptopia accepting new registration without any verified documents, so that's very easy for hackers to enter in the platform. If they can hacked an account, so no need to withdraw coins but just transferring easely to their own account. Even, we are understand our accounts are hacked and informing immediatly Cryptopia support, no action they hacker can follow-up their job without any problem!!! We know well some of those accounts, "jhw86525", "mingsandwordre197", etc and their IP addresses but again no action from Cryptopia. Now, more and more traders are hacking in Cryptopia and they know there are many doors open to steal coins and especially as no action from admin/devs.

By the way, we know now that 2FA is not saved 100%, so stop blaming people hacked with their 2FA not actvated - Yes pishing/malware is probably the main way of hacking trader computers, but the platform must also protecting their trader account and be more reactive when someone contact support on time to take action... not aotomatic reply, then waiting several days to finaly getting a feedback without any interest.



Posted: 10/19/2017 7:54:14 AM Edited: 10/19/2017 7:56:01 AM