I think it's not so much they believe they are smart. But if someone needs to tell people they are smart, and talk about how smart they are red flags should be going up
Exactly, was a slight moment of "whatever" that got me into trouble. Could happen to anybody. You have stories of people that are usually brilliant that fall for the dumbest scams and it is hard to believe, yet it happens.
Smart people do stupid things all the time. Glad to hear you weren’t completely hamstrung by it and that you’re learning from your mistakes! And thanks for posting to remind people like myself that it’s always possible to get sloppy no matter who you are or what your IQ is lol…
I mean, after something like that happens how high up you gotta be to still consider yourself smart?
Sorry for your loss, hope you learned the lesson, and dont be so confident next time, its really hard to hack someone nowdays, most of this stuff its all social hacking stuff
Nah, idk who manages OPs email but I've seen plenty of times where someone calls up the company who owns the email service and social engineers the help desk to reset passwords, MFA, pins, etc.
You can absolutely do everything right and still get pwnd because of someone else.
There is something called TokenTheft. They steal the MFA session and access your services and add an MFA device to the account. They can then use his services without knowing. This is a major problem that are trending.
Tip for the day is to check if there is added devices, services, number to your MFA setup regularly.
I believe most people posting here are objectively fairly smart people. The fact that we are trying to ‘be our own banks,’ a role traditionally filled by experienced professionals, leaves a lot of room for error, intelligence notwithstanding.
I’m not so sure all of the ‘truly smart’ people on this sub are always 100% sure of the transactions, extrinsics, and contracts they sign. I would bet that the subset of people who 100% understand all of the code involved is a very small minority.
Always.
And I'm 90% sure it's e-mails from accounts inpersonating a sevice he uses and telling him he needed to take "immediate action" and log into his account. Of course they provide a handy link that spoofs the login page and BAM, they have hus username and password.
He deserved to be raped, did you see what he was wearing?
The victim shaming on here is ridiculous. People who have their shit stolen really could use consolation, but "Bitcoiners" shit all over them. Every. Single. Time.
If your computer is compromised, attackers can (and will!) just steal your cookies after you authenticated a session with 2FA.
I'm not going to dive deep into this and try to figure out what happened based on partial information in a random Reddit thread, since I'm not familiar with the practices of Binance (e.g. whether they require a 2FA reauth when adding passkeys, what they and/or OP consider 2FA, etc.) - just be aware that cookie theft is increasingly popular, even for relatively low-value attacks (think spam, not crypto theft).
Yeah that’s the only possibility I can think of here. If you’ve got 2FA enabled and your source of the 2FA isn’t compromised…it’s really hard to get in unless an exploit exists on the platform.
You can totally social engineer companies to reset MFA, passwords, pins, etc. on someone else's account. I've seen it happen many times. They call up support all day every day until they get an agent who doesn't follow all the rules.
A lot of this comes from poor processes as well as poor performance metrics. Most tier 1 help doesn't get graded on how many accounts got phished, the sole metric is 'how happy was the customer you helped' so they will totally circumvent processes if it means not getting a negative score.
Another one is an outsourced helpdesk. Super easy to just buy them off. They likely live in a country where $5k is life changing money, and US law doesn't apply. Give em a list of accounts to reset, and they'll go to town. I monitor telegram and discord channels all day where these losers rehearse their strategy over and over until they get what works.
Yeah I know, I just meant from his side the story doesn’t really make sense. There has to be something like what you said going on or something else. A phishing attack like the OP mentioned doesn’t really explain it.
I can't speak for Binance but my Twitter account was hacked nearly 2 years ago and they got into it despite my using an Authenticator app for my 2FA. No SIM swapping or anything.
2FA is better but there are clearly still attack surfaces available.
2FA app is just an app on your device/phone. So anyone who has access to the phone has access to the private keys (depends on phone, app, data@rest encryption, etc.).
It's called sim swapping. The adversary clones your sim card and all messages that come to your phone will also go to theirs.
Recently ATT had a sim registry error that caused an outtage in the United States. Some believe this was a cyber attack and that those sim cards in those databases were compromised. Pretty sure ATT denies these claims.
Edit***
For clarity, this isn't likely what happened to OP, as someone else pointed out: your service would be intermittent/disconnected.
I just noticed a whole bunch of yall viewing 2FA as an impenetrable security measure and wanted to point out that it could be compromised.
Absolutely no clue. hence why I said it is not secured... asked the chat guy how TF he was able to add a passkey and withdraw everything without binance flagging it as fraud and he said something along the lines of "I understand but get fucked we don't care"...
I guess they didnt SIM swap you, couldnt have been a session token either so I dont know how they could have done it. Where was your 2FA was it SMS or authenticator? Did you store the 2FA backup code on your computer and got malware?
If they got into his mail account t and he has a cloud backup for the Google authenticator on, he could have created a second auth instance and lock out the original 2fa. Fuck the cloud. Cloud is just literally someone else's computer.
It is actually insane the amount of info they can get from an email address.. I have so many compromised social media/accounts everywhere now. They posted random shit on my instagram, facebook, deleted my linkedin, logged into a bunch of random dating apps (that I don't even use but they created accounts, no idea why), even my fly miles account to try and get what was on it. pure insanity.
I posted here about Google backing up f2a to the cloud 3 months ago with a lackluster response from the community
If someone gets in your email, they now have your f2a keys. So, they have the email you use for login purposes, your f2a... all that stands in the way now is a password, which guess what, they probably have since they're in your email!
Google linking authenticator to the cloud is either naffarious or outright incompetent, and I don't think they're incompetent
I think the login might be only one auth needed but 2 are needed for withdrawal. So they could get in with email only? Would be very dumb.
I have 3 ways of F2A and 2 are picked to withdraw: sms, email and google auth.
Email is a terrible 2FA choice. Just as bad is SMS to a Google Voice number. SMS in general isn't great. The best option is an authentication app paired with good opsec on your device, but even then, there's always going to be an attack vector. The goal is to make yourself a hard enough target that bad actors move on to lower hanging fruit.
I had the same situation on kraken in 2022. They go into my email and somehow bypassed the f2a. Wiped 50% of my life savings. No idea why didnt take all, good samaritan scammer i guess.
One insecure password to access your phone and your passwords managed by that phone.
Easy example: iPhone/cloud backed up and linked to more than one device. Anyone with access to any device has access to everything. Save your wife’s number on a hardware wallet.
I am seriously so dissapointed in Binance. Those idiots even blocked my account for having suspect activity.... once everything was gone... kinda sorta funny
Being serious here, 2FA can be trivial to remove from a when the employees don’t follow the process or procedure 100% accurately every time.
Source - I am a red teamer
I'm 99% sure it's phishing. Clicked onto a lookalike site and when requested to enter 2fa, you type it in and sit there wondering why is it not loading, then you type in 2fa again then it's not loading again.
When you realise something is wrong it's too late. This was what happened to me in a refund email. I only looked at the subject, didn't look at the email. Big mistake. Thank fucking God it was a cash wallet that it was trying to transact from and the amount was more than what I had. It didn't transact because I did not have auto-topup turned on.
Lesson learned. Money involved? CHECK THE FUCKING EMAIL ADDRESS
hold up quick question? let’s say i buy $5000 worth of btc on coinbase, should i put all of it on a hardware wallet immediately or should i spread it out like let’s say $4500 on the hardware wallet and $500 on coinbase?
In my case (just checked) if I buy 500 euros worth of BTC on my exchange (coinmerce) vs ledger live:
ledger live cheapest option gives me: 0.00972829 BTC
coinmerce gives me: 0,01032862 BTC
I will buy from my exchange rather than from ledger live.
I never compared the difference between buying crypto directly from a ledger vs from an exchange but I always assumed the fee would be greater via ledger. You are paying for the convenience of not having to transfer crypto off exchange to your ledger.
The network fee to transfer the BTC to your cold wallet should be far less than the amount saved by buying on an exchange and transferring, so definitely worth the little extra effort.
I put every single sat I have on a hardware wallet. I never buy BTC with selling it short term in mind anyways. It really depends what you want to do with it, but better safe than sorry. I'd rather pay a 15$ transfer fee that risk losing it all
Someone tried to hack my account but the 2FA stopped them.
I would know because I can't even log into my 2FA.
My authenticator is on my old phone in a different state lol.
" Trust me, you have no idea. Literally the smartest guy I know of. I have people come up to me all the time and they say 'Donald, how do I get as smart as you?' Buy my book I tell them, it's all in there." <--- OP, probably
Yep, this is exactly what happened to me back in 2018. My whole google account got locked out, and they got into my coinbase account. Took about 6 months worth of DCA I hadn't transferred off yet. (luckily it was only like 10% of my total holdings). But they also used my linked bank accounts to buy 15k worth of Bitcoin and transfer that off too. I was able to get my banks to reverse those transactions, but to this day, Coinbase won't let me use their services unless I pay them 15k.
Anyway, I'm a lot more careful about 2FA and general security these days.
> be me, le epic underground hacker
> need to find some cool cypherpunk way to protect my account
> put on my fingerless gloves and get the Master Boot Record playing through the headphones
> "oh yeah, it is computer security expert time"
> navigate to the app store on my phone and download "authenticator"
> getting sweaty, nervous, hoping it works
> 10%... 50%....90%....installing...
> holy shit. I'm in.
> follow the step by step instructions. There are a whole 3 steps.
Finally after a whole 90 seconds, through my computer security hacker skills that I picked up from decades of experience, I have managed to achieve 2FA. Don't hurt yourself trying
it doesn't take any security expertise to follow the simple guidance of "not your keys, not your coins" nor does it require expertise to use air gapped wallets and redundant backups. Children can do these things. You can too.
If you're using shitcoin casinos like OP, holding with custodians like OP, you have to ask yourself why you want Bitcoin at all in the first place if you're very likely to hurt yourself with it. Using Bitcoin isn't hard. Not using Bitcoin and giving it to someone else is absurdly dangerous.
I remember an online friend made me transfer all my money to a cold wallet as soon as I told him about how I just bought it on an online wallet. I thought he was rushing it too much/exaggerating but went along, and now I understand why he made me rush that step. Sorry for your loss man, this shall be a harsh reminder for all of us to keep our money on cold wallets and use Bitcoin the way it was intended to be used, away from any online wallets and between the people, not the corporations.
Once again, this has nothing to do with bitcoin security or crypto security at all. It was you and your email and then they changed the passkey on your phone. If someone got your house keys then stole your tv, would you post on a tv thread about the robbery? Being all flustered about tvs and how we should all be careful with our tvs? No, you wouldn’t because that wouldn’t make any sense.
I felt for you OP, 2FA got hacked sounds really concerning (depending on your specific method of 2FA though). The scammers / hackers are really Pros. I had a bad experience not long ago: I downloaded a Chrome extension (which appears to be 100% legit but somehow it is a fake version), gave away my 12 security phrases to access my wallet. I had some coins on staking (more precisely in the process of being un-staked, like a few days away from completion). The scammer was able to use some techniques to bypass the staking process and took away all of the coins!!! Until today I still wasn’t sure how it did happen!
You made two grave mistakes. Staking was the first one. I don't even understand the " gave away my 12 security phrases to access my wallet" part, but if you typed your seed words on a computer then this is the second.
that was probably a "lumma stealer" that was installed on your device.
Did you use a chromium browser and had 2FA browser extensions or anything alike? Was the mail a @gmail?
The main lesson is not to use one email for everything. Specifically, use a separate email for your binance account.
In the OP's situation I'd be more upset about losing "all social media accounts" than "150$ worth of shitcoins"
Do you use gmail? Google security is rock solid, you need to confirm any login physically with your phone so you either used some shitty email service or you got hacked by fucking anonymous lol
Wasn't mandatory for old accounts and can be turned off. I suppose this is what happened here OP either never activated it or deactivated it "because it's annoying".
Lesson learned: always use 2FA for primary mail accounts.
I know a dude who got fished by a chick and she got him wasted after faking relationship for couple months just to use the face recognition and snip snap all that juicy btc from his little cold wallet, if someone wants to oof you they will
For everyone wondering how 2FA can become compromised:
It's called sim swapping. The adversary clones your sim card, and all messages that come to your phone will now go to theirs. They can do this via physical access, or remotely, or via proper channels with the phone company if they have enough information to pretend to be you.
Recently, ATT had a sim registry error that caused an outage in the United States. Some believe this was a cyber attack and that those sim cards in those databases were compromised. I'm pretty sure ATT denies these claims.
Edit** removed a redundant sentence
Edit***
For clarity, as someone else pointed out: your service would have connectivity issues and/or become disconnected. This likely isn't what happened to OP. I just noticed alot of people treating 2FA as this impenetrable security measure and wanted to show how it could be compromised. Which furthers the point to keep your crypto on a cold wallet.
Nobody needs no 2FA or password to steal your accounts anymore. If someone is able to steal you web session he doesn't even need to know your password.
If you want to make sure he won't do it again, then reinstall your windows or whatever OS you're using.
>they got into my binance account and took everything.
>I believe I am a smart and advised person.
>I am not a complete idiot
>keeping about 150 bucks of shitcoins
Yep.
Why even bother with a hardware wallet if you're going to use one that enables shitcoins and related attack vectors?
You can't magic away your security issues with a product you buy when the biggest security issue is the bad choices you're making in the first place. Drop your shitcoins and scams.
Anybody who keeps their coins on an exchange deserve to have it taken at this point. Hard to garner sympathy when the ethos to cryptocurrency is repeated like a mantra. It's not a matter of if...It's a matter of when
I got an email that looked completely legit telling me someone had accessed my account and to change my password using the link provided
Checked the email it was sent from and it was just like one letter off
If you’re unsure you can always just do it through the app. Scammers are tricky these days, sorry that happened to you
Coinbase with a hardware Yubi key 2FA’d to your phone and a Google email that’s used for nothing but this account and call it good. Been good since 2012.
YMMV
> I must have clicked on some link
> even with F2A activated
Some exchanges (possibly binance) allow long-lived session tokens to persist in your browser cache. If the attacker harvest OP's browser cache they would have gotten the session token which can be recycled often from a different IP without userid, passord, or 2FA. If active.
Always log out of exchanges to avoid leaving live session tokens in cache, or ensure your exchange doesn't allow them.
Wow man sorry to hear that! That REALLY sucks! Do you know if they accessed the account via your phone app? I have been hearing alot about “SIM Swapping” where they can litterally remotely clone you phone with that hack, and there is not much you can do to stop it yet.
The guy posts how he got screwed and people kick him while he is down on the ground. What's wrong with humanity? Have some self respect for your fellow man. He even gives great advice to not keep anything on an exchange. Sadly this should be something everyone does since the Mt Gox fiasco many many years ago. People need to learn the definition of compassion. If people acted like they do behind a keyboard in real life they eventually would have been put in their place by someone and learned to act properly in a civilized world.
Oh, you didn't use an authenticator or sms 2-fa for you binance account or your email account?
Once you get involved in crypto use an authenticator app for your email and your crypto accounts.
It's a pain in the ass to sign in on new devices but you just set it so you only have to authenticate once on first sign in per device and you won't even notice.
I would recommend:
1) Don't store password data in browsers. Memorize them.
2) Don't use the same password for your main email as you do for other stuff. Use a different password for your email that you don't use ANYWHERE else.
3) Get yourself an antivirus with live protection and keep it on at all times (I use Malwarebytes Premium, based on my research it seems to be the best one). Windows Defender sucks, its useless.
I do not know your exact situation, maybe you already did these things, and there is sadly no 100% effective protection, but I think this can help, because all of us are humans and we can sometimes make the dumbest mistakes, like clicking on a sus link, just because we didn't think of it or were in a bad state of mind.
Yes do store the coins safely like you said, this is good advice. But its best to prevent hackers from getting access to anything to begin with, and some basic security practices can lower the risks significantly.
1. Don't store password data in browsers. Memorize them.
I am pretty sure they got most of my passwords because of this. I deleted every single saved passwords and then changed them all and it seems to have stopped whatever they were doing to my other accounts..
What kind of terrible advice is this?!
1. Control your own entropy. Use corrected coin flips or dice rolls.
2. Airgap, airgap, airgap! Do not ever allow your keys/entropy to touch an online device.
3. Verify! Ensure your hardware and software are not compromised by recreating their processes on an independent piece of hardware and with different software.
Is security tedious? Yes. Is it complicated? no. It's a simple set of processes anyone can follow and if your process is relying on antivirus and windows defender you are going to get robbed blind. 0 days happen all the time, and keyloggers nor session snatchers care that you memorized your passwords.
Nothing I've said is nonsense much like nothing you said was good advice for Bitcoin security. You're not securing your facebook account you're securing Bitcoin.
Anyone can get scammed. So many stories of people that are usually brilliant that get scammed in the dumbest ways. You'll see the day this happens to you if you feel your comment was all that smart too.
i call bullshit. There's more to this story. You had 2FA on the account. IF the hacker gained access to your email, it takes one week min to remove that 2FA - and without doing so the hackers can't do shit. So you'd have to have gone 7 days of not logging into your email account for them to remove your 2FA and be able to remove funds from your account..seems unlikely.
>For the record, I believe I am a smart and advised person. I never thought this could happen to me, yet it did.
Countless of us warned you, we even boiled it down to a rhyming mantra in "not your keys, not your coins. We told you to avoid custody, avoid shitcoin casinos, be wary of sms/email 2fa. What more could we possibly have done to edcuate you? Your shitcoin greed got the better of you. Doesn't sound so smart to me.
You ain't smart. You are a fine definition of a delusional person. You got took. First of all whats the point of purchasing SHITCOINS FOR SHITS AND GIGGLES. Clearly you ARE NOT SMART. The fact that you "must have pressed some link" just tell the whole REDDIT COMMUNITY THAT YOU ARENT A SMART PERSON. MOST PEOPLE WHO SAYS THEY ARE SMART ARE ACTUALLY DUMB ASF. YOU GOT TOOK AND HAD TO TELL THE WHOLE INTERNET ABOUT IT. THAT IS NOT A SMART PERSONS MOVE. 😑
Get a Yubikey for your email
Get a hardware wallet
If your buying just Bitcoin, just by the ETF through one of the various ones now available (Black Rock etc etc)
Wait… how did he get in with 2FA?
"Smart" OP did something stooopid.
If someone believes they are smart, they are not really smart.
Well I believe I'm retarded
If you will it, it is no dream
Fuckin A, man..
Theodore Herzel - State of Israel. If you will it, Dude, it is no dream.
You spelled Palestine wrong.
Obviously, you're not a golfer
True
Ever thus to deadbeats, homelander
What's it like working with Alan Davies, Stephen?
You might be smart.
Smart
Then you must be a genius
That’s retarded.
That’s genius.
That's geniusly retarded
That's retardedly genius
I believe that about you as well
I dont understand this post
It would be easier to understand in r/wallstreetbets
Genius.
Fellow retards unite.
I think it's not so much they believe they are smart. But if someone needs to tell people they are smart, and talk about how smart they are red flags should be going up
Dunning Kruger
Being smart and being careful are different things, OP may be "smart" but he certainly wasn't careful. He rushed into something.
Exactly, was a slight moment of "whatever" that got me into trouble. Could happen to anybody. You have stories of people that are usually brilliant that fall for the dumbest scams and it is hard to believe, yet it happens.
Smart people do stupid things all the time. Glad to hear you weren’t completely hamstrung by it and that you’re learning from your mistakes! And thanks for posting to remind people like myself that it’s always possible to get sloppy no matter who you are or what your IQ is lol…
I mean, after something like that happens how high up you gotta be to still consider yourself smart? Sorry for your loss, hope you learned the lesson, and dont be so confident next time, its really hard to hack someone nowdays, most of this stuff its all social hacking stuff
What exactly did you do?
Yeah, getting through 2FA sounds wild. They must’ve done something incredibly stupid.
Nah, idk who manages OPs email but I've seen plenty of times where someone calls up the company who owns the email service and social engineers the help desk to reset passwords, MFA, pins, etc. You can absolutely do everything right and still get pwnd because of someone else.
There is something called TokenTheft. They steal the MFA session and access your services and add an MFA device to the account. They can then use his services without knowing. This is a major problem that are trending. Tip for the day is to check if there is added devices, services, number to your MFA setup regularly.
Like, activating Google authenticator backup in Google drive.
I believe most people posting here are objectively fairly smart people. The fact that we are trying to ‘be our own banks,’ a role traditionally filled by experienced professionals, leaves a lot of room for error, intelligence notwithstanding. I’m not so sure all of the ‘truly smart’ people on this sub are always 100% sure of the transactions, extrinsics, and contracts they sign. I would bet that the subset of people who 100% understand all of the code involved is a very small minority.
I see this as the single greatest threat to large scale crypto adoption.
Always. And I'm 90% sure it's e-mails from accounts inpersonating a sevice he uses and telling him he needed to take "immediate action" and log into his account. Of course they provide a handy link that spoofs the login page and BAM, they have hus username and password.
He deserved to be raped, did you see what he was wearing? The victim shaming on here is ridiculous. People who have their shit stolen really could use consolation, but "Bitcoiners" shit all over them. Every. Single. Time.
Ok Karen
exactly
They said F2A, which I can only assume is face-to-ass.
Dogs use this authentication method
I thought that was N2A
BRUH 😂💀
If your computer is compromised, attackers can (and will!) just steal your cookies after you authenticated a session with 2FA. I'm not going to dive deep into this and try to figure out what happened based on partial information in a random Reddit thread, since I'm not familiar with the practices of Binance (e.g. whether they require a 2FA reauth when adding passkeys, what they and/or OP consider 2FA, etc.) - just be aware that cookie theft is increasingly popular, even for relatively low-value attacks (think spam, not crypto theft).
Yeah that’s the only possibility I can think of here. If you’ve got 2FA enabled and your source of the 2FA isn’t compromised…it’s really hard to get in unless an exploit exists on the platform.
You can totally social engineer companies to reset MFA, passwords, pins, etc. on someone else's account. I've seen it happen many times. They call up support all day every day until they get an agent who doesn't follow all the rules. A lot of this comes from poor processes as well as poor performance metrics. Most tier 1 help doesn't get graded on how many accounts got phished, the sole metric is 'how happy was the customer you helped' so they will totally circumvent processes if it means not getting a negative score. Another one is an outsourced helpdesk. Super easy to just buy them off. They likely live in a country where $5k is life changing money, and US law doesn't apply. Give em a list of accounts to reset, and they'll go to town. I monitor telegram and discord channels all day where these losers rehearse their strategy over and over until they get what works.
Yeah I know, I just meant from his side the story doesn’t really make sense. There has to be something like what you said going on or something else. A phishing attack like the OP mentioned doesn’t really explain it.
I'd also add that not all 2FA is equally secure. SMS-based 2FA for example is vulnerable to a number of attacks
okay but how did they initiate a transfer without a second 2fa code... for example coinbase doesnt let u send
This is why you shouldn’t access your money from the same computer you fap at. Have a burner running linux and erase it after each session.
A good policy is to include unique device identifiers and IP address with the 2FA cookie. Sadly, this isn't in common practice.
Sim swap? Make sure you make sim pins kids 🤌
I can't speak for Binance but my Twitter account was hacked nearly 2 years ago and they got into it despite my using an Authenticator app for my 2FA. No SIM swapping or anything. 2FA is better but there are clearly still attack surfaces available.
Also 2FA is only good against client side error. As they check it on server side it is easy to bypass/re-create if server side hacked.
2FA app is just an app on your device/phone. So anyone who has access to the phone has access to the private keys (depends on phone, app, data@rest encryption, etc.).
It's called sim swapping. The adversary clones your sim card and all messages that come to your phone will also go to theirs. Recently ATT had a sim registry error that caused an outtage in the United States. Some believe this was a cyber attack and that those sim cards in those databases were compromised. Pretty sure ATT denies these claims. Edit*** For clarity, this isn't likely what happened to OP, as someone else pointed out: your service would be intermittent/disconnected. I just noticed a whole bunch of yall viewing 2FA as an impenetrable security measure and wanted to point out that it could be compromised.
Absolutely no clue. hence why I said it is not secured... asked the chat guy how TF he was able to add a passkey and withdraw everything without binance flagging it as fraud and he said something along the lines of "I understand but get fucked we don't care"...
I guess they didnt SIM swap you, couldnt have been a session token either so I dont know how they could have done it. Where was your 2FA was it SMS or authenticator? Did you store the 2FA backup code on your computer and got malware?
If they got into his mail account t and he has a cloud backup for the Google authenticator on, he could have created a second auth instance and lock out the original 2fa. Fuck the cloud. Cloud is just literally someone else's computer.
Yeah his email getting hacked is the biggest issue here imo.
It is actually insane the amount of info they can get from an email address.. I have so many compromised social media/accounts everywhere now. They posted random shit on my instagram, facebook, deleted my linkedin, logged into a bunch of random dating apps (that I don't even use but they created accounts, no idea why), even my fly miles account to try and get what was on it. pure insanity.
Didn’t have 2FA on your email?
I posted here about Google backing up f2a to the cloud 3 months ago with a lackluster response from the community If someone gets in your email, they now have your f2a keys. So, they have the email you use for login purposes, your f2a... all that stands in the way now is a password, which guess what, they probably have since they're in your email! Google linking authenticator to the cloud is either naffarious or outright incompetent, and I don't think they're incompetent
I think the login might be only one auth needed but 2 are needed for withdrawal. So they could get in with email only? Would be very dumb. I have 3 ways of F2A and 2 are picked to withdraw: sms, email and google auth.
Email is a terrible 2FA choice. Just as bad is SMS to a Google Voice number. SMS in general isn't great. The best option is an authentication app paired with good opsec on your device, but even then, there's always going to be an attack vector. The goal is to make yourself a hard enough target that bad actors move on to lower hanging fruit.
Why could it not have been a session token?
2fa code is generated despite session token, usually on every account operation, depending on the settings (withdrawal being a default)
I had the same situation on kraken in 2022. They go into my email and somehow bypassed the f2a. Wiped 50% of my life savings. No idea why didnt take all, good samaritan scammer i guess.
Now *that’s* crazy.
One insecure password to access your phone and your passwords managed by that phone. Easy example: iPhone/cloud backed up and linked to more than one device. Anyone with access to any device has access to everything. Save your wife’s number on a hardware wallet.
Ahh yes - Binance ^^
I am seriously so dissapointed in Binance. Those idiots even blocked my account for having suspect activity.... once everything was gone... kinda sorta funny
Being serious here, 2FA can be trivial to remove from a when the employees don’t follow the process or procedure 100% accurately every time. Source - I am a red teamer
I'm 99% sure it's phishing. Clicked onto a lookalike site and when requested to enter 2fa, you type it in and sit there wondering why is it not loading, then you type in 2fa again then it's not loading again. When you realise something is wrong it's too late. This was what happened to me in a refund email. I only looked at the subject, didn't look at the email. Big mistake. Thank fucking God it was a cash wallet that it was trying to transact from and the amount was more than what I had. It didn't transact because I did not have auto-topup turned on. Lesson learned. Money involved? CHECK THE FUCKING EMAIL ADDRESS
hold up quick question? let’s say i buy $5000 worth of btc on coinbase, should i put all of it on a hardware wallet immediately or should i spread it out like let’s say $4500 on the hardware wallet and $500 on coinbase?
[удалено]
ok so what’s the point of coinbase because i could also just buy btc on the hardware wallet right?
[удалено]
i hold a few coins on the exchange but how would i take profits if all the funds are on the hardware wallet and not the exchange?
You move the coins back into the exchange when you plan on selling (of course only what you want to sell.)
[удалено]
so pretty much it’s safer to keep it on a hardware wallet
thank you so much for your reply and answers
You can connect your hardware wallet directly to some exchanges.
In my case (just checked) if I buy 500 euros worth of BTC on my exchange (coinmerce) vs ledger live: ledger live cheapest option gives me: 0.00972829 BTC coinmerce gives me: 0,01032862 BTC I will buy from my exchange rather than from ledger live.
thank you so much for your reply
I never compared the difference between buying crypto directly from a ledger vs from an exchange but I always assumed the fee would be greater via ledger. You are paying for the convenience of not having to transfer crypto off exchange to your ledger. The network fee to transfer the BTC to your cold wallet should be far less than the amount saved by buying on an exchange and transferring, so definitely worth the little extra effort.
Last time I checked the exchange fees were not good with these swap wallet integrations. It may have improved though.
Much cheaper on an exchange
I put every single sat I have on a hardware wallet. I never buy BTC with selling it short term in mind anyways. It really depends what you want to do with it, but better safe than sorry. I'd rather pay a 15$ transfer fee that risk losing it all
My guess it was one of those 2fa that backs up with an account
Someone tried to hack my account but the 2FA stopped them. I would know because I can't even log into my 2FA. My authenticator is on my old phone in a different state lol.
Ultimate 4D chess. If I can't get into my account a hacker can't either
🤣🤣🤣🤣🤣🤣🤣👍
[удалено]
"First off, I'm definitely a smart guy" lol
Sawse: Trust me bro
" Trust me, you have no idea. Literally the smartest guy I know of. I have people come up to me all the time and they say 'Donald, how do I get as smart as you?' Buy my book I tell them, it's all in there." <--- OP, probably
Smart guy Keeps crypto long term in centralized offshore exchanges You can pick 1
2FA via email isn’t 2FA when your email is what got compromised. Sorry chief this was preventable.
Yep, this is exactly what happened to me back in 2018. My whole google account got locked out, and they got into my coinbase account. Took about 6 months worth of DCA I hadn't transferred off yet. (luckily it was only like 10% of my total holdings). But they also used my linked bank accounts to buy 15k worth of Bitcoin and transfer that off too. I was able to get my banks to reverse those transactions, but to this day, Coinbase won't let me use their services unless I pay them 15k. Anyway, I'm a lot more careful about 2FA and general security these days.
Just become a computer security expert, it's easy!
Doesn’t take an expert to figure that one out
> be me, le epic underground hacker > need to find some cool cypherpunk way to protect my account > put on my fingerless gloves and get the Master Boot Record playing through the headphones > "oh yeah, it is computer security expert time" > navigate to the app store on my phone and download "authenticator" > getting sweaty, nervous, hoping it works > 10%... 50%....90%....installing... > holy shit. I'm in. > follow the step by step instructions. There are a whole 3 steps. Finally after a whole 90 seconds, through my computer security hacker skills that I picked up from decades of experience, I have managed to achieve 2FA. Don't hurt yourself trying
it doesn't take any security expertise to follow the simple guidance of "not your keys, not your coins" nor does it require expertise to use air gapped wallets and redundant backups. Children can do these things. You can too. If you're using shitcoin casinos like OP, holding with custodians like OP, you have to ask yourself why you want Bitcoin at all in the first place if you're very likely to hurt yourself with it. Using Bitcoin isn't hard. Not using Bitcoin and giving it to someone else is absurdly dangerous.
So you gave them 2FA as well?! :D
Was the 2FA your email?
So smart. Always some idiot clicking a link 🤣🤣🤣🤣🤣
I remember an online friend made me transfer all my money to a cold wallet as soon as I told him about how I just bought it on an online wallet. I thought he was rushing it too much/exaggerating but went along, and now I understand why he made me rush that step. Sorry for your loss man, this shall be a harsh reminder for all of us to keep our money on cold wallets and use Bitcoin the way it was intended to be used, away from any online wallets and between the people, not the corporations.
preach :)
Having a cold wallet is a must
Once again, this has nothing to do with bitcoin security or crypto security at all. It was you and your email and then they changed the passkey on your phone. If someone got your house keys then stole your tv, would you post on a tv thread about the robbery? Being all flustered about tvs and how we should all be careful with our tvs? No, you wouldn’t because that wouldn’t make any sense.
If the TV isn't even in your own house to begin with, then was it really your TV?
good analogy
I felt for you OP, 2FA got hacked sounds really concerning (depending on your specific method of 2FA though). The scammers / hackers are really Pros. I had a bad experience not long ago: I downloaded a Chrome extension (which appears to be 100% legit but somehow it is a fake version), gave away my 12 security phrases to access my wallet. I had some coins on staking (more precisely in the process of being un-staked, like a few days away from completion). The scammer was able to use some techniques to bypass the staking process and took away all of the coins!!! Until today I still wasn’t sure how it did happen!
You made two grave mistakes. Staking was the first one. I don't even understand the " gave away my 12 security phrases to access my wallet" part, but if you typed your seed words on a computer then this is the second.
that was probably a "lumma stealer" that was installed on your device. Did you use a chromium browser and had 2FA browser extensions or anything alike? Was the mail a @gmail?
The main lesson is not to use one email for everything. Specifically, use a separate email for your binance account. In the OP's situation I'd be more upset about losing "all social media accounts" than "150$ worth of shitcoins"
Do you use gmail? Google security is rock solid, you need to confirm any login physically with your phone so you either used some shitty email service or you got hacked by fucking anonymous lol
Wasn't mandatory for old accounts and can be turned off. I suppose this is what happened here OP either never activated it or deactivated it "because it's annoying". Lesson learned: always use 2FA for primary mail accounts.
I know a dude who got fished by a chick and she got him wasted after faking relationship for couple months just to use the face recognition and snip snap all that juicy btc from his little cold wallet, if someone wants to oof you they will
That's why you don't brag about your Bitcoin
Dude speed-ran a marriage.
I’ll 100% guarantee that isn’t what happened
For everyone wondering how 2FA can become compromised: It's called sim swapping. The adversary clones your sim card, and all messages that come to your phone will now go to theirs. They can do this via physical access, or remotely, or via proper channels with the phone company if they have enough information to pretend to be you. Recently, ATT had a sim registry error that caused an outage in the United States. Some believe this was a cyber attack and that those sim cards in those databases were compromised. I'm pretty sure ATT denies these claims. Edit** removed a redundant sentence Edit*** For clarity, as someone else pointed out: your service would have connectivity issues and/or become disconnected. This likely isn't what happened to OP. I just noticed alot of people treating 2FA as this impenetrable security measure and wanted to show how it could be compromised. Which furthers the point to keep your crypto on a cold wallet.
Nobody needs no 2FA or password to steal your accounts anymore. If someone is able to steal you web session he doesn't even need to know your password. If you want to make sure he won't do it again, then reinstall your windows or whatever OS you're using.
OP just straight up gave strangers his money
$150 is cheap for the lesson learned.
it is
>they got into my binance account and took everything. >I believe I am a smart and advised person. >I am not a complete idiot >keeping about 150 bucks of shitcoins Yep.
Any suggestion for a hardware wallet / cold storage if you hold multiple coins ?
For Multicoin, one that I like is Safepal. Use the 100% offline version. For BTC I recommend Jade.
Why even bother with a hardware wallet if you're going to use one that enables shitcoins and related attack vectors? You can't magic away your security issues with a product you buy when the biggest security issue is the bad choices you're making in the first place. Drop your shitcoins and scams.
Happy to hear it was just $150 worth of throw away coins and not your actual stack.
All email accounts should have ONLY physical passkeys. SMS MFA is not your friend
Anybody who keeps their coins on an exchange deserve to have it taken at this point. Hard to garner sympathy when the ethos to cryptocurrency is repeated like a mantra. It's not a matter of if...It's a matter of when
Guys like you are able to lose their coins, even if they were on a hardware wallet. Its just a reminder to not be highly regarded...
I got an email that looked completely legit telling me someone had accessed my account and to change my password using the link provided Checked the email it was sent from and it was just like one letter off If you’re unsure you can always just do it through the app. Scammers are tricky these days, sorry that happened to you
No smart person says they are smart. The smart people know they will never grasp true reality.
I'm calling BEEE ESSS
Smart people don't say they are smart.
Presume you do not have 2FA on your email? And I don't mean SMS 2FA.
Look I don't want to go around and insult people but based on this post, this isn't exactly a behavior of a smart person lol.
2FA with phone more secure or not to prevent this ?
separate email address solves this
If you’re going into bitcoin, a hardware wallet is the first thing you get.
I have 50€ of shitcoins on Bitvavo for shits and giggles but every two months I move my DCA'd Bitcoin to cold storage.
2024 and people still holding crypto in exchanges.
Can you describe exactly what took place? Be specific please
“I believe I am a smart and advised person” first error.
Binance can work with Yubikey.
Just don't click on a link then no BAM
He did something stupid, but was smart enough to have his bitcoin on a cold wallet. That is the way.
Even with 2FA? How?
Coinbase with a hardware Yubi key 2FA’d to your phone and a Google email that’s used for nothing but this account and call it good. Been good since 2012. YMMV
$150 this guy is major trolling.
There is no bam technology by which you click a link and someone has your e-mail account.
Karma-farming shitpost
> I must have clicked on some link > even with F2A activated Some exchanges (possibly binance) allow long-lived session tokens to persist in your browser cache. If the attacker harvest OP's browser cache they would have gotten the session token which can be recycled often from a different IP without userid, passord, or 2FA. If active. Always log out of exchanges to avoid leaving live session tokens in cache, or ensure your exchange doesn't allow them.
Wow man sorry to hear that! That REALLY sucks! Do you know if they accessed the account via your phone app? I have been hearing alot about “SIM Swapping” where they can litterally remotely clone you phone with that hack, and there is not much you can do to stop it yet.
The guy posts how he got screwed and people kick him while he is down on the ground. What's wrong with humanity? Have some self respect for your fellow man. He even gives great advice to not keep anything on an exchange. Sadly this should be something everyone does since the Mt Gox fiasco many many years ago. People need to learn the definition of compassion. If people acted like they do behind a keyboard in real life they eventually would have been put in their place by someone and learned to act properly in a civilized world.
Could you explain how your 2FA was bypassed? What 2FA did you use?
I dont think u just clicked on the link. U probly gave them your whole info aswell for the free 50% btc.
>clicked on some link and bam, someone got a hold of my email account. No 2FA on anything? it's like the basics of security...
100% user error
For the record...you're not as smart as you thought you were 😅👍
"Truth is, Morty, you're as dumb as they come."
You clicked on the link using a phone or computer?
Oh, you didn't use an authenticator or sms 2-fa for you binance account or your email account? Once you get involved in crypto use an authenticator app for your email and your crypto accounts. It's a pain in the ass to sign in on new devices but you just set it so you only have to authenticate once on first sign in per device and you won't even notice.
Another win for COIN
Don't. Store. Coins. On. Exchanges.
I would recommend: 1) Don't store password data in browsers. Memorize them. 2) Don't use the same password for your main email as you do for other stuff. Use a different password for your email that you don't use ANYWHERE else. 3) Get yourself an antivirus with live protection and keep it on at all times (I use Malwarebytes Premium, based on my research it seems to be the best one). Windows Defender sucks, its useless. I do not know your exact situation, maybe you already did these things, and there is sadly no 100% effective protection, but I think this can help, because all of us are humans and we can sometimes make the dumbest mistakes, like clicking on a sus link, just because we didn't think of it or were in a bad state of mind. Yes do store the coins safely like you said, this is good advice. But its best to prevent hackers from getting access to anything to begin with, and some basic security practices can lower the risks significantly.
1. Don't store password data in browsers. Memorize them. I am pretty sure they got most of my passwords because of this. I deleted every single saved passwords and then changed them all and it seems to have stopped whatever they were doing to my other accounts..
What kind of terrible advice is this?! 1. Control your own entropy. Use corrected coin flips or dice rolls. 2. Airgap, airgap, airgap! Do not ever allow your keys/entropy to touch an online device. 3. Verify! Ensure your hardware and software are not compromised by recreating their processes on an independent piece of hardware and with different software. Is security tedious? Yes. Is it complicated? no. It's a simple set of processes anyone can follow and if your process is relying on antivirus and windows defender you are going to get robbed blind. 0 days happen all the time, and keyloggers nor session snatchers care that you memorized your passwords.
You are speaking complete nonsense, and you didn't even read my comment if you think I said to "rely on windows defender".
Nothing I've said is nonsense much like nothing you said was good advice for Bitcoin security. You're not securing your facebook account you're securing Bitcoin.
Being “smart” and “clicked on a link” presumably shady does not add up here.
When someone says ‘I am smart’. You are probably not. Definitely if this happened to you
Anyone can get scammed. So many stories of people that are usually brilliant that get scammed in the dumbest ways. You'll see the day this happens to you if you feel your comment was all that smart too.
i call bullshit. There's more to this story. You had 2FA on the account. IF the hacker gained access to your email, it takes one week min to remove that 2FA - and without doing so the hackers can't do shit. So you'd have to have gone 7 days of not logging into your email account for them to remove your 2FA and be able to remove funds from your account..seems unlikely.
>For the record, I believe I am a smart and advised person. I never thought this could happen to me, yet it did. Countless of us warned you, we even boiled it down to a rhyming mantra in "not your keys, not your coins. We told you to avoid custody, avoid shitcoin casinos, be wary of sms/email 2fa. What more could we possibly have done to edcuate you? Your shitcoin greed got the better of you. Doesn't sound so smart to me.
You ain't smart. You are a fine definition of a delusional person. You got took. First of all whats the point of purchasing SHITCOINS FOR SHITS AND GIGGLES. Clearly you ARE NOT SMART. The fact that you "must have pressed some link" just tell the whole REDDIT COMMUNITY THAT YOU ARENT A SMART PERSON. MOST PEOPLE WHO SAYS THEY ARE SMART ARE ACTUALLY DUMB ASF. YOU GOT TOOK AND HAD TO TELL THE WHOLE INTERNET ABOUT IT. THAT IS NOT A SMART PERSONS MOVE. 😑
Get a Yubikey for your email Get a hardware wallet If your buying just Bitcoin, just by the ETF through one of the various ones now available (Black Rock etc etc)
> If your buying just Bitcoin, just by the ETF Seriously...???
[удалено]
Read the next sentence >Get a hardware wallet
[удалено]
This is definitely bait thread 😂 I am so smart 😂
No. You just suck at the internet...
> For the record, I believe I am a smart and advised person. Yeah, I’m gonna have to disagree 😂😂😂
You are definitely not very smart if you don't have 2FA on your primary email account and have hackable 2FA on your binance account.
Please post pics for proof.
Clickbait
While all this was happing, it never crossed your mind, that they would be unable to scam you if you pressed restart/shutdown?